feat(ssrf_proxy): Support DEV_MODE

Signed-off-by: -LAN- <laipz8200@outlook.com>
This commit is contained in:
-LAN- 2025-09-01 14:58:49 +08:00
parent b7c87245a3
commit 5ea168f03b
8 changed files with 75 additions and 102 deletions


@ -140,11 +140,8 @@ services:
restart: always
volumes:
- ./ssrf_proxy/squid.conf.template:/etc/squid/squid.conf.template
- ./ssrf_proxy/squid.conf.dev.template:/etc/squid/squid.conf.dev.template
- ./ssrf_proxy/docker-entrypoint.sh:/docker-entrypoint-mount.sh
# DEVELOPMENT MODE: Mount dev configs that disable all SSRF protections
# WARNING: This configuration allows access to private networks!
# Only use this in development environments, never in production!
- ./ssrf_proxy/conf.d.dev:/etc/squid/conf.d:ro
entrypoint: [ "sh", "-c", "cp /docker-entrypoint-mount.sh /docker-entrypoint.sh && sed -i 's/\r$$//' /docker-entrypoint.sh && chmod +x /docker-entrypoint.sh && /docker-entrypoint.sh" ]
env_file:
- ./middleware.env
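Review bot: The new `squid.conf.dev.template` mount (the line directly under the `squid.conf.template` mount) lands in the default middleware compose without any comment, while the "DEVELOPMENT MODE / never in production" warning that appears to have accompanied the removed `conf.d.dev` mount is gone with it. Because the dev template is now always present in the container, disabling SSRF protection is one environment variable away rather than an explicit `-f` overlay, so the mount line should carry the warning: `# Dev-only template, selected by the entrypoint when SSRF_PROXY_DEV_MODE is true; it disables all SSRF protections -- never enable in production.`. Consider whether production deployments need this template mounted at all: without it, the entrypoint's missing-template check exits non-zero, so an accidental `SSRF_PROXY_DEV_MODE=true` would fail closed instead of silently opening the proxy.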


@ -64,6 +64,10 @@ SSRF_HTTP_PORT=3128
SSRF_COREDUMP_DIR=/var/spool/squid
SSRF_REVERSE_PROXY_PORT=8194
SSRF_SANDBOX_HOST=sandbox
# Development mode switch - set to true to disable all SSRF protections
# WARNING: This allows access to localhost, private networks, and all ports!
# Only use this in development environments, NEVER in production!
SSRF_PROXY_DEV_MODE=false
# ------------------------------
# Environment Variables for weaviate Service
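Review bot: The comment on `SSRF_PROXY_DEV_MODE` says to set it to `true`, but the entrypoint in this same commit also treats `True`, `TRUE` and `1` as enabling dev mode, so the documented contract is narrower than what the code accepts. Either state the accepted values here, `# Any of true/True/TRUE/1 enables dev mode; every other value keeps SSRF protections on`, or tighten the entrypoint so that only the literal `true` disables protections. Keeping `false` as the committed default is the right choice for a file that is copied into deployments.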


@ -105,30 +105,46 @@ Development mode provides a zero-configuration environment that:
### Using Development Mode
#### Option 1: Docker Compose Override (Recommended)
#### Option 1: Environment Variable (Recommended)
From the main Dify repository root:
Simply set the `SSRF_PROXY_DEV_MODE` environment variable to `true`:
```bash
# Use the development overlay with your existing docker-compose
docker-compose -f docker-compose.middleware.yaml -f docker/ssrf_proxy/docker-compose.dev.yaml up ssrf_proxy
# In your .env or middleware.env file
SSRF_PROXY_DEV_MODE=true
# Then start normally
docker-compose -f docker-compose.middleware.yaml up ssrf_proxy
```
#### Option 2: Manual Configuration
Or set it directly in docker-compose:
Mount the development configuration manually:
```yaml
services:
ssrf_proxy:
environment:
SSRF_PROXY_DEV_MODE: true
```
**Important Note about Docker Networking:**
When accessing services on your host machine from within Docker containers:
- Do NOT use `127.0.0.1` or `localhost` (these refer to the container itself)
- Instead use:
- `host.docker.internal:port` (recommended, works on Mac/Windows/Linux with Docker 20.10+)
- Your host machine's actual IP address
- On Linux: the Docker bridge gateway (usually `172.17.0.1`)
Example:
```bash
docker run -d \
--name ssrf-proxy-dev \
-p 3128:3128 \
-v ./docker/ssrf_proxy/squid.conf.template:/etc/squid/squid.conf.template:ro \
-v ./docker/ssrf_proxy/docker-entrypoint.sh:/docker-entrypoint.sh:ro \
-v ./docker/ssrf_proxy/conf.d.dev:/etc/squid/conf.d:ro \
ubuntu/squid:latest
# Wrong (won't work from inside container):
http://127.0.0.1:1234
# Correct (will work):
http://host.docker.internal:1234
```
The development mode configuration is in `conf.d.dev/00-development-mode.conf`.
The development mode uses `squid.conf.dev.template` which allows all connections.
## Testing


@ -1,22 +0,0 @@
################################## DEVELOPMENT MODE CONFIGURATION ##################################
# WARNING: This configuration DISABLES all SSRF protections!
# Only use this in development environments. NEVER use in production!
# Override all previous access rules and allow everything
# This must be placed early in the configuration to take precedence
# Allow all ports (not just 80/443)
acl Dev_All_Ports port 1-65535
# Allow all connections including private networks
# This effectively bypasses all SSRF protections
http_access allow all
# Additional development conveniences
# Allow cache manager access from any source (useful for debugging)
http_access allow manager
# Log everything for debugging
debug_options ALL,1
# Note: Since we're allowing all, the deny rules in the main config won't be reached


@ -1,21 +0,0 @@
# Development Mode Docker Compose Override
# WARNING: This configuration DISABLES all SSRF protections!
# Only use this in development environments, never in production!
#
# Usage (from main Dify repository):
# docker-compose -f docker-compose.middleware.yaml -f docker/ssrf_proxy/docker-compose.dev.yaml up
#
# This overlay modifies the ssrf_proxy service to mount development configurations
# that allow ALL requests including private networks and cloud metadata.
version: '3.8'
services:
ssrf_proxy:
volumes:
# Override the conf.d mount to use development configuration
- ./docker/ssrf_proxy/conf.d.dev:/etc/squid/conf.d:ro
environment:
# Optional: Add any development-specific environment variables
SQUID_DEV_MODE: "true"
container_name: dify-ssrf-proxy-dev


@ -26,8 +26,26 @@ tail -F /var/log/squid/error.log 2>/dev/null &
tail -F /var/log/squid/store.log 2>/dev/null &
tail -F /var/log/squid/cache.log 2>/dev/null &
# Select the appropriate template based on DEV_MODE
echo "[ENTRYPOINT] SSRF_PROXY_DEV_MODE is set to: '${SSRF_PROXY_DEV_MODE}'"
if [ "${SSRF_PROXY_DEV_MODE}" = "true" ] || [ "${SSRF_PROXY_DEV_MODE}" = "True" ] || [ "${SSRF_PROXY_DEV_MODE}" = "TRUE" ] || [ "${SSRF_PROXY_DEV_MODE}" = "1" ]; then
echo "[ENTRYPOINT] WARNING: Development mode is ENABLED! All SSRF protections are DISABLED!"
echo "[ENTRYPOINT] This allows access to localhost, private networks, and all ports."
echo "[ENTRYPOINT] DO NOT USE IN PRODUCTION!"
TEMPLATE_FILE="/etc/squid/squid.conf.dev.template"
else
echo "[ENTRYPOINT] Using production configuration with SSRF protections enabled"
TEMPLATE_FILE="/etc/squid/squid.conf.template"
fi
# Check if the selected template exists
if [ ! -f "$TEMPLATE_FILE" ]; then
echo "[ENTRYPOINT] ERROR: Template file $TEMPLATE_FILE not found"
exit 1
fi
# Replace environment variables in the template and output to the squid.conf
echo "[ENTRYPOINT] replacing environment variables in the template"
echo "[ENTRYPOINT] replacing environment variables in the template: $TEMPLATE_FILE"
awk '{
while(match($0, /\${[A-Za-z_][A-Za-z_0-9]*}/)) {
var = substr($0, RSTART+2, RLENGTH-3)
@ -35,7 +53,24 @@ awk '{
$0 = substr($0, 1, RSTART-1) val substr($0, RSTART+RLENGTH)
}
print
}' /etc/squid/squid.conf.template > /etc/squid/squid.conf
}' "$TEMPLATE_FILE" > /etc/squid/squid.conf
# Log first few lines of generated config for debugging
echo "[ENTRYPOINT] First 30 lines of generated squid.conf:"
head -n 30 /etc/squid/squid.conf
# Create an empty conf.d directory if it doesn't exist
if [ ! -d /etc/squid/conf.d ]; then
echo "[ENTRYPOINT] creating /etc/squid/conf.d directory"
mkdir -p /etc/squid/conf.d
fi
# If conf.d directory is empty, create a placeholder file to prevent include errors
# Only needed for production template which has the include directive
if [ "${SSRF_PROXY_DEV_MODE}" != "true" ] && [ -z "$(ls -A /etc/squid/conf.d/*.conf 2>/dev/null)" ]; then
echo "[ENTRYPOINT] conf.d directory is empty, creating placeholder"
echo "# Placeholder file to prevent include errors" > /etc/squid/conf.d/placeholder.conf
fi
/usr/sbin/squid -Nz
echo "[ENTRYPOINT] starting squid"
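Review bot: The dev-mode test is written twice with different semantics: the template selection accepts `true`, `True`, `TRUE` and `1`, but the placeholder guard near the end only tests `!= "true"`, so `SSRF_PROXY_DEV_MODE=1` picks the dev template and still runs the production-only placeholder step. Normalize the flag once and reuse it in both places: `case "${SSRF_PROXY_DEV_MODE}" in true|True|TRUE|1) DEV_MODE=true ;; *) DEV_MODE=false ;; esac`, then `if [ "$DEV_MODE" = "true" ]; then` for the template choice and `if [ "$DEV_MODE" != "true" ] && [ -z "$(ls -A /etc/squid/conf.d/*.conf 2>/dev/null)" ]; then` for the placeholder. The mismatch is harmless today only because the dev template carries no `include` directive, but any later guard keyed on dev mode will inherit the inconsistency. The awk substitution block spans both hunks of this file, so its start lies outside the second hunk.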


@ -1,47 +1,10 @@
################################## DEVELOPMENT MODE CONFIGURATION ##################################
# WARNING: This configuration DISABLES all SSRF protections!
# Only use this in development environments. NEVER use in production!
#
# This is a special configuration for development that allows ALL requests
# including private networks, cloud metadata endpoints, and any ports.
################################## Allow Everything ##################################
# In development mode, we allow all connections without restrictions
# Define ACLs but don't use them for blocking
acl private_networks dst 0.0.0.0/8
acl private_networks dst 10.0.0.0/8
acl private_networks dst 127.0.0.0/8
acl private_networks dst 169.254.0.0/16
acl private_networks dst 172.16.0.0/12
acl private_networks dst 192.168.0.0/16
acl localhost src 127.0.0.1/32 ::1
acl SSL_ports port 443
acl Safe_ports port 1-65535 # Allow ALL ports in dev mode
acl CONNECT method CONNECT
################################## Access Control Rules ##################################
# DEVELOPMENT MODE: Allow everything!
# Special rule for reverse proxy port (sandbox access)
acl reverse_proxy_port myport ${REVERSE_PROXY_PORT}
http_access allow reverse_proxy_port
# Explicitly allow link-local addresses (169.254.0.0/16)
acl link_local dst 169.254.0.0/16
http_access allow link_local
# Explicitly allow localhost and loopback
http_access allow localhost
# Explicitly allow all private networks
http_access allow private_networks
# ALLOW ALL REQUESTS - Development mode bypasses all security
# Allow all requests - put this FIRST before any other rules
http_access allow all
# Note: No deny rules in development mode
################################## Proxy Server Configuration ##################################
http_port ${HTTP_PORT}
coredump_dir ${COREDUMP_DIR}
@ -64,4 +27,4 @@ cache_peer ${SANDBOX_HOST} parent ${SANDBOX_PORT} 0 no-query originserver
client_request_buffer_max_size 100 MB
# Debug logging for development
debug_options ALL,1
debug_options ALL,1


@ -61,6 +61,7 @@ http_access deny manager
# User overrides in /etc/squid/conf.d/*.conf should be placed here
# These can be used to add additional restrictions or allowances
# Note: debian.conf may be present by default in the ubuntu/squid image
# The include directive uses a script to handle optional includes
include /etc/squid/conf.d/*.conf
# Allow all other requests (public internet resources)
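Review bot: The comment `# The include directive uses a script to handle optional includes` does not describe what actually happens: squid's `include` has no script hook here; it is the entrypoint that writes `placeholder.conf` into `/etc/squid/conf.d` whenever the directory contains no `*.conf`, so the glob always matches. Reword it to `# docker-entrypoint.sh writes a placeholder .conf here when the directory is empty, so this include never fails`. Which of these lines is the single addition is inferred from the hunk counts, since the change markers are not shown.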