mirror of
https://github.com/langgenius/dify.git
synced 2026-04-07 08:46:31 +08:00
- Block all private/internal networks by default to prevent SSRF attacks
- Restrict allowed ports to only HTTP (80) and HTTPS (443)
- Remove default domain allowlists (e.g., marketplace.dify.ai)
- Implement deny-all-by-default policy with explicit whitelisting
- Add example configuration files for common customization scenarios
- Provide comprehensive documentation for security configuration

Fixes #24392
15 lines
668 B
Plaintext
# Example: Allow access to internal services (USE WITH CAUTION!)
# Copy this file to /etc/squid/conf.d/20-allow-internal-services.conf to enable
# WARNING: This reduces SSRF protection. Only use if you understand the security implications.

# Example: Allow specific internal service
# acl internal_api_service dst 10.0.1.100
# http_access allow internal_api_service

# Example: Allow Docker network (172.17.0.0/16 is Docker's default bridge network)
# acl docker_network dst 172.17.0.0/16
# http_access allow docker_network

# Example: Allow localhost access (DANGEROUS - can bypass SSRF protection)
# acl localhost_dst dst 127.0.0.1
# http_access allow localhost_dst
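
An added example, not part of the dify repository: a small audit that reads an override file like the one above and reports every active `http_access allow` rule whose `dst` ACL overlaps loopback, link-local or private address space. The function names, the list of internal ranges and the sample configuration are assumptions made for this example.

```python
import ipaddress

# Ranges the commit message calls private/internal (the page gives no list;
# this selection is an assumption for the example).
INTERNAL = [(ipaddress.ip_network(cidr), label) for cidr, label in [
    ("127.0.0.0/8", "loopback"), ("::1/128", "loopback"),
    ("169.254.0.0/16", "link-local"), ("fe80::/10", "link-local"),
    ("10.0.0.0/8", "private"), ("172.16.0.0/12", "private"),
    ("192.168.0.0/16", "private"), ("fc00::/7", "private"),
]]

# Constructed sample: the page's first example uncommented, a public
# (documentation-range) host added, and the localhost example left commented out.
SAMPLE_CONF = """\
acl internal_api_service dst 10.0.1.100
http_access allow internal_api_service
acl partner_api dst 203.0.113.10
http_access allow partner_api
# acl localhost_dst dst 127.0.0.1
# http_access allow localhost_dst
"""

def classify(net):
    """Label a network that overlaps internal address space, else None."""
    for internal, label in INTERNAL:
        if net.version == internal.version and net.overlaps(internal):
            return label
    return None

def audit_overrides(conf_text):
    """Return (acl, network, label) for active allow rules reaching internal space."""
    dst_acls, allowed = {}, []
    for raw in conf_text.splitlines():
        if raw.lstrip().startswith("#"):
            continue  # commented-out examples are inactive
        tok = raw.split()
        if len(tok) >= 4 and tok[0] == "acl" and tok[2] == "dst":
            for value in tok[3:]:
                try:
                    dst_acls.setdefault(tok[1], []).append(
                        ipaddress.ip_network(value, strict=False))
                except ValueError:
                    pass  # hostnames and address ranges are not handled here
        elif tok[:2] == ["http_access", "allow"]:
            allowed += [name for name in tok[2:] if not name.startswith("!")]
    return [(name, str(net), classify(net))
            for name in allowed for net in dst_acls.get(name, [])
            if classify(net)]

if __name__ == "__main__":
    for finding in audit_overrides(SAMPLE_CONF):
        print("allow rule reaches internal space:", finding)
```

Because the check uses overlap rather than containment, a broad ACL such as `0.0.0.0/0` is also reported.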