mirror of
https://github.com/langgenius/dify.git
synced 2026-04-10 03:33:37 +08:00
- Block all private/internal networks by default to prevent SSRF attacks - Restrict allowed ports to only HTTP (80) and HTTPS (443) - Remove default domain allowlists (e.g., marketplace.dify.ai) - Implement deny-all-by-default policy with explicit whitelisting - Add example configuration files for common customization scenarios - Provide comprehensive documentation for security configuration Fixes #24392
# Example: Allow access to specific external domains
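# To enable, copy this file to /etc/squid/conf.d/30-allow-external-domains.conf and
# uncomment only the acl/http_access pairs you need. Every rule below ships commented
# out, so copying the file alone changes nothing.
# Squid applies the first matching http_access rule, so confirm this file loads after
# the rules that deny private/internal destinations.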
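# Allow specific domains for API integrations
# (a leading dot in dstdomain matches the domain and all of its subdomains, so
# list the narrowest hostnames your integrations actually call)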
# acl allowed_apis dstdomain .api.openai.com .anthropic.com .googleapis.com
# http_access allow allowed_apis
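# Allow webhook endpoints
# (the domains below are illustrations; services that host endpoints for any
# customer let requests reach third parties you do not control, so prefer the
# exact hosts of your own receivers)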
# acl webhook_endpoints dstdomain .webhook.site .zapier.com
# http_access allow webhook_endpoints
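# Allow storage services
# (these suffixes match every customer's bucket or account on the provider, not
# just yours; where possible allow the full hostname of your own bucket/account)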
# acl storage_services dstdomain .s3.amazonaws.com .blob.core.windows.net .storage.googleapis.com
# http_access allow storage_services
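# Allow by specific IP address (use with caution)
# (203.0.113.10 is a documentation-range placeholder; replace it with the real
# address, and never list a loopback, link-local or private address here, as that
# would reopen the internal targets the default policy blocks)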
# acl trusted_ip dst 203.0.113.10
# http_access allow trusted_ip