#!/bin/bash

# Modified based on Squid OCI image entrypoint

# This entrypoint aims to forward the squid logs to stdout to assist users of
# common container related tooling (e.g., kubernetes, docker-compose, etc) to
# access the service logs.

# Moreover, it invokes the squid binary, leaving all the desired parameters to
# be provided by the "command" passed to the spawned container. If no command
# is provided by the user, the default behavior (as per the CMD statement in
# the Dockerfile) will be to use Ubuntu's default configuration [1] and run
# squid with the "-NYC" options to mimic the behavior of the Ubuntu provided
# systemd unit.

# [1] The default configuration is changed in the Dockerfile to allow local
# network connections. See the Dockerfile for further information.

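# Regenerate the snakeoil (self-signed) certificate when its private key is
# missing; the message below says the build process removes it from the image.
# The message is printed on every start, whether or not generation runs.
echo "[ENTRYPOINT] re-create snakeoil self-signed certificate removed in the build process"
if [[ ! -f /etc/ssl/private/ssl-cert-snakeoil.key ]]; then
  # make-ssl-cert's own output stays suppressed, but a failure is reported on
  # stderr instead of being dropped, so a missing key is visible in the
  # container log. Startup continues either way, as before.
  if ! /usr/sbin/make-ssl-cert generate-default-snakeoil --force-overwrite > /dev/null 2>&1; then
    echo "[ENTRYPOINT] warning: failed to generate the snakeoil certificate" >&2
  fi
fi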
# Follow every squid log in the background; the tails inherit this script's
# stdout, so the log lines show up in the container log. tail's own stderr is
# discarded (presumably to hide "no such file" noise until squid creates the
# logs; -F keeps retrying by name).
# NOTE(review): access.log records requested URLs and client addresses, so
# whatever collects the container's stdout should be handled with the same
# care as the proxy logs themselves.
for squid_log in access error store cache; do
  tail -F "/var/log/squid/${squid_log}.log" 2>/dev/null &
done
# Squid config fragments that this entrypoint rewrites on every start.
# Fragment for the optional sandbox host bridge (accelerator port + peer).
SANDBOX_PROXY_CONF=/etc/squid/dify_sandbox_proxy.conf
# Fragment holding operator-approved exceptions to the private-network deny rule.
ALLOW_PRIVATE_CONF=/etc/squid/dify_allow_private.conf
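#######################################
# Append one squid ACL, plus the http_access rule that allows it, to the
# private-allowlist fragment. Writes nothing when the named environment
# variable is unset or holds only separators.
# Globals:
#   ALLOW_PRIVATE_CONF (read) - path of the fragment that is appended to
# Arguments:
#   $1 - NAME of the environment variable holding the values
#        (comma and/or whitespace separated)
#   $2 - squid ACL name to define
#   $3 - squid ACL type (the callers in this script pass dst and dstdomain)
# Outputs:
#   Appends "acl <name> <type> <values...>" and
#   "http_access allow client_localnet <name>" to $ALLOW_PRIVATE_CONF.
#######################################
write_optional_private_allowlist() {
  local env_name="$1"
  local acl_name="$2"
  local acl_type="$3"
  # Indirect expansion: read the variable whose name was passed in.
  local raw_values="${!env_name:-}"
  local -a values=()

  # Commas and whitespace are both accepted as separators.
  raw_values="${raw_values//,/ }"

  # Nothing but separators: leave the fragment untouched.
  if [[ -z "${raw_values//[[:space:]]/}" ]]; then
    return
  fi

  # Split with read -a instead of an unquoted expansion. An unquoted
  # $raw_values is also subject to pathname expansion, so a token such as "*"
  # would be replaced by file names from the working directory and written
  # into the ACL. read splits on IFS only and keeps every token literal.
  # read returns non-zero at end of input with -d ''; the array is still set.
  IFS=$' \t\n' read -r -d '' -a values <<< "$raw_values" || true

  # NOTE(review): tokens are written as given; they are not checked to be
  # IPs, CIDR ranges or domain names. Each entry exempts a private destination
  # from the SSRF deny rule for client_localnet, so an overly broad entry
  # weakens that protection. Keep the env values as narrow as possible.
  {
    printf 'acl %s %s' "$acl_name" "$acl_type"
    printf ' %s' "${values[@]}"
    printf '\nhttp_access allow client_localnet %s\n' "$acl_name"
  } >> "$ALLOW_PRIVATE_CONF"
}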
# Recreate the private-allowlist fragment from scratch on every start so that
# entries from a previous run never linger after the env vars change.
printf '%s\n' \
  "# Generated by docker-entrypoint.sh." \
  "# Allows selected private targets before the default private-network deny rule." \
  > "$ALLOW_PRIVATE_CONF"

# Each call appends an ACL only when its environment variable is non-empty.
# Both rules are exceptions to the private-network deny rule mentioned above.
# NOTE(review): dstdomain matches the requested host name; the address that
# name resolves to is not checked by this rule. Confirm that is acceptable for
# the domains being allowed.
write_optional_private_allowlist "SSRF_PROXY_ALLOW_PRIVATE_IPS" \
  "dify_allowed_private_networks" "dst"
write_optional_private_allowlist "SSRF_PROXY_ALLOW_PRIVATE_DOMAINS" \
  "dify_allowed_private_domains" "dstdomain"
# Recreate the sandbox-bridge fragment; with SSRF_SANDBOX_PROXY_PORT unset or
# empty it contains only this two-line header.
printf '%s\n' \
  "# Generated by docker-entrypoint.sh." \
  "# Enables the middleware-only sandbox host bridge when configured." \
  > "$SANDBOX_PROXY_CONF"

if [[ -n "${SSRF_SANDBOX_PROXY_PORT:-}" ]]; then
  # Upstream sandbox endpoint; both parts fall back to defaults when unset.
  sandbox_proxy_target_port="${SANDBOX_PORT:-8194}"
  sandbox_proxy_host="${SSRF_SANDBOX_PROXY_HOST:-sandbox}"

  # NOTE(review): the port and host values are written into the squid config
  # as given, without checking that they are a port number / host name.
  # NOTE(review): the http_access rule below matches on the listening port
  # only, not on the client address; presumably network isolation limits who
  # can reach this port. Confirm against the deployment.
  {
    # Listen on the bridge port in accelerator (reverse-proxy) mode.
    printf 'http_port %s accel vhost\n' "$SSRF_SANDBOX_PROXY_PORT"
    # Forward those requests to the sandbox as the origin server.
    printf 'cache_peer %s parent %s 0 no-query originserver name=dify_sandbox\n' \
      "$sandbox_proxy_host" \
      "$sandbox_proxy_target_port"
    # Allow traffic that arrived on the bridge port.
    printf 'acl dify_sandbox_proxy_port localport %s\n' "$SSRF_SANDBOX_PROXY_PORT"
    printf 'http_access allow dify_sandbox_proxy_port\n'
  } >> "$SANDBOX_PROXY_CONF"
fi
# Replace environment variables in the template and output to the squid.conf
#
# Only the braced form ${NAME} is substituted; NAME must start with a letter
# or underscore. awk reads values from ENVIRON, so only variables exported to
# this process are visible. A placeholder whose variable is unset is replaced
# by the empty string, without any warning.
#
# NOTE(review): values are inserted verbatim, so the content of every
# referenced environment variable becomes squid configuration text.
# NOTE(review): after each substitution the whole line is matched again, so a
# value that itself contains ${NAME} is expanded in turn, and a value that
# refers to its own name would keep the loop from terminating.
echo "[ENTRYPOINT] replacing environment variables in the template"
awk '{
    while(match($0, /\${[A-Za-z_][A-Za-z_0-9]*}/)) {
        var = substr($0, RSTART+2, RLENGTH-3)
        val = ENVIRON[var]
        $0 = substr($0, 1, RSTART-1) val substr($0, RSTART+RLENGTH)
    }
    print
}' /etc/squid/squid.conf.template > /etc/squid/squid.conf
# First pass: -z makes squid create any missing cache directories and exit;
# -N keeps it in the foreground. Its exit status is not checked.
/usr/sbin/squid -Nz

echo "[ENTRYPOINT] starting squid"

# Second pass: run squid in the foreground against the generated config. It
# runs as a child of this shell (no exec), and its exit status becomes the
# script's exit status because it is the last command.
# NOTE(review): the trailing "1" is passed as a separate positional argument;
# confirm that it is intended.
squid_args=(-f /etc/squid/squid.conf -NYC 1)
/usr/sbin/squid "${squid_args[@]}"