History

autofix-ci[bot] 9e2b6325f3 [autofix.ci] apply automated fixes		2025-09-01 13:45:07 +08:00
..
conf.d.example	chore: strengthen SSRF proxy default configuration	2025-09-01 13:45:07 +08:00
README.md	[autofix.ci] apply automated fixes	2025-09-01 13:45:07 +08:00
docker-entrypoint.sh	Chore/improve deployment flow (#4299 )	2024-06-28 17:37:52 +08:00
squid.conf.template	chore: strengthen SSRF proxy default configuration	2025-09-01 13:45:07 +08:00

README.md

SSRF Proxy Configuration

This directory contains the Squid proxy configuration used to prevent Server-Side Request Forgery (SSRF) attacks in Dify.

Security by Default

The default configuration (squid.conf.template) is strict by default to prevent SSRF attacks:

Blocks all private/internal networks (RFC 1918, loopback, link-local, etc.)
Only allows HTTP (80) and HTTPS (443) ports
Denies all requests by default unless explicitly allowed

Customizing the Configuration

For Development/Local Environments

To allow additional domains or relax restrictions for your local environment:

Create a conf.d directory in your deployment
Copy example configurations from conf.d.example/ and modify as needed
Mount the config files to /etc/squid/conf.d/ in the container

Example: Docker Compose

services:
  ssrf-proxy:
    volumes:
      - ./my-proxy-configs:/etc/squid/conf.d:ro

Example: Kubernetes ConfigMap

apiVersion: v1
kind: ConfigMap
metadata:
  name: squid-custom-config
data:
  10-allow-marketplace.conf: |
    acl allowed_marketplace dstdomain .marketplace.dify.ai
    http_access allow allowed_marketplace    
---
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
      - name: ssrf-proxy
        volumeMounts:
        - name: custom-config
          mountPath: /etc/squid/conf.d
      volumes:
      - name: custom-config
        configMap:
          name: squid-custom-config

Available Example Configurations

The conf.d.example/ directory contains example configurations:

10-allow-marketplace.conf.example: Allow access to Dify marketplace
20-allow-internal-services.conf.example: Allow internal services (use with caution!)
30-allow-external-domains.conf.example: Allow specific external domains
40-allow-additional-ports.conf.example: Allow additional ports

Security Considerations

⚠️ WARNING: Relaxing these restrictions can expose your system to SSRF attacks!

Never allow access to private networks in production unless absolutely necessary
Carefully review any domains you whitelist to ensure they cannot be used for SSRF
Avoid allowing high port ranges (1025-65535) as they can bypass security restrictions
Monitor proxy logs for suspicious activity

Default Blocked Networks

The following networks are blocked by default to prevent SSRF:

0.0.0.0/8 - "This" network
10.0.0.0/8 - Private network (RFC 1918)
127.0.0.0/8 - Loopback
169.254.0.0/16 - Link-local (RFC 3927)
172.16.0.0/12 - Private network (RFC 1918)
192.168.0.0/16 - Private network (RFC 1918)
224.0.0.0/4 - Multicast
fc00::/7 - IPv6 unique local addresses
fe80::/10 - IPv6 link-local
::1/128 - IPv6 loopback

Troubleshooting

If your application needs to access a service that's being blocked:

Check the Squid logs to identify what's being blocked
Create a custom configuration in /etc/squid/conf.d/
Only allow the minimum necessary access
Test thoroughly to ensure security is maintained

File Structure

docker/ssrf_proxy/
├── squid.conf.template       # Strict default configuration
├── docker-entrypoint.sh      # Container entrypoint script
├── conf.d.example/           # Example override configurations
│   ├── 10-allow-marketplace.conf.example
│   ├── 20-allow-internal-services.conf.example
│   ├── 30-allow-external-domains.conf.example
│   └── 40-allow-additional-ports.conf.example
└── README.md                 # This file