mirror of https://github.com/langgenius/dify.git
################################## DEVELOPMENT MODE CONFIGURATION ##################################
# WARNING: This configuration DISABLES all SSRF protections!
# Only use this in development environments. NEVER use in production!
#
# Every request is allowed: private networks, loopback, link-local addresses
# (169.254.0.0/16, where cloud metadata endpoints are served) and any port.
# Any client that can reach ${HTTP_PORT} gets an unrestricted forward proxy,
# so keep that listener off shared or routable networks.
#
# NOTE(review): the ${...} placeholders are presumably substituted by the
# deployment tooling before Squid reads this file - confirm.

################################## Allow Everything ##################################
# The ACLs in this section only give names to address ranges, ports and
# methods. No rule in this file uses any of them to block traffic.

# IPv4 destination ranges: this-network, RFC 1918 private space, loopback and
# link-local. No IPv6 destination range is listed.
acl private_networks dst 0.0.0.0/8
acl private_networks dst 10.0.0.0/8
acl private_networks dst 127.0.0.0/8
acl private_networks dst 169.254.0.0/16
acl private_networks dst 172.16.0.0/12
acl private_networks dst 192.168.0.0/16

# Clients connecting from the loopback addresses.
acl localhost src 127.0.0.1/32 ::1

# SSL_ports, Safe_ports and CONNECT are defined but never referenced by an
# http_access rule below, so CONNECT tunnels to any port are permitted.
acl SSL_ports port 443
# Allow ALL ports in dev mode
acl Safe_ports port 1-65535
acl CONNECT method CONNECT

################################## Access Control Rules ##################################
# DEVELOPMENT MODE: Allow everything!
# http_access rules are checked top-down and the first match decides. Every
# rule here is "allow" and the last one matches all traffic, so the earlier
# rules record intent but do not narrow anything.

# Traffic arriving on the reverse proxy listener (sandbox access)
acl reverse_proxy_port myport ${REVERSE_PROXY_PORT}
http_access allow reverse_proxy_port

# Link-local destinations (169.254.0.0/16); also covered by private_networks
acl link_local dst 169.254.0.0/16
http_access allow link_local

# Clients on localhost / loopback
http_access allow localhost

# All private destination ranges
http_access allow private_networks

# ALLOW ALL REQUESTS - development mode bypasses all security
http_access allow all

# No deny rules exist in development mode. A restrictive profile would place
# its deny rules ahead of the allows and finish with "http_access deny all".

################################## Proxy Server Configuration ##################################
# Forward-proxy listener. If the substituted value is a bare port number,
# Squid listens on every interface of the host or container.
http_port ${HTTP_PORT}
coredump_dir ${COREDUMP_DIR}

# Cache freshness rules: regex, minimum age (minutes), percent of object age,
# maximum age (minutes).
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
# Dynamic content (cgi-bin paths or query strings) gets no freshness lifetime.
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
# Package repository index files (Packages, Sources, Release, InRelease,
# Translation-*) get no freshness lifetime.
refresh_pattern \/(Packages|Sources)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
refresh_pattern \/Release(|\.gpg)$ 0 0% 0 refresh-ims
refresh_pattern \/InRelease$ 0 0% 0 refresh-ims
refresh_pattern \/(Translation-.*)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
# Fallback for everything else.
refresh_pattern . 0 20% 4320

################################## Reverse Proxy To Sandbox ##################################
# Accelerator-mode listener; requests received here go to the sandbox service
# declared as the origin server below.
http_port ${REVERSE_PROXY_PORT} accel vhost
cache_peer ${SANDBOX_HOST} parent ${SANDBOX_PORT} 0 no-query originserver

# Buffer size for file uploads
client_request_buffer_max_size 100 MB

# Log verbosity: level 1 for all debug sections.
# NOTE(review): ALL,1 looks like Squid's default level rather than extra
# debug output - confirm whether a higher level was intended.
debug_options ALL,1