Skip to content

fix(docker): harden default SSRF proxy egress#36332

Draft
laipz8200 wants to merge 2 commits into
mainfrom
laipz8200/harden-docker-ssrf-proxy
Draft

fix(docker): harden default SSRF proxy egress#36332
laipz8200 wants to merge 2 commits into
mainfrom
laipz8200/harden-docker-ssrf-proxy

Conversation

@laipz8200
Copy link
Copy Markdown
Member

@laipz8200 laipz8200 commented May 18, 2026
edited
Loading

Summary

Closes #36400.

  • Harden the Docker Compose SSRF proxy defaults by denying loopback, private, CGN, link-local, ULA, multicast, reserved, and cloud metadata target networks before general egress is allowed.
  • Stop relying on the Ubuntu Squid image's packaged conf.d access rules so allow localnet cannot bypass Dify's policy.
  • Preserve the sandbox reverse proxy path and add explicit SSRF_PROXY_ALLOW_PRIVATE_IPS / SSRF_PROXY_ALLOW_PRIVATE_DOMAINS escape hatches for trusted private-network deployments.

Note: this PR should remain draft until #36397 is resolved, so Dify-owned signed file URLs can be handled through internal file retrieval instead of the SSRF proxy.

Screenshots

N/A

Checklist

  • This change requires a documentation update, included: Dify Document
  • I understand that this PR may be closed in case there was no previous discussion or issues. (This doesn't apply to typos!)
  • I've updated the documentation accordingly.

@codecov
Copy link
Copy Markdown

codecov Bot commented May 18, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 86.01%. Comparing base (d9e90d0) to head (6b4e147).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main   #36332      +/-   ##
==========================================
- Coverage   86.02%   86.01%   -0.01%     
==========================================
  Files        4477     4473       -4     
  Lines      213442   213403      -39     
  Branches    39669    39655      -14     
==========================================
- Hits       183614   183562      -52     
- Misses      26566    26578      +12     
- Partials     3262     3263       +1
Flag Coverage Δ
api 85.59% <ø> (-0.01%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@laipz8200 laipz8200 force-pushed the laipz8200/harden-docker-ssrf-proxy branch from a7726f0 to bcbb072 Compare May 19, 2026 05:39
@laipz8200
fix(docker): harden default SSRF proxy egress
96622fa 
Block private, loopback, link-local, multicast, reserved, and metadata target networks in the Docker Compose SSRF proxy while preserving public egress and sandbox reverse proxy access.

Add explicit private IP and domain allowlist environment variables for deployments that need trusted private-network access.
@laipz8200 laipz8200 force-pushed the laipz8200/harden-docker-ssrf-proxy branch from bcbb072 to 96622fa Compare May 19, 2026 06:20
@laipz8200 ChatGPT Codex Connector
Copy link
Copy Markdown
Member Author

laipz8200 commented May 19, 2026

Update: this PR should stay draft/paused until #36397 is resolved.

The proxy hardening in this PR blocks loopback, private, link-local, and metadata target networks by default. That is the intended security posture, but it also means local Docker deployments can regress when a Dify-signed /files/... URL is passed back into Dify as a remote URL. In those deployments, FILES_URL or INTERNAL_FILES_URL may resolve to localhost, a Docker-internal hostname, or another private address, so the current SSRF proxy policy would reject the request.

We should first land the centralized signed-file retrieval work in #36397, so Dify-owned signed file URLs are verified and resolved through an internal file/storage path instead of being treated as arbitrary external remote URLs through the SSRF proxy. Once that is in place, we can resume this PR without breaking local signed-file flows.

@laipz8200 laipz8200 mentioned this pull request May 19, 2026
Open
5 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@crazywoola crazywoola Awaiting requested review from crazywoola crazywoola will be requested when the pull request is marked ready for review crazywoola is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Proposal] Harden Docker Compose SSRF proxy defaults

1 participant

@laipz8200