配置 DIFY 的 HTTP 代理

目前,DIFY 向公网发起的所有请求都会通过 ssrf_proxy 容器进行代理转发。

因此,最方便的方式就是:

直接让 ssrf_proxy(Squid)把正向代理端口上的出站流量全部转发到上游 HTTP 代理(cache_peer),并用 never_direct 禁止直连,这样 Dify 的出站请求要么经过你的代理,要么失败,不会绕过代理直接出网。


修改ssrf_proxy配置

ssrf_proxy 的启动配置文件位于:

docker/ssrf_proxy/squid.conf.template

实测可用的配置文件如下。两点提醒:(1) Squid 同一行 http_access 中的多个 ACL 是“与”关系,来源限制(localnet)和域名白名单(allowed_domains)必须写在同一条规则里;如果拆成两条,先匹配到的“来源放行”规则会直接放行请求,后面的白名单规则根本不会被查到。(2) 由于 Dify 的所有出站请求都经过 ssrf_proxy,启用白名单后,未列入白名单的任何外部访问(不只是插件市场)都会被拒绝,需要按实际用到的功能补齐域名。

############################## Networks & Ports ACLs ##############################

# Client (source) address classes. "src" ACLs only describe where a request
# comes FROM; they say nothing about where it may go.
acl localnet src 0.0.0.1-0.255.255.255                          # RFC 1122 "this" network
acl localnet src 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16        # RFC 1918 private ranges
acl localnet src 100.64.0.0/10                                  # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16 fe80::/10                       # link-local (RFC 3927 / RFC 4291)
acl localnet src fc00::/7                                       # RFC 4193 unique local addresses

# Destination ports a CONNECT tunnel may target.
acl SSL_ports port 443
# acl SSL_ports port 1025-65535 # Enable if needed for specific CONNECT use cases

# Destination ports a plain request may target.
acl Safe_ports port 21 70 80 210 280 443 488 591 777    # ftp gopher http wais http-mgmt https gss-http filemaker multiling-http
acl Safe_ports port 1025-65535                          # unregistered ports

# Request method used for tunnels.
acl CONNECT method CONNECT


################################## Listen Ports ##################################
# Both listeners carry a name= tag; the myportname ACLs further down use those
# tags to keep the two roles apart.

# Reverse proxy (accelerator) listener in front of the sandbox
http_port ${REVERSE_PROXY_PORT} accel vhost name=reverse

# Forward proxy listener used by Dify for outbound traffic
http_port ${HTTP_PORT} name=forward


################################## Peers ########################################
# Forward upstream proxy (sing-box)
# Replace the address/port with your own upstream proxy; the peer is named
# "singbox" only because the author happens to use sing-box.
# "login=" is optional upstream proxy authentication; replace username:password.
# Security notes:
#  - The credentials sit in cleartext in this template and in the rendered
#    squid.conf. Keep the file out of version control and readable backups,
#    or inject the values from the environment at render time.
#  - Squid passes "login=" credentials to the peer as a Proxy-Authorization
#    (Basic) header. Unless this cache_peer line also enables TLS to the peer
#    ("tls" option; "ssl" on older Squid), they cross the network in cleartext.
#  - "default" only marks this parent as last-resort; it is the
#    cache_peer_access / never_direct rules below that actually pin forward
#    traffic to it.
cache_peer x.x.x.x parent xxxx 0 no-query default name=singbox login=username:password
# Reverse origin (sandbox): "originserver" tells squid this peer is the real
# origin behind the accelerator port, not another proxy.
cache_peer ${SANDBOX_HOST} parent ${SANDBOX_PORT} 0 no-query originserver name=sandbox


################################## Port-based Split ACLs ########################
# Tag each request with the listener it arrived on (names from the http_port lines).
acl is_reverse myportname reverse
acl is_forward myportname forward


################################## Forward WhiteList Domains ####################
# Option 2: restrict the forward proxy to a destination whitelist (extend as needed).
# NOTE: this ACL only has an effect where an http_access line references it, and
# every ACL on one http_access line must match together (logical AND). To combine
# it with a source restriction, put both on the SAME line, e.g.
#   http_access allow is_forward localnet allowed_domains
# A standalone "http_access allow is_forward localnet" placed earlier matches
# first and lets those clients reach any destination, so the whitelist is never
# consulted.
# Dify sends every outbound request through this proxy, so once the whitelist is
# enforced anything not listed here (not only the marketplace) is blocked.
acl allowed_domains dstdomain .marketplace.dify.ai
# Add more entries as required, for example:
# acl allowed_domains dstdomain .example.com
# acl allowed_domains dstdomain .internal.myteam.com


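################################## Peer Routing Control #########################
# Forward listener: only the upstream proxy (singbox) may serve it.
cache_peer_access singbox allow is_forward
cache_peer_access singbox deny all

# Reverse listener: only the sandbox origin may serve it.
cache_peer_access sandbox allow is_reverse
cache_peer_access sandbox deny all

# Neither listener has a legitimate DIRECT destination: forward traffic must
# always leave through singbox, reverse traffic must always land on the sandbox
# peer. "allow all" (instead of "allow is_forward") closes the gap the
# forward-only rule left: never_direct did not match reverse requests, and
# Squid's nonhierarchical_direct (on by default) may then send a
# non-hierarchical request (e.g. a POST) DIRECT to whatever host the request
# names instead of to the sandbox peer. With no DIRECT path at all, a peer
# that is down simply fails the request rather than being bypassed.
never_direct allow all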


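################################## http_access (Order Matters!) #################
# Port sanity checks (apply to both listeners).
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Cache manager: localhost only. These two lines must come BEFORE the blanket
# reverse-port allow below; placed after it, any client of the reverse port
# could reach the manager interface (cache_object:// / /squid-internal-mgr/).
http_access allow localhost manager
http_access deny manager

# ---- Reverse proxy access ----
# Any source may use the reverse port; cache_peer_access above limits it to
# the sandbox peer.
acl src_all src all
http_access allow is_reverse src_all

# ---- Forward proxy access ----
# ACLs on one http_access line are ANDed, so the source restriction and the
# destination whitelist must be checked on the SAME line. Splitting them
# ("allow is_forward localnet" followed by "allow is_forward allowed_domains")
# lets every local client reach any destination: the first rule already matches
# and the whitelist rule is never reached.
http_access allow is_forward localhost allowed_domains
http_access allow is_forward localnet allowed_domains

# Everything else on the forward port (other sources, non-whitelisted
# destinations) is refused.
http_access deny is_forward

# Localhost may use any remaining listener (manager already handled above).
http_access allow localhost

# Site-local additions
include /etc/squid/conf.d/*.conf

# Final catch-all deny
http_access deny all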


################################## Core #########################################
# Where squid writes core files on a crash (value presumably substituted from
# the environment when the .template is rendered — confirm in the entrypoint).
coredump_dir ${COREDUMP_DIR}

# Freshness rules. refresh_pattern is first-match, so keep this order:
# ftp/gopher first, then dynamic content (never cached), then APT index files
# (always revalidated via If-Modified-Since), then the catch-all.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern \/(Packages|Sources)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
refresh_pattern \/Release(|\.gpg)$ 0 0% 0 refresh-ims
refresh_pattern \/InRelease$ 0 0% 0 refresh-ims
refresh_pattern \/(Translation-.*)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
refresh_pattern . 0 20% 4320


################################## Upload Buffer ################################
# Maximum request body squid buffers per client. Unless the option's size is
# increased, an error will occur when uploading more than two files.
# This is a global limit and also bounds how much an unauthenticated client of
# either listener can make squid buffer per request.
client_request_buffer_max_size 100 MB


################################## Performance & Concurrency ####################
# File-descriptor ceiling for the squid process.
max_filedescriptors 65536

# Timeouts: connection setup, waiting for a request/response, overall client
# session length, and the grace period on shutdown.
connect_timeout 30 seconds
request_timeout 120 seconds
read_timeout 120 seconds
client_lifetime 300 seconds
shutdown_lifetime 30 seconds

# Keep-alive on both sides and how long idle connections are retained.
client_persistent_connections on
server_persistent_connections on
persistent_request_timeout 30 seconds
pconn_timeout 60 seconds
client_idle_pconn_timeout 120 seconds
server_idle_pconn_timeout 120 seconds

# Keep the per-client statistics database.
client_db on

# Whether to finish a transfer the client abandoned.
quick_abort_pct 95
quick_abort_min 16 KB
quick_abort_max 16 MB

# In-memory cache sizing.
cache_mem 256 MB
maximum_object_size_in_memory 512 KB
memory_cache_mode disk

# DNS resolver behaviour.
dns_timeout 30 seconds
dns_retransmit_interval 5 seconds
# dns_nameservers 8.8.8.8 8.8.4.4 # example only; customize if needed


################################## Logging ######################################
# Custom access-log line: epoch.ms, response time (ms), client address,
# squid status/HTTP status, bytes sent, method, URL, user name,
# hierarchy code/upstream address, MIME type.
# The URL and hierarchy-code columns are what to inspect to confirm the
# whitelist and the singbox routing behave as intended: the hierarchy code
# shows whether a request went to a peer or DIRECT.
logformat dify_log %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
access_log daemon:/var/log/squid/access.log dify_log
# Keep ten rotated copies.
logfile_rotate 10