diff --git a/keep-ui/auth.ts b/keep-ui/auth.ts
index f0b470971..985c938b7 100644
--- a/keep-ui/auth.ts
+++ b/keep-ui/auth.ts
@@ -8,12 +8,6 @@ import MicrosoftEntraID from "next-auth/providers/microsoft-entra-id";
 import { AuthError } from "next-auth";
 import { AuthenticationError, AuthErrorCodes } from "@/errors";
 import type { JWT } from "next-auth/jwt";
-// https://github.com/nextauthjs/next-auth/issues/11028
-
-export class BackendRefusedError extends AuthError {
- static type = "BackendRefusedError";
-}
-
 import { getApiURL } from "@/utils/apiUrl";
 import {
 AuthType,
@@ -24,6 +18,12 @@ import {
 NoAuthTenant,
 } from "@/utils/authenticationType";
 import type { User } from "next-auth";
+import { ProxyAgent, fetch as undici } from "undici";
+
+// https://github.com/nextauthjs/next-auth/issues/11028
+export class BackendRefusedError extends AuthError {
+ static type = "BackendRefusedError";
+}
 
 // Determine auth type with backward compatibility
 const authTypeEnv = process.env.AUTH_TYPE;
@@ -36,13 +36,15 @@ const authType =
 ? AuthType.NOAUTH
 : (authTypeEnv as AuthType);
 
+// Determine proxy settings
 const proxyUrl =
 process.env.HTTP_PROXY ||
 process.env.HTTPS_PROXY ||
 process.env.http_proxy ||
 process.env.https_proxy;
 
-import { ProxyAgent, fetch as undici } from "undici";
+// used only if proxyUrl is set
+// currently tested only on Azure AD
 function proxyFetch(
 ...args: Parameters
 ): ReturnType {
@@ -75,12 +77,6 @@ function proxyFetch(
 * because in Microsoft entra it already has a customFetch symbol and we need to override it.s
 */
 export const createAzureADProvider = () => {
- if (!proxyUrl) {
- console.log("Proxy is not enabled");
- } else {
- console.log("Proxy is enabled:", proxyUrl);
- }
-
 // Step 1: Create the base provider
 const baseConfig = {
 clientId: process.env.KEEP_AZUREAD_CLIENT_ID!,
diff --git a/proxy/squid.conf b/proxy/squid.conf
index e36a34687..2e569360f 100644
--- a/proxy/squid.conf
+++ b/proxy/squid.conf
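Review bot: The proxy selection in the third hunk, `const proxyUrl = process.env.HTTP_PROXY || process.env.HTTPS_PROXY || …`, lets `HTTP_PROXY` win over `HTTPS_PROXY` even though the Azure AD endpoints this is written for are HTTPS, and it never consults `NO_PROXY`/`no_proxy`; if proxyFetch (its body lies outside the hunk) routes every request through the ProxyAgent, internal calls such as the backend reached via getApiURL would also traverse the proxy whenever any of these variables is set. A more conventional order is `process.env.HTTPS_PROXY || process.env.https_proxy || process.env.HTTP_PROXY || process.env.http_proxy`, with an explicit note if `NO_PROXY` is intentionally ignored. The two added comment lines (`// used only if proxyUrl is set`, `// currently tested only on Azure AD`) would serve better as a TSDoc block on proxyFetch stating which variables are read, their precedence, and that the URL may carry credentials in its userinfo and must therefore never be logged whole, which also records why the `console.log("Proxy is enabled:", proxyUrl)` lines were removed in the last hunk.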
@@ -1,26 +1,31 @@
 # Port configurations
 http_port 3128
-dns_nameservers 8.8.8.8 8.8.4.4 # Google DNS servers, adjust as needed
 
 # DNS configurations
+dns_nameservers 8.8.8.8 8.8.4.4
 dns_v4_first on
-dns_timeout 5 seconds
-positive_dns_ttl 24 hours
-negative_dns_ttl 1 minutes
 
-# Allow all clients in our Docker network
-acl localnet src 172.16.0.0/12
+# ACL definitions
+acl SSL_ports port 443
+acl Safe_ports port 80 # http
+acl Safe_ports port 443 # https
+acl Safe_ports port 1025-65535 # unprivileged ports
+acl CONNECT method CONNECT
+acl localnet src 172.16.0.0/12 # Docker network
+
+# Access rules - order is important
+http_access deny !Safe_ports
+http_access deny CONNECT !SSL_ports
+http_access allow localnet
 http_access allow all
 
-# Basic settings
+# Logging
+debug_options ALL,1 28,3
+
+# Cache settings
 cache_dir ufs /var/spool/squid 100 16 256
 coredump_dir /var/spool/squid
 
-# DNS cache settings
-ipcache_size 1024
-ipcache_low 90
-ipcache_high 95
-
 # Refresh patterns
 refresh_pattern ^ftp: 1440 20% 10080
 refresh_pattern ^gopher: 1440 0% 1440
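Review bot: The unchanged `http_access allow all` that still closes the access rules admits every client able to reach port 3128, so the new `http_access allow localnet` line and the `# Access rules - order is important` comment have no effect and the Docker-network restriction the localnet ACL describes is not actually enforced. The conventional closing rule is `http_access deny all`, which makes the preceding allow rule meaningful; if unrestricted access is intended for a throwaway local setup, a comment saying so would keep the next reader from assuming the ACLs are doing work. `debug_options ALL,1 28,3` raises section 28 (access control, if I read Squid's section numbering correctly) to level 3, which is troubleshooting-grade verbosity for a long-running proxy; a comment marking it as temporary, or `ALL,1` for the committed default, seems safer. The removed `dns_timeout`, `positive_dns_ttl`, `negative_dns_ttl` and `ipcache_*` lines are dropped without explanation; if that is deliberate tuning, the commit message should say so.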