keephq · shahargl · Nov 21, 2024 · Nov 21, 2024 · Nov 23, 2024 · Nov 23, 2024
diff --git a/keep-ui/auth.ts b/keep-ui/auth.ts
@@ -8,12 +8,6 @@ import MicrosoftEntraID from "next-auth/providers/microsoft-entra-id";
 import { AuthError } from "next-auth";
 import { AuthenticationError, AuthErrorCodes } from "@/errors";
 import type { JWT } from "next-auth/jwt";
-// https://github.com/nextauthjs/next-auth/issues/11028
-
-export class BackendRefusedError extends AuthError {
-  static type = "BackendRefusedError";
-}
-
 import { getApiURL } from "@/utils/apiUrl";
 import {
   AuthType,
@@ -24,6 +18,12 @@ import {
   NoAuthTenant,
 } from "@/utils/authenticationType";
 import type { User } from "next-auth";
+import { ProxyAgent, fetch as undici } from "undici";
+
+// https://github.com/nextauthjs/next-auth/issues/11028
+export class BackendRefusedError extends AuthError {
+  static type = "BackendRefusedError";
+}
 
 // Determine auth type with backward compatibility
 const authTypeEnv = process.env.AUTH_TYPE;
@@ -36,13 +36,15 @@ const authType =
     ? AuthType.NOAUTH
     : (authTypeEnv as AuthType);
 
+// Determine proxy settings
 const proxyUrl =
   process.env.HTTP_PROXY ||
   process.env.HTTPS_PROXY ||
   process.env.http_proxy ||
   process.env.https_proxy;
 
-import { ProxyAgent, fetch as undici } from "undici";
+// used only if proxyUrl is set
+// currently tested only on Azure AD
 function proxyFetch(
   ...args: Parameters<typeof fetch>
 ): ReturnType<typeof fetch> {
@@ -75,12 +77,6 @@ function proxyFetch(
  * because in Microsoft entra it already has a customFetch symbol and we need to override it.s
  */
 export const createAzureADProvider = () => {
-  if (!proxyUrl) {
-    console.log("Proxy is not enabled");
-  } else {
-    console.log("Proxy is enabled:", proxyUrl);
-  }
-
   // Step 1: Create the base provider
   const baseConfig = {
     clientId: process.env.KEEP_AZUREAD_CLIENT_ID!,

diff --git a/proxy/squid.conf b/proxy/squid.conf
@@ -1,26 +1,31 @@
 # Port configurations
 http_port 3128
-dns_nameservers 8.8.8.8 8.8.4.4  # Google DNS servers, adjust as needed
 
 # DNS configurations
+dns_nameservers 8.8.8.8 8.8.4.4
 dns_v4_first on
-dns_timeout 5 seconds
-positive_dns_ttl 24 hours
-negative_dns_ttl 1 minutes
 
-# Allow all clients in our Docker network
-acl localnet src 172.16.0.0/12
+# ACL definitions
+acl SSL_ports port 443
+acl Safe_ports port 80          # http
+acl Safe_ports port 443         # https
+acl Safe_ports port 1025-65535  # unprivileged ports
+acl CONNECT method CONNECT
+acl localnet src 172.16.0.0/12  # Docker network
+
+# Access rules - order is important
+http_access deny !Safe_ports
+http_access deny CONNECT !SSL_ports
+http_access allow localnet
 http_access allow all
 
-# Basic settings
+# Logging
+debug_options ALL,1 28,3
+
+# Cache settings
 cache_dir ufs /var/spool/squid 100 16 256
 coredump_dir /var/spool/squid
 
-# DNS cache settings
-ipcache_size 1024
-ipcache_low 90
-ipcache_high 95
-
 # Refresh patterns
 refresh_pattern ^ftp:           1440    20%     10080
 refresh_pattern ^gopher:        1440    0%      1440