| author | Mohamed Bassem <me@mbassem.com> | 2025-11-02 17:19:28 +0000 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2025-11-02 17:19:28 +0000 |
| commit | b63a49fc3980296c6a6ea6ac0624142e8af94d52 (patch) | |
| tree | 1b1266f09f7821c0c59220895e9f28f406ebb841 /docs | |
| parent | c6ebceb9f0b13da902edd6bf722cfc961d7eedc6 (diff) | |
| download | karakeep-b63a49fc3980296c6a6ea6ac0624142e8af94d52.tar.zst | |
fix: Stricter SSRF validation (#2082)
* fix: Stricter SSRF validation
* skip dns resolution if running in proxy context
* more fixes
* Add LRU cache
* change the env variable for internal hostnames
* make dns resolution timeout configurable
* upgrade ipaddr
* handle ipv6
* handle proxy bypass for request interceptor
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/docs/03-configuration.md | 11 |
1 files changed, 6 insertions, 5 deletions
diff --git a/docs/docs/03-configuration.md b/docs/docs/03-configuration.md index 26760d6c..50280a55 100644 --- a/docs/docs/03-configuration.md +++ b/docs/docs/03-configuration.md 
@@ -222,11 +222,12 @@ Karakeep can send emails for various purposes such as email verification during If your Karakeep instance needs to connect through a proxy server, you can configure the following settings: -| Name | Required | Default | Description | -| ------------------- | -------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| CRAWLER_HTTP_PROXY | No | Not set | HTTP proxy server URL for outgoing HTTP requests (e.g., `http://proxy.example.com:8080`). You can pass multiple comma separated proxies and the used one will be chosen at random. | -| CRAWLER_HTTPS_PROXY | No | Not set | HTTPS proxy server URL for outgoing HTTPS requests (e.g., `http://proxy.example.com:8080`). You can pass multiple comma separated proxies and the used one will be chosen at random. | -| CRAWLER_NO_PROXY | No | Not set | Comma-separated list of hostnames/IPs that should bypass the proxy (e.g., `localhost,127.0.0.1,.local`) | +| Name | Required | Default | Description | +| ---------------------------------- | -------- | ------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| CRAWLER_HTTP_PROXY | No | Not set | HTTP proxy server URL for outgoing HTTP requests (e.g., `http://proxy.example.com:8080`). You can pass multiple comma separated proxies and the used one will be chosen at random. The proxy is used for crawling, RSS feed fetches and webhooks. 
| +| CRAWLER_HTTPS_PROXY | No | Not set | HTTPS proxy server URL for outgoing HTTPS requests (e.g., `http://proxy.example.com:8080`). You can pass multiple comma separated proxies and the used one will be chosen at random. The proxy is used for crawling, RSS feed fetches and webhooks. | +| CRAWLER_NO_PROXY | No | Not set | Comma-separated list of hostnames/IPs that should bypass the proxy (e.g., `localhost,127.0.0.1,.local`) | +| CRAWLER_ALLOWED_INTERNAL_HOSTNAMES | No | Not set | By default, Karakeep blocks worker-initiated requests whose DNS resolves to private, loopback, or link-local IP addresses. Use this to allowlist specific hostnames for internal access (e.g., `internal.company.com,.local`). Supports domain wildcards by prefixing with a dot (e.g., `.internal.company.com`). Note: Internal IP validation is bypassed when a proxy is configured for the URL as the local DNS resolver won't necessarily be the same as the one used by the proxy. | :::info These proxy settings will be used by the crawler and other components that make outgoing HTTP requests. |
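Review bot: In the new CRAWLER_ALLOWED_INTERNAL_HOSTNAMES row, the sentence "Internal IP validation is bypassed when a proxy is configured for the URL" is the most security-relevant statement in this hunk, yet it sits at the end of a very long table cell where it is easy to miss. Suggest moving it into its own admonition next to the existing `:::info` block and stating the consequence for operators: once CRAWLER_HTTP_PROXY or CRAWLER_HTTPS_PROXY is set, blocking private, loopback and link-local destinations has to be enforced on the proxy, because Karakeep no longer checks the resolved address for those URLs. The row also does not say how it interacts with CRAWLER_NO_PROXY, whose example (`localhost,127.0.0.1,.local`) consists entirely of internal targets; the docs should state whether hosts that bypass the proxy are still subject to the internal IP check and therefore also need to be listed here. Finally, the example `internal.company.com,.local` allowlists an entire suffix with `.local`; a narrower example would be safer to copy, and it is worth stating whether IP literals are accepted in this variable or only hostnames.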
