Spaces:
Running
Running
deploy: rename Dockerfile.hf -> Dockerfile on the Space side
Browse files- Dockerfile +6 -0
Dockerfile
CHANGED
|
@@ -94,6 +94,12 @@ ENV SAR_BYOK_MODE=true
|
|
| 94 |
# would still be defended; visitors who exceed the cap are nudged to
|
| 95 |
# paste their own BYOK key via the UI 429 banner.
|
| 96 |
ENV SAR_BYOK_OWNER_KEY_QUOTA_PER_HOUR=10
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 97 |
ENV SAR_SESSION_COLLECTION_TTL_HOURS=24
|
| 98 |
ENV SAR_CORS_ALLOW_ORIGINS='["https://secureagentrag-web.vercel.app","https://secureagentrag.vercel.app"]'
|
| 99 |
|
|
|
|
| 94 |
# would still be defended; visitors who exceed the cap are nudged to
|
| 95 |
# paste their own BYOK key via the UI 429 banner.
|
| 96 |
ENV SAR_BYOK_OWNER_KEY_QUOTA_PER_HOUR=10
|
| 97 |
+
# HF Spaces fronts the container with exactly one trusted reverse proxy that
|
| 98 |
+
# *appends* the peer it saw to X-Forwarded-For. Tell the throttle to read the
|
| 99 |
+
# IP one hop from the right (spoof-resistant) instead of the attacker-appendable
|
| 100 |
+
# leftmost token, so a visitor can't mint a fresh owner-key bucket per request
|
| 101 |
+
# by forging XFF. See interfaces/byok.py::client_ip_from_request.
|
| 102 |
+
ENV SAR_BYOK_XFF_TRUSTED_HOPS=1
|
| 103 |
ENV SAR_SESSION_COLLECTION_TTL_HOURS=24
|
| 104 |
ENV SAR_CORS_ALLOW_ORIGINS='["https://secureagentrag-web.vercel.app","https://secureagentrag.vercel.app"]'
|
| 105 |
|