17b41f6453
## Description Previously added `allowed-origins` (for CORs) is not sufficient for preventing DNS rebinding attacks. We'll have to check host headers. To test, run Toolbox with the following: ``` go run . --allowed-hosts=127.0.0.1:5000 ``` Test with the following: ``` // curl successfully curl -H "Host: 127.0.0.1:5000" http://127.0.0.1:5000 // will show Invalid Host Header error curl -H "Host: attacker:5000" http://127.0.0.1:5000 ``` ## PR Checklist > Thank you for opening a Pull Request! Before submitting your PR, there are a > few things you can do to make sure it goes smoothly: - [ ] Make sure you reviewed [CONTRIBUTING.md](https://github.com/googleapis/genai-toolbox/blob/main/CONTRIBUTING.md) - [ ] Make sure to open an issue as a [bug/issue](https://github.com/googleapis/genai-toolbox/issues/new/choose) before writing your code! That way we can discuss the change, evaluate designs, and agree on the general idea - [ ] Ensure the tests and linter pass - [ ] Code coverage does not decrease (if any source code was changed) - [ ] Appropriate docs were updated (if necessary) - [ ] Make sure to add `!` if this involve a breaking change 🛠️ Fixes #<issue_number_goes_here>
3.3 KiB
title, type, weight, description
| title | type | weight | description |
|---|---|---|---|
| Deploy using Docker Compose | docs | 4 | How to deploy Toolbox using Docker Compose. |
Before you begin
Configure tools.yaml file
Create a tools.yaml file that contains your configuration for Toolbox. For
details, see the
configuration
section.
Deploy using Docker Compose
- Create a
docker-compose.ymlfile, customizing as needed:
services:
toolbox:
# TODO: It is recommended to pin to a specific image version instead of latest.
image: us-central1-docker.pkg.dev/database-toolbox/toolbox/toolbox:latest
hostname: toolbox
platform: linux/amd64
ports:
- "5000:5000"
volumes:
- ./config:/config
command: [ "toolbox", "--tools-file", "/config/tools.yaml", "--address", "0.0.0.0"]
depends_on:
db:
condition: service_healthy
networks:
- tool-network
db:
# TODO: It is recommended to pin to a specific image version instead of latest.
image: postgres
hostname: db
environment:
POSTGRES_USER: toolbox_user
POSTGRES_PASSWORD: my-password
POSTGRES_DB: toolbox_db
ports:
- "5432:5432"
volumes:
- ./db:/var/lib/postgresql/data
# This file can be used to bootstrap your schema if needed.
# See "initialization scripts" on https://hub.docker.com/_/postgres/ for more info
- ./config/init.sql:/docker-entrypoint-initdb.d/init.sql
healthcheck:
test: ["CMD-SHELL", "pg_isready -U toolbox_user -d toolbox_db"]
interval: 10s
timeout: 5s
retries: 5
networks:
- tool-network
networks:
tool-network:
{{< notice tip >}}
To prevent DNS rebinding attack, use the --allowed-hosts flag to specify a
list of hosts for validation. E.g. command: [ "toolbox", "--tools-file", "/config/tools.yaml", "--address", "0.0.0.0", "--allowed-hosts", "localhost:5000"]
To implement CORs, use the --allowed-origins flag to specify a
list of origins permitted to access the server. E.g. command: [ "toolbox", "--tools-file", "/config/tools.yaml", "--address", "0.0.0.0", "--allowed-origins", "https://foo.bar"]
{{< /notice >}}
-
Run the following command to bring up the Toolbox and Postgres instance
docker-compose up -d
{{< notice tip >}}
You can use this setup to quickly set up Toolbox + Postgres to follow along in our Quickstart
{{< /notice >}}
Connecting with Toolbox Client SDK
Next, we will use Toolbox with the Client SDKs:
-
The url for the Toolbox server running using docker-compose will be:
http://localhost:5000 -
Import and initialize the client with the URL:
{{< tabpane persist=header >}} {{< tab header="LangChain" lang="Python" >}} from toolbox_langchain import ToolboxClient
Replace with the cloud run service URL generated above
async with ToolboxClient("http://$YOUR_URL") as toolbox: {{< /tab >}} {{< tab header="Llamaindex" lang="Python" >}} from toolbox_llamaindex import ToolboxClient
Replace with the cloud run service URL generated above
async with ToolboxClient("http://$YOUR_URL") as toolbox: {{< /tab >}} {{< /tabpane >}}