From b55b5c925f348b36b44363c9bf3ebf4f9b7fe428 Mon Sep 17 00:00:00 2001
From: ThinhHV
Date: Thu, 9 Apr 2026 07:24:43 +0000
Subject: [PATCH] feat(proxy): update SSRF protection handling for aliases in configuration
---
 README.md | 3 +--
 src/app.rs | 2 +-
 2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index bf4dc35..863fd22 100644
--- a/README.md
+++ b/README.md
@@ -273,8 +273,7 @@ GET /300x200,webp/mycdn:/photos/dog.jpg
 GET /proxy?url=mycdn:/photos/dog.jpg&w=300
 ```
-- Aliases bypass `PP_ALLOWED_HOSTS` (operator-controlled, implicitly trusted)
-- SSRF protection (private IP blocking) still applies
+- Aliases bypass `PP_ALLOWED_HOSTS` and private IP blocking.
 - Base URL must be `http://` or `https://`
 ## Development
diff --git a/src/app.rs b/src/app.rs
index 5505463..d58d103 100644
--- a/src/app.rs
+++ b/src/app.rs
@@ -60,7 +60,7 @@ pub async fn router(
 cfg.max_source_bytes,
 Arc::new(Allowlist::new(vec![])),
 )
- .with_private_ip_check(check_private),
+ .with_private_ip_check(false), // aliases are defined in server config, bypass SSRF
 );
 let alias_s3 = s3.clone().map(|x| x as Arc);
 let alias_local = local.clone().map(|x| x as Arc);
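Review bot: Passing `false` to `with_private_ip_check` on the alias fetcher in `src/app.rs` turns private-IP blocking off for every alias unconditionally and discards the operator's `check_private` setting, while the same builder is already given an empty `Allowlist::new(vec![])`, so alias fetches would run with neither control. Only the alias base URL comes from server config; the part after `mycdn:` is taken from the request, and if this fetcher follows redirects or resolves the host at fetch time (not visible in this hunk), a trusted base can still end up at a loopback, link-local or metadata address. I would keep `check_private` as the default and make the bypass an explicit opt-in, for example `.with_private_ip_check(check_private && !alias_allow_private)`, where `alias_allow_private` is a placeholder for a new config flag that defaults to false. The body of `router` starts and ends outside the hunk, so how `check_private` is derived is not shown.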