Closed sunk926 closed 5 months ago
Hello @sunk926 👋, I'm here to help you with any issues you're experiencing with the Dify software. I can assist with bug fixes, answer questions, and guide you on how to contribute. Let me know how I can assist you!
To resolve errors in the code execution module when HTTP-PROXY is configured in Dify version 0.6.10 on a self-hosted Docker environment, you can use the following Nginx proxy configuration:
```nginx
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_buffering off;
proxy_read_timeout 3600s;
proxy_send_timeout 3600s;
```
Additionally, ensure that your `docker-compose.middleware.yaml` file includes the correct environment variables for the sandbox service to properly configure the HTTP and HTTPS proxies:
```yaml
version: '3'
services:
  sandbox:
    image: langgenius/dify-sandbox:0.2.1
    restart: always
    environment:
      API_KEY: dify-sandbox
      GIN_MODE: 'release'
      WORKER_TIMEOUT: 15
      ENABLE_NETWORK: 'true'
      HTTP_PROXY: 'http://ssrf_proxy:3128'
      HTTPS_PROXY: 'http://ssrf_proxy:3128'
      SANDBOX_PORT: 8194
    volumes:
      - ./volumes/sandbox/dependencies:/dependencies
    networks:
      - ssrf_proxy_network
  ssrf_proxy:
    image: ubuntu/squid:latest
    restart: always
    ports:
      - "3128:3128"
      - "8194:8194"
    volumes:
      - ./volumes/ssrf_proxy/squid.conf:/etc/squid/squid.conf
    networks:
      - ssrf_proxy_network
      - default
networks:
  ssrf_proxy_network:
    driver: bridge
    internal: true
```
This configuration ensures that the necessary headers are set correctly, timeouts are appropriately configured to handle long-running requests, and the HTTP/HTTPS proxy settings are correctly applied to the sandbox service [1][2][3].
To continue talking to Dosu, mention @dosu.
I saw the following information in the Hysteria output log...
2024-06-10T10:59:37Z ERROR HTTP error {"addr": "172.31.0.7:59124", "reqURL": "http://sandbox:8194/v1/sandbox/dependencies?language=python3", "error": "Get \"http://sandbox:8194/v1/sandbox/dependencies?language=python3\": dial error: resolve error: lookup sandbox on 8.8.8.8:53: no such host"}
2024-06-10T10:59:40Z ERROR HTTP error {"addr": "172.31.0.7:59126", "reqURL": "http://sandbox:8194/v1/sandbox/run", "error": "Post \"http://sandbox:8194/v1/sandbox/run\": dial error: resolve error: lookup sandbox on 8.8.8.8:53: no such host"}
I believe that the configuration of "HTTP_PROXY" might be causing the local URL http://sandbox/ to be proxied by "HTTP_PROXY". However, my hysteria client is unable to handle this issue. Could you please suggest any other methods to resolve this problem?
```yaml
version: '3'
services:
  # API service
  api:
    image: langgenius/dify-api:0.6.10
    restart: always
    environment:
      HTTP_PROXY: 'http://192.168.8.6:10809'
      HTTPS_PROXY: 'http://192.168.8.6:10809'
      # Startup mode, 'api' starts the API server.
      MODE: api
      ...
```
My docker-compose.yaml is fine
```yaml
  # The DifySandbox
  sandbox:
    image: langgenius/dify-sandbox:0.2.1
    restart: always
    environment:
      # The DifySandbox configurations
      # Make sure you are changing this key for your deployment with a strong key.
      # You can generate a strong key using `openssl rand -base64 42`.
      API_KEY: dify-sandbox
      GIN_MODE: 'release'
      WORKER_TIMEOUT: 15
      ENABLE_NETWORK: 'true'
      HTTP_PROXY: 'http://ssrf_proxy:3128'
      HTTPS_PROXY: 'http://ssrf_proxy:3128'
      SANDBOX_PORT: 8194
    volumes:
      - ./volumes/sandbox/dependencies:/dependencies
    networks:
      - ssrf_proxy_network
  # ssrf_proxy server
  # for more information, please refer to
  # https://docs.dify.ai/getting-started/install-self-hosted/install-faq#id-16.-why-is-ssrf_proxy-needed
  ssrf_proxy:
    image: ubuntu/squid:latest
    restart: always
    ports:
      - "3128:3128"
      - "8194:8194"
    volumes:
      # pls clearly modify the squid.conf file to fit your network environment.
      - ./volumes/ssrf_proxy/squid.conf:/etc/squid/squid.conf
    networks:
      - ssrf_proxy_network
      - default
```
The issue you're experiencing is likely due to the `HTTP_PROXY` and `HTTPS_PROXY` environment variables causing the local URL `http://sandbox/` to be proxied, which is not intended. To resolve this, you can set the `NO_PROXY` environment variable to exclude the local addresses from being proxied.
You can modify your `docker-compose.yaml` file to include the `NO_PROXY` environment variable for the `api` and `sandbox` services. Here is the updated configuration:
```yaml
version: '3'
services:
  # API service
  api:
    image: langgenius/dify-api:0.6.10
    restart: always
    environment:
      HTTP_PROXY: 'http://192.168.8.6:10809'
      HTTPS_PROXY: 'http://192.168.8.6:10809'
      NO_PROXY: 'localhost,127.0.0.1,sandbox'
      MODE: api
      ...
  # The DifySandbox
  sandbox:
    image: langgenius/dify-sandbox:0.2.1
    restart: always
    environment:
      API_KEY: dify-sandbox
      GIN_MODE: 'release'
      WORKER_TIMEOUT: 15
      ENABLE_NETWORK: 'true'
      HTTP_PROXY: 'http://ssrf_proxy:3128'
      HTTPS_PROXY: 'http://ssrf_proxy:3128'
      NO_PROXY: 'localhost,127.0.0.1,sandbox'
      SANDBOX_PORT: 8194
    volumes:
      - ./volumes/sandbox/dependencies:/dependencies
    networks:
      - ssrf_proxy_network
  # ssrf_proxy server
  ssrf_proxy:
    image: ubuntu/squid:latest
    restart: always
    ports:
      - "3128:3128"
      - "8194:8194"
    volumes:
      - ./volumes/ssrf_proxy/squid.conf:/etc/squid/squid.conf
    networks:
      - ssrf_proxy_network
      - default
```
Additionally, ensure that your `squid.conf` file is correctly configured to handle the reverse proxy to the sandbox. Here is an example configuration:
```
acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost
http_access allow localnet
http_access deny all

################################## Proxy Server ################################
http_port 3128
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern \/(Packages|Sources)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
refresh_pattern \/Release(|\.gpg)$ 0 0% 0 refresh-ims
refresh_pattern \/InRelease$ 0 0% 0 refresh-ims
refresh_pattern \/(Translation-.*)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
refresh_pattern . 0 20% 4320
logfile_rotate 0

# upstream proxy, set to your own upstream proxy IP to avoid SSRF attacks
# cache_peer 172.1.1.1 parent 3128 0 no-query no-digest no-netdb-exchange default

################################## Reverse Proxy To Sandbox ################################
http_port 8194 accel vhost
cache_peer sandbox parent 8194 0 no-query originserver
acl src_all src all
http_access allow src_all
```
By adding `NO_PROXY: 'localhost,127.0.0.1,sandbox'`, you instruct the services to bypass the proxy for the specified addresses, which should resolve the DNS resolution errors for the `sandbox` service. Additionally, the `squid.conf` configuration ensures that the reverse proxy to the sandbox is correctly set up [1][2][3].
Thank you very much. The problem has been resolved 👍
You're welcome! I'm glad to hear that the problem has been resolved. If you have any more questions or need further assistance, feel free to reach out. Happy coding! 👍
How was it resolved? Was it by adding no_proxy?
@sunk926
How was it resolved? Was it by adding no_proxy?
```yaml
version: '3'
services:
  api:
    image: langgenius/dify-api:0.6.10
    restart: always
    environment:
      HTTP_PROXY: 'http://192.168.8.6:10809'
      HTTPS_PROXY: 'http://192.168.8.6:10809'
      NO_PROXY: 'localhost,127.0.0.1,192.168.8.6,weaviate,sandbox,.bigmodel.cn,.aliyun.com'
      ...
```
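The routing decision behind the fix, as an added example that is not part of the thread or of Dify's code: it applies a simplified NO_PROXY rule (exact host name or domain suffix) to the `api` environment before and after the change. Real HTTP clients differ in details such as lowercase variable names, ports and CIDR entries, and the sample URLs other than the two from the error log are constructed.

```python
from urllib.parse import urlsplit

def bypasses_proxy(host: str, no_proxy: str) -> bool:
    """True if host matches a NO_PROXY entry: exact name or domain suffix."""
    host = host.lower().rstrip(".")
    for entry in no_proxy.split(","):
        entry = entry.strip().lower().lstrip(".")
        if not entry:
            continue
        if entry == "*" or host == entry or host.endswith("." + entry):
            return True
    return False

def route(url: str, env: dict) -> str:
    """Return 'direct' or the proxy URL a client with this environment would use."""
    parts = urlsplit(url)
    proxy = env.get(parts.scheme.upper() + "_PROXY")
    if not proxy or bypasses_proxy(parts.hostname or "", env.get("NO_PROXY", "")):
        return "direct"
    return proxy

# Environment of the api service as posted in the thread, before and after the fix.
BEFORE = {
    "HTTP_PROXY": "http://192.168.8.6:10809",
    "HTTPS_PROXY": "http://192.168.8.6:10809",
}
AFTER = dict(
    BEFORE,
    NO_PROXY="localhost,127.0.0.1,192.168.8.6,weaviate,sandbox,.bigmodel.cn,.aliyun.com",
)

# The first two URLs come from the error log; the rest are constructed samples.
URLS = [
    "http://sandbox:8194/v1/sandbox/run",
    "http://sandbox:8194/v1/sandbox/dependencies?language=python3",
    "http://weaviate:8080/v1/meta",
    "https://api.bigmodel.cn/v1",
    "https://api.example.com/v1",
]

def report(env: dict) -> dict:
    """Map every sample URL to the route chosen under env."""
    return {url: route(url, env) for url in URLS}

if __name__ == "__main__":
    for name, env in (("before", BEFORE), ("after", AFTER)):
        print(name)
        for url, via in report(env).items():
            print(f"  {url} -> {via}")
```

Before the change every request, including the Compose-internal `sandbox` name, is handed to the upstream proxy, which is where the `lookup sandbox on 8.8.8.8:53` errors come from. Every NO_PROXY entry is also a destination that no longer passes through that proxy, so suffix entries such as `.bigmodel.cn` send those external calls out directly.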
Self Checks
Dify version
0.6.10
Cloud or Self Hosted
Self Hosted (Docker)
Steps to reproduce
Perhaps there is a conflict below
```yaml
HTTP_PROXY: 'http://192.168.8.6:10809'
HTTPS_PROXY: 'http://192.168.8.6:10809'
...
SSRF_PROXY_HTTP_URL: 'http://ssrf_proxy:3128'
SSRF_PROXY_HTTPS_URL: 'http://ssrf_proxy:3128'
```
✔️ Expected Behavior
No response
❌ Actual Behavior
No response