Open lonnys opened 3 weeks ago
To avoid the 401 status code errors for the URLs /console/api/apps?page=1&limit=30&name=
, /console/api/account/profile
, and /console/api/workspaces/current
when using Nginx proxy and LDAP for user verification in Dify version 0.7.1, you need to ensure that the Nginx configuration properly handles authentication and passes the necessary headers to the backend API.
Here is an example of how you might modify your Nginx configuration to include LDAP authentication and ensure that the necessary headers are passed:
server {
listen 80;
server_name _;
# LDAP authentication configuration
auth_ldap "LDAP Authentication";
auth_ldap_servers ldap_server;
location /console/api {
auth_ldap "Restricted";
proxy_pass http://api:5001;
include proxy.conf;
proxy_set_header Authorization $http_authorization;
}
location /api {
auth_ldap "Restricted";
proxy_pass http://api:5001;
include proxy.conf;
proxy_set_header Authorization $http_authorization;
}
location /v1 {
auth_ldap "Restricted";
proxy_pass http://api:5001;
include proxy.conf;
proxy_set_header Authorization $http_authorization;
}
location /files {
auth_ldap "Restricted";
proxy_pass http://api:5001;
include proxy.conf;
proxy_set_header Authorization $http_authorization;
}
location / {
proxy_pass http://web:3000;
include proxy.conf;
}
# If you want to support HTTPS, please uncomment the code snippet below
#listen 443 ssl;
#ssl_certificate ./../ssl/your_cert_file.cer;
#ssl_certificate_key ./../ssl/your_cert_key.key;
#ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
#ssl_prefer_server_ciphers on;
#ssl_session_cache shared:SSL:10m;
#ssl_session_timeout 10m;
}
In this configuration:
auth_ldap
is used to enable LDAP authentication for the specified locations.proxy_set_header Authorization $http_authorization;
ensures that the Authorization
header is passed to the backend API, which is necessary for user verification.Make sure you have the necessary LDAP configuration and modules enabled in your Nginx setup [1].
To continue talking to Dosu, mention @dosu.
The above-mentioned Nginx configuration method was tried, but it still didn't work.
Hi @lonnys,
Could you please check if the signin request (the second one in the image) is returning the correct token? It seems like the login failure might be causing this issue.
Thanks!
Before logging in, the correct token cannot be obtained. When I first visited the domain name, in the request list, these three URLs directly returned the 401 status code without performing the login operation. But if the login is successful, these three URLs can obtain the correct token. My requirement is: When visiting Dify for the first time, even without logging in, the status code of these three URLs should be 200 instead of other abnormal status codes, without affecting the LDAP verification before accessing the host.
Self Checks
Dify version
Version 0.7.1
Cloud or Self Hosted
Self Hosted (Docker)
Steps to reproduce
When Dify logs in, it will prompt
Invalid Authorization header format. Expected 'Bearer <api-key>' format.
and some requested URLs return the 401 status code. Although this does not affect the final login, if I use the Nginx proxy and use LDAP to verify the intranet users, these three 401 errors will cause the LDAP verification to fail. Is there any way to avoid this problem and make the server return a normal status?✔️ Expected Behavior
During the request process, the URL returns normal status codes instead of abnormal status codes
❌ Actual Behavior
The following three URLs returned the 401 abnormal status code /console/api/apps?page=1&limit=30&name= /console/api/account/profile /console/api/workspaces/current?