langgenius / dify

Dify is an open-source LLM app development platform. Dify's intuitive interface combines AI workflow, RAG pipeline, agent capabilities, model management, observability features and more, letting you quickly go from prototype to production.
https://dify.ai

When Dify logs in, some requested URLs return the 401 status code. #7452

Open lonnys opened 3 weeks ago

lonnys commented 3 weeks ago

Self Checks

Dify version

Version 0.7.1

Cloud or Self Hosted

Self Hosted (Docker)

Steps to reproduce

When Dify logs in, it will prompt "Invalid Authorization header format. Expected 'Bearer <api-key>' format." [image] and some requested URLs return the 401 status code. [image] Although this does not affect the final login, if I use the Nginx proxy and use LDAP to verify the intranet users, these three 401 errors will cause the LDAP verification to fail. Is there any way to avoid this problem and make the server return a normal status?

✔️ Expected Behavior

During the request process, the URL returns normal status codes instead of abnormal status codes

❌ Actual Behavior

The following three URLs returned the 401 abnormal status code:

/console/api/apps?page=1&limit=30&name=
/console/api/account/profile
/console/api/workspaces/current?

dosubot[bot] commented 3 weeks ago

To avoid the 401 status code errors for the URLs /console/api/apps?page=1&limit=30&name=, /console/api/account/profile, and /console/api/workspaces/current when using Nginx proxy and LDAP for user verification in Dify version 0.7.1, you need to ensure that the Nginx configuration properly handles authentication and passes the necessary headers to the backend API.

Here is an example of how you might modify your Nginx configuration to include LDAP authentication and ensure that the necessary headers are passed:

server {
    listen 80;
    server_name _;

    # LDAP authentication configuration
    # Note: the nginx-auth-ldap module also needs a matching
    # `ldap_server ldap_server { ... }` block (url, binddn, filters)
    # in the http context; it is not shown here.
    auth_ldap "LDAP Authentication";
    auth_ldap_servers ldap_server;

    location /console/api {
      auth_ldap "Restricted";
      proxy_pass http://api:5001;
      include proxy.conf;
      proxy_set_header Authorization $http_authorization;
    }

    location /api {
      auth_ldap "Restricted";
      proxy_pass http://api:5001;
      include proxy.conf;
      proxy_set_header Authorization $http_authorization;
    }

    location /v1 {
      auth_ldap "Restricted";
      proxy_pass http://api:5001;
      include proxy.conf;
      proxy_set_header Authorization $http_authorization;
    }

    location /files {
      auth_ldap "Restricted";
      proxy_pass http://api:5001;
      include proxy.conf;
      proxy_set_header Authorization $http_authorization;
    }

    location / {
      proxy_pass http://web:3000;
      include proxy.conf;
    }

    # If you want to support HTTPS, please uncomment the code snippet below
    #listen 443 ssl;
    #ssl_certificate ./../ssl/your_cert_file.cer;
    #ssl_certificate_key ./../ssl/your_cert_key.key;
    #ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;  # TLSv1.1 is deprecated (RFC 8996); prefer TLSv1.2 TLSv1.3 only
    #ssl_prefer_server_ciphers on;
    #ssl_session_cache shared:SSL:10m;
    #ssl_session_timeout 10m;
}

In this configuration:

Make sure you have the necessary LDAP configuration and modules enabled in your Nginx setup [1].

To continue talking to Dosu, mention @dosu.

lonnys commented 3 weeks ago

The above-mentioned Nginx configuration method was tried, but it still didn't work.

laipz8200 commented 3 weeks ago

Hi @lonnys,

Could you please check if the signin request (the second one in the image) is returning the correct token? It seems like the login failure might be causing this issue.

Thanks!

lonnys commented 3 weeks ago

Before logging in, the correct token cannot be obtained. When I first visited the domain name, in the request list, these three URLs directly returned the 401 status code without performing the login operation. But if the login is successful, these three URLs can obtain the correct token. My requirement is: When visiting Dify for the first time, even without logging in, the status code of these three URLs should be 200 instead of other abnormal status codes, without affecting the LDAP verification before accessing the host.
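The distinction made in the comments above (401s on the three console endpoints before a successful sign-in are the frontend probing for a session; 401s on the same endpoints after a successful sign-in mean the Bearer token is not reaching the API) can be checked from the proxy's access log. The following triage script is an added example, not code from the issue or from the Dify project; it assumes Nginx's default "combined" log format, that the sign-in request is a POST to /console/api/login, and uses constructed log lines.

```python
import re
from collections import defaultdict

# Nginx "combined" format: ip - user [time] "METHOD path HTTP/x" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)

# The three console endpoints named in the issue (query strings are ignored).
PROBE_PATHS = {
    "/console/api/apps",
    "/console/api/account/profile",
    "/console/api/workspaces/current",
}
LOGIN_PATH = "/console/api/login"  # assumed sign-in endpoint (hypothetical)


def triage(lines):
    """Count, per client IP, 401s on the probe endpoints seen before and after
    that client's first successful POST to LOGIN_PATH. Returns (report, skipped),
    where skipped is the number of lines that did not match the log format."""
    logged_in = set()
    report = defaultdict(lambda: {"before_login": 0, "after_login": 0})
    skipped = 0
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            skipped += 1
            continue
        ip, status = m["ip"], int(m["status"])
        path = m["path"].split("?", 1)[0]  # drop "?page=1..." and bare "?"
        if path == LOGIN_PATH and m["method"] == "POST" and status == 200:
            logged_in.add(ip)  # from here on, 401s for this client are suspicious
        elif path in PROBE_PATHS and status == 401:
            report[ip]["after_login" if ip in logged_in else "before_login"] += 1
    return dict(report), skipped


# Constructed sample: one client probes, signs in, then succeeds; another signs in
# and still gets a 401; one line is deliberately unparseable.
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Aug/2024:10:00:01 +0000] "GET /console/api/apps?page=1&limit=30&name= HTTP/1.1" 401 58 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [20/Aug/2024:10:00:01 +0000] "GET /console/api/account/profile HTTP/1.1" 401 58 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [20/Aug/2024:10:00:01 +0000] "GET /console/api/workspaces/current? HTTP/1.1" 401 58 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [20/Aug/2024:10:00:09 +0000] "POST /console/api/login HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [20/Aug/2024:10:00:10 +0000] "GET /console/api/account/profile HTTP/1.1" 200 540 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [20/Aug/2024:10:05:00 +0000] "POST /console/api/login HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [20/Aug/2024:10:05:01 +0000] "GET /console/api/workspaces/current? HTTP/1.1" 401 58 "-" "Mozilla/5.0"',
    'not a log line',
]
```

Run `triage(SAMPLE_LOG)`: only the second client's 401 is flagged as after_login, which is the case worth investigating; the first client's three pre-login 401s are the expected behaviour described in the thread.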