From 325cf9f64864edfcafef7998a285304eadcc287b Mon Sep 17 00:00:00 2001 From: wangys <3401275564@qq.com> Date: Thu, 27 Nov 2025 18:22:53 +0800 Subject: [PATCH 1/3] =?UTF-8?q?dify=20=20=E4=BF=AE=E6=94=B9?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- docker/dify/docker-compose.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docker/dify/docker-compose.yaml b/docker/dify/docker-compose.yaml index de2e394..3e855d7 100644 --- a/docker/dify/docker-compose.yaml +++ b/docker/dify/docker-compose.yaml @@ -770,8 +770,8 @@ services: # The PostgreSQL database. db_postgres: image: postgres:15-alpine - profiles: - - postgresql + # profiles: + # - postgresql restart: always environment: POSTGRES_USER: ${POSTGRES_USER:-postgres} @@ -1041,8 +1041,8 @@ services: # The Weaviate vector store. weaviate: image: semitechnologies/weaviate:1.27.0 - profiles: - - weaviate + # profiles: + # - weaviate restart: always volumes: # Mount the Weaviate data directory to the con tainer. From 801edc8d8d3c154effa87bfdc5de120a2a50b503 Mon Sep 17 00:00:00 2001 
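Review bot: Commenting out `profiles:` on `db_postgres` (and on `weaviate` in the second hunk) makes both services start on every `docker compose up`, whatever `DB_TYPE` and `VECTOR_STORE` select. The `.env` in this series still sets `COMPOSE_PROFILES=${VECTOR_STORE:-weaviate},${DB_TYPE:-postgresql}`, so the defaults should already activate these two profiles; if they did not start, the cause is more likely that `.env` was not picked up. A deployment that chooses another database would now also run an unused Postgres whose user falls back to `${POSTGRES_USER:-postgres}`. If the services really must be unconditional, delete the two lines rather than leaving them commented out, and give the reason in the commit message. Both service definitions continue outside the hunks.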
From: wangys <3401275564@qq.com> Date: Fri, 28 Nov 2025 10:39:43 +0800 Subject: [PATCH 2/3] =?UTF-8?q?=E6=9B=B4=E6=96=B0=E9=83=A8=E7=BD=B2?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- doc/部署.md | 1 + docker/dify/.env | 2 +- .../config/users.d/custom_users_config.xml | 17 -- .../volumes/oceanbase/init.d/vec_memory.sql | 1 - .../opensearch/opensearch_dashboards.yml | 222 ------------------ docker/dify/volumes/sandbox/conf/config.yaml | 14 -- .../volumes/sandbox/conf/config.yaml.example | 35 --- 7 files changed, 2 insertions(+), 290 deletions(-) delete mode 100644 docker/dify/volumes/myscale/config/users.d/custom_users_config.xml delete mode 100644 docker/dify/volumes/oceanbase/init.d/vec_memory.sql delete mode 100644 docker/dify/volumes/opensearch/opensearch_dashboards.yml delete mode 100644 docker/dify/volumes/sandbox/conf/config.yaml delete mode 100644 docker/dify/volumes/sandbox/conf/config.yaml.example diff --git a/doc/部署.md b/doc/部署.md index 80e39d0..9b60033 100644 --- a/doc/部署.md +++ b/doc/部署.md @@ -71,6 +71,7 @@ docker-compose restart ```bash cd docker/dify docker-compose up -d +sudo chown -R 1001:1001 ./volumes/app/storage # 新版dify用非root用户启动,需要修改docker卷的权限 ``` ## 配置dify工作流 diff --git a/docker/dify/.env b/docker/dify/.env index 09063a5..1bcdc84 100644 --- a/docker/dify/.env +++ b/docker/dify/.env @@ -1265,7 +1265,7 @@ COMPOSE_PROFILES=${VECTOR_STORE:-weaviate},${DB_TYPE:-postgresql} # ------------------------------ # Docker Compose Service Expose Host Port Configurations # ------------------------------ -EXPOSE_NGINX_PORT=80 +EXPOSE_NGINX_PORT=8000 EXPOSE_NGINX_SSL_PORT=443 # ---------------------------------------------------------------------------- diff --git a/docker/dify/volumes/myscale/config/users.d/custom_users_config.xml b/docker/dify/volumes/myscale/config/users.d/custom_users_config.xml deleted file mode 100644 index b46e73a..0000000 
--- a/docker/dify/volumes/myscale/config/users.d/custom_users_config.xml +++ /dev/null @@ -1,17 +0,0 @@ - - - - - - ::1 - 127.0.0.1 - 10.0.0.0/8 - 172.16.0.0/12 - 192.168.0.0/16 - - default - default - 1 - - - diff --git a/docker/dify/volumes/oceanbase/init.d/vec_memory.sql b/docker/dify/volumes/oceanbase/init.d/vec_memory.sql deleted file mode 100644 index 0d859e5..0000000 --- a/docker/dify/volumes/oceanbase/init.d/vec_memory.sql +++ /dev/null @@ -1 +0,0 @@ -ALTER SYSTEM SET ob_vector_memory_limit_percentage = 30; diff --git a/docker/dify/volumes/opensearch/opensearch_dashboards.yml b/docker/dify/volumes/opensearch/opensearch_dashboards.yml deleted file mode 100644 index f50d63b..0000000 --- a/docker/dify/volumes/opensearch/opensearch_dashboards.yml +++ /dev/null 
@@ -1,222 +0,0 @@ ---- -# Copyright OpenSearch Contributors -# SPDX-License-Identifier: Apache-2.0 - -# Description: -# Default configuration for OpenSearch Dashboards - -# OpenSearch Dashboards is served by a back end server. This setting specifies the port to use. -# server.port: 5601 - -# Specifies the address to which the OpenSearch Dashboards server will bind. IP addresses and host names are both valid values. -# The default is 'localhost', which usually means remote machines will not be able to connect. -# To allow connections from remote users, set this parameter to a non-loopback address. -# server.host: "localhost" - -# Enables you to specify a path to mount OpenSearch Dashboards at if you are running behind a proxy. -# Use the `server.rewriteBasePath` setting to tell OpenSearch Dashboards if it should remove the basePath -# from requests it receives, and to prevent a deprecation warning at startup. -# This setting cannot end in a slash. -# server.basePath: "" - -# Specifies whether OpenSearch Dashboards should rewrite requests that are prefixed with -# `server.basePath` or require that they are rewritten by your reverse proxy. -# server.rewriteBasePath: false - -# The maximum payload size in bytes for incoming server requests. -# server.maxPayloadBytes: 1048576 - -# The OpenSearch Dashboards server's name. This is used for display purposes. -# server.name: "your-hostname" - -# The URLs of the OpenSearch instances to use for all your queries. -# opensearch.hosts: ["http://localhost:9200"] - -# OpenSearch Dashboards uses an index in OpenSearch to store saved searches, visualizations and -# dashboards. OpenSearch Dashboards creates a new index if the index doesn't already exist. -# opensearchDashboards.index: ".opensearch_dashboards" - -# The default application to load. -# opensearchDashboards.defaultAppId: "home" - -# Setting for an optimized healthcheck that only uses the local OpenSearch node to do Dashboards healthcheck. 
-# This settings should be used for large clusters or for clusters with ingest heavy nodes. -# It allows Dashboards to only healthcheck using the local OpenSearch node rather than fan out requests across all nodes. -# -# It requires the user to create an OpenSearch node attribute with the same name as the value used in the setting -# This node attribute should assign all nodes of the same cluster an integer value that increments with each new cluster that is spun up -# e.g. in opensearch.yml file you would set the value to a setting using node.attr.cluster_id: -# Should only be enabled if there is a corresponding node attribute created in your OpenSearch config that matches the value here -# opensearch.optimizedHealthcheckId: "cluster_id" - -# If your OpenSearch is protected with basic authentication, these settings provide -# the username and password that the OpenSearch Dashboards server uses to perform maintenance on the OpenSearch Dashboards -# index at startup. Your OpenSearch Dashboards users still need to authenticate with OpenSearch, which -# is proxied through the OpenSearch Dashboards server. -# opensearch.username: "opensearch_dashboards_system" -# opensearch.password: "pass" - -# Enables SSL and paths to the PEM-format SSL certificate and SSL key files, respectively. -# These settings enable SSL for outgoing requests from the OpenSearch Dashboards server to the browser. -# server.ssl.enabled: false -# server.ssl.certificate: /path/to/your/server.crt -# server.ssl.key: /path/to/your/server.key - -# Optional settings that provide the paths to the PEM-format SSL certificate and key files. -# These files are used to verify the identity of OpenSearch Dashboards to OpenSearch and are required when -# xpack.security.http.ssl.client_authentication in OpenSearch is set to required. 
-# opensearch.ssl.certificate: /path/to/your/client.crt -# opensearch.ssl.key: /path/to/your/client.key - -# Optional setting that enables you to specify a path to the PEM file for the certificate -# authority for your OpenSearch instance. -# opensearch.ssl.certificateAuthorities: [ "/path/to/your/CA.pem" ] - -# To disregard the validity of SSL certificates, change this setting's value to 'none'. -# opensearch.ssl.verificationMode: full - -# Time in milliseconds to wait for OpenSearch to respond to pings. Defaults to the value of -# the opensearch.requestTimeout setting. -# opensearch.pingTimeout: 1500 - -# Time in milliseconds to wait for responses from the back end or OpenSearch. This value -# must be a positive integer. -# opensearch.requestTimeout: 30000 - -# List of OpenSearch Dashboards client-side headers to send to OpenSearch. To send *no* client-side -# headers, set this value to [] (an empty list). -# opensearch.requestHeadersWhitelist: [ authorization ] - -# Header names and values that are sent to OpenSearch. Any custom headers cannot be overwritten -# by client-side headers, regardless of the opensearch.requestHeadersWhitelist configuration. -# opensearch.customHeaders: {} - -# Time in milliseconds for OpenSearch to wait for responses from shards. Set to 0 to disable. -# opensearch.shardTimeout: 30000 - -# Logs queries sent to OpenSearch. Requires logging.verbose set to true. -# opensearch.logQueries: false - -# Specifies the path where OpenSearch Dashboards creates the process ID file. -# pid.file: /var/run/opensearchDashboards.pid - -# Enables you to specify a file where OpenSearch Dashboards stores log output. -# logging.dest: stdout - -# Set the value of this setting to true to suppress all logging output. -# logging.silent: false - -# Set the value of this setting to true to suppress all logging output other than error messages. 
-# logging.quiet: false - -# Set the value of this setting to true to log all events, including system usage information -# and all requests. -# logging.verbose: false - -# Set the interval in milliseconds to sample system and process performance -# metrics. Minimum is 100ms. Defaults to 5000. -# ops.interval: 5000 - -# Specifies locale to be used for all localizable strings, dates and number formats. -# Supported languages are the following: English - en , by default , Chinese - zh-CN . -# i18n.locale: "en" - -# Set the allowlist to check input graphite Url. Allowlist is the default check list. -# vis_type_timeline.graphiteAllowedUrls: ['https://www.hostedgraphite.com/UID/ACCESS_KEY/graphite'] - -# Set the blocklist to check input graphite Url. Blocklist is an IP list. -# Below is an example for reference -# vis_type_timeline.graphiteBlockedIPs: [ -# //Loopback -# '127.0.0.0/8', -# '::1/128', -# //Link-local Address for IPv6 -# 'fe80::/10', -# //Private IP address for IPv4 -# '10.0.0.0/8', -# '172.16.0.0/12', -# '192.168.0.0/16', -# //Unique local address (ULA) -# 'fc00::/7', -# //Reserved IP address -# '0.0.0.0/8', -# '100.64.0.0/10', -# '192.0.0.0/24', -# '192.0.2.0/24', -# '198.18.0.0/15', -# '192.88.99.0/24', -# '198.51.100.0/24', -# '203.0.113.0/24', -# '224.0.0.0/4', -# '240.0.0.0/4', -# '255.255.255.255/32', -# '::/128', -# '2001:db8::/32', -# 'ff00::/8', -# ] -# vis_type_timeline.graphiteBlockedIPs: [] - -# opensearchDashboards.branding: -# logo: -# defaultUrl: "" -# darkModeUrl: "" -# mark: -# defaultUrl: "" -# darkModeUrl: "" -# loadingLogo: -# defaultUrl: "" -# darkModeUrl: "" -# faviconUrl: "" -# applicationTitle: "" - -# Set the value of this setting to true to capture region blocked warnings and errors -# for your map rendering services. -# map.showRegionBlockedWarning: false% - -# Set the value of this setting to false to suppress search usage telemetry -# for reducing the load of OpenSearch cluster. 
-# data.search.usageTelemetry.enabled: false - -# 2.4 renames 'wizard.enabled: false' to 'vis_builder.enabled: false' -# Set the value of this setting to false to disable VisBuilder -# functionality in Visualization. -# vis_builder.enabled: false - -# 2.4 New Experimental Feature -# Set the value of this setting to true to enable the experimental multiple data source -# support feature. Use with caution. -# data_source.enabled: false -# Set the value of these settings to customize crypto materials to encryption saved credentials -# in data sources. -# data_source.encryption.wrappingKeyName: 'changeme' -# data_source.encryption.wrappingKeyNamespace: 'changeme' -# data_source.encryption.wrappingKey: [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - -# 2.6 New ML Commons Dashboards Feature -# Set the value of this setting to true to enable the ml commons dashboards -# ml_commons_dashboards.enabled: false - -# 2.12 New experimental Assistant Dashboards Feature -# Set the value of this setting to true to enable the assistant dashboards -# assistant.chat.enabled: false - -# 2.13 New Query Assistant Feature -# Set the value of this setting to false to disable the query assistant -# observability.query_assist.enabled: false - -# 2.14 Enable Ui Metric Collectors in Usage Collector -# Set the value of this setting to true to enable UI Metric collections -# usageCollection.uiMetric.enabled: false - -opensearch.hosts: [https://localhost:9200] -opensearch.ssl.verificationMode: none -opensearch.username: admin -opensearch.password: 'Qazwsxedc!@#123' -opensearch.requestHeadersWhitelist: [authorization, securitytenant] - -opensearch_security.multitenancy.enabled: true -opensearch_security.multitenancy.tenants.preferred: [Private, Global] -opensearch_security.readonly_mode.roles: [kibana_read_only] -# Use this setting if you are running opensearch-dashboards without https -opensearch_security.cookie.secure: false -server.host: '0.0.0.0' 
diff --git a/docker/dify/volumes/sandbox/conf/config.yaml b/docker/dify/volumes/sandbox/conf/config.yaml deleted file mode 100644 index 8c1a1de..0000000 --- a/docker/dify/volumes/sandbox/conf/config.yaml +++ /dev/null @@ -1,14 +0,0 @@ -app: - port: 8194 - debug: True - key: dify-sandbox -max_workers: 4 -max_requests: 50 -worker_timeout: 5 -python_path: /usr/local/bin/python3 -enable_network: True # please make sure there is no network risk in your environment -allowed_syscalls: # please leave it empty if you have no idea how seccomp works -proxy: - socks5: '' - http: '' - https: '' diff --git a/docker/dify/volumes/sandbox/conf/config.yaml.example b/docker/dify/volumes/sandbox/conf/config.yaml.example deleted file mode 100644 index f92c19e..0000000 --- a/docker/dify/volumes/sandbox/conf/config.yaml.example +++ /dev/null @@ -1,35 +0,0 @@ -app: - port: 8194 - debug: True - key: dify-sandbox -max_workers: 4 -max_requests: 50 -worker_timeout: 5 -python_path: /usr/local/bin/python3 -python_lib_path: - - /usr/local/lib/python3.10 - - /usr/lib/python3.10 - - /usr/lib/python3 - - /usr/lib/x86_64-linux-gnu - - /etc/ssl/certs/ca-certificates.crt - - /etc/nsswitch.conf - - /etc/hosts - - /etc/resolv.conf - - /run/systemd/resolve/stub-resolv.conf - - /run/resolvconf/resolv.conf - - /etc/localtime - - /usr/share/zoneinfo - - /etc/timezone - # add more paths if needed -python_pip_mirror_url: https://pypi.tuna.tsinghua.edu.cn/simple -nodejs_path: /usr/local/bin/node -enable_network: True -allowed_syscalls: - - 1 - - 2 - - 3 - # add all the syscalls which you require -proxy: - socks5: '' - http: '' - https: '' From bbe8866ccec07598eaea14ec6c7314eb7d470fc3 Mon Sep 17 00:00:00 2001 
From: wangys <3401275564@qq.com> Date: Fri, 28 Nov 2025 14:56:10 +0800 Subject: [PATCH 3/3] =?UTF-8?q?dify=E4=BF=AE=E6=94=B9=E5=B7=A5=E4=BD=9C?= =?UTF-8?q?=E6=B5=81?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- docker/dify/.env | 4 +--- docker/dify/.env.example | 2 -- docker/dify/docker-compose-template.yaml | 2 +- docker/dify/docker-compose.yaml | 8 +++++--- docker/dify/version | 1 - schoolNewsServ/.bin/dify/动态知识库检索.yml | 4 ++-- 6 files changed, 9 insertions(+), 12 deletions(-) delete mode 100644 docker/dify/version diff --git a/docker/dify/.env b/docker/dify/.env index 1bcdc84..d52bacb 100644 --- a/docker/dify/.env +++ b/docker/dify/.env @@ -133,8 +133,6 @@ ACCESS_TOKEN_EXPIRE_MINUTES=60 # Refresh token expiration time in days REFRESH_TOKEN_EXPIRE_DAYS=30 -# The default number of active requests for the application, where 0 means unlimited, should be a non-negative integer. -APP_DEFAULT_ACTIVE_REQUESTS=0 # The maximum number of active requests for the application, where 0 means unlimited, should be a non-negative integer. APP_MAX_ACTIVE_REQUESTS=0 APP_MAX_EXECUTION_TIME=1200 @@ -1333,8 +1331,8 @@ PLUGIN_STDIO_MAX_BUFFER_SIZE=5242880 PLUGIN_PYTHON_ENV_INIT_TIMEOUT=120 PLUGIN_MAX_EXECUTION_TIMEOUT=600 -# PIP_MIRROR_URL=https://pypi.tuna.tsinghua.edu.cn/simple PIP_MIRROR_URL=https://pypi.tuna.tsinghua.edu.cn/simple +# PIP_MIRROR_URL= # https://github.com/langgenius/dify-plugin-daemon/blob/main/.env.example # Plugin storage type, local aws_s3 tencent_cos azure_blob aliyun_oss volcengine_tos diff --git a/docker/dify/.env.example b/docker/dify/.env.example index c9981ba..0bfdc6b 100644 --- a/docker/dify/.env.example +++ b/docker/dify/.env.example 
@@ -133,8 +133,6 @@ ACCESS_TOKEN_EXPIRE_MINUTES=60 # Refresh token expiration time in days REFRESH_TOKEN_EXPIRE_DAYS=30 -# The default number of active requests for the application, where 0 means unlimited, should be a non-negative integer. -APP_DEFAULT_ACTIVE_REQUESTS=0 # The maximum number of active requests for the application, where 0 means unlimited, should be a non-negative integer. APP_MAX_ACTIVE_REQUESTS=0 APP_MAX_EXECUTION_TIME=1200 diff --git a/docker/dify/docker-compose-template.yaml b/docker/dify/docker-compose-template.yaml index 703a60e..975c926 100644 --- a/docker/dify/docker-compose-template.yaml +++ b/docker/dify/docker-compose-template.yaml @@ -676,7 +676,7 @@ services: milvus-standalone: container_name: milvus-standalone - image: milvusdb/milvus:v2.6.3 + image: milvusdb/milvus:v2.5.15 profiles: - milvus command: ["milvus", "run", "standalone"] diff --git a/docker/dify/docker-compose.yaml b/docker/dify/docker-compose.yaml index 3e855d7..d49c818 100644 --- a/docker/dify/docker-compose.yaml +++ b/docker/dify/docker-compose.yaml @@ -34,7 +34,6 @@ x-shared-env: &shared-api-worker-env FILES_ACCESS_TIMEOUT: ${FILES_ACCESS_TIMEOUT:-300} ACCESS_TOKEN_EXPIRE_MINUTES: ${ACCESS_TOKEN_EXPIRE_MINUTES:-60} REFRESH_TOKEN_EXPIRE_DAYS: ${REFRESH_TOKEN_EXPIRE_DAYS:-30} - APP_DEFAULT_ACTIVE_REQUESTS: ${APP_DEFAULT_ACTIVE_REQUESTS:-0} APP_MAX_ACTIVE_REQUESTS: ${APP_MAX_ACTIVE_REQUESTS:-0} APP_MAX_EXECUTION_TIME: ${APP_MAX_EXECUTION_TIME:-1200} DIFY_BIND_ADDRESS: ${DIFY_BIND_ADDRESS:-0.0.0.0} @@ -1037,6 +1036,9 @@ services: ports: - "${EXPOSE_NGINX_PORT:-80}:${NGINX_PORT:-80}" - "${EXPOSE_NGINX_SSL_PORT:-443}:${NGINX_SSL_PORT:-443}" + networks: + - ssrf_proxy_network + - default # The Weaviate vector store. weaviate: @@ -1311,7 +1313,7 @@ services: milvus-standalone: container_name: milvus-standalone - image: milvusdb/milvus:v2.6.3 + image: milvusdb/milvus:v2.5.15 profiles: - milvus command: ["milvus", "run", "standalone"] 
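Review bot: The added `networks:` block in the `@@ -1037,6 +1036,9 @@` hunk attaches the service that publishes `${EXPOSE_NGINX_PORT:-80}` to `ssrf_proxy_network`, which the compose file itself describes as the network between sandbox, api and ssrf_proxy that cannot reach outside. That gives containers on the isolated network a direct path to the front proxy, and presumably through it to the API, without passing ssrf_proxy. If the only goal is for the workflow HTTP node to reach `http://nginx:80`, consider permitting that destination in the ssrf_proxy configuration instead, or at least add a comment above the block such as `# nginx joins ssrf_proxy_network only so workflow HTTP nodes can call the dataset API`. The service definition starts outside the hunk, so I am inferring from the `ports:` context that this is nginx.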
@@ -1500,7 +1502,7 @@ networks: # create a network between sandbox, api and ssrf_proxy, and can not access outside. ssrf_proxy_network: driver: bridge - internal: true + internal: true # 修改为false以允许访问外部网络(如192.168.0.64) milvus: driver: bridge opensearch-net: diff --git a/docker/dify/version b/docker/dify/version deleted file mode 100644 index e33692a..0000000 --- a/docker/dify/version +++ /dev/null @@ -1 +0,0 @@ -1.10.1 \ No newline at end of file diff --git a/schoolNewsServ/.bin/dify/动态知识库检索.yml b/schoolNewsServ/.bin/dify/动态知识库检索.yml index 285eec0..c2ed436 100644 --- a/schoolNewsServ/.bin/dify/动态知识库检索.yml +++ b/schoolNewsServ/.bin/dify/动态知识库检索.yml @@ -250,7 +250,7 @@ workflow: }' type: json desc: '' - headers: 'Authorization:Bearer dataset-HeDK9gHBqPnI4rBZ2q2Hm7rV + headers: 'Authorization:Bearer dataset-DCyO89dHNWmsXMzJaWCCQOKo Content-Type:application/json' isInIteration: true @@ -270,7 +270,7 @@ workflow: max_write_timeout: 0 title: HTTP 请求 type: http-request - url: http://192.168.0.64:7700/v1/datasets/{{#1747125586388.item#}}/retrieve + url: http://nginx:80/v1/datasets/{{#1747125586388.item#}}/retrieve variables: [] height: 157 id: '1747125795256'
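Review bot: The comment added after `internal: true` tells the next operator to set it to `false` in order to reach hosts such as 192.168.0.64, which would remove the egress restriction for every container on `ssrf_proxy_network`, the sandbox included. The context line above it documents the opposite intent (the network "can not access outside"). I would replace it with a comment that keeps the guard, for example `internal: true  # keep true; outbound calls from workflows must go through ssrf_proxy`, and record any needed internal destination in the proxy configuration instead. The file's other comments are in English, so the new one should be too.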
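Review bot: The `headers` value in the first hunk of the workflow file hard-codes a dataset API key as a Bearer token in a file tracked by git, and the removed line leaves the previous key in history as well. Both keys should be treated as exposed and rotated, and the workflow should reference a secret-type environment variable instead, e.g. `Authorization:Bearer {{#env.DATASET_API_KEY#}}` (the variable name is a placeholder). The second hunk now sends that token to `http://nginx:80` in clear text, which is acceptable only while the call never leaves the compose network. The HTTP request node starts and ends outside both hunks.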