Merge branch 'master' of ssh://49.234.3.145:222/wangys/schoolNews

doc/部署.md

@@ -71,6 +71,7 @@ docker-compose restart
 ```bash
 cd docker/dify
 docker-compose up -d
+sudo chown -R 1001:1001 ./volumes/app/storage # 新版dify用非root用户启动，需要修改docker卷的权限
 ```
 
 ## 配置dify工作流

docker/dify/.env

@@ -133,8 +133,6 @@ ACCESS_TOKEN_EXPIRE_MINUTES=60
 # Refresh token expiration time in days
 REFRESH_TOKEN_EXPIRE_DAYS=30
 
-# The default number of active requests for the application, where 0 means unlimited, should be a non-negative integer.
-APP_DEFAULT_ACTIVE_REQUESTS=0
 # The maximum number of active requests for the application, where 0 means unlimited, should be a non-negative integer.
 APP_MAX_ACTIVE_REQUESTS=0
 APP_MAX_EXECUTION_TIME=1200
@@ -1265,7 +1263,7 @@ COMPOSE_PROFILES=${VECTOR_STORE:-weaviate},${DB_TYPE:-postgresql}
 # ------------------------------
 # Docker Compose Service Expose Host Port Configurations
 # ------------------------------
-EXPOSE_NGINX_PORT=80
+EXPOSE_NGINX_PORT=8000
 EXPOSE_NGINX_SSL_PORT=443
 
 # ----------------------------------------------------------------------------
@@ -1333,8 +1331,8 @@ PLUGIN_STDIO_MAX_BUFFER_SIZE=5242880
 
 PLUGIN_PYTHON_ENV_INIT_TIMEOUT=120
 PLUGIN_MAX_EXECUTION_TIMEOUT=600
-# PIP_MIRROR_URL=https://pypi.tuna.tsinghua.edu.cn/simple
 PIP_MIRROR_URL=https://pypi.tuna.tsinghua.edu.cn/simple
+# PIP_MIRROR_URL=
 
 # https://github.com/langgenius/dify-plugin-daemon/blob/main/.env.example
 # Plugin storage type, local aws_s3 tencent_cos azure_blob aliyun_oss volcengine_tos

docker/dify/.env.example

@@ -133,8 +133,6 @@ ACCESS_TOKEN_EXPIRE_MINUTES=60
 # Refresh token expiration time in days
 REFRESH_TOKEN_EXPIRE_DAYS=30
 
-# The default number of active requests for the application, where 0 means unlimited, should be a non-negative integer.
-APP_DEFAULT_ACTIVE_REQUESTS=0
 # The maximum number of active requests for the application, where 0 means unlimited, should be a non-negative integer.
 APP_MAX_ACTIVE_REQUESTS=0
 APP_MAX_EXECUTION_TIME=1200

docker/dify/docker-compose-template.yaml

@@ -676,7 +676,7 @@ services:
 
   milvus-standalone:
     container_name: milvus-standalone
-    image: milvusdb/milvus:v2.6.3
+    image: milvusdb/milvus:v2.5.15
     profiles:
       - milvus
     command: ["milvus", "run", "standalone"]

docker/dify/docker-compose.yaml

@@ -34,7 +34,6 @@ x-shared-env: &shared-api-worker-env
   FILES_ACCESS_TIMEOUT: ${FILES_ACCESS_TIMEOUT:-300}
   ACCESS_TOKEN_EXPIRE_MINUTES: ${ACCESS_TOKEN_EXPIRE_MINUTES:-60}
   REFRESH_TOKEN_EXPIRE_DAYS: ${REFRESH_TOKEN_EXPIRE_DAYS:-30}
-  APP_DEFAULT_ACTIVE_REQUESTS: ${APP_DEFAULT_ACTIVE_REQUESTS:-0}
   APP_MAX_ACTIVE_REQUESTS: ${APP_MAX_ACTIVE_REQUESTS:-0}
   APP_MAX_EXECUTION_TIME: ${APP_MAX_EXECUTION_TIME:-1200}
   DIFY_BIND_ADDRESS: ${DIFY_BIND_ADDRESS:-0.0.0.0}
@@ -770,8 +769,8 @@ services:
   # The PostgreSQL database.
   db_postgres:
     image: postgres:15-alpine
-    profiles:
-      - postgresql
+    # profiles:
+    #   - postgresql
     restart: always
     environment:
       POSTGRES_USER: ${POSTGRES_USER:-postgres}
@@ -1037,12 +1036,15 @@ services:
     ports:
       - "${EXPOSE_NGINX_PORT:-80}:${NGINX_PORT:-80}"
       - "${EXPOSE_NGINX_SSL_PORT:-443}:${NGINX_SSL_PORT:-443}"
+    networks:
+      - ssrf_proxy_network
+      - default
 
   # The Weaviate vector store.
   weaviate:
     image: semitechnologies/weaviate:1.27.0
-    profiles:
-      - weaviate
+    # profiles:
+    #   - weaviate
     restart: always
     volumes:
       # Mount the Weaviate data directory to the con tainer.
@@ -1311,7 +1313,7 @@ services:
 
   milvus-standalone:
     container_name: milvus-standalone
-    image: milvusdb/milvus:v2.6.3
+    image: milvusdb/milvus:v2.5.15
     profiles:
       - milvus
     command: ["milvus", "run", "standalone"]
@@ -1500,7 +1502,7 @@ networks:
   # create a network between sandbox, api and ssrf_proxy, and can not access outside.
   ssrf_proxy_network:
     driver: bridge
-    internal: true
+    internal: true  # 修改为false以允许访问外部网络（如192.168.0.64）
   milvus:
     driver: bridge
   opensearch-net:

docker/dify/version

@@ -1 +0,0 @@
-1.10.1

docker/dify/volumes/myscale/config/users.d/custom_users_config.xml

@@ -1,17 +0,0 @@
-<clickhouse>
-    <users>
-        <default>
-            <password></password>
-            <networks>
-                <ip>::1</ip> <!-- change to ::/0 to allow access from all addresses -->
-                <ip>127.0.0.1</ip>
-                <ip>10.0.0.0/8</ip>
-                <ip>172.16.0.0/12</ip>
-                <ip>192.168.0.0/16</ip>
-            </networks>
-            <profile>default</profile>
-            <quota>default</quota>
-            <access_management>1</access_management>
-        </default>
-    </users>
-</clickhouse>

docker/dify/volumes/oceanbase/init.d/vec_memory.sql

@@ -1 +0,0 @@
-ALTER SYSTEM SET ob_vector_memory_limit_percentage = 30;

docker/dify/volumes/opensearch/opensearch_dashboards.yml

@@ -1,222 +0,0 @@
----
-# Copyright OpenSearch Contributors
-# SPDX-License-Identifier: Apache-2.0
-
-# Description:
-# Default configuration for OpenSearch Dashboards
-
-# OpenSearch Dashboards is served by a back end server. This setting specifies the port to use.
-# server.port: 5601
-
-# Specifies the address to which the OpenSearch Dashboards server will bind. IP addresses and host names are both valid values.
-# The default is 'localhost', which usually means remote machines will not be able to connect.
-# To allow connections from remote users, set this parameter to a non-loopback address.
-# server.host: "localhost"
-
-# Enables you to specify a path to mount OpenSearch Dashboards at if you are running behind a proxy.
-# Use the `server.rewriteBasePath` setting to tell OpenSearch Dashboards if it should remove the basePath
-# from requests it receives, and to prevent a deprecation warning at startup.
-# This setting cannot end in a slash.
-# server.basePath: ""
-
-# Specifies whether OpenSearch Dashboards should rewrite requests that are prefixed with
-# `server.basePath` or require that they are rewritten by your reverse proxy.
-# server.rewriteBasePath: false
-
-# The maximum payload size in bytes for incoming server requests.
-# server.maxPayloadBytes: 1048576
-
-# The OpenSearch Dashboards server's name.  This is used for display purposes.
-# server.name: "your-hostname"
-
-# The URLs of the OpenSearch instances to use for all your queries.
-# opensearch.hosts: ["http://localhost:9200"]
-
-# OpenSearch Dashboards uses an index in OpenSearch to store saved searches, visualizations and
-# dashboards. OpenSearch Dashboards creates a new index if the index doesn't already exist.
-# opensearchDashboards.index: ".opensearch_dashboards"
-
-# The default application to load.
-# opensearchDashboards.defaultAppId: "home"
-
-# Setting for an optimized healthcheck that only uses the local OpenSearch node to do Dashboards healthcheck.
-# This settings should be used for large clusters or for clusters with ingest heavy nodes.
-# It allows Dashboards to only healthcheck using the local OpenSearch node rather than fan out requests across all nodes.
-#
-# It requires the user to create an OpenSearch node attribute with the same name as the value used in the setting
-# This node attribute should assign all nodes of the same cluster an integer value that increments with each new cluster that is spun up
-# e.g. in opensearch.yml file you would set the value to a setting using node.attr.cluster_id:
-# Should only be enabled if there is a corresponding node attribute created in your OpenSearch config that matches the value here
-# opensearch.optimizedHealthcheckId: "cluster_id"
-
-# If your OpenSearch is protected with basic authentication, these settings provide
-# the username and password that the OpenSearch Dashboards server uses to perform maintenance on the OpenSearch Dashboards
-# index at startup. Your OpenSearch Dashboards users still need to authenticate with OpenSearch, which
-# is proxied through the OpenSearch Dashboards server.
-# opensearch.username: "opensearch_dashboards_system"
-# opensearch.password: "pass"
-
-# Enables SSL and paths to the PEM-format SSL certificate and SSL key files, respectively.
-# These settings enable SSL for outgoing requests from the OpenSearch Dashboards server to the browser.
-# server.ssl.enabled: false
-# server.ssl.certificate: /path/to/your/server.crt
-# server.ssl.key: /path/to/your/server.key
-
-# Optional settings that provide the paths to the PEM-format SSL certificate and key files.
-# These files are used to verify the identity of OpenSearch Dashboards to OpenSearch and are required when
-# xpack.security.http.ssl.client_authentication in OpenSearch is set to required.
-# opensearch.ssl.certificate: /path/to/your/client.crt
-# opensearch.ssl.key: /path/to/your/client.key
-
-# Optional setting that enables you to specify a path to the PEM file for the certificate
-# authority for your OpenSearch instance.
-# opensearch.ssl.certificateAuthorities: [ "/path/to/your/CA.pem" ]
-
-# To disregard the validity of SSL certificates, change this setting's value to 'none'.
-# opensearch.ssl.verificationMode: full
-
-# Time in milliseconds to wait for OpenSearch to respond to pings. Defaults to the value of
-# the opensearch.requestTimeout setting.
-# opensearch.pingTimeout: 1500
-
-# Time in milliseconds to wait for responses from the back end or OpenSearch. This value
-# must be a positive integer.
-# opensearch.requestTimeout: 30000
-
-# List of OpenSearch Dashboards client-side headers to send to OpenSearch. To send *no* client-side
-# headers, set this value to [] (an empty list).
-# opensearch.requestHeadersWhitelist: [ authorization ]
-
-# Header names and values that are sent to OpenSearch. Any custom headers cannot be overwritten
-# by client-side headers, regardless of the opensearch.requestHeadersWhitelist configuration.
-# opensearch.customHeaders: {}
-
-# Time in milliseconds for OpenSearch to wait for responses from shards. Set to 0 to disable.
-# opensearch.shardTimeout: 30000
-
-# Logs queries sent to OpenSearch. Requires logging.verbose set to true.
-# opensearch.logQueries: false
-
-# Specifies the path where OpenSearch Dashboards creates the process ID file.
-# pid.file: /var/run/opensearchDashboards.pid
-
-# Enables you to specify a file where OpenSearch Dashboards stores log output.
-# logging.dest: stdout
-
-# Set the value of this setting to true to suppress all logging output.
-# logging.silent: false
-
-# Set the value of this setting to true to suppress all logging output other than error messages.
-# logging.quiet: false
-
-# Set the value of this setting to true to log all events, including system usage information
-# and all requests.
-# logging.verbose: false
-
-# Set the interval in milliseconds to sample system and process performance
-# metrics. Minimum is 100ms. Defaults to 5000.
-# ops.interval: 5000
-
-# Specifies locale to be used for all localizable strings, dates and number formats.
-# Supported languages are the following: English - en , by default , Chinese - zh-CN .
-# i18n.locale: "en"
-
-# Set the allowlist to check input graphite Url. Allowlist is the default check list.
-# vis_type_timeline.graphiteAllowedUrls: ['https://www.hostedgraphite.com/UID/ACCESS_KEY/graphite']
-
-# Set the blocklist to check input graphite Url. Blocklist is an IP list.
-# Below is an example for reference
-# vis_type_timeline.graphiteBlockedIPs: [
-#  //Loopback
-#  '127.0.0.0/8',
-#  '::1/128',
-#  //Link-local Address for IPv6
-#  'fe80::/10',
-#  //Private IP address for IPv4
-#  '10.0.0.0/8',
-#  '172.16.0.0/12',
-#  '192.168.0.0/16',
-#  //Unique local address (ULA)
-#  'fc00::/7',
-#  //Reserved IP address
-#  '0.0.0.0/8',
-#  '100.64.0.0/10',
-#  '192.0.0.0/24',
-#  '192.0.2.0/24',
-#  '198.18.0.0/15',
-#  '192.88.99.0/24',
-#  '198.51.100.0/24',
-#  '203.0.113.0/24',
-#  '224.0.0.0/4',
-#  '240.0.0.0/4',
-#  '255.255.255.255/32',
-#  '::/128',
-#  '2001:db8::/32',
-#  'ff00::/8',
-# ]
-# vis_type_timeline.graphiteBlockedIPs: []
-
-# opensearchDashboards.branding:
-#   logo:
-#     defaultUrl: ""
-#     darkModeUrl: ""
-#   mark:
-#     defaultUrl: ""
-#     darkModeUrl: ""
-#   loadingLogo:
-#     defaultUrl: ""
-#     darkModeUrl: ""
-#   faviconUrl: ""
-#   applicationTitle: ""
-
-# Set the value of this setting to true to capture region blocked warnings and errors
-# for your map rendering services.
-# map.showRegionBlockedWarning: false%
-
-# Set the value of this setting to false to suppress search usage telemetry
-# for reducing the load of OpenSearch cluster.
-# data.search.usageTelemetry.enabled: false
-
-# 2.4 renames 'wizard.enabled: false' to 'vis_builder.enabled: false'
-# Set the value of this setting to false to disable VisBuilder
-# functionality in Visualization.
-# vis_builder.enabled: false
-
-# 2.4 New Experimental Feature
-# Set the value of this setting to true to enable the experimental multiple data source
-# support feature. Use with caution.
-# data_source.enabled: false
-# Set the value of these settings to customize crypto materials to encryption saved credentials
-# in data sources.
-# data_source.encryption.wrappingKeyName: 'changeme'
-# data_source.encryption.wrappingKeyNamespace: 'changeme'
-# data_source.encryption.wrappingKey: [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-
-# 2.6 New ML Commons Dashboards Feature
-# Set the value of this setting to true to enable the ml commons dashboards
-# ml_commons_dashboards.enabled: false
-
-# 2.12 New experimental Assistant Dashboards Feature
-# Set the value of this setting to true to enable the assistant dashboards
-# assistant.chat.enabled: false
-
-# 2.13 New Query Assistant Feature
-# Set the value of this setting to false to disable the query assistant
-# observability.query_assist.enabled: false
-
-# 2.14 Enable Ui Metric Collectors in Usage Collector
-# Set the value of this setting to true to enable UI Metric collections
-# usageCollection.uiMetric.enabled: false
-
-opensearch.hosts: [https://localhost:9200]
-opensearch.ssl.verificationMode: none
-opensearch.username: admin
-opensearch.password: 'Qazwsxedc!@#123'
-opensearch.requestHeadersWhitelist: [authorization, securitytenant]
-
-opensearch_security.multitenancy.enabled: true
-opensearch_security.multitenancy.tenants.preferred: [Private, Global]
-opensearch_security.readonly_mode.roles: [kibana_read_only]
-# Use this setting if you are running opensearch-dashboards without https
-opensearch_security.cookie.secure: false
-server.host: '0.0.0.0'

docker/dify/volumes/sandbox/conf/config.yaml

@@ -1,14 +0,0 @@
-app:
-  port: 8194
-  debug: True
-  key: dify-sandbox
-max_workers: 4
-max_requests: 50
-worker_timeout: 5
-python_path: /usr/local/bin/python3
-enable_network: True # please make sure there is no network risk in your environment
-allowed_syscalls: # please leave it empty if you have no idea how seccomp works
-proxy:
-  socks5: ''
-  http: ''
-  https: ''

docker/dify/volumes/sandbox/conf/config.yaml.example

@@ -1,35 +0,0 @@
-app:
-  port: 8194
-  debug: True
-  key: dify-sandbox
-max_workers: 4
-max_requests: 50
-worker_timeout: 5
-python_path: /usr/local/bin/python3
-python_lib_path:
-  - /usr/local/lib/python3.10
-  - /usr/lib/python3.10
-  - /usr/lib/python3
-  - /usr/lib/x86_64-linux-gnu
-  - /etc/ssl/certs/ca-certificates.crt
-  - /etc/nsswitch.conf
-  - /etc/hosts
-  - /etc/resolv.conf
-  - /run/systemd/resolve/stub-resolv.conf
-  - /run/resolvconf/resolv.conf
-  - /etc/localtime
-  - /usr/share/zoneinfo
-  - /etc/timezone
-  # add more paths if needed
-python_pip_mirror_url: https://pypi.tuna.tsinghua.edu.cn/simple
-nodejs_path: /usr/local/bin/node
-enable_network: True
-allowed_syscalls:
-  - 1
-  - 2
-  - 3
-  # add all the syscalls which you require
-proxy:
-  socks5: ''
-  http: ''
-  https: ''