LLMOpsのdifyをHTTPSとGoogle認証でサイト全体を防御する
dify自体もHTTPSに対応しているぽかったけど、別にnginxでHTTPS Reverse Proxy立ててそこでHTTPSにするのとdifyアプリ(例: https://dify.example.com/completion/XXXX)を含めたサイト全体をGoogle認証を必須にします。
Let's Encryptで証明書を取得する
mkdir certbot/conf certbot/www
sudo docker run -it --rm --name certbot \
-v "./certbot/conf:/etc/letsencrypt" \
-v "./certbot/www:/var/lib/letsencrypt" \
certbot/certbot certonly \
-d "dify.example.com" \
-p "80:80" \
--standalone \
--agree-tos
続いて他のdockerからアクセスできるようにownerを変更します
sudo chown -R `whoami`:docker certbotDocker Composeで新しいサービスをいくつか起動する
git diff
diff --git a/docker/docker-compose.yaml b/docker/docker-compose.yaml
index edd4106b..3fd5495c 100644
--- a/docker/docker-compose.yaml
+++ b/docker/docker-compose.yaml
@@ -461,9 +461,40 @@ services:
depends_on:
- api
- web
+ #ports:
+ #- "80:80"
+ #- "443:443"
+
+ ssl-proxy:
+ image: nginx:latest
ports:
- "80:80"
- #- "443:443"
+ - "443:443"
+ volumes:
+ - ./ssl-proxy/conf:/etc/nginx/conf.d
+ - ./certbot/www:/var/www/certbot
+ - ./certbot/conf:/etc/letsencrypt
+ restart: always
+
+ certbot:
+ image: certbot/certbot:latest
+ volumes:
+ - ./certbot/www:/var/www/certbot
+ - ./certbot/conf:/etc/letsencrypt
+ entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
+
+ oauth2_proxy:
+ image: quay.io/oauth2-proxy/oauth2-proxy:v7.2.1
+ restart: always
+ volumes:
+ - ./oauth2_proxy/oauth2_proxy.cfg:/etc/oauth2_proxy.cfg
+ command:
+ - --config=/etc/oauth2_proxy.cfg
+ #ports:
+ # - "4180:4180"
+ depends_on:
+ - ssl-proxy
+
networks:
# create a network between sandbox, api and ssrf_proxy, and can not access outside.
ssrf_proxy_network:nginxを使ったHTTPSのreverse proxyの設定
# ssl-proxy/conf/app.conf
server {
listen 80;
server_name dify.example.com;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
listen 443 ssl;
server_name dify.example.com;
ssl_certificate /etc/letsencrypt/live/dify.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/dify.example.com/privkey.pem;
location /oauth2/ {
proxy_pass http://oauth2_proxy:4180/oauth2/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
location = /oauth2/auth {
proxy_pass http://oauth2_proxy:4180/oauth2/auth;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
location / {
auth_request /oauth2/auth;
error_page 401 = /oauth2/sign_in;
proxy_pass http://nginx:80;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}OAuth2 Proxyを使ってGoogle認証
下記のページを参考にGoogle認証の設定します。
# oauth2_proxy/oauth2_proxy.cfg
provider = "google"
client_id = "xxxx.apps.googleusercontent.com"
client_secret = "YYYYXXXX"
redirect_url = "https://dify.example.com/oauth2/callback"
email_domains = ["example.com"]
cookie_secret = "secret!"
upstreams = "http://nginx:3000/"
http_address = ":4180"これで`docker-compose up`すればdifyがhttps+Google Authで起動します