
Putting the whole dify (LLMOps) site behind HTTPS and Google authentication

dify itself seemed to support HTTPS as well, but I chose to put a separate nginx HTTPS reverse proxy in front of it, terminate TLS there, and require Google authentication for the entire site, including the dify apps (e.g. https://dify.example.com/completion/XXXX).

Obtaining a certificate from Let's Encrypt

mkdir -p certbot/conf certbot/www
# -p must come before the image name: it is a docker run option (publish port 80
# for certbot's standalone HTTP-01 challenge), not a certbot option.
sudo docker run -it --rm --name certbot \
            -p "80:80" \
            -v "$(pwd)/certbot/conf:/etc/letsencrypt" \
            -v "$(pwd)/certbot/www:/var/lib/letsencrypt" \
            certbot/certbot certonly \
            -d "dify.example.com" \
            --standalone \
            --agree-tos

Next, change the owner so the certificate files can be read from the other Docker containers:

sudo chown -R `whoami`:docker certbot

Starting a few new services with Docker Compose

git diff
diff --git a/docker/docker-compose.yaml b/docker/docker-compose.yaml
index edd4106b..3fd5495c 100644
--- a/docker/docker-compose.yaml
+++ b/docker/docker-compose.yaml
@@ -461,9 +461,40 @@ services:
     depends_on:
       - api
       - web
+    #ports:
+      #- "80:80"
+      #- "443:443"
+
+  ssl-proxy:
+    image: nginx:latest
     ports:
       - "80:80"
-      #- "443:443"
+      - "443:443"
+    volumes:
+      - ./ssl-proxy/conf:/etc/nginx/conf.d
+      - ./certbot/www:/var/www/certbot
+      - ./certbot/conf:/etc/letsencrypt
+    restart: always
+
+  certbot:
+    image: certbot/certbot:latest
+    volumes:
+      - ./certbot/www:/var/www/certbot
+      - ./certbot/conf:/etc/letsencrypt
+    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
+
+  oauth2_proxy:
+    image: quay.io/oauth2-proxy/oauth2-proxy:v7.2.1
+    restart: always
+    volumes:
+      - ./oauth2_proxy/oauth2_proxy.cfg:/etc/oauth2_proxy.cfg
+    command:
+      - --config=/etc/oauth2_proxy.cfg
+        #ports:
+      # - "4180:4180"
+    depends_on:
+      - ssl-proxy
+
 networks:
   # create a network between sandbox, api and ssrf_proxy, and can not access outside.
   ssrf_proxy_network:
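Review bot: the renew loop in the `certbot` service's `entrypoint:` will fail as written: the certificate was issued with `--standalone`, so `certbot renew` tries to bind port 80, which `ssl-proxy` now holds via `"80:80"`. Either re-issue with `--webroot -w /var/www/certbot` (the path both containers already mount and which the nginx config serves under `/.well-known/acme-challenge/`) or add those webroot settings to the renewal config, and add a `--deploy-hook` (or a periodic `nginx -s reload` in `ssl-proxy`) since nginx keeps serving the old certificate until it reloads. Also, `depends_on: - ssl-proxy` under `oauth2_proxy` is backwards: `ssl-proxy` is the one that references `oauth2_proxy` in its `proxy_pass`, and nginx resolves upstream hostnames at startup, so the dependency belongs on `ssl-proxy` (`depends_on: - oauth2_proxy`). Minor: pin `nginx:latest` to a version, and the commented `#ports:` lines under `command:` are indented one level too deep.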

nginx configuration for the HTTPS reverse proxy

# ssl-proxy/conf/app.conf
server {
    listen 80;
    server_name dify.example.com;

    # Let the ACME HTTP-01 challenge through over plain HTTP
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    # Everything else is sent to HTTPS
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name dify.example.com;

    ssl_certificate /etc/letsencrypt/live/dify.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/dify.example.com/privkey.pem;

    # oauth2-proxy's own endpoints (sign_in, callback, ...)
    location /oauth2/ {
        proxy_pass http://oauth2_proxy:4180/oauth2/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Send the user back to the page they originally asked for after login
        proxy_set_header X-Auth-Request-Redirect $request_uri;
    }

    # Subrequest target for auth_request. Only the session cookie matters here,
    # so the body is dropped; otherwise a POST with a body (e.g. a dify API
    # call) makes oauth2-proxy wait for a body that nginx never forwards.
    location = /oauth2/auth {
        proxy_pass http://oauth2_proxy:4180/oauth2/auth;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Content-Length "";
        proxy_pass_request_body off;
    }

    # The whole site, dify's own nginx included: every request is checked
    # against oauth2-proxy first; unauthenticated ones get the sign-in page.
    location / {
        auth_request /oauth2/auth;
        error_page 401 = /oauth2/sign_in;

        proxy_pass http://nginx:80;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Google authentication with OAuth2 Proxy

I set up Google authentication by following the page below.

# oauth2_proxy/oauth2_proxy.cfg
provider = "google"
# OAuth client from the Google Cloud console; its authorized redirect URI
# must match redirect_url below exactly
client_id = "xxxx.apps.googleusercontent.com"
client_secret = "YYYYXXXX"
redirect_url = "https://dify.example.com/oauth2/callback"
# Only Google accounts in this domain may sign in
email_domains = ["example.com"]
# Placeholder: oauth2-proxy refuses to start unless this is 16, 24 or 32 bytes
# (raw, or after base64 decoding). Generate one with, for example:
#   python3 -c 'import os,base64; print(base64.urlsafe_b64encode(os.urandom(32)).decode())'
cookie_secret = "REPLACE_WITH_GENERATED_32_BYTE_SECRET"
# Not used for app traffic in the auth_request setup (nginx proxies to dify
# itself), but oauth2-proxy requires at least one upstream
upstreams = "http://nginx:3000/"
http_address = ":4180"
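As an added example (not code from the post, from dify or from oauth2-proxy), here is a pre-flight checker for the two configuration files above, the nginx reverse proxy config and oauth2_proxy.cfg. It applies the same length rule to `cookie_secret` that oauth2-proxy applies at startup (16, 24 or 32 bytes, either raw or after URL-safe base64 decoding, so a short placeholder like `"secret!"` is rejected), generates a valid secret, and cross-checks `redirect_url`, `http_address` and the `auth_request` protection against the ssl-proxy nginx config. The embedded config strings are constructed for this example, and the function names are my own.

```python
import base64
import binascii
import os
import re

# Constructed sample inputs: the post's oauth2_proxy.cfg with its short
# placeholder cookie secret, and the parts of ssl-proxy/conf/app.conf that
# the cross-check looks at.
OAUTH2_CFG = '''
provider = "google"
client_id = "xxxx.apps.googleusercontent.com"
client_secret = "YYYYXXXX"
redirect_url = "https://dify.example.com/oauth2/callback"
email_domains = ["example.com"]
cookie_secret = "secret!"
upstreams = "http://nginx:3000/"
http_address = ":4180"
'''

NGINX_CONF = '''
server {
    listen 443 ssl;
    server_name dify.example.com;
    location /oauth2/ {
        proxy_pass http://oauth2_proxy:4180/oauth2/;
    }
    location = /oauth2/auth {
        proxy_pass http://oauth2_proxy:4180/oauth2/auth;
    }
    location / {
        auth_request /oauth2/auth;
        error_page 401 = /oauth2/sign_in;
        proxy_pass http://nginx:80;
    }
}
'''

AES_KEY_LENGTHS = (16, 24, 32)


def parse_cfg(text):
    """Parse the flat `key = value` TOML subset oauth2_proxy.cfg uses:
    quoted strings become str, ["a", "b"] arrays become lists of str."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        cfg[key] = re.findall(r'"([^"]*)"', value) if value.startswith("[") else value.strip('"')
    return cfg


def secret_bytes(secret):
    """Key bytes oauth2-proxy derives from cookie_secret: URL-safe base64 that
    decodes to an AES key length is used decoded, anything else is used raw."""
    padded = secret + "=" * (-len(secret) % 4)
    try:
        decoded = base64.b64decode(padded.replace("-", "+").replace("_", "/"), validate=True)
        if len(decoded) in AES_KEY_LENGTHS:
            return decoded
    except binascii.Error:
        pass
    return secret.encode()


def cookie_secret_ok(secret):
    return len(secret_bytes(secret)) in AES_KEY_LENGTHS


def generate_cookie_secret():
    """32 random bytes as URL-safe base64, the form oauth2-proxy's docs suggest."""
    return base64.urlsafe_b64encode(os.urandom(32)).decode()


def check_proxy_chain(cfg, nginx_conf):
    """Cross-check oauth2_proxy.cfg against the nginx front end; returns a list
    of problems, empty when the two configs agree."""
    problems = []
    if not cookie_secret_ok(cfg.get("cookie_secret", "")):
        problems.append("cookie_secret must be 16, 24 or 32 bytes (raw or base64-decoded)")
    match = re.match(r"https://([^/]+)(/.*)", cfg.get("redirect_url", ""))
    if not match:
        problems.append("redirect_url must be an https:// URL")
        return problems
    host, path = match.groups()
    if host not in re.findall(r"server_name\s+([^;]+);", nginx_conf):
        problems.append(f"redirect_url host {host} is not a server_name in nginx")
    locations = re.findall(r"location\s+(?:=\s+)?(\S+)\s*\{", nginx_conf)
    if not any(path.startswith(loc) for loc in locations if loc.startswith("/oauth2")):
        problems.append(f"no nginx location forwards {path} to oauth2_proxy")
    port = cfg.get("http_address", ":4180").rsplit(":", 1)[-1]
    for target in set(re.findall(r"proxy_pass\s+http://oauth2_proxy:(\d+)", nginx_conf)):
        if target != port:
            problems.append(f"nginx proxies to oauth2_proxy:{target} but http_address is :{port}")
    if "auth_request /oauth2/auth;" not in nginx_conf:
        problems.append("location / has no auth_request: the site is not protected")
    return problems


if __name__ == "__main__":
    for problem in check_proxy_chain(parse_cfg(OAUTH2_CFG), NGINX_CONF) or ["no problems found"]:
        print(problem)
    print("fresh cookie_secret:", generate_cookie_secret())
```

Run it against the real files by reading them into the two strings; with the post's `"secret!"` the only finding is the cookie secret, and swapping in the generated value clears it. Dropping the `auth_request` line from the nginx config, or changing `http_address`, is reported as well.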

With that in place, `docker-compose up` brings dify up behind HTTPS + Google auth.