From 05a09b5b4818c891f3f5a7676ec3858129177b9e Mon Sep 17 00:00:00 2001 From: Meng Sen Date: Mon, 17 Feb 2025 14:01:14 +0800 Subject: [PATCH] =?UTF-8?q?=E5=8F=91=E5=B8=83=20Dify?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Meng Sen --- dify/0.15.3/conf/certbot/README.md | 76 ++++++ dify/0.15.3/conf/certbot/docker-entrypoint.sh | 30 +++ .../conf/certbot/update-cert.template.txt | 19 ++ dify/0.15.3/conf/couchbase-server/Dockerfile | 4 + .../conf/couchbase-server/init-cbserver.sh | 44 ++++ .../conf/elasticsearch/docker-entrypoint.sh | 25 ++ .../conf/nginx/conf.d/default.conf.template | 37 +++ dify/0.15.3/conf/nginx/docker-entrypoint.sh | 39 +++ dify/0.15.3/conf/nginx/https.conf.template | 9 + dify/0.15.3/conf/nginx/nginx.conf.template | 34 +++ dify/0.15.3/conf/nginx/proxy.conf.template | 11 + dify/0.15.3/conf/nginx/ssl/.gitkeep | 0 .../conf/ssrf_proxy/docker-entrypoint.sh | 42 ++++ .../conf/ssrf_proxy/squid.conf.template | 51 ++++ dify/0.15.3/conf/startupscripts/init.sh | 13 + .../conf/startupscripts/init_user.script | 10 + dify/0.15.3/conf/tidb/config/pd.toml | 4 + .../conf/tidb/config/tiflash-learner.toml | 13 + dify/0.15.3/conf/tidb/config/tiflash.toml | 19 ++ dify/0.15.3/conf/tidb/docker-compose.yaml | 62 +++++ .../config/users.d/custom_users_config.xml | 17 ++ .../volumes/oceanbase/init.d/vec_memory.sql | 2 + .../opensearch/opensearch_dashboards.yml | 222 ++++++++++++++++++ .../conf/volumes/sandbox/conf/config.yaml | 14 ++ .../volumes/sandbox/conf/config.yaml.example | 35 +++ .../dependencies/python-requirements.txt | 0 26 files changed, 832 insertions(+) create mode 100644 dify/0.15.3/conf/certbot/README.md create mode 100644 dify/0.15.3/conf/certbot/docker-entrypoint.sh create mode 100644 dify/0.15.3/conf/certbot/update-cert.template.txt create mode 100644 dify/0.15.3/conf/couchbase-server/Dockerfile create mode 100644 dify/0.15.3/conf/couchbase-server/init-cbserver.sh create mode 100644 dify/0.15.3/conf/elasticsearch/docker-entrypoint.sh create mode 100644 dify/0.15.3/conf/nginx/conf.d/default.conf.template create mode 100644 dify/0.15.3/conf/nginx/docker-entrypoint.sh create mode 100644 dify/0.15.3/conf/nginx/https.conf.template create mode 100644 dify/0.15.3/conf/nginx/nginx.conf.template create mode 100644 dify/0.15.3/conf/nginx/proxy.conf.template create mode 100644 dify/0.15.3/conf/nginx/ssl/.gitkeep create mode 100644 dify/0.15.3/conf/ssrf_proxy/docker-entrypoint.sh create mode 100644 dify/0.15.3/conf/ssrf_proxy/squid.conf.template create mode 100644 dify/0.15.3/conf/startupscripts/init.sh create mode 100644 dify/0.15.3/conf/startupscripts/init_user.script create mode 100644 dify/0.15.3/conf/tidb/config/pd.toml create mode 100644 dify/0.15.3/conf/tidb/config/tiflash-learner.toml create mode 100644 dify/0.15.3/conf/tidb/config/tiflash.toml create mode 100644 dify/0.15.3/conf/tidb/docker-compose.yaml create mode 100644 dify/0.15.3/conf/volumes/myscale/config/users.d/custom_users_config.xml create mode 100644 dify/0.15.3/conf/volumes/oceanbase/init.d/vec_memory.sql create mode 100644 dify/0.15.3/conf/volumes/opensearch/opensearch_dashboards.yml create mode 100644 dify/0.15.3/conf/volumes/sandbox/conf/config.yaml create mode 100644 dify/0.15.3/conf/volumes/sandbox/conf/config.yaml.example create mode 100644 dify/0.15.3/conf/volumes/sandbox/dependencies/python-requirements.txt diff --git a/dify/0.15.3/conf/certbot/README.md b/dify/0.15.3/conf/certbot/README.md new file mode 100644 index 000000000..21be34b33 --- /dev/null +++ b/dify/0.15.3/conf/certbot/README.md @@ -0,0 +1,76 @@ +# Launching new servers with SSL certificates + +## Short description + +docker compose certbot configurations with Backward compatibility (without certbot container). +Use `docker compose --profile certbot up` to use this features. + +## The simplest way for launching new servers with SSL certificates + +1. Get letsencrypt certs + set `.env` values + ```properties + NGINX_SSL_CERT_FILENAME=fullchain.pem + NGINX_SSL_CERT_KEY_FILENAME=privkey.pem + NGINX_ENABLE_CERTBOT_CHALLENGE=true + CERTBOT_DOMAIN=your_domain.com + CERTBOT_EMAIL=example@your_domain.com + ``` + execute command: + ```shell + docker network prune + docker compose --profile certbot up --force-recreate -d + ``` + then after the containers launched: + ```shell + docker compose exec -it certbot /bin/sh /update-cert.sh + ``` +2. Edit `.env` file and `docker compose --profile certbot up` again. + set `.env` value additionally + ```properties + NGINX_HTTPS_ENABLED=true + ``` + execute command: + ```shell + docker compose --profile certbot up -d --no-deps --force-recreate nginx + ``` + Then you can access your serve with HTTPS. + [https://your_domain.com](https://your_domain.com) + +## SSL certificates renewal + +For SSL certificates renewal, execute commands below: + +```shell +docker compose exec -it certbot /bin/sh /update-cert.sh +docker compose exec nginx nginx -s reload +``` + +## Options for certbot + +`CERTBOT_OPTIONS` key might be helpful for testing. i.e., + +```properties +CERTBOT_OPTIONS=--dry-run +``` + +To apply changes to `CERTBOT_OPTIONS`, regenerate the certbot container before updating the certificates. + +```shell +docker compose --profile certbot up -d --no-deps --force-recreate certbot +docker compose exec -it certbot /bin/sh /update-cert.sh +``` + +Then, reload the nginx container if necessary. + +```shell +docker compose exec nginx nginx -s reload +``` + +## For legacy servers + +To use cert files dir `nginx/ssl` as before, simply launch containers WITHOUT `--profile certbot` option. + +```shell +docker compose up -d +``` diff --git a/dify/0.15.3/conf/certbot/docker-entrypoint.sh b/dify/0.15.3/conf/certbot/docker-entrypoint.sh new file mode 100644 index 000000000..a70ecd825 --- /dev/null +++ b/dify/0.15.3/conf/certbot/docker-entrypoint.sh @@ -0,0 +1,30 @@ +#!/bin/sh +set -e + +printf '%s\n' "Docker entrypoint script is running" + +printf '%s\n' "\nChecking specific environment variables:" +printf '%s\n' "CERTBOT_EMAIL: ${CERTBOT_EMAIL:-Not set}" +printf '%s\n' "CERTBOT_DOMAIN: ${CERTBOT_DOMAIN:-Not set}" +printf '%s\n' "CERTBOT_OPTIONS: ${CERTBOT_OPTIONS:-Not set}" + +printf '%s\n' "\nChecking mounted directories:" +for dir in "/etc/letsencrypt" "/var/www/html" "/var/log/letsencrypt"; do + if [ -d "$dir" ]; then + printf '%s\n' "$dir exists. Contents:" + ls -la "$dir" + else + printf '%s\n' "$dir does not exist." + fi +done + +printf '%s\n' "\nGenerating update-cert.sh from template" +sed -e "s|\${CERTBOT_EMAIL}|$CERTBOT_EMAIL|g" \ + -e "s|\${CERTBOT_DOMAIN}|$CERTBOT_DOMAIN|g" \ + -e "s|\${CERTBOT_OPTIONS}|$CERTBOT_OPTIONS|g" \ + /update-cert.template.txt > /update-cert.sh + +chmod +x /update-cert.sh + +printf '%s\n' "\nExecuting command:" "$@" +exec "$@" diff --git a/dify/0.15.3/conf/certbot/update-cert.template.txt b/dify/0.15.3/conf/certbot/update-cert.template.txt new file mode 100644 index 000000000..16786a192 --- /dev/null +++ b/dify/0.15.3/conf/certbot/update-cert.template.txt @@ -0,0 +1,19 @@ +#!/bin/bash +set -e + +DOMAIN="${CERTBOT_DOMAIN}" +EMAIL="${CERTBOT_EMAIL}" +OPTIONS="${CERTBOT_OPTIONS}" +CERT_NAME="${DOMAIN}" # 証明書名をドメイン名と同じにする + +# Check if the certificate already exists +if [ -f "/etc/letsencrypt/renewal/${CERT_NAME}.conf" ]; then + echo "Certificate exists. Attempting to renew..." + certbot renew --noninteractive --cert-name ${CERT_NAME} --webroot --webroot-path=/var/www/html --email ${EMAIL} --agree-tos --no-eff-email ${OPTIONS} +else + echo "Certificate does not exist. Obtaining a new certificate..." + certbot certonly --noninteractive --webroot --webroot-path=/var/www/html --email ${EMAIL} --agree-tos --no-eff-email -d ${DOMAIN} ${OPTIONS} +fi +echo "Certificate operation successful" +# Note: Nginx reload should be handled outside this container +echo "Please ensure to reload Nginx to apply any certificate changes." diff --git a/dify/0.15.3/conf/couchbase-server/Dockerfile b/dify/0.15.3/conf/couchbase-server/Dockerfile new file mode 100644 index 000000000..bd8af6415 --- /dev/null +++ b/dify/0.15.3/conf/couchbase-server/Dockerfile @@ -0,0 +1,4 @@ +FROM couchbase/server:latest AS stage_base +# FROM couchbase:latest AS stage_base +COPY init-cbserver.sh /opt/couchbase/init/ +RUN chmod +x /opt/couchbase/init/init-cbserver.sh \ No newline at end of file diff --git a/dify/0.15.3/conf/couchbase-server/init-cbserver.sh b/dify/0.15.3/conf/couchbase-server/init-cbserver.sh new file mode 100644 index 000000000..e66bc1853 --- /dev/null +++ b/dify/0.15.3/conf/couchbase-server/init-cbserver.sh @@ -0,0 +1,44 @@ +#!/bin/bash +# used to start couchbase server - can't get around this as docker compose only allows you to start one command - so we have to start couchbase like the standard couchbase Dockerfile would +# https://github.com/couchbase/docker/blob/master/enterprise/couchbase-server/7.2.0/Dockerfile#L88 + +/entrypoint.sh couchbase-server & + +# track if setup is complete so we don't try to setup again +FILE=/opt/couchbase/init/setupComplete.txt + +if ! [ -f "$FILE" ]; then + # used to automatically create the cluster based on environment variables + # https://docs.couchbase.com/server/current/cli/cbcli/couchbase-cli-cluster-init.html + + echo $COUCHBASE_ADMINISTRATOR_USERNAME ":" $COUCHBASE_ADMINISTRATOR_PASSWORD + + sleep 20s + /opt/couchbase/bin/couchbase-cli cluster-init -c 127.0.0.1 \ + --cluster-username $COUCHBASE_ADMINISTRATOR_USERNAME \ + --cluster-password $COUCHBASE_ADMINISTRATOR_PASSWORD \ + --services data,index,query,fts \ + --cluster-ramsize $COUCHBASE_RAM_SIZE \ + --cluster-index-ramsize $COUCHBASE_INDEX_RAM_SIZE \ + --cluster-eventing-ramsize $COUCHBASE_EVENTING_RAM_SIZE \ + --cluster-fts-ramsize $COUCHBASE_FTS_RAM_SIZE \ + --index-storage-setting default + + sleep 2s + + # used to auto create the bucket based on environment variables + # https://docs.couchbase.com/server/current/cli/cbcli/couchbase-cli-bucket-create.html + + /opt/couchbase/bin/couchbase-cli bucket-create -c localhost:8091 \ + --username $COUCHBASE_ADMINISTRATOR_USERNAME \ + --password $COUCHBASE_ADMINISTRATOR_PASSWORD \ + --bucket $COUCHBASE_BUCKET \ + --bucket-ramsize $COUCHBASE_BUCKET_RAMSIZE \ + --bucket-type couchbase + + # create file so we know that the cluster is setup and don't run the setup again + touch $FILE +fi + # docker compose will stop the container from running unless we do this + # known issue and workaround + tail -f /dev/null diff --git a/dify/0.15.3/conf/elasticsearch/docker-entrypoint.sh b/dify/0.15.3/conf/elasticsearch/docker-entrypoint.sh new file mode 100644 index 000000000..6669aec5a --- /dev/null +++ b/dify/0.15.3/conf/elasticsearch/docker-entrypoint.sh @@ -0,0 +1,25 @@ +#!/bin/bash + +set -e + +if [ "${VECTOR_STORE}" = "elasticsearch-ja" ]; then + # Check if the ICU tokenizer plugin is installed + if ! /usr/share/elasticsearch/bin/elasticsearch-plugin list | grep -q analysis-icu; then + printf '%s\n' "Installing the ICU tokenizer plugin" + if ! /usr/share/elasticsearch/bin/elasticsearch-plugin install analysis-icu; then + printf '%s\n' "Failed to install the ICU tokenizer plugin" + exit 1 + fi + fi + # Check if the Japanese language analyzer plugin is installed + if ! /usr/share/elasticsearch/bin/elasticsearch-plugin list | grep -q analysis-kuromoji; then + printf '%s\n' "Installing the Japanese language analyzer plugin" + if ! /usr/share/elasticsearch/bin/elasticsearch-plugin install analysis-kuromoji; then + printf '%s\n' "Failed to install the Japanese language analyzer plugin" + exit 1 + fi + fi +fi + +# Run the original entrypoint script +exec /bin/tini -- /usr/local/bin/docker-entrypoint.sh diff --git a/dify/0.15.3/conf/nginx/conf.d/default.conf.template b/dify/0.15.3/conf/nginx/conf.d/default.conf.template new file mode 100644 index 000000000..9691122ce --- /dev/null +++ b/dify/0.15.3/conf/nginx/conf.d/default.conf.template @@ -0,0 +1,37 @@ +# Please do not directly edit this file. Instead, modify the .env variables related to NGINX configuration. + +server { + listen ${NGINX_PORT}; + server_name ${NGINX_SERVER_NAME}; + + location /console/api { + proxy_pass http://api:5001; + include proxy.conf; + } + + location /api { + proxy_pass http://api:5001; + include proxy.conf; + } + + location /v1 { + proxy_pass http://api:5001; + include proxy.conf; + } + + location /files { + proxy_pass http://api:5001; + include proxy.conf; + } + + location / { + proxy_pass http://web:3000; + include proxy.conf; + } + + # placeholder for acme challenge location + ${ACME_CHALLENGE_LOCATION} + + # placeholder for https config defined in https.conf.template + ${HTTPS_CONFIG} +} diff --git a/dify/0.15.3/conf/nginx/docker-entrypoint.sh b/dify/0.15.3/conf/nginx/docker-entrypoint.sh new file mode 100644 index 000000000..d343cb3ef --- /dev/null +++ b/dify/0.15.3/conf/nginx/docker-entrypoint.sh @@ -0,0 +1,39 @@ +#!/bin/bash + +if [ "${NGINX_HTTPS_ENABLED}" = "true" ]; then + # Check if the certificate and key files for the specified domain exist + if [ -n "${CERTBOT_DOMAIN}" ] && \ + [ -f "/etc/letsencrypt/live/${CERTBOT_DOMAIN}/${NGINX_SSL_CERT_FILENAME}" ] && \ + [ -f "/etc/letsencrypt/live/${CERTBOT_DOMAIN}/${NGINX_SSL_CERT_KEY_FILENAME}" ]; then + SSL_CERTIFICATE_PATH="/etc/letsencrypt/live/${CERTBOT_DOMAIN}/${NGINX_SSL_CERT_FILENAME}" + SSL_CERTIFICATE_KEY_PATH="/etc/letsencrypt/live/${CERTBOT_DOMAIN}/${NGINX_SSL_CERT_KEY_FILENAME}" + else + SSL_CERTIFICATE_PATH="/etc/ssl/${NGINX_SSL_CERT_FILENAME}" + SSL_CERTIFICATE_KEY_PATH="/etc/ssl/${NGINX_SSL_CERT_KEY_FILENAME}" + fi + export SSL_CERTIFICATE_PATH + export SSL_CERTIFICATE_KEY_PATH + + # set the HTTPS_CONFIG environment variable to the content of the https.conf.template + HTTPS_CONFIG=$(envsubst < /etc/nginx/https.conf.template) + export HTTPS_CONFIG + # Substitute the HTTPS_CONFIG in the default.conf.template with content from https.conf.template + envsubst '${HTTPS_CONFIG}' < /etc/nginx/conf.d/default.conf.template > /etc/nginx/conf.d/default.conf +fi + +if [ "${NGINX_ENABLE_CERTBOT_CHALLENGE}" = "true" ]; then + ACME_CHALLENGE_LOCATION='location /.well-known/acme-challenge/ { root /var/www/html; }' +else + ACME_CHALLENGE_LOCATION='' +fi +export ACME_CHALLENGE_LOCATION + +env_vars=$(printenv | cut -d= -f1 | sed 's/^/$/g' | paste -sd, -) + +envsubst "$env_vars" < /etc/nginx/nginx.conf.template > /etc/nginx/nginx.conf +envsubst "$env_vars" < /etc/nginx/proxy.conf.template > /etc/nginx/proxy.conf + +envsubst < /etc/nginx/conf.d/default.conf.template > /etc/nginx/conf.d/default.conf + +# Start Nginx using the default entrypoint +exec nginx -g 'daemon off;' \ No newline at end of file diff --git a/dify/0.15.3/conf/nginx/https.conf.template b/dify/0.15.3/conf/nginx/https.conf.template new file mode 100644 index 000000000..95ea36f46 --- /dev/null +++ b/dify/0.15.3/conf/nginx/https.conf.template @@ -0,0 +1,9 @@ +# Please do not directly edit this file. Instead, modify the .env variables related to NGINX configuration. + +listen ${NGINX_SSL_PORT} ssl; +ssl_certificate ${SSL_CERTIFICATE_PATH}; +ssl_certificate_key ${SSL_CERTIFICATE_KEY_PATH}; +ssl_protocols ${NGINX_SSL_PROTOCOLS}; +ssl_prefer_server_ciphers on; +ssl_session_cache shared:SSL:10m; +ssl_session_timeout 10m; \ No newline at end of file diff --git a/dify/0.15.3/conf/nginx/nginx.conf.template b/dify/0.15.3/conf/nginx/nginx.conf.template new file mode 100644 index 000000000..32a571653 --- /dev/null +++ b/dify/0.15.3/conf/nginx/nginx.conf.template @@ -0,0 +1,34 @@ +# Please do not directly edit this file. Instead, modify the .env variables related to NGINX configuration. + +user nginx; +worker_processes ${NGINX_WORKER_PROCESSES}; + +error_log /var/log/nginx/error.log notice; +pid /var/run/nginx.pid; + + +events { + worker_connections 1024; +} + + +http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + access_log /var/log/nginx/access.log main; + + sendfile on; + #tcp_nopush on; + + keepalive_timeout ${NGINX_KEEPALIVE_TIMEOUT}; + + #gzip on; + client_max_body_size ${NGINX_CLIENT_MAX_BODY_SIZE}; + + include /etc/nginx/conf.d/*.conf; +} \ No newline at end of file diff --git a/dify/0.15.3/conf/nginx/proxy.conf.template b/dify/0.15.3/conf/nginx/proxy.conf.template new file mode 100644 index 000000000..117f80614 --- /dev/null +++ b/dify/0.15.3/conf/nginx/proxy.conf.template @@ -0,0 +1,11 @@ +# Please do not directly edit this file. Instead, modify the .env variables related to NGINX configuration. + +proxy_set_header Host $host; +proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; +proxy_set_header X-Forwarded-Proto $scheme; +proxy_set_header X-Forwarded-Port $server_port; +proxy_http_version 1.1; +proxy_set_header Connection ""; +proxy_buffering off; +proxy_read_timeout ${NGINX_PROXY_READ_TIMEOUT}; +proxy_send_timeout ${NGINX_PROXY_SEND_TIMEOUT}; diff --git a/dify/0.15.3/conf/nginx/ssl/.gitkeep b/dify/0.15.3/conf/nginx/ssl/.gitkeep new file mode 100644 index 000000000..e69de29bb diff --git a/dify/0.15.3/conf/ssrf_proxy/docker-entrypoint.sh b/dify/0.15.3/conf/ssrf_proxy/docker-entrypoint.sh new file mode 100644 index 000000000..613897bb7 --- /dev/null +++ b/dify/0.15.3/conf/ssrf_proxy/docker-entrypoint.sh @@ -0,0 +1,42 @@ +#!/bin/bash + +# Modified based on Squid OCI image entrypoint + +# This entrypoint aims to forward the squid logs to stdout to assist users of +# common container related tooling (e.g., kubernetes, docker-compose, etc) to +# access the service logs. + +# Moreover, it invokes the squid binary, leaving all the desired parameters to +# be provided by the "command" passed to the spawned container. If no command +# is provided by the user, the default behavior (as per the CMD statement in +# the Dockerfile) will be to use Ubuntu's default configuration [1] and run +# squid with the "-NYC" options to mimic the behavior of the Ubuntu provided +# systemd unit. + +# [1] The default configuration is changed in the Dockerfile to allow local +# network connections. See the Dockerfile for further information. + +echo "[ENTRYPOINT] re-create snakeoil self-signed certificate removed in the build process" +if [ ! -f /etc/ssl/private/ssl-cert-snakeoil.key ]; then + /usr/sbin/make-ssl-cert generate-default-snakeoil --force-overwrite > /dev/null 2>&1 +fi + +tail -F /var/log/squid/access.log 2>/dev/null & +tail -F /var/log/squid/error.log 2>/dev/null & +tail -F /var/log/squid/store.log 2>/dev/null & +tail -F /var/log/squid/cache.log 2>/dev/null & + +# Replace environment variables in the template and output to the squid.conf +echo "[ENTRYPOINT] replacing environment variables in the template" +awk '{ + while(match($0, /\${[A-Za-z_][A-Za-z_0-9]*}/)) { + var = substr($0, RSTART+2, RLENGTH-3) + val = ENVIRON[var] + $0 = substr($0, 1, RSTART-1) val substr($0, RSTART+RLENGTH) + } + print +}' /etc/squid/squid.conf.template > /etc/squid/squid.conf + +/usr/sbin/squid -Nz +echo "[ENTRYPOINT] starting squid" +/usr/sbin/squid -f /etc/squid/squid.conf -NYC 1 diff --git a/dify/0.15.3/conf/ssrf_proxy/squid.conf.template b/dify/0.15.3/conf/ssrf_proxy/squid.conf.template new file mode 100644 index 000000000..676fe7379 --- /dev/null +++ b/dify/0.15.3/conf/ssrf_proxy/squid.conf.template @@ -0,0 +1,51 @@ +acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN) +acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN) +acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN) +acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines +acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN) +acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN) +acl localnet src fc00::/7 # RFC 4193 local private network range +acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines +acl SSL_ports port 443 +# acl SSL_ports port 1025-65535 # Enable the configuration to resolve this issue: https://github.com/langgenius/dify/issues/12792 +acl Safe_ports port 80 # http +acl Safe_ports port 21 # ftp +acl Safe_ports port 443 # https +acl Safe_ports port 70 # gopher +acl Safe_ports port 210 # wais +acl Safe_ports port 1025-65535 # unregistered ports +acl Safe_ports port 280 # http-mgmt +acl Safe_ports port 488 # gss-http +acl Safe_ports port 591 # filemaker +acl Safe_ports port 777 # multiling http +acl CONNECT method CONNECT +http_access deny !Safe_ports +http_access deny CONNECT !SSL_ports +http_access allow localhost manager +http_access deny manager +http_access allow localhost +include /etc/squid/conf.d/*.conf +http_access deny all + +################################## Proxy Server ################################ +http_port ${HTTP_PORT} +coredump_dir ${COREDUMP_DIR} +refresh_pattern ^ftp: 1440 20% 10080 +refresh_pattern ^gopher: 1440 0% 1440 +refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 +refresh_pattern \/(Packages|Sources)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims +refresh_pattern \/Release(|\.gpg)$ 0 0% 0 refresh-ims +refresh_pattern \/InRelease$ 0 0% 0 refresh-ims +refresh_pattern \/(Translation-.*)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims +refresh_pattern . 0 20% 4320 + + +# cache_dir ufs /var/spool/squid 100 16 256 +# upstream proxy, set to your own upstream proxy IP to avoid SSRF attacks +# cache_peer 172.1.1.1 parent 3128 0 no-query no-digest no-netdb-exchange default + +################################## Reverse Proxy To Sandbox ################################ +http_port ${REVERSE_PROXY_PORT} accel vhost +cache_peer ${SANDBOX_HOST} parent ${SANDBOX_PORT} 0 no-query originserver +acl src_all src all +http_access allow src_all diff --git a/dify/0.15.3/conf/startupscripts/init.sh b/dify/0.15.3/conf/startupscripts/init.sh new file mode 100644 index 000000000..c6e6e1966 --- /dev/null +++ b/dify/0.15.3/conf/startupscripts/init.sh @@ -0,0 +1,13 @@ +#!/usr/bin/env bash + +DB_INITIALIZED="/opt/oracle/oradata/dbinit" +#[ -f ${DB_INITIALIZED} ] && exit +#touch ${DB_INITIALIZED} +if [ -f ${DB_INITIALIZED} ]; then + echo 'File exists. Standards for have been Init' + exit +else + echo 'File does not exist. Standards for first time Start up this DB' + "$ORACLE_HOME"/bin/sqlplus -s "/ as sysdba" @"/opt/oracle/scripts/startup/init_user.script"; + touch ${DB_INITIALIZED} +fi diff --git a/dify/0.15.3/conf/startupscripts/init_user.script b/dify/0.15.3/conf/startupscripts/init_user.script new file mode 100644 index 000000000..7aa7c2804 --- /dev/null +++ b/dify/0.15.3/conf/startupscripts/init_user.script @@ -0,0 +1,10 @@ +show pdbs; +ALTER SYSTEM SET PROCESSES=500 SCOPE=SPFILE; +alter session set container= freepdb1; +create user dify identified by dify DEFAULT TABLESPACE users quota unlimited on users; +grant DB_DEVELOPER_ROLE to dify; + +BEGIN +CTX_DDL.CREATE_PREFERENCE('my_chinese_vgram_lexer','CHINESE_VGRAM_LEXER'); +END; +/ diff --git a/dify/0.15.3/conf/tidb/config/pd.toml b/dify/0.15.3/conf/tidb/config/pd.toml new file mode 100644 index 000000000..042b251e4 --- /dev/null +++ b/dify/0.15.3/conf/tidb/config/pd.toml @@ -0,0 +1,4 @@ +# PD Configuration File reference: +# https://docs.pingcap.com/tidb/stable/pd-configuration-file#pd-configuration-file +[replication] +max-replicas = 1 \ No newline at end of file diff --git a/dify/0.15.3/conf/tidb/config/tiflash-learner.toml b/dify/0.15.3/conf/tidb/config/tiflash-learner.toml new file mode 100644 index 000000000..5098829aa --- /dev/null +++ b/dify/0.15.3/conf/tidb/config/tiflash-learner.toml @@ -0,0 +1,13 @@ +# TiFlash tiflash-learner.toml Configuration File reference: +# https://docs.pingcap.com/tidb/stable/tiflash-configuration#configure-the-tiflash-learnertoml-file + +log-file = "/logs/tiflash_tikv.log" + +[server] +engine-addr = "tiflash:4030" +addr = "0.0.0.0:20280" +advertise-addr = "tiflash:20280" +status-addr = "tiflash:20292" + +[storage] +data-dir = "/data/flash" diff --git a/dify/0.15.3/conf/tidb/config/tiflash.toml b/dify/0.15.3/conf/tidb/config/tiflash.toml new file mode 100644 index 000000000..30ac13efc --- /dev/null +++ b/dify/0.15.3/conf/tidb/config/tiflash.toml @@ -0,0 +1,19 @@ +# TiFlash tiflash.toml Configuration File reference: +# https://docs.pingcap.com/tidb/stable/tiflash-configuration#configure-the-tiflashtoml-file + +listen_host = "0.0.0.0" +path = "/data" + +[flash] +tidb_status_addr = "tidb:10080" +service_addr = "tiflash:4030" + +[flash.proxy] +config = "/tiflash-learner.toml" + +[logger] +errorlog = "/logs/tiflash_error.log" +log = "/logs/tiflash.log" + +[raft] +pd_addr = "pd0:2379" diff --git a/dify/0.15.3/conf/tidb/docker-compose.yaml b/dify/0.15.3/conf/tidb/docker-compose.yaml new file mode 100644 index 000000000..fa1577017 --- /dev/null +++ b/dify/0.15.3/conf/tidb/docker-compose.yaml @@ -0,0 +1,62 @@ +services: + pd0: + image: pingcap/pd:v8.5.1 + # ports: + # - "2379" + volumes: + - ./config/pd.toml:/pd.toml:ro + - ./volumes/data:/data + - ./volumes/logs:/logs + command: + - --name=pd0 + - --client-urls=http://0.0.0.0:2379 + - --peer-urls=http://0.0.0.0:2380 + - --advertise-client-urls=http://pd0:2379 + - --advertise-peer-urls=http://pd0:2380 + - --initial-cluster=pd0=http://pd0:2380 + - --data-dir=/data/pd + - --config=/pd.toml + - --log-file=/logs/pd.log + restart: on-failure + tikv: + image: pingcap/tikv:v8.5.1 + volumes: + - ./volumes/data:/data + - ./volumes/logs:/logs + command: + - --addr=0.0.0.0:20160 + - --advertise-addr=tikv:20160 + - --status-addr=tikv:20180 + - --data-dir=/data/tikv + - --pd=pd0:2379 + - --log-file=/logs/tikv.log + depends_on: + - "pd0" + restart: on-failure + tidb: + image: pingcap/tidb:v8.5.1 + # ports: + # - "4000:4000" + volumes: + - ./volumes/logs:/logs + command: + - --advertise-address=tidb + - --store=tikv + - --path=pd0:2379 + - --log-file=/logs/tidb.log + depends_on: + - "tikv" + restart: on-failure + tiflash: + image: pingcap/tiflash:v8.5.1 + volumes: + - ./config/tiflash.toml:/tiflash.toml:ro + - ./config/tiflash-learner.toml:/tiflash-learner.toml:ro + - ./volumes/data:/data + - ./volumes/logs:/logs + command: + - --config=/tiflash.toml + depends_on: + - "tikv" + - "tidb" + restart: on-failure diff --git a/dify/0.15.3/conf/volumes/myscale/config/users.d/custom_users_config.xml b/dify/0.15.3/conf/volumes/myscale/config/users.d/custom_users_config.xml new file mode 100644 index 000000000..67f24b69e --- /dev/null +++ b/dify/0.15.3/conf/volumes/myscale/config/users.d/custom_users_config.xml @@ -0,0 +1,17 @@ + + + + + + ::1 + 127.0.0.1 + 10.0.0.0/8 + 172.16.0.0/12 + 192.168.0.0/16 + + default + default + 1 + + + \ No newline at end of file diff --git a/dify/0.15.3/conf/volumes/oceanbase/init.d/vec_memory.sql b/dify/0.15.3/conf/volumes/oceanbase/init.d/vec_memory.sql new file mode 100644 index 000000000..3dd2fdd53 --- /dev/null +++ b/dify/0.15.3/conf/volumes/oceanbase/init.d/vec_memory.sql @@ -0,0 +1,2 @@ +ALTER +SYSTEM SET ob_vector_memory_limit_percentage = 30; diff --git a/dify/0.15.3/conf/volumes/opensearch/opensearch_dashboards.yml b/dify/0.15.3/conf/volumes/opensearch/opensearch_dashboards.yml new file mode 100644 index 000000000..bd49444b1 --- /dev/null +++ b/dify/0.15.3/conf/volumes/opensearch/opensearch_dashboards.yml @@ -0,0 +1,222 @@ +--- +# Copyright OpenSearch Contributors +# SPDX-License-Identifier: Apache-2.0 + +# Description: +# Default configuration for OpenSearch Dashboards + +# OpenSearch Dashboards is served by a back end server. This setting specifies the port to use. +# server.port: 5601 + +# Specifies the address to which the OpenSearch Dashboards server will bind. IP addresses and host names are both valid values. +# The default is 'localhost', which usually means remote machines will not be able to connect. +# To allow connections from remote users, set this parameter to a non-loopback address. +# server.host: "localhost" + +# Enables you to specify a path to mount OpenSearch Dashboards at if you are running behind a proxy. +# Use the `server.rewriteBasePath` setting to tell OpenSearch Dashboards if it should remove the basePath +# from requests it receives, and to prevent a deprecation warning at startup. +# This setting cannot end in a slash. +# server.basePath: "" + +# Specifies whether OpenSearch Dashboards should rewrite requests that are prefixed with +# `server.basePath` or require that they are rewritten by your reverse proxy. +# server.rewriteBasePath: false + +# The maximum payload size in bytes for incoming server requests. +# server.maxPayloadBytes: 1048576 + +# The OpenSearch Dashboards server's name. This is used for display purposes. +# server.name: "your-hostname" + +# The URLs of the OpenSearch instances to use for all your queries. +# opensearch.hosts: ["http://localhost:9200"] + +# OpenSearch Dashboards uses an index in OpenSearch to store saved searches, visualizations and +# dashboards. OpenSearch Dashboards creates a new index if the index doesn't already exist. +# opensearchDashboards.index: ".opensearch_dashboards" + +# The default application to load. +# opensearchDashboards.defaultAppId: "home" + +# Setting for an optimized healthcheck that only uses the local OpenSearch node to do Dashboards healthcheck. +# This settings should be used for large clusters or for clusters with ingest heavy nodes. +# It allows Dashboards to only healthcheck using the local OpenSearch node rather than fan out requests across all nodes. +# +# It requires the user to create an OpenSearch node attribute with the same name as the value used in the setting +# This node attribute should assign all nodes of the same cluster an integer value that increments with each new cluster that is spun up +# e.g. in opensearch.yml file you would set the value to a setting using node.attr.cluster_id: +# Should only be enabled if there is a corresponding node attribute created in your OpenSearch config that matches the value here +# opensearch.optimizedHealthcheckId: "cluster_id" + +# If your OpenSearch is protected with basic authentication, these settings provide +# the username and password that the OpenSearch Dashboards server uses to perform maintenance on the OpenSearch Dashboards +# index at startup. Your OpenSearch Dashboards users still need to authenticate with OpenSearch, which +# is proxied through the OpenSearch Dashboards server. +# opensearch.username: "opensearch_dashboards_system" +# opensearch.password: "pass" + +# Enables SSL and paths to the PEM-format SSL certificate and SSL key files, respectively. +# These settings enable SSL for outgoing requests from the OpenSearch Dashboards server to the browser. +# server.ssl.enabled: false +# server.ssl.certificate: /path/to/your/server.crt +# server.ssl.key: /path/to/your/server.key + +# Optional settings that provide the paths to the PEM-format SSL certificate and key files. +# These files are used to verify the identity of OpenSearch Dashboards to OpenSearch and are required when +# xpack.security.http.ssl.client_authentication in OpenSearch is set to required. +# opensearch.ssl.certificate: /path/to/your/client.crt +# opensearch.ssl.key: /path/to/your/client.key + +# Optional setting that enables you to specify a path to the PEM file for the certificate +# authority for your OpenSearch instance. +# opensearch.ssl.certificateAuthorities: [ "/path/to/your/CA.pem" ] + +# To disregard the validity of SSL certificates, change this setting's value to 'none'. +# opensearch.ssl.verificationMode: full + +# Time in milliseconds to wait for OpenSearch to respond to pings. Defaults to the value of +# the opensearch.requestTimeout setting. +# opensearch.pingTimeout: 1500 + +# Time in milliseconds to wait for responses from the back end or OpenSearch. This value +# must be a positive integer. +# opensearch.requestTimeout: 30000 + +# List of OpenSearch Dashboards client-side headers to send to OpenSearch. To send *no* client-side +# headers, set this value to [] (an empty list). +# opensearch.requestHeadersWhitelist: [ authorization ] + +# Header names and values that are sent to OpenSearch. Any custom headers cannot be overwritten +# by client-side headers, regardless of the opensearch.requestHeadersWhitelist configuration. +# opensearch.customHeaders: {} + +# Time in milliseconds for OpenSearch to wait for responses from shards. Set to 0 to disable. +# opensearch.shardTimeout: 30000 + +# Logs queries sent to OpenSearch. Requires logging.verbose set to true. +# opensearch.logQueries: false + +# Specifies the path where OpenSearch Dashboards creates the process ID file. +# pid.file: /var/run/opensearchDashboards.pid + +# Enables you to specify a file where OpenSearch Dashboards stores log output. +# logging.dest: stdout + +# Set the value of this setting to true to suppress all logging output. +# logging.silent: false + +# Set the value of this setting to true to suppress all logging output other than error messages. +# logging.quiet: false + +# Set the value of this setting to true to log all events, including system usage information +# and all requests. +# logging.verbose: false + +# Set the interval in milliseconds to sample system and process performance +# metrics. Minimum is 100ms. Defaults to 5000. +# ops.interval: 5000 + +# Specifies locale to be used for all localizable strings, dates and number formats. +# Supported languages are the following: English - en , by default , Chinese - zh-CN . +# i18n.locale: "en" + +# Set the allowlist to check input graphite Url. Allowlist is the default check list. +# vis_type_timeline.graphiteAllowedUrls: ['https://www.hostedgraphite.com/UID/ACCESS_KEY/graphite'] + +# Set the blocklist to check input graphite Url. Blocklist is an IP list. +# Below is an example for reference +# vis_type_timeline.graphiteBlockedIPs: [ +# //Loopback +# '127.0.0.0/8', +# '::1/128', +# //Link-local Address for IPv6 +# 'fe80::/10', +# //Private IP address for IPv4 +# '10.0.0.0/8', +# '172.16.0.0/12', +# '192.168.0.0/16', +# //Unique local address (ULA) +# 'fc00::/7', +# //Reserved IP address +# '0.0.0.0/8', +# '100.64.0.0/10', +# '192.0.0.0/24', +# '192.0.2.0/24', +# '198.18.0.0/15', +# '192.88.99.0/24', +# '198.51.100.0/24', +# '203.0.113.0/24', +# '224.0.0.0/4', +# '240.0.0.0/4', +# '255.255.255.255/32', +# '::/128', +# '2001:db8::/32', +# 'ff00::/8', +# ] +# vis_type_timeline.graphiteBlockedIPs: [] + +# opensearchDashboards.branding: +# logo: +# defaultUrl: "" +# darkModeUrl: "" +# mark: +# defaultUrl: "" +# darkModeUrl: "" +# loadingLogo: +# defaultUrl: "" +# darkModeUrl: "" +# faviconUrl: "" +# applicationTitle: "" + +# Set the value of this setting to true to capture region blocked warnings and errors +# for your map rendering services. +# map.showRegionBlockedWarning: false% + +# Set the value of this setting to false to suppress search usage telemetry +# for reducing the load of OpenSearch cluster. +# data.search.usageTelemetry.enabled: false + +# 2.4 renames 'wizard.enabled: false' to 'vis_builder.enabled: false' +# Set the value of this setting to false to disable VisBuilder +# functionality in Visualization. +# vis_builder.enabled: false + +# 2.4 New Experimental Feature +# Set the value of this setting to true to enable the experimental multiple data source +# support feature. Use with caution. +# data_source.enabled: false +# Set the value of these settings to customize crypto materials to encryption saved credentials +# in data sources. +# data_source.encryption.wrappingKeyName: 'changeme' +# data_source.encryption.wrappingKeyNamespace: 'changeme' +# data_source.encryption.wrappingKey: [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + +# 2.6 New ML Commons Dashboards Feature +# Set the value of this setting to true to enable the ml commons dashboards +# ml_commons_dashboards.enabled: false + +# 2.12 New experimental Assistant Dashboards Feature +# Set the value of this setting to true to enable the assistant dashboards +# assistant.chat.enabled: false + +# 2.13 New Query Assistant Feature +# Set the value of this setting to false to disable the query assistant +# observability.query_assist.enabled: false + +# 2.14 Enable Ui Metric Collectors in Usage Collector +# Set the value of this setting to true to enable UI Metric collections +# usageCollection.uiMetric.enabled: false + +opensearch.hosts: [ https://localhost:9200 ] +opensearch.ssl.verificationMode: none +opensearch.username: admin +opensearch.password: 'Qazwsxedc!@#123' +opensearch.requestHeadersWhitelist: [ authorization, securitytenant ] + +opensearch_security.multitenancy.enabled: true +opensearch_security.multitenancy.tenants.preferred: [ Private, Global ] +opensearch_security.readonly_mode.roles: [ kibana_read_only ] +# Use this setting if you are running opensearch-dashboards without https +opensearch_security.cookie.secure: false +server.host: '0.0.0.0' diff --git a/dify/0.15.3/conf/volumes/sandbox/conf/config.yaml b/dify/0.15.3/conf/volumes/sandbox/conf/config.yaml new file mode 100644 index 000000000..8c1a1deb5 --- /dev/null +++ b/dify/0.15.3/conf/volumes/sandbox/conf/config.yaml @@ -0,0 +1,14 @@ +app: + port: 8194 + debug: True + key: dify-sandbox +max_workers: 4 +max_requests: 50 +worker_timeout: 5 +python_path: /usr/local/bin/python3 +enable_network: True # please make sure there is no network risk in your environment +allowed_syscalls: # please leave it empty if you have no idea how seccomp works +proxy: + socks5: '' + http: '' + https: '' diff --git a/dify/0.15.3/conf/volumes/sandbox/conf/config.yaml.example b/dify/0.15.3/conf/volumes/sandbox/conf/config.yaml.example new file mode 100644 index 000000000..f92c19e51 --- /dev/null +++ b/dify/0.15.3/conf/volumes/sandbox/conf/config.yaml.example @@ -0,0 +1,35 @@ +app: + port: 8194 + debug: True + key: dify-sandbox +max_workers: 4 +max_requests: 50 +worker_timeout: 5 +python_path: /usr/local/bin/python3 +python_lib_path: + - /usr/local/lib/python3.10 + - /usr/lib/python3.10 + - /usr/lib/python3 + - /usr/lib/x86_64-linux-gnu + - /etc/ssl/certs/ca-certificates.crt + - /etc/nsswitch.conf + - /etc/hosts + - /etc/resolv.conf + - /run/systemd/resolve/stub-resolv.conf + - /run/resolvconf/resolv.conf + - /etc/localtime + - /usr/share/zoneinfo + - /etc/timezone + # add more paths if needed +python_pip_mirror_url: https://pypi.tuna.tsinghua.edu.cn/simple +nodejs_path: /usr/local/bin/node +enable_network: True +allowed_syscalls: + - 1 + - 2 + - 3 + # add all the syscalls which you require +proxy: + socks5: '' + http: '' + https: '' diff --git a/dify/0.15.3/conf/volumes/sandbox/dependencies/python-requirements.txt b/dify/0.15.3/conf/volumes/sandbox/dependencies/python-requirements.txt new file mode 100644 index 000000000..e69de29bb