
Access external knowledge base API return 403 Forbidden

Open vindia9 opened this issue 11 months ago • 12 comments

Self Checks

  • [x] This is only for bug report, if you would like to ask a question, please head to Discussions.
  • [x] I have searched for existing issues, including closed ones.
  • [x] I confirm that I am using English to submit this report (I have read and agree to the Language Policy).
  • [x] [FOR CHINESE USERS] Please be sure to submit the issue in English, otherwise it will be closed. Thank you! :)
  • [x] Please do not modify this template :) and fill in all the required fields.

Dify version

v0.15.3

Cloud or Self Hosted

Self Hosted (Docker)

Steps to reproduce

I am using an external knowledge base API to access ragflow's KB. I used the following simple command to test if the ragflow interface is working correctly, and I got the correct response:

curl --request POST \
--url http://192.168.1.4:175/api/v1/dify/retrieval \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer ragflow-QyOTEaNmNhZWU2NjExZWZhYmJhMDI0Mm' \
--data '{"knowledge_id":"d8417fb0ea1b11ef9efc0242ac140006","query":"norasdoten"}'

Therefore, I configured it in Dify with the following settings:

API Endpoint: http://192.168.1.4:175/api/v1/dify
API Key: ragflow-QyOTEaNmNhZWU2NjExZWZhYmJhMDI0Mm
External Knowledge Base ID: d8417fb0ea1b11ef9efc0242ac140006

When performing a retrieval test, I observed the following logs using docker logs -f dify-api-1:

2025-02-19 03:14:31.349 INFO [Dummy-35] [_client.py:1038] - HTTP Request: POST http://192.168.1.4:175/api/v1/dify/retrieval "HTTP/1.1 403 Forbidden"

I modified the squid.conf.template file and added:

acl Safe_ports port 175

And I restarted the ssrf container using docker restart dify-ssrf_proxy-1. After the container restarted, I checked the /etc/squid/squid.conf file and saw the content I added.

However, when I performed the retrieval test again, I still got the same error logs.

2025-02-19 03:14:31.349 INFO [Dummy-35] [_client.py:1038] - HTTP Request: POST http://192.168.1.4:175/api/v1/dify/retrieval "HTTP/1.1 403 Forbidden"

✔️ Expected Behavior

No response

❌ Actual Behavior

No response

vindia9 avatar Feb 19 '25 03:02 vindia9

I found a similar discussion titled "403 Forbidden" which is still open and might be relevant to your issue [1].

The "403 Forbidden" error you're encountering when accessing the external knowledge base API is likely due to missing or incorrect access permissions. Ensure that the API key is correctly included in the Authorization header in the format:

Authorization: Bearer {API_KEY}

Double-check that the API key and its format are correct in your Dify configuration. If the format is incorrect or the API key is missing, you will encounter a "403 Forbidden" error [2].

Additionally, since you've already modified the squid.conf.template to allow port 175 and restarted the SSRF proxy, ensure that the changes are correctly applied. You might want to verify that the proxy settings are not blocking the request due to other configurations or network restrictions [3].


dosubot[bot] avatar Feb 19 '25 03:02 dosubot[bot]

docker logs -f dify-ssrf_proxy-1

1739945668.368 3 172.19.0.7 TCP_MISS/403 294 POST http://192.168.1.4:175/api/v1/dify/retrieval - HIER_DIRECT/192.168.1.4 application/json

vindia9 avatar Feb 19 '25 06:02 vindia9
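
An added example, not part of the thread: a parser for squid's native access.log format that separates a 403 generated by the proxy's own ACLs (`TCP_DENIED`, `HIER_NONE`) from a 403 that squid forwarded and the upstream service returned (`TCP_MISS`, `HIER_DIRECT`). The first sample line is the one posted above; the second is constructed to show what an ACL denial looks like.

```python
import re

# Squid native access.log fields:
# time elapsed client code/status bytes method URL user hierarchy/peer content-type
LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

def classify(line):
    """Return (verdict, fields) for one access.log line."""
    m = LINE.match(line.strip())
    if not m:
        return "unparsed", {}
    f = m.groupdict()
    if f["code"].startswith("TCP_DENIED"):
        # http_access rejected the request; nothing was sent upstream
        verdict = "blocked by proxy ACL"
    elif f["hier"] == "HIER_NONE":
        verdict = "answered by proxy without contacting upstream"
    elif int(f["status"]) >= 400:
        # squid forwarded the request; the error status is the upstream's answer
        verdict = "forwarded; error returned by upstream " + f["peer"]
    else:
        verdict = "forwarded; upstream success"
    return verdict, f

SAMPLES = [
    # Line posted in the thread
    "1739945668.368 3 172.19.0.7 TCP_MISS/403 294 POST "
    "http://192.168.1.4:175/api/v1/dify/retrieval - HIER_DIRECT/192.168.1.4 application/json",
    # Constructed line: shape of an http_access denial
    "1739945700.101 0 172.19.0.7 TCP_DENIED/403 3905 POST "
    "http://192.168.1.4:175/api/v1/dify/retrieval - HIER_NONE/- text/html",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict, fields = classify(sample)
        print(fields.get("code"), fields.get("status"), "->", verdict)
```

When the verdict is "forwarded", editing `Safe_ports` cannot change the outcome; the service behind the peer address is the place to look.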

Bro, did you solve it?

qlanto224 avatar Feb 20 '25 07:02 qlanto224

I changed the squid ACL (file location: /dify/docker/ssrf_proxy/squid.conf.template) like this:


http_access allow Safe_ports
http_access allow CONNECT SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost
include /etc/squid/conf.d/*.conf
http_access deny all

Then restart docker compose.

It works.

czHero avatar Feb 21 '25 01:02 czHero
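
An added example, not part of the thread or of Dify's code: a minimal model of squid's first-match `http_access` evaluation, applied to the rule order posted above. The ACL definitions, the `manager` approximation and the comparison list using squid's stock `deny !Safe_ports` ordering are assumptions; the `include` line is skipped because its contents are not shown.

```python
import ipaddress

# Assumed ACL definitions (the thread shows only the http_access lines).
SAFE_PORTS = {80, 443, 175}   # illustrative; 175 is the port added in the thread
SSL_PORTS = {443}

THREAD_RULES = """\
http_access allow Safe_ports
http_access allow CONNECT SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost
include /etc/squid/conf.d/*.conf
http_access deny all""".splitlines()

# Squid's stock ordering, for comparison; not claimed to be Dify's shipped file.
STOCK_RULES = ["http_access deny !Safe_ports",
               "http_access deny CONNECT !SSL_ports",
               *THREAD_RULES[2:]]

def acl(name, req):
    """Evaluate one named ACL against a request dict."""
    checks = {
        "Safe_ports": req["port"] in SAFE_PORTS,
        "SSL_ports": req["port"] in SSL_PORTS,
        "CONNECT": req["method"] == "CONNECT",
        "localhost": ipaddress.ip_address(req["src"]).is_loopback,
        "manager": req["path"].startswith("/squid-internal-mgr/"),  # approximation
        "all": True,
    }
    return checks[name]

def decide(rules, req):
    """The first http_access line whose ACLs all match decides (ACLs are ANDed)."""
    for line in rules:
        parts = line.split()
        if parts[0] != "http_access":
            continue  # include line: contents unknown, skipped in this model
        action, names = parts[1], parts[2:]
        if all(acl(n.lstrip("!"), req) != n.startswith("!") for n in names):
            return action
    return "deny"  # not reached: both lists end with "deny all"

def req(port, src="172.19.0.7", method="POST", path="/api/v1/dify/retrieval"):
    """Build a request as seen by the proxy; the client address is from the thread's log."""
    return {"port": port, "src": src, "method": method, "path": path}
```

In this model `decide(THREAD_RULES, req(175))` returns `allow` on the first line for any client and any destination host, while the stock ordering uses `Safe_ports` only to reject and leaves the allow decision to the later source-based rules. With `allow Safe_ports` first, the port list is the only egress restriction the proxy still enforces.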

Version 1.0.0, connect to ragflow external knowledge base error, TCP_MISS/404 309 POST

quchenchen avatar Mar 05 '25 02:03 quchenchen

TCP_MISS/403 295 POST http://120.26.100.227:28080/api/v1/dify/retrieval - HIER_DIRECT/120.26.100.227 application/json

cr7Por avatar Mar 10 '25 10:03 cr7Por

> TCP_MISS/403 295 POST http://120.26.100.227:28080/api/v1/dify/retrieval - HIER_DIRECT/120.26.100.227 application/json

May I ask whether this problem has been solved?

LYH1921 avatar Mar 12 '25 05:03 LYH1921

Hi, @vindia9. I'm Dosu, and I'm helping the Dify team manage their backlog and am marking this issue as stale.

Issue Summary

  • You reported a "403 Forbidden" error when accessing an external knowledge base API using Dify v0.15.3, self-hosted via Docker.
  • I suggested checking the API key and proxy settings.
  • User czHero resolved the issue by modifying the squid.conf.template file and restarting Docker.
  • Other users, such as cr7Por and LYH1921, reported similar errors, suggesting a common configuration issue.

Next Steps

  • Please confirm if this issue is still relevant to the latest version of the Dify repository. If so, you can keep the discussion open by commenting on the issue.
  • Otherwise, this issue will be automatically closed in 15 days.

Thank you for your understanding and contribution!

dosubot[bot] avatar Apr 12 '25 16:04 dosubot[bot]

> I changed the squid ACL (file location: /dify/docker/ssrf_proxy/squid.conf.template) like this:
>
> http_access allow Safe_ports
> http_access allow CONNECT SSL_ports
> http_access allow localhost manager
> http_access deny manager
> http_access allow localhost
> include /etc/squid/conf.d/*.conf
> http_access deny all
>
> Then restart docker compose.
>
> It works.

Doesn't work; maybe I have another error, but I think it is a nice manner.

VastOcean-Yang avatar Apr 17 '25 08:04 VastOcean-Yang

>> I changed the squid ACL (file location: /dify/docker/ssrf_proxy/squid.conf.template) like this:
>>
>> http_access allow Safe_ports
>> http_access allow CONNECT SSL_ports
>> http_access allow localhost manager
>> http_access deny manager
>> http_access allow localhost
>> include /etc/squid/conf.d/*.conf
>> http_access deny all
>>
>> Then restart docker compose. It works.
>
> Doesn't work; maybe I have another error, but I think it is a nice manner.

I misconfigured the port for RAGflow - I accidentally used Nginx's port instead of the correct initialization port (9380).


VastOcean-Yang avatar Apr 17 '25 09:04 VastOcean-Yang

In my case, RAGFlow is running on port 81. I just added the port to the ssrf_proxy config file (./ssrf_proxy/squid.conf.template) like this:

acl Safe_ports port 81 # http

Then, it works for me.

zlbj1984 avatar Apr 28 '25 09:04 zlbj1984

> In my case, RAGFlow is running on port 81. I just added the port to the ssrf_proxy config file (./ssrf_proxy/squid.conf.template) like this:
>
> acl Safe_ports port 81 # http
>
> Then, it works for me.

Restart the ssrf_proxy: docker compose restart ssrf_proxy

zlbj1984 avatar Apr 28 '25 09:04 zlbj1984