
How to set up a proxy for marketplace access while in offline Docker host mode

Open sinopec opened this issue 10 months ago • 6 comments

Self Checks

  • [x] This is only for bug report, if you would like to ask a question, please head to Discussions.
  • [x] I have searched for existing issues, including closed ones.
  • [x] I confirm that I am using English to submit this report (I have read and agree to the Language Policy).
  • [x] [FOR CHINESE USERS] Please be sure to submit issues in English, otherwise they will be closed. Thank you! :)
  • [x] Please do not modify this template :) and fill in all the required fields.

Dify version

Docker build from latest source, shown as 1.0.0

Cloud or Self Hosted

Self Hosted (Docker)

Steps to reproduce

Use the latest source to build Docker on an offline PC to deploy Dify. Can't access https://marketplace.dify.ai/api/v1/plugins/download directly, but can access it through a new LAN proxy. Use docker-compose up to bring up Dify, open a web browser to add a model provider, and choose one to add. It fails to access. Look up the log here:

Image

I have tried to use a proxy in the api container and also tried modifying the squid conf and the dify-sandbox conf; none of them work.

✔️ Expected Behavior

I want to access the marketplace by a proxy setting.

❌ Actual Behavior

WARNING [Dummy-1] [ssrf_proxy.py:61] - Request to URL https://marketplace.dify.ai/api/v1/plugins/download?unique_identifier=langgenius/xinference:0.0.2@04dee9c8396 689421df7537f73ebb4b26efbcb7e0b9c32b7f09236e84bb97b3c failed on attempt 3: timed out

sinopec avatar Feb 27 '25 09:02 sinopec

To set up a proxy for marketplace access while using Docker in offline host mode, you can configure the SANDBOX_HTTP_PROXY and SANDBOX_HTTPS_PROXY environment variables in your Docker environment. Set these variables to point to your proxy server:

SANDBOX_HTTP_PROXY=http://your_proxy_server:port
SANDBOX_HTTPS_PROXY=http://your_proxy_server:port

Replace your_proxy_server and port with the actual address and port of your proxy server. This configuration will route HTTP and HTTPS requests through the specified proxy, allowing access to the marketplace even in offline host mode [1].

Additionally, there are similar discussions that might be helpful:

These discussions might provide further insights or solutions to your issue.


dosubot[bot] avatar Feb 27 '25 09:02 dosubot[bot]

I have tried, but it doesn't work.

It seems there is a proxy chain in the new 1.0.0 version of Dify in docker-api-1; the request is made through ssrf_proxy

Image

and then ssrf_proxy's squid proxy turns it to the sandbox

Image

Is that right? Can I just set a proxy for the dify-sandbox service? Setting SANDBOX_HTTP_PROXY doesn't seem to work.

sinopec avatar Feb 27 '25 10:02 sinopec

Yes, your understanding is correct. In Dify 1.0.0, requests are routed through the ssrf_proxy, which uses a Squid proxy to forward requests to the sandbox service. The Squid proxy configuration uses ${SANDBOX_HOST} and ${SANDBOX_PORT} to direct traffic to the sandbox [1][2].

To set a proxy for the Dify sandbox service, you should configure the SANDBOX_HTTP_PROXY and SANDBOX_HTTPS_PROXY environment variables. However, if setting these variables doesn't work, ensure that:

  1. The proxy server is correctly configured and accessible from the Docker environment.
  2. The environment variables are correctly set in the Docker container. You can verify this by checking the container's environment settings.
  3. The Squid proxy configuration allows forwarding to your desired proxy server.

If these steps don't resolve the issue, you might need to adjust the Squid configuration to ensure it properly forwards requests to your proxy server.


dosubot[bot] avatar Feb 27 '25 10:02 dosubot[bot]

So, when I click add model provider in the browser, the request is made through ssrf_proxy to dify-sandbox finally?
Then my question is, should I set up my own LAN proxy in dify-sandbox or in the ssrf_proxy squid conf?

Directly setting SANDBOX_HTTPS_PROXY in docker-compose.yaml doesn't work.

sinopec avatar Feb 27 '25 10:02 sinopec

When you click "add model provider" in the browser, the request is indeed routed through the ssrf_proxy, which uses the Squid proxy to forward requests to the dify-sandbox. To set up your own LAN proxy, you should configure it in the ssrf_proxy Squid configuration rather than directly in the dify-sandbox.

Here's what you can do:

  1. Modify the Squid Configuration: Update the squid.conf.template file used by the ssrf_proxy to include your LAN proxy settings. You can add a cache_peer directive to forward requests to your LAN proxy.

  2. Ensure Environment Variables are Set: Double-check that the SANDBOX_HTTP_PROXY and SANDBOX_HTTPS_PROXY environment variables are correctly set in your Docker environment, but focus on configuring the Squid proxy for routing.

  3. Restart the Services: After making changes, restart the Docker services to apply the new configuration.

By configuring the Squid proxy in the ssrf_proxy, you ensure that all requests are correctly routed through your LAN proxy before reaching the dify-sandbox [1][2].


dosubot[bot] avatar Feb 27 '25 10:02 dosubot[bot]

I faced the same error when Dify is behind a proxy server. By the following steps, this was resolved and model providers could be installed.

  1. Edit docker/ssrf_proxy/squid.conf.template to specify the proxy server in the cache_peer directive. See below for further details.
  2. Run docker compose down & docker compose up -d.

I edited the latter half of docker/ssrf_proxy/squid.conf.template as follows.

################################## Proxy Server ################################
http_port ${HTTP_PORT}
coredump_dir ${COREDUMP_DIR}
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern \/(Packages|Sources)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
refresh_pattern \/Release(|\.gpg)$ 0 0% 0 refresh-ims
refresh_pattern \/InRelease$ 0 0% 0 refresh-ims
refresh_pattern \/(Translation-.*)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
refresh_pattern .               0       20%     4320


# cache_dir ufs /var/spool/squid 100 16 256
# upstream proxy, set to your own upstream proxy IP to avoid SSRF attacks
cache_peer <proxy server FQDN> parent <proxy server port> 0 no-query no-digest no-netdb-exchange default login=<user>:<password>
never_direct allow all

################################## Reverse Proxy To Sandbox ################################
#http_port ${REVERSE_PROXY_PORT} accel vhost
#cache_peer ${SANDBOX_HOST} parent ${SANDBOX_PORT} 0 no-query originserver
#acl src_all src all
#http_access allow src_all

I added the following lines:

cache_peer <proxy server FQDN> parent <proxy server port> 0 no-query no-digest no-netdb-exchange default login=<user>:<password>
never_direct allow all

And I commented out the lines written under Reverse Proxy To Sandbox. The values of <proxy server FQDN>, <proxy server port>, <user>, and <password> depend on the environment (login=<user>:<password> is only needed if basic authentication is required for the proxy server).

utsumi-fj avatar Mar 12 '25 08:03 utsumi-fj
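
An added example, not part of the comment above and not Dify's own code: a small audit of an edited squid.conf.template that checks the properties this change relies on (a forward parent exists, `never_direct` forces all egress through it) and flags cleartext `login=` credentials and a disabled sandbox reverse proxy. The host name, credentials, sample configs and finding names are constructed for illustration.

```python
# Constructed sample: tail of an edited template, placeholder host and credentials.
SAMPLE = """\
http_port ${HTTP_PORT}
# upstream proxy, set to your own upstream proxy IP to avoid SSRF attacks
cache_peer proxy.example.internal parent 3128 0 no-query no-digest default login=svc:s3cret
never_direct allow all
#http_port ${REVERSE_PROXY_PORT} accel vhost
#cache_peer ${SANDBOX_HOST} parent ${SANDBOX_PORT} 0 no-query originserver
"""

# Constructed sample: only the reverse proxy to the sandbox is active.
REVERSE_ONLY = """\
http_port ${HTTP_PORT}
http_port ${REVERSE_PROXY_PORT} accel vhost
cache_peer ${SANDBOX_HOST} parent ${SANDBOX_PORT} 0 no-query originserver
"""

def active_directives(text):
    """Parse squid.conf text into (directive, args) pairs, skipping comment lines."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, *args = line.split()
        pairs.append((name, args))
    return pairs

def audit(text):
    """Return finding IDs (names are hypothetical) for the upstream-proxy setup."""
    conf = active_directives(text)
    findings = []
    # Forward parents only: the sandbox peer is marked 'originserver'.
    parents = [a for n, a in conf
               if n == "cache_peer" and a[1:2] == ["parent"] and "originserver" not in a]
    if not parents:
        findings.append("no-upstream-parent")
    # Without never_direct, Squid may bypass the parent and connect directly.
    if not any(n == "never_direct" and a[:2] == ["allow", "all"] for n, a in conf):
        findings.append("direct-egress-possible")
    # login=user:password is stored in cleartext in the template and rendered file.
    if any(o.startswith("login=") and ":" in o for a in parents for o in a):
        findings.append("cleartext-proxy-credentials")
    # Informational: no accel-mode listener means the sandbox reverse proxy is off.
    if not any(n == "http_port" and "accel" in a for n, a in conf):
        findings.append("sandbox-reverse-proxy-disabled")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```
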

Hi, @sinopec. I'm Dosu, and I'm helping the Dify team manage their backlog and am marking this issue as stale.

Issue Summary:

  • You faced difficulties accessing the Dify marketplace from an offline Docker host setup with a LAN proxy.
  • Attempts included configuring a proxy in the API container and modifying squid and dify-sandbox configurations.
  • I suggested setting SANDBOX_HTTP_PROXY and SANDBOX_HTTPS_PROXY environment variables.
  • "Utsumi-fj" provided a solution by editing squid.conf.template with cache_peer, which resolved similar issues.

Next Steps:

  • Please confirm if this issue is still relevant to the latest version of the Dify repository by commenting here.
  • If there is no further activity, this issue will be automatically closed in 15 days.

Thank you for your understanding and contribution!

dosubot[bot] avatar Apr 12 '25 16:04 dosubot[bot]