
the ssrf-proxy service logs keep showing DNS resolution errors for "sandbox"

Open wenyaxu opened this issue 2 weeks ago • 1 comments

Self Checks

  • [x] I have read the Contributing Guide and Language Policy.
  • [x] This is only for bug report, if you would like to ask a question, please head to Discussions.
  • [x] I have searched for existing issues, including closed ones.
  • [x] I confirm that I am using English to submit this report, otherwise it will be closed.
  • [x] [Chinese & Non-English Users] Please submit in English, otherwise the issue will be closed :)
  • [x] Please do not modify this template :) and fill in all the required fields.

Dify version

1.11.1

Cloud or Self Hosted

Cloud

Steps to reproduce

In Dify version 1.11.1, the ssrf-proxy service logs keep showing DNS resolution errors for "sandbox", even though the sandbox pod itself is running fine. The ssrf-proxy logs are as follows:

    [root@mapcloud-node-01 env]# kubectl logs -n mapcloud-tour ssrf-769fd747bf-f48k2 -f
    /bin/bash: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)
    [ENTRYPOINT] re-create snakeoil self-signed certificate removed in the build process
    [ENTRYPOINT] replacing environment variables in the template
    2025/12/26 04:56:13| Processing Configuration File: /etc/squid/squid.conf (depth 0)
    2025/12/26 04:56:13| Created PID file (/run/squid.pid)
    2025/12/26 04:56:13| Set Current Directory to /var/spool/squid
    2025/12/26 04:56:13| Creating missing swap directories
    2025/12/26 04:56:13| No cache_dir stores are configured.
    2025/12/26 04:56:13| Removing PID file (/run/squid.pid)
    [ENTRYPOINT] starting squid
    2025/12/26 04:56:13| Processing Configuration File: /etc/squid/squid.conf (depth 0)
    2025/12/26 04:56:13| Created PID file (/run/squid.pid)
    2025/12/26 04:56:13| Set Current Directory to /var/spool/squid
    2025/12/26 04:56:13| Creating missing swap directories
    2025/12/26 04:56:13| No cache_dir stores are configured.
    2025/12/26 04:56:13| Removing PID file (/run/squid.pid)
    2025/12/26 04:56:13| Processing Configuration File: /etc/squid/squid.conf (depth 0)
    2025/12/26 04:56:13| Created PID file (/run/squid.pid)
    2025/12/26 04:56:13| Set Current Directory to /var/spool/squid
    2025/12/26 04:56:14| Starting Squid Cache version 6.13 for x86_64-pc-linux-gnu...
    2025/12/26 04:56:14| Service Name: squid
    2025/12/26 04:56:14| Process ID 34
    2025/12/26 04:56:14| Process Roles: master worker
    2025/12/26 04:56:14| With 1048576 file descriptors available
    2025/12/26 04:56:14| Initializing IP Cache...
    2025/12/26 04:56:14| DNS IPv6 socket created at [::], FD 8
    2025/12/26 04:56:14| DNS IPv4 socket created at 0.0.0.0, FD 9
    2025/12/26 04:56:14| Adding domain mapcloud-tour.svc.cluster.local from /etc/resolv.conf
    2025/12/26 04:56:14| Adding domain svc.cluster.local from /etc/resolv.conf
    2025/12/26 04:56:14| Adding domain cluster.local from /etc/resolv.conf
    2025/12/26 04:56:14| Adding domain su.baidu.internal from /etc/resolv.conf
    2025/12/26 04:56:14| Adding nameserver 192.168.0.10 from /etc/resolv.conf
    2025/12/26 04:56:14| Adding ndots 5 from /etc/resolv.conf
    2025/12/26 04:56:14| Logfile: opening log daemon:/var/log/squid/access.log
    2025/12/26 04:56:14| Logfile Daemon: opening log /var/log/squid/access.log
    2025/12/26 04:56:14| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
    2025/12/26 04:56:14| Store logging disabled
    2025/12/26 04:56:14| Swap maxSize 0 + 262144 KB, estimated 20164 objects
    2025/12/26 04:56:14| Target number of buckets: 1008
    2025/12/26 04:56:14| Using 8192 Store buckets
    2025/12/26 04:56:14| Max Mem size: 262144 KB
    2025/12/26 04:56:14| Max Swap size: 0 KB
    2025/12/26 04:56:14| Using Least Load store dir selection
    2025/12/26 04:56:14| Set Current Directory to /var/spool/squid
    2025/12/26 04:56:14| Finished loading MIME types and icons.
    2025/12/26 04:56:14| HTCP Disabled.
    2025/12/26 04:56:14| Pinger socket opened on FD 15
    2025/12/26 04:56:14| Squid plugin modules loaded: 0
    2025/12/26 04:56:14| Adaptation support is off.
    2025/12/26 04:56:14| Accepting HTTP Socket connections at conn3 local=[::]:3128 remote=[::] FD 12 flags=9 listening port: 3128
    2025/12/26 04:56:14| Accepting reverse-proxy HTTP Socket connections at conn5 local=[::]:8194 remote=[::] FD 13 flags=9 listening port: 8194
    2025/12/26 04:56:14| Configuring Parent sandbox
    2025/12/26 04:56:14| WARNING: DNS lookup for 'sandbox' failed!
    2025/12/26 04:56:14 pinger| Initialising ICMP pinger ...
    2025/12/26 04:56:14 pinger| ICMP socket opened.
    2025/12/26 04:56:14 pinger| ICMPv6 socket opened
    2025/12/26 04:56:15| storeLateRelease: released 0 objects
    2025/12/26 06:03:00| Logfile: opening log stdio:/var/spool/squid/netdb.state
    2025/12/26 06:03:00| Logfile: closing log stdio:/var/spool/squid/netdb.state
    2025/12/26 06:03:00| NETDB state saved; 0 entries, 0 msec
    1766729871.572 41221 172.16.1.12 TCP_TUNNEL/200 632329 CONNECT marketplace.dify.ai:443 - HIER_DIRECT/104.26.8.156 -
    2025/12/26 06:19:07| Configuring Parent sandbox
    2025/12/26 06:19:07| WARNING: DNS lookup for 'sandbox' failed!
    1766730272.901 402712 172.16.1.12 TCP_TUNNEL/200 217569 CONNECT marketplace.dify.ai:443 - HIER_DIRECT/104.26.8.156 -
    1766731678.639 5 172.16.1.12 TCP_MISS/200 350 POST http://ragflow.mapcloud-tour.svc.cluster.local/api/v1/dify/retrieval - HIER_DIRECT/192.168.152.149 application/json
    1766731827.736 358 172.16.1.12 TCP_MISS/200 9834 POST http://ragflow.mapcloud-tour.svc.cluster.local/api/v1/dify/retrieval - HIER_DIRECT/192.168.152.149 application/json

env:

    SANDBOX_API_KEY: "dify-sandbox"
    SANDBOX_GIN_MODE: "release"
    SANDBOX_WORKER_TIMEOUT: "40"
    SANDBOX_ENABLE_NETWORK: "true"
    SANDBOX_HTTP_PROXY: "http://ssrf_proxy:3128"
    SANDBOX_HTTPS_PROXY: "http://ssrf_proxy:3128"
    SANDBOX_PORT: "8194"
    SSRF_SANDBOX_HOST: "sandbox"

✔️ Expected Behavior

ssrf-proxy connects to sandbox without any errors

❌ Actual Behavior

errors

wenyaxu avatar Dec 26 '25 07:12 wenyaxu

Hi @wenyaxu! I'm Dosu and I’m helping the dify team.

The DNS resolution errors for "sandbox" in ssrf-proxy are almost always caused by Kubernetes DNS or service misconfiguration. In Kubernetes, only Services (not Pods) are guaranteed DNS entries. If there is no Service named "sandbox" in the same namespace as ssrf-proxy, DNS resolution will fail even if the pod is running.

To resolve this, check if a Service named "sandbox" exists in your namespace (kubectl get svc -n mapcloud-tour). If not, either create one pointing to your sandbox pod, or set SSRF_SANDBOX_HOST to the correct service name or its full DNS name (like sandbox.mapcloud-tour.svc.cluster.local). You can also exec into the ssrf-proxy pod and use nslookup sandbox or nslookup sandbox.mapcloud-tour.svc.cluster.local to verify DNS resolution. If DNS still fails, inspect /etc/resolv.conf in the pod to ensure it contains the correct search domains and nameserver for Kubernetes service discovery.

These steps should resolve the DNS errors and allow ssrf-proxy to connect to the sandbox service as expected.

dosubot[bot] avatar Dec 26 '25 07:12 dosubot[bot]

In your k8s env, is there a sandbox DNS name?

fatelei avatar Dec 28 '25 13:12 fatelei

I tracked down the cause: the sandbox URL in the env was defined as http://sandbox. Changing it to the long domain name fixed it.

wenyaxu avatar Dec 29 '25 02:12 wenyaxu
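
Added example (not part of the thread, and not Dify or Squid code): the search-list expansion behind the short-name versus long-name behaviour reported above, using the search domains and ndots value that the ssrf-proxy log shows being read from /etc/resolv.conf. The `ZONE` contents (a Service named sandbox in mapcloud-tour) and the `apply_search` switch are assumptions made for illustration.

```python
# Constructed from the values Squid logged when reading /etc/resolv.conf.
RESOLV_CONF = """\
search mapcloud-tour.svc.cluster.local svc.cluster.local cluster.local su.baidu.internal
nameserver 192.168.0.10
options ndots:5
"""
# Assumption: a Service named "sandbox" exists in namespace mapcloud-tour.
ZONE = {"sandbox.mapcloud-tour.svc.cluster.local."}


def parse_resolv_conf(text):
    """Return (search_domains, ndots) from resolv.conf text."""
    search, ndots = [], 1  # resolver default is ndots:1
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split() or [""]
        if fields[0] == "search":
            search = fields[1:]
        elif fields[0] == "options":
            for opt in fields[1:]:
                if opt.startswith("ndots:"):
                    ndots = int(opt[len("ndots:"):])
    return search, ndots


def candidates(name, search, ndots, apply_search=True):
    """Ordered FQDNs a stub resolver queries for `name`."""
    if name.endswith("."):  # already absolute: search list is skipped
        return [name]
    absolute = name + "."
    if not apply_search:  # resolver that never expands names
        return [absolute]
    expanded = [f"{name}.{domain}." for domain in search]
    if name.count(".") >= ndots:  # enough dots: try the name as-is first
        return [absolute] + expanded
    return expanded + [absolute]


def resolve(name, apply_search=True):
    """First candidate present in ZONE, or None for a failed lookup."""
    search, ndots = parse_resolv_conf(RESOLV_CONF)
    for fqdn in candidates(name, search, ndots, apply_search):
        if fqdn in ZONE:
            return fqdn
    return None


if __name__ == "__main__":
    for host in ("sandbox", "sandbox.mapcloud-tour.svc.cluster.local"):
        print(host, "->", resolve(host), "| no search list:", resolve(host, apply_search=False))
```

The `apply_search=False` case models a resolver that does not apply the search list, which is Squid's documented default unless `dns_defnames on` is set; a fully qualified `SSRF_SANDBOX_HOST` resolves in both cases.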