Deployment Overview of Dify on Server

Prerequisites and Basic Requirements

The deployment of Dify requires the following system specifications and configurations:
- Operating System: Ubuntu Linux distribution.
- Privileges: Root access or sudo privileges are required for system-wide package installation and Docker management.
- Required Packages:
  - ca-certificates
  - curl
  - gnupg
  - git
  - Docker Engine (docker-ce, docker-ce-cli, containerd.io)
  - Docker Buildx Plugin (docker-buildx-plugin)
  - Docker Compose Plugin (docker-compose-plugin)
- Network Ports:
  - Port 443 (HTTPS) for external access via the reverse proxy.
  - Port 80 (HTTP) for SSL certificate verification and redirection.
  - Port 3000 (internal) for local communication between the Nginx proxy and the Dify application.

FQDN of the Final Panel

The fully qualified domain name (FQDN) for accessing the Dify application panel follows the structure:
- Domain: dify<Server ID>.hostkey.in
- Access URL: https://dify<Server ID>.hostkey.in
- Port: The application is accessible via standard HTTPS port 443.

File and Directory Structure

The deployment creates the following directory structure to manage application data, configurations, and certificates:
- Application Source: /opt/dify
  - Contains the cloned Dify repository and the Docker Compose definition for the application stack.
- Nginx and Certbot Configuration: /root/nginx
  - Contains the compose.yml file for the reverse proxy and SSL service.
- SSL Certificate Storage:
  - Certificates are stored within the Docker volume nginx_secrets mapped to /etc/letsencrypt inside the container.
- Custom Nginx Configuration: /data/nginx/user_conf.d
  - Stores the site-specific configuration file dify<Server ID>.hostkey.in.conf.
- Dify Environment Configuration: /opt/dify/docker/.env
  - Contains environment variables governing the Dify stack behavior.

Application Installation Process

The application is installed and configured as a Docker-based containerized stack. The process involves cloning the official repository at a specific version and configuring the environment variables for local binding.
- Repository: https://github.com/langgenius/dify.git
- Target Version: 1.12.1
- Installation Steps:
  - Clone the repository to /opt/dify at version 1.12.1.
  - Navigate to /opt/dify/docker and copy .env.example to .env if the file does not exist.
  - Configure the .env file to bind the Nginx port to localhost to prevent conflicts with the external proxy.
  - Disable internal HTTPS within Dify as TLS is terminated by the external Nginx container.
  - Launch the stack using Docker Compose.

Docker Containers and Their Deployment

The deployment utilizes two distinct Docker Compose stacks: one for the Dify application and another for the reverse proxy and SSL management.

Dify Application Stack

Located in /opt/dify/docker, this stack runs the core application services. It is started using the following command:

Nginx and Certbot Stack

Located in /root/nginx, this stack manages the reverse proxy (nginx-certbot) and handles SSL certificate generation and renewal.
- Compose File: /root/nginx/compose.yml
- Container Name: nginx-certbot
- Image: jonasal/nginx-certbot:latest
- Network Mode: host
- Volumes:
  - nginx_secrets (mapped to /etc/letsencrypt)
  - /data/nginx/user_conf.d (mapped to /etc/nginx/user_conf.d)
- Execution Command:

Proxy Servers

An external Nginx instance running in a container acts as a reverse proxy and SSL terminator for the Dify application.
- Proxy Container: nginx-certbot
- SSL Management: Utilizes certbot to obtain and renew certificates automatically via the webroot method.
- Redirect Logic:
  - HTTP traffic on port 80 is redirected to HTTPS with a 301 status code.
  - HTTPS traffic on port 443 is proxied to the internal Dify service.
- Proxy Settings:
  - Upstream Host: 127.0.0.1
  - Upstream Port: 3000
  - Headers Passed: Host, X-Real-IP, X-Forwarded-For, X-Forwarded-Proto.
- Certificate Storage: Certificates are retrieved from Let's Encrypt and stored in /etc/letsencrypt/live/dify<Server ID>.hostkey.in/.

Configuration Files and Data

The following configuration files control the behavior of the deployed system:

| File Path | Description |
|---|---|
| /opt/dify/docker/.env | Environment variables for the Dify stack. Configured to expose ports only on 127.0.0.1 and disable internal HTTPS. |
| /root/nginx/compose.yml | Docker Compose definition for the Nginx-Certbot service. |
| /data/nginx/user_conf.d/dify<Server ID>.hostkey.in.conf | Nginx server block configuration defining the proxy rules and SSL paths. |
| /root/nginx/nginx-certbot.env | Environment variables for the Certbot container (e.g., CERTBOT_EMAIL). |

Key settings in /opt/dify/docker/.env:
- EXPOSE_NGINX_PORT: Set to 127.0.0.1:3000.
- EXPOSE_NGINX_SSL_PORT: Set to 127.0.0.1:42743 (calculated as internal port + 27443).
- NGINX_HTTPS_ENABLED: Set to false.
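
The .env changes named in the installation steps and in the key settings above can be applied idempotently and then audited. The following is an added example, not the provider's deployment script: the function names are hypothetical and the sample file is constructed.

```bash
#!/usr/bin/env bash

# Set KEY=VALUE in a .env file: rewrite every existing assignment, or append one.
set_env_key() {
    local file=$1 key=$2 value=$3 tmp
    if grep -q "^${key}=" "$file"; then
        tmp=$(mktemp)
        sed "s|^${key}=.*|${key}=${value}|" "$file" > "$tmp"
        cat "$tmp" > "$file"   # overwrite in place so owner and mode are kept
        rm -f "$tmp"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# Apply the three settings this page lists for /opt/dify/docker/.env.
harden_dify_env() {
    set_env_key "$1" EXPOSE_NGINX_PORT 127.0.0.1:3000
    set_env_key "$1" EXPOSE_NGINX_SSL_PORT 127.0.0.1:42743
    set_env_key "$1" NGINX_HTTPS_ENABLED false
}

# Return non-zero if any of those keys is missing or not set as listed.
audit_dify_env() {
    awk -F= '
        /^EXPOSE_NGINX_(SSL_)?PORT=/ {
            seen[$1] = 1
            if ($2 !~ /^127\.0\.0\.1:[0-9]+$/) { print "FAIL: " $0; bad = 1 }
        }
        /^NGINX_HTTPS_ENABLED=/ {
            seen[$1] = 1
            if ($2 != "false") { print "FAIL: " $0; bad = 1 }
        }
        END {
            n = split("EXPOSE_NGINX_PORT EXPOSE_NGINX_SSL_PORT NGINX_HTTPS_ENABLED", want, " ")
            for (i = 1; i <= n; i++)
                if (!(want[i] in seen)) { print "FAIL: " want[i] " is not set"; bad = 1 }
            exit bad + 0
        }' "$1"
}

# Constructed sample standing in for a fresh copy of .env.example.
demo_env=$(mktemp)
printf '%s\n' 'EXPOSE_NGINX_PORT=80' 'NGINX_HTTPS_ENABLED=true' > "$demo_env"
audit_dify_env "$demo_env" || echo "before: not loopback-only"
harden_dify_env "$demo_env"
audit_dify_env "$demo_env" && echo "after: loopback-only, internal HTTPS off"
rm -f "$demo_env"
```

On the server the audit would be run as `audit_dify_env /opt/dify/docker/.env` before launching the stack.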

Access Rights and Security

- SSL/TLS: All external communication is encrypted via TLS. The system enforces HTTP-to-HTTPS redirection.
- Local Binding: The Dify application's internal Nginx is bound strictly to 127.0.0.1, making it inaccessible from outside the host without the external proxy.
- Certificate Email: SSL certificates are issued under the email [email protected].

Starting, Stopping, and Updating

Service management is performed using standard Docker Compose commands in their respective directories.

Start Services

To start the Dify application:
To start the Nginx proxy:

Stop Services

To stop the Dify application:
To stop the Nginx proxy:

Update Services

To update the Nginx proxy configuration or restart the container:
To force recreate the Nginx container within the Dify stack (if necessary):

Available Ports for Connection

| Port | Protocol | Access Type | Destination |
|---|---|---|---|
| 443 | HTTPS | External (Public) | Nginx Proxy (Reverse Proxy) |
| 80 | HTTP | External (Public) | Nginx Proxy (Redirect only) |
| 3000 | HTTP | Internal (Localhost) | Dify Application |
| 42743 | HTTPS | Internal (Localhost) | Dify Application (SSL disabled) |
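
To confirm at runtime that the ports this table marks as internal are reachable only on loopback, the listener list from `ss` can be checked against it. This is an added example, not part of the original page: the function name is hypothetical and the sample `ss` lines are constructed.

```bash
#!/usr/bin/env bash
# Ports the table above marks "Internal (Localhost)".
INTERNAL_PORTS="3000 42743"

# Read `ss -Hltn` lines on stdin. Print every internal port that listens on a
# non-loopback address; return 1 if any is found, 0 otherwise.
find_exposed_internal_ports() {
    awk -v ports="$INTERNAL_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) internal[p[i]] = 1 }
        $1 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)        # text after the last colon
            host = $4; sub(/:[^:]*$/, "", host)    # text before the last colon
            if ((port in internal) && host !~ /^127\./ && host != "[::1]") {
                print port " exposed on " host
                bad = 1
            }
        }
        END { exit bad + 0 }'
}

# Constructed sample: port 3000 listening on all interfaces, as Docker does
# when a published port is given without a host address.
sample='LISTEN 0 511  0.0.0.0:80      0.0.0.0:*
LISTEN 0 511  0.0.0.0:443     0.0.0.0:*
LISTEN 0 4096 0.0.0.0:3000    0.0.0.0:*
LISTEN 0 4096 127.0.0.1:42743 0.0.0.0:*'

printf '%s\n' "$sample" | find_exposed_internal_ports || echo "internal port reachable off-host"
# On the server itself: ss -Hltn | find_exposed_internal_ports
```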