Deployment Overview of Dify on Server

Prerequisites and Basic Requirements

The deployment requires a server running Ubuntu with the following specifications:

  • Operating System: Ubuntu (specific version codename detected via /etc/os-release).
  • Privileges: Root access or sudo privileges are required to install system packages and manage Docker services.
  • Domain: A valid domain name (final_domain) must be configured and pointed to the server's IP address.
  • Ports:
      • Ports 80 and 443 must be open for the external Nginx reverse proxy and SSL certificate validation.
      • Internal ports are bound to 127.0.0.1 to prevent external conflicts, specifically port 3000 for the Dify application and a secondary port calculated as internal_port + 27443 for internal SSL handling.

File and Directory Structure

The deployment uses the following directory structure for configuration, data, and certificates:

  • /root/nginx: Contains the Docker Compose configuration for the reverse proxy (compose.yml).
  • /data/nginx/user_conf.d: Stores the Nginx server block configuration files (e.g., final_domain.conf).
  • /data/nginx/nginx-certbot.env: Environment file for the Nginx-Certbot container.
  • /etc/letsencrypt: Volume mount for SSL certificates managed by Certbot.
  • dify_dir/docker: The root directory for the Dify application, containing the .env configuration file and Docker Compose setup.
  • /etc/apt/keyrings/docker.gpg: GPG key for the Docker repository.
  • /etc/apt/sources.list.d/docker.list: Docker repository source list.

Application Installation Process

The installation involves setting up the Docker Engine, cloning the Dify repository, and configuring the environment:

  1. Install base packages including ca-certificates, curl, gnupg, and git.
  2. Add the official Docker GPG key and repository to the system.
  3. Install Docker Engine components: docker-ce, docker-ce-cli, containerd.io, docker-buildx-plugin, and docker-compose-plugin.
  4. Enable and start the Docker service.
  5. Clone the Dify repository into the designated directory (dify_dir) at a specific version tag.
  6. Generate the .env file in the dify_dir/docker directory by copying .env.example if it does not already exist.
  7. Configure the .env file to bind the internal Nginx ports to 127.0.0.1 and disable internal HTTPS, as TLS is handled externally.

Docker Containers and Their Deployment

The system deploys two distinct Docker environments: the Dify application stack and the external Nginx-Certbot proxy.

Dify Application Stack:

  • Deployed using docker compose within the dify_dir/docker directory.
  • The docker compose up -d command starts all required services for the Dify application.
  • The internal Nginx service within this stack is configured to listen only on localhost.

Nginx-Certbot Proxy:

  • Deployed using a separate docker compose file located at /root/nginx/compose.yml.
  • The container is named nginx-certbot and uses the image jonasal/nginx-certbot:latest.
  • The container runs in host network mode.
  • It mounts the nginx_secrets volume to /etc/letsencrypt and the user configuration directory to /etc/nginx/user_conf.d.
  • The service is started with docker compose up -d from the /root/nginx directory.

Proxy Servers

An external Nginx reverse proxy handles SSL termination and traffic routing for the Dify application:

  • Configuration: The server block is defined in /data/nginx/user_conf.d/final_domain.conf.
  • HTTP Redirect: Traffic on port 80 is redirected to HTTPS (port 443) with a 301 status code.
  • SSL Configuration:
      • Certificates are stored at /etc/letsencrypt/live/final_domain/.
      • The configuration utilizes fullchain.pem, privkey.pem, chain.pem, and dhparam.pem.
  • Proxy Settings:
      • All traffic is proxied to http://127.0.0.1:3000.
      • Headers Host, X-Real-IP, X-Forwarded-For, and X-Forwarded-Proto are forwarded to the backend.
  • SSL Certificate Management:
      • Certificates are obtained using Certbot via the webroot method.
      • The command executed inside the container is certbot certonly --webroot -w /var/www/letsencrypt -d final_domain.
      • The email address used for notifications is [email protected].
      • After obtaining the certificate, the nginx-certbot container is restarted to load the new SSL configuration.

Starting, Stopping, and Updating

Service management is performed using Docker Compose commands specific to each deployment directory:

  • Starting Dify:
    cd dify_dir/docker
    docker compose up -d
    
  • Starting the Proxy:
    cd /root/nginx
    docker compose up -d
    
  • Updating the Proxy: To apply changes to the Nginx configuration or SSL certificates, the proxy container is restarted:
    docker restart nginx-certbot
    
  • Recreating Dify Nginx: If port bindings or internal configurations change, the Dify Nginx service is force-recreated:
    cd dify_dir/docker
    docker compose up -d --force-recreate --no-deps nginx
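
After a port-binding change and recreate, it is worth confirming that the internal ports are still loopback-only. The check below is an added example, not part of the original deployment; it assumes internal_port is 3000, takes `ss -Hltn` output on stdin, and the helper name exposed_listeners is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original deployment): flag internal Dify ports
# that are listening on a non-loopback address.
# Assumption: internal_port is 3000, so the secondary port is 3000 + 27443.
INTERNAL_PORT=3000
SSL_PORT=$((INTERNAL_PORT + 27443))

# exposed_listeners PORT...  (hypothetical helper name)
# Reads `ss -Hltn` output on stdin, prints every listener on the given ports
# whose local address is not loopback, and returns 1 if any were found.
exposed_listeners() {
    awk -v ports="$*" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)      # text after the last colon
            addr = $4; sub(/:[^:]*$/, "", addr)  # text before the last colon
            if (!(port in want)) next
            if (addr ~ /^127\./ || addr == "[::1]") next
            print addr ":" port
            bad = 1
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample of `ss -Hltn` output: the proxy on 80/443 is public by
# design, 3000 is loopback-only, and 30443 has been published on all addresses.
SAMPLE='LISTEN 0 4096 127.0.0.1:3000 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:30443 0.0.0.0:*'

if found=$(printf '%s\n' "$SAMPLE" | exposed_listeners "$INTERNAL_PORT" "$SSL_PORT"); then
    echo "internal ports are loopback-only"
else
    echo "reachable from outside: $found"
fi
# On the server: ss -Hltn | exposed_listeners "$INTERNAL_PORT" "$SSL_PORT"
```

A listener reported here bypasses the external proxy's TLS termination, so the fix is to correct the binding in dify_dir/docker/.env and force-recreate the nginx service again.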
    