Deployment Overview of Dify on Server

Prerequisites and Basic Requirements

The following requirements must be met on the target server before deploying the application:

  • Operating System: Ubuntu (compatible with apt package manager).

  • Privileges: Root access or sudo privileges are required to install Docker, manage system services, and configure the firewall.

  • Domain Configuration: A valid domain name must be configured to point to the server's IP address.

  • Ports: The server must allow inbound traffic on port 80 (HTTP) and port 443 (HTTPS) for the reverse proxy and SSL certificate issuance.

FQDN of the Final Panel

The application is accessible via the following Fully Qualified Domain Name (FQDN) format:

  • dify<Server ID>.hostkey.in:443

Replace <Server ID> with the specific identifier assigned to the server instance. The application is served over HTTPS.

File and Directory Structure

The deployment utilizes the following directory structure for configuration, data, and application files:

  • /opt/dify: The root directory containing the Dify application source code and Docker configuration.

  • /opt/dify/docker: Contains the docker-compose.yml file and the .env configuration file for the application stack.

  • /root/nginx: Contains the Docker Compose file and configuration for the external reverse proxy and SSL management.

  • /data/nginx/user_conf.d: Stores the specific Nginx server block configuration for the Dify domain.

  • /data/nginx/nginx-certbot.env: Environment file for the Nginx-Certbot container.

  • /etc/letsencrypt: Managed by the nginx-certbot container to store SSL certificates and keys.

Application Installation Process

The application is deployed using Docker Compose with the following version and repository details:

  • Repository: https://github.com/langgenius/dify.git

  • Version: 1.12.1

  • Installation Method: The application is cloned from the repository into /opt/dify and started using the docker compose command within the /opt/dify/docker directory.

Access Rights and Security

Security measures are implemented through the following configurations:

  • Firewall: External traffic on ports 80 and 443 is handled by the reverse proxy.

  • Internal Binding: The internal Dify Nginx container is bound to 127.0.0.1 only, preventing direct external access to the application container.

  • SSL Termination: TLS termination is handled by an external nginx-certbot container, while the internal Dify Nginx has HTTPS disabled (NGINX_HTTPS_ENABLED=false).

Databases

The database configuration is managed internally by the Docker Compose stack defined in /opt/dify/docker/docker-compose.yml. The database container runs within the isolated Docker network and is not directly exposed to the host network.

Docker Containers and Their Deployment

The deployment consists of two primary Docker Compose stacks:

  1. Dify Application Stack

    • Location: /opt/dify/docker

    • Command: docker compose up -d

    • Components: Includes the Dify API, web frontend, worker, and internal Nginx.

  2. Reverse Proxy and SSL Stack

    • Location: /root/nginx

    • Command: docker compose up -d

    • Components:

      • nginx-certbot: A container running jonasal/nginx-certbot:latest to handle SSL certificates and reverse proxy traffic.

      • Network Mode: host

      • Volumes: Mounts nginx_secrets for Let's Encrypt certificates and /data/nginx/user_conf.d for custom Nginx configurations.

Proxy Servers

An external Nginx reverse proxy is configured to handle incoming traffic and SSL termination:

  • Image: jonasal/nginx-certbot:latest

  • Configuration File: /data/nginx/user_conf.d/dify<Server ID>.hostkey.in.conf

  • SSL Certificates: Automatically obtained and renewed via Certbot using the webroot method.

  • Proxy Rules:

    • Listens on ports 80 and 443.

    • Redirects HTTP traffic to HTTPS.

    • Proxies all requests to the internal Dify Nginx at http://127.0.0.1:3000.

    • Sets headers Host, X-Real-IP, X-Forwarded-For, and X-Forwarded-Proto.
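
A quick lint for the server block described above, as an added example that is not part of the original configuration: check_proxy_conf reads an Nginx config on stdin and reports any of the listed proxy rules that are missing. The function names, the hostname dify0000.example.test and the certificate paths in sample_conf are constructed placeholders.

```shell
# Added example: check a proxy server block against the proxy rules listed above.
# sample_conf prints a constructed config; hostname and cert name are placeholders.
sample_conf() {
cat <<'EOF'
# constructed sample; the ACME webroot location is omitted for brevity
server {
    listen 80;
    server_name dify0000.example.test;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name dify0000.example.test;
    ssl_certificate     /etc/letsencrypt/live/dify0000/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/dify0000/privkey.pem;
    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
EOF
}

# Reads an Nginx config on stdin; prints one line per missing rule.
# Returns 0 when every rule is present, 1 otherwise.
check_proxy_conf() {
    conf=$(sed 's/#.*//')    # drop comments so commented-out directives do not count
    rc=0
    need() { printf '%s\n' "$conf" | grep -Eq "$1" || { echo "MISSING: $2"; rc=1; }; }
    need 'listen[[:space:]]+([^;]*:)?443[[:space:]]+ssl' 'listen 443 ssl'
    need 'return[[:space:]]+301[[:space:]]+https://' 'HTTP to HTTPS redirect'
    need 'proxy_pass[[:space:]]+http://127\.0\.0\.1:3000/?;' 'proxy_pass to http://127.0.0.1:3000'
    for h in Host X-Real-IP X-Forwarded-For X-Forwarded-Proto; do
        need "proxy_set_header[[:space:]]+$h[[:space:]]" "proxy_set_header $h"
    done
    return $rc
}
```

On the server, feed it the real file: check_proxy_conf < /data/nginx/user_conf.d/dify<Server ID>.hostkey.in.conf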

Permission Settings

The following permissions are applied to critical directories:

  • /root/nginx: 0755 (Owner: root, Group: root)

  • /data/nginx/user_conf.d: 0755 (Owner: root, Group: root)

  • Nginx configuration files: 0644 (Owner: root, Group: root)

  • Docker Compose files: 0644 (Owner: root, Group: root)

Location of Configuration Files and Data

Key configuration files are located at the following paths:

  • Application Environment: /opt/dify/docker/.env

  • Application Docker Compose: /opt/dify/docker/docker-compose.yml

  • Proxy Docker Compose: /root/nginx/compose.yml

  • Proxy Nginx Config: /data/nginx/user_conf.d/dify<Server ID>.hostkey.in.conf

  • Proxy Environment: /data/nginx/nginx-certbot.env

Available Ports for Connection

The following ports are configured for the deployment:

  • Port 443: HTTPS traffic for the Dify application (External).

  • Port 80: HTTP traffic for SSL redirection (External).

  • Port 3000: Internal HTTP traffic for Dify Nginx (Bound to 127.0.0.1 only).

  • Port 27443: Internal HTTPS traffic for Dify Nginx (Bound to 127.0.0.1 only, disabled in .env).
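
The loopback binding of ports 3000 and 27443 is what keeps the internal Dify Nginx unreachable from outside, so it is worth verifying after every start or update. The following is an added example, not part of the original deployment: audit_listeners reads the output of ss -H -tln on stdin and fails if an internal port is bound beyond loopback or if 80/443 are not listening. The function names and sample socket lines are constructed.

```shell
# Added example: audit listening sockets against the port layout above.
# Input: `ss -H -tln` output on stdin (State Recv-Q Send-Q Local Peer).
# Returns 0 when the layout matches, 1 otherwise.
audit_listeners() {
    awk '
    $1 == "LISTEN" {
        n = split($4, p, ":")            # $4 is Local Address:Port
        port = p[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        seen[port] = 1
        if (port == "3000" || port == "27443") {
            if (addr == "127.0.0.1" || addr == "[::1]")
                print "OK   " $4 " loopback-only"
            else {
                print "FAIL " $4 " internal port exposed beyond loopback"
                bad = 1
            }
        }
    }
    END {
        if (!("80" in seen))  { print "FAIL nothing listening on 80";  bad = 1 }
        if (!("443" in seen)) { print "FAIL nothing listening on 443"; bad = 1 }
        exit bad + 0
    }'
}

# Constructed samples of `ss -H -tln` output, for illustration only.
sample_expected() {
cat <<'EOF'
LISTEN 0 511  0.0.0.0:80      0.0.0.0:*
LISTEN 0 511  0.0.0.0:443     0.0.0.0:*
LISTEN 0 4096 127.0.0.1:3000  0.0.0.0:*
EOF
}
sample_exposed() {
cat <<'EOF'
LISTEN 0 511  0.0.0.0:80      0.0.0.0:*
LISTEN 0 511  0.0.0.0:443     0.0.0.0:*
LISTEN 0 4096 0.0.0.0:3000    0.0.0.0:*
LISTEN 0 4096 [::]:3000       [::]:*
EOF
}
# On the server: ss -H -tln | audit_listeners
```

A FAIL on port 3000 or 27443 matters even with a host firewall in place, because ports published by Docker are opened through Docker's own iptables rules rather than the host firewall's.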

Starting, Stopping, and Updating

Service management is performed using Docker Compose commands in the respective directories:

  • Start Dify Application:

    cd /opt/dify/docker
    docker compose up -d
    

  • Stop Dify Application:

    cd /opt/dify/docker
    docker compose down
    

  • Update Dify Application: To update the application, pull the latest changes from the repository and restart the containers:

    cd /opt/dify
    git pull
    cd docker
    docker compose up -d
    

  • Start Reverse Proxy:

    cd /root/nginx
    docker compose up -d
    

  • Stop Reverse Proxy:

    cd /root/nginx
    docker compose down
    

  • Restart Nginx Container:

    docker restart nginx-certbot
    
