记录一次基于spring boot3.x 的透明代理实践(代理转发dify0.15.3工作室)
本文介绍了针对Dify 0.15.3版本安全问题的解决方案。通过将Dify部署在内网作为核心服务,业务系统作为外网接口层,实现了权限控制与业务逻辑的分离。核心方案采用基于ProxyServlet.java的透明代理机制,并针对SpringBoot 3.0进行了适配改造。文章详细阐述了代理配置、路由映射、请求过滤等关键组件的实现方法,包括配置文件设置、动态路由解析、资源请求拦截等。同时提供了Ngin
·
由于dify0.15.3存在鉴权体系不够完善,安全系数较低,开放工作室可无权限分享访问等问题,我在项目实践中采用了业务系统作为外围系统可外网访问,dify底座作为内网核心底座,仅供内网调用的方案。
一切登录权限和业务体系都在业务系统上自行开发完善,而访问内网dify的方式则是通过一个透明代理体系实现。
代理的核心是ProxyServlet.java,这是个开源组件smiley-http-proxy-servlet的关键部分,我们只需要这一个java类文件即可,但是目前最新支持仍是springboot2.x,而实际项目用的是spring boot3框架,还好我在网上找到了网友升级版https://blog.csdn.net/u011410254/article/details/129745798,其实只是把javax替换为jakarta即可。
ProxyServlet.java代码如下:
import jakarta.servlet.ServletException;
import jakarta.servlet.http.Cookie;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import lombok.SneakyThrows;
import org.apache.http.*;
import org.apache.http.client.HttpClient;
import org.apache.http.client.config.CookieSpecs;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.client.methods.AbortableHttpRequest;
import org.apache.http.client.utils.URIUtils;
import org.apache.http.config.SocketConfig;
import org.apache.http.entity.InputStreamEntity;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.message.BasicHeader;
import org.apache.http.message.BasicHttpEntityEnclosingRequest;
import org.apache.http.message.BasicHttpRequest;
import org.apache.http.message.HeaderGroup;
import org.apache.http.util.EntityUtils;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import java.io.Closeable;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpCookie;
import java.net.URI;
import java.util.BitSet;
import java.util.Enumeration;
import java.util.Formatter;
/**
* 一个基于HttpServlet的透明代理类,从别人maven源码中复制的,原版不适用,本版本主要修改适配了springboot3版本
* @author 一夕之言
* 通过参数决定是否启用
*/
@SuppressWarnings({"deprecation", "serial", "WeakerAccess"})
@ConditionalOnProperty(prefix = "dify-proxy",name = {"enabled"}, havingValue = "true")
public class ProxyServlet extends HttpServlet {
/* INIT PARAMETER NAME CONSTANTS */
/** A boolean parameter name to enable logging of input and target URLs to the servlet log. */
public static final String P_LOG = "log";
/** A boolean parameter name to enable forwarding of the client IP */
public static final String P_FORWARDEDFOR = "forwardip";
/** A boolean parameter name to keep HOST parameter as-is */
public static final String P_PRESERVEHOST = "preserveHost";
/** A boolean parameter name to keep COOKIES as-is */
public static final String P_PRESERVECOOKIES = "preserveCookies";
/** A boolean parameter name to keep COOKIE path as-is */
public static final String P_PRESERVECOOKIEPATH = "preserveCookiePath";
/** A boolean parameter name to have auto-handle redirects */
public static final String P_HANDLEREDIRECTS = "http.protocol.handle-redirects"; // ClientPNames.HANDLE_REDIRECTS
/** An integer parameter name to set the socket connection timeout (millis) */
public static final String P_CONNECTTIMEOUT = "http.socket.timeout"; // CoreConnectionPNames.SO_TIMEOUT
/** An integer parameter name to set the socket read timeout (millis) */
public static final String P_READTIMEOUT = "http.read.timeout";
/** An integer parameter name to set the connection request timeout (millis) */
public static final String P_CONNECTIONREQUESTTIMEOUT = "http.connectionrequest.timeout";
/** An integer parameter name to set max connection number */
public static final String P_MAXCONNECTIONS = "http.maxConnections";
/** A boolean parameter whether to use JVM-defined system properties to configure various networking aspects. */
public static final String P_USESYSTEMPROPERTIES = "useSystemProperties";
/** A boolean parameter to enable handling of compression in the servlet. If it is false, compressed streams are passed through unmodified. */
public static final String P_HANDLECOMPRESSION = "handleCompression";
/** The parameter name for the target (destination) URI to proxy to. */
public static final String P_TARGET_URI = "targetUri";
protected static final String ATTR_TARGET_URI =
ProxyServlet.class.getSimpleName() + ".targetUri";
protected static final String ATTR_TARGET_HOST =
ProxyServlet.class.getSimpleName() + ".targetHost";
/* MISC */
protected boolean doLog = false;
protected boolean doForwardIP = true;
/** User agents shouldn't send the url fragment but what if it does? */
protected boolean doSendUrlFragment = true;
protected boolean doPreserveHost = false;
protected boolean doPreserveCookies = false;
protected boolean doPreserveCookiePath = false;
protected boolean doHandleRedirects = false;
protected boolean useSystemProperties = true;
protected boolean doHandleCompression = false;
protected int connectTimeout = -1;
protected int readTimeout = -1;
protected int connectionRequestTimeout = -1;
protected int maxConnections = -1;
//These next 3 are cached here, and should only be referred to in initialization logic. See the
// ATTR_* parameters.
/** From the configured parameter "targetUri". */
protected String targetUri;
protected URI targetUriObj;//new URI(targetUri)
protected HttpHost targetHost;//URIUtils.extractHost(targetUriObj);
public HttpClient proxyClient;
@Override
public String getServletInfo() {
return "A proxy servlet by David Smiley, dsmiley@apache.org";
}
protected String getTargetUri(HttpServletRequest servletRequest) {
return (String) servletRequest.getAttribute(ATTR_TARGET_URI);
}
protected HttpHost getTargetHost(HttpServletRequest servletRequest) {
return (HttpHost) servletRequest.getAttribute(ATTR_TARGET_HOST);
}
/**
* Reads a configuration parameter. By default it reads servlet init parameters but
* it can be overridden.
*/
protected String getConfigParam(String key) {
return getServletConfig().getInitParameter(key);
}
@SneakyThrows
@Override
public void init() {
String doLogStr = getConfigParam(P_LOG);
if (doLogStr != null) {
this.doLog = Boolean.parseBoolean(doLogStr);
}
String doForwardIPString = getConfigParam(P_FORWARDEDFOR);
if (doForwardIPString != null) {
this.doForwardIP = Boolean.parseBoolean(doForwardIPString);
}
String preserveHostString = getConfigParam(P_PRESERVEHOST);
if (preserveHostString != null) {
this.doPreserveHost = Boolean.parseBoolean(preserveHostString);
}
String preserveCookiesString = getConfigParam(P_PRESERVECOOKIES);
if (preserveCookiesString != null) {
this.doPreserveCookies = Boolean.parseBoolean(preserveCookiesString);
}
String preserveCookiePathString = getConfigParam(P_PRESERVECOOKIEPATH);
if (preserveCookiePathString != null) {
this.doPreserveCookiePath = Boolean.parseBoolean(preserveCookiePathString);
}
String handleRedirectsString = getConfigParam(P_HANDLEREDIRECTS);
if (handleRedirectsString != null) {
this.doHandleRedirects = Boolean.parseBoolean(handleRedirectsString);
}
String connectTimeoutString = getConfigParam(P_CONNECTTIMEOUT);
if (connectTimeoutString != null) {
this.connectTimeout = Integer.parseInt(connectTimeoutString);
}
String readTimeoutString = getConfigParam(P_READTIMEOUT);
if (readTimeoutString != null) {
this.readTimeout = Integer.parseInt(readTimeoutString);
}
String connectionRequestTimeout = getConfigParam(P_CONNECTIONREQUESTTIMEOUT);
if (connectionRequestTimeout != null) {
this.connectionRequestTimeout = Integer.parseInt(connectionRequestTimeout);
}
String maxConnections = getConfigParam(P_MAXCONNECTIONS);
if (maxConnections != null) {
this.maxConnections = Integer.parseInt(maxConnections);
}
String useSystemPropertiesString = getConfigParam(P_USESYSTEMPROPERTIES);
if (useSystemPropertiesString != null) {
this.useSystemProperties = Boolean.parseBoolean(useSystemPropertiesString);
}
String doHandleCompression = getConfigParam(P_HANDLECOMPRESSION);
if (doHandleCompression != null) {
this.doHandleCompression = Boolean.parseBoolean(doHandleCompression);
}
initTarget();//sets target*
proxyClient = createHttpClient();
}
/**
* Sub-classes can override specific behaviour of {@link org.apache.http.client.config.RequestConfig}.
*/
protected RequestConfig buildRequestConfig() {
return RequestConfig.custom()
.setRedirectsEnabled(doHandleRedirects)
.setCookieSpec(CookieSpecs.IGNORE_COOKIES) // we handle them in the servlet instead
.setConnectTimeout(connectTimeout)
.setSocketTimeout(readTimeout)
.setConnectionRequestTimeout(connectionRequestTimeout)
.build();
}
/**
* Sub-classes can override specific behaviour of {@link org.apache.http.config.SocketConfig}.
*/
protected SocketConfig buildSocketConfig() {
if (readTimeout < 1) {
return null;
}
return SocketConfig.custom()
.setSoTimeout(readTimeout)
.build();
}
protected void initTarget() throws ServletException {
targetUri = getConfigParam(P_TARGET_URI);
if (targetUri == null) {
throw new ServletException(P_TARGET_URI+" is required.");
}
//test it's valid
try {
targetUriObj = new URI(targetUri);
} catch (Exception e) {
throw new ServletException("Trying to process targetUri init parameter: "+e,e);
}
targetHost = URIUtils.extractHost(targetUriObj);
}
/**
* Called from {@link #(javax.servlet.ServletConfig)}.
* HttpClient offers many opportunities for customization.
* In any case, it should be thread-safe.
*/
protected HttpClient createHttpClient() {
HttpClientBuilder clientBuilder = getHttpClientBuilder()
.setDefaultRequestConfig(buildRequestConfig())
.setDefaultSocketConfig(buildSocketConfig());
clientBuilder.setMaxConnTotal(maxConnections);
clientBuilder.setMaxConnPerRoute(maxConnections);
if(! doHandleCompression) {
clientBuilder.disableContentCompression();
}
if (useSystemProperties) {
clientBuilder = clientBuilder.useSystemProperties();
}
return buildHttpClient(clientBuilder);
}
/**
* Creates a HttpClient from the given builder. Meant as postprocessor
* to possibly adapt the client builder prior to creating the
* HttpClient.
*
* @param clientBuilder pre-configured client builder
* @return HttpClient
*/
protected HttpClient buildHttpClient(HttpClientBuilder clientBuilder) {
return clientBuilder.build();
}
/**
* Creates a {@code HttpClientBuilder}. Meant as preprocessor to possibly
* adapt the client builder prior to any configuration got applied.
*
* @return HttpClient builder
*/
protected HttpClientBuilder getHttpClientBuilder() {
return HttpClientBuilder.create();
}
/**
* The http client used.
* @see #createHttpClient()
*/
protected HttpClient getProxyClient() {
return proxyClient;
}
@Override
public void destroy() {
//Usually, clients implement Closeable:
if (proxyClient instanceof Closeable) {
try {
((Closeable) proxyClient).close();
} catch (IOException e) {
log("While destroying servlet, shutting down HttpClient: "+e, e);
}
} else {
//Older releases require we do this:
if (proxyClient != null) {
proxyClient.getConnectionManager().shutdown();
}
}
super.destroy();
}
@SneakyThrows
@Override
protected void service(HttpServletRequest servletRequest, HttpServletResponse servletResponse) {
//initialize request attributes from caches if unset by a subclass by this point
if (servletRequest.getAttribute(ATTR_TARGET_URI) == null) {
servletRequest.setAttribute(ATTR_TARGET_URI, targetUri);
}
if (servletRequest.getAttribute(ATTR_TARGET_HOST) == null) {
servletRequest.setAttribute(ATTR_TARGET_HOST, targetHost);
}
// Make the Request
//note: we won't transfer the protocol version because I'm not sure it would truly be compatible
String method = servletRequest.getMethod();
String proxyRequestUri = rewriteUrlFromRequest(servletRequest);
HttpRequest proxyRequest;
//spec: RFC 2616, sec 4.3: either of these two headers signal that there is a message body.
if (servletRequest.getHeader(HttpHeaders.CONTENT_LENGTH) != null ||
servletRequest.getHeader(HttpHeaders.TRANSFER_ENCODING) != null) {
proxyRequest = newProxyRequestWithEntity(method, proxyRequestUri, servletRequest);
} else {
proxyRequest = new BasicHttpRequest(method, proxyRequestUri);
}
copyRequestHeaders(servletRequest, proxyRequest);
setXForwardedForHeader(servletRequest, proxyRequest);
HttpResponse proxyResponse = null;
try {
// Execute the request
proxyResponse = doExecute(servletRequest, servletResponse, proxyRequest);
// Process the response:
// Pass the response code. This method with the "reason phrase" is deprecated but it's the
// only way to pass the reason along too.
int statusCode = proxyResponse.getStatusLine().getStatusCode();
//noinspection deprecation
servletResponse.setStatus(statusCode);
// Copying response headers to make sure SESSIONID or other Cookie which comes from the remote
// server will be saved in client when the proxied url was redirected to another one.
// See issue [#51](https://github.com/mitre/HTTP-Proxy-Servlet/issues/51)
copyResponseHeaders(proxyResponse, servletRequest, servletResponse);
if (statusCode == HttpServletResponse.SC_NOT_MODIFIED) {
// 304 needs special handling. See:
// http://www.ics.uci.edu/pub/ietf/http/rfc1945.html#Code304
// Don't send body entity/content!
servletResponse.setIntHeader(HttpHeaders.CONTENT_LENGTH, 0);
} else {
// Send the content to the client
copyResponseEntity(proxyResponse, servletResponse, proxyRequest, servletRequest);
}
} catch (Exception e) {
handleRequestException(proxyRequest, proxyResponse, e);
} finally {
// make sure the entire entity was consumed, so the connection is released
if (proxyResponse != null) {
EntityUtils.consumeQuietly(proxyResponse.getEntity());
}
//Note: Don't need to close servlet outputStream:
// http://stackoverflow.com/questions/1159168/should-one-call-close-on-httpservletresponse-getoutputstream-getwriter
}
}
protected void handleRequestException(HttpRequest proxyRequest, HttpResponse proxyResonse, Exception e) throws ServletException, IOException {
//abort request, according to best practice with HttpClient
if (proxyRequest instanceof AbortableHttpRequest) {
AbortableHttpRequest abortableHttpRequest = (AbortableHttpRequest) proxyRequest;
abortableHttpRequest.abort();
}
// If the response is a chunked response, it is read to completion when
// #close is called. If the sending site does not timeout or keeps sending,
// the connection will be kept open indefinitely. Closing the respone
// object terminates the stream.
if (proxyResonse instanceof Closeable) {
((Closeable) proxyResonse).close();
}
if (e instanceof RuntimeException) {
throw (RuntimeException)e;
}
if (e instanceof ServletException) {
throw (ServletException)e;
}
//noinspection ConstantConditions
if (e instanceof IOException) {
throw (IOException) e;
}
throw new RuntimeException(e);
}
protected HttpResponse doExecute(HttpServletRequest servletRequest, HttpServletResponse servletResponse,
HttpRequest proxyRequest) throws IOException {
if (doLog) {
log("proxy " + servletRequest.getMethod() + " uri: " + servletRequest.getRequestURI() + " -- " +
proxyRequest.getRequestLine().getUri());
}
return proxyClient.execute(getTargetHost(servletRequest), proxyRequest);
}
protected HttpRequest newProxyRequestWithEntity(String method, String proxyRequestUri,
HttpServletRequest servletRequest)
throws IOException {
HttpEntityEnclosingRequest eProxyRequest =
new BasicHttpEntityEnclosingRequest(method, proxyRequestUri);
// Add the input entity (streamed)
// note: we don't bother ensuring we close the servletInputStream since the container handles it
eProxyRequest.setEntity(
new InputStreamEntity(servletRequest.getInputStream(), getContentLength(servletRequest)));
return eProxyRequest;
}
// Get the header value as a long in order to more correctly proxy very large requests
private long getContentLength(HttpServletRequest request) {
String contentLengthHeader = request.getHeader("Content-Length");
if (contentLengthHeader != null) {
return Long.parseLong(contentLengthHeader);
}
return -1L;
}
protected void closeQuietly(Closeable closeable) {
try {
closeable.close();
} catch (IOException e) {
log(e.getMessage(), e);
}
}
/** These are the "hop-by-hop" headers that should not be copied.
* http://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html
* I use an HttpClient HeaderGroup class instead of Set<String> because this
* approach does case insensitive lookup faster.
*/
protected static final HeaderGroup hopByHopHeaders;
static {
hopByHopHeaders = new HeaderGroup();
String[] headers = new String[] {
"Connection", "Keep-Alive", "Proxy-Authenticate", "Proxy-Authorization",
"TE", "Trailers", "Transfer-Encoding", "Upgrade" };
for (String header : headers) {
hopByHopHeaders.addHeader(new BasicHeader(header, null));
}
}
/**
* Copy request headers from the servlet client to the proxy request.
* This is easily overridden to add your own.
*/
protected void copyRequestHeaders(HttpServletRequest servletRequest, HttpRequest proxyRequest) {
// Get an Enumeration of all of the header names sent by the client
@SuppressWarnings("unchecked")
Enumeration<String> enumerationOfHeaderNames = servletRequest.getHeaderNames();
while (enumerationOfHeaderNames.hasMoreElements()) {
String headerName = enumerationOfHeaderNames.nextElement();
copyRequestHeader(servletRequest, proxyRequest, headerName);
}
}
/**
* Copy a request header from the servlet client to the proxy request.
* This is easily overridden to filter out certain headers if desired.
*/
protected void copyRequestHeader(HttpServletRequest servletRequest, HttpRequest proxyRequest,
String headerName) {
//Instead the content-length is effectively set via InputStreamEntity
if (headerName.equalsIgnoreCase(HttpHeaders.CONTENT_LENGTH)) {
return;
}
if (hopByHopHeaders.containsHeader(headerName)) {
return;
}
// If compression is handled in the servlet, apache http client needs to
// control the Accept-Encoding header, not the client
if (doHandleCompression && headerName.equalsIgnoreCase(HttpHeaders.ACCEPT_ENCODING)) {
return;
}
@SuppressWarnings("unchecked")
Enumeration<String> headers = servletRequest.getHeaders(headerName);
while (headers.hasMoreElements()) {//sometimes more than one value
String headerValue = headers.nextElement();
// In case the proxy host is running multiple virtual servers,
// rewrite the Host header to ensure that we get content from
// the correct virtual server
if (!doPreserveHost && headerName.equalsIgnoreCase(HttpHeaders.HOST)) {
HttpHost host = getTargetHost(servletRequest);
headerValue = host.getHostName();
if (host.getPort() != -1) {
headerValue += ":"+host.getPort();
}
} else if (!doPreserveCookies && headerName.equalsIgnoreCase(org.apache.http.cookie.SM.COOKIE)) {
headerValue = getRealCookie(headerValue);
}
proxyRequest.addHeader(headerName, headerValue);
}
}
private void setXForwardedForHeader(HttpServletRequest servletRequest,
HttpRequest proxyRequest) {
if (doForwardIP) {
String forHeaderName = "X-Forwarded-For";
String forHeader = servletRequest.getRemoteAddr();
String existingForHeader = servletRequest.getHeader(forHeaderName);
if (existingForHeader != null) {
forHeader = existingForHeader + ", " + forHeader;
}
proxyRequest.setHeader(forHeaderName, forHeader);
String protoHeaderName = "X-Forwarded-Proto";
String protoHeader = servletRequest.getScheme();
proxyRequest.setHeader(protoHeaderName, protoHeader);
}
}
/** Copy proxied response headers back to the servlet client. */
protected void copyResponseHeaders(HttpResponse proxyResponse, HttpServletRequest servletRequest,
HttpServletResponse servletResponse) {
for (Header header : proxyResponse.getAllHeaders()) {
copyResponseHeader(servletRequest, servletResponse, header);
}
}
/** Copy a proxied response header back to the servlet client.
* This is easily overwritten to filter out certain headers if desired.
*/
protected void copyResponseHeader(HttpServletRequest servletRequest,
HttpServletResponse servletResponse, Header header) {
String headerName = header.getName();
if (hopByHopHeaders.containsHeader(headerName)) {
return;
}
String headerValue = header.getValue();
if (headerName.equalsIgnoreCase(org.apache.http.cookie.SM.SET_COOKIE) ||
headerName.equalsIgnoreCase(org.apache.http.cookie.SM.SET_COOKIE2)) {
copyProxyCookie(servletRequest, servletResponse, headerValue);
} else if (headerName.equalsIgnoreCase(HttpHeaders.LOCATION)) {
// LOCATION Header may have to be rewritten.
servletResponse.addHeader(headerName, rewriteUrlFromResponse(servletRequest, headerValue));
} else {
servletResponse.addHeader(headerName, headerValue);
}
}
/**
* Copy cookie from the proxy to the servlet client.
* Replaces cookie path to local path and renames cookie to avoid collisions.
*/
protected void copyProxyCookie(HttpServletRequest servletRequest,
HttpServletResponse servletResponse, String headerValue) {
for (HttpCookie cookie : HttpCookie.parse(headerValue)) {
Cookie servletCookie = createProxyCookie(servletRequest, cookie);
servletResponse.addCookie(servletCookie);
}
}
/**
* Creates a proxy cookie from the original cookie.
*
* @param servletRequest original request
* @param cookie original cookie
* @return proxy cookie
*/
protected Cookie createProxyCookie(HttpServletRequest servletRequest, HttpCookie cookie) {
String proxyCookieName = getProxyCookieName(cookie);
Cookie servletCookie = new Cookie(proxyCookieName, cookie.getValue());
servletCookie.setPath(this.doPreserveCookiePath ?
cookie.getPath() : // preserve original cookie path
buildProxyCookiePath(servletRequest) //set to the path of the proxy servlet
);
// servletCookie.setComment(cookie.getComment());
servletCookie.setMaxAge((int) cookie.getMaxAge());
// don't set cookie domain
servletCookie.setSecure(servletRequest.isSecure() && cookie.getSecure());
// servletCookie.setVersion(cookie.getVersion());
servletCookie.setHttpOnly(cookie.isHttpOnly());
return servletCookie;
}
/**
* Set cookie name prefixed with a proxy value so it won't collide with other cookies.
*
* @param cookie cookie to get proxy cookie name for
* @return non-conflicting proxy cookie name
*/
protected String getProxyCookieName(HttpCookie cookie) {
//
return doPreserveCookies ? cookie.getName() : getCookieNamePrefix(cookie.getName()) + cookie.getName();
}
/**
* Create path for proxy cookie.
*
* @param servletRequest original request
* @return proxy cookie path
*/
protected String buildProxyCookiePath(HttpServletRequest servletRequest) {
String path = servletRequest.getContextPath(); // path starts with / or is empty string
path += servletRequest.getServletPath(); // servlet path starts with / or is empty string
if (path.isEmpty()) {
path = "/";
}
return path;
}
/**
* Take any client cookies that were originally from the proxy and prepare them to send to the
* proxy. This relies on cookie headers being set correctly according to RFC 6265 Sec 5.4.
* This also blocks any local cookies from being sent to the proxy.
*/
protected String getRealCookie(String cookieValue) {
StringBuilder escapedCookie = new StringBuilder();
String cookies[] = cookieValue.split("[;,]");
for (String cookie : cookies) {
String cookieSplit[] = cookie.split("=");
if (cookieSplit.length == 2) {
String cookieName = cookieSplit[0].trim();
if (cookieName.startsWith(getCookieNamePrefix(cookieName))) {
cookieName = cookieName.substring(getCookieNamePrefix(cookieName).length());
if (escapedCookie.length() > 0) {
escapedCookie.append("; ");
}
escapedCookie.append(cookieName).append("=").append(cookieSplit[1].trim());
}
}
}
return escapedCookie.toString();
}
/** The string prefixing rewritten cookies. */
protected String getCookieNamePrefix(String name) {
return "!Proxy!" + getServletConfig().getServletName();
}
/** Copy response body data (the entity) from the proxy to the servlet client. */
protected void copyResponseEntity(HttpResponse proxyResponse, HttpServletResponse servletResponse,
HttpRequest proxyRequest, HttpServletRequest servletRequest)
throws IOException {
HttpEntity entity = proxyResponse.getEntity();
if (entity != null) {
if (entity.isChunked()) {
// Flush intermediate results before blocking on input -- needed for SSE
InputStream is = entity.getContent();
OutputStream os = servletResponse.getOutputStream();
byte[] buffer = new byte[10 * 1024];
int read;
while ((read = is.read(buffer)) != -1) {
os.write(buffer, 0, read);
/*-
* Issue in Apache http client/JDK: if the stream from client is
* compressed, apache http client will delegate to GzipInputStream.
* The #available implementation of InflaterInputStream (parent of
* GzipInputStream) return 1 until EOF is reached. This is not
* consistent with InputStream#available, which defines:
*
* A single read or skip of this many bytes will not block,
* but may read or skip fewer bytes.
*
* To work around this, a flush is issued always if compression
* is handled by apache http client
*/
if (doHandleCompression || is.available() == 0 /* next is.read will block */) {
os.flush();
}
}
// Entity closing/cleanup is done in the caller (#service)
} else {
OutputStream servletOutputStream = servletResponse.getOutputStream();
entity.writeTo(servletOutputStream);
}
}
}
/**
* Reads the request URI from {@code servletRequest} and rewrites it, considering targetUri.
* It's used to make the new request.
*/
protected String rewriteUrlFromRequest(HttpServletRequest servletRequest) {
StringBuilder uri = new StringBuilder(500);
uri.append(getTargetUri(servletRequest));
// Handle the path given to the servlet
String pathInfo = rewritePathInfoFromRequest(servletRequest);
if (pathInfo != null) {//ex: /my/path.html
// getPathInfo() returns decoded string, so we need encodeUriQuery to encode "%" characters
uri.append(encodeUriQuery(pathInfo, true));
}
// Handle the query string & fragment
String queryString = servletRequest.getQueryString();//ex:(following '?'): name=value&foo=bar#fragment
String fragment = null;
//split off fragment from queryString, updating queryString if found
if (queryString != null) {
int fragIdx = queryString.indexOf('#');
if (fragIdx >= 0) {
fragment = queryString.substring(fragIdx + 1);
queryString = queryString.substring(0,fragIdx);
}
}
queryString = rewriteQueryStringFromRequest(servletRequest, queryString);
if (queryString != null && queryString.length() > 0) {
uri.append('?');
// queryString is not decoded, so we need encodeUriQuery not to encode "%" characters, to avoid double-encoding
uri.append(encodeUriQuery(queryString, false));
}
if (doSendUrlFragment && fragment != null) {
uri.append('#');
// fragment is not decoded, so we need encodeUriQuery not to encode "%" characters, to avoid double-encoding
uri.append(encodeUriQuery(fragment, false));
}
return uri.toString();
}
protected String rewriteQueryStringFromRequest(HttpServletRequest servletRequest, String queryString) {
return queryString;
}
/**
* Allow overrides of {@link javax.servlet.http.HttpServletRequest#getPathInfo()}.
* Useful when url-pattern of servlet-mapping (web.xml) requires manipulation.
*/
protected String rewritePathInfoFromRequest(HttpServletRequest servletRequest) {
return servletRequest.getPathInfo();
}
/**
* For a redirect response from the target server, this translates {@code theUrl} to redirect to
* and translates it to one the original client can use.
*/
protected String rewriteUrlFromResponse(HttpServletRequest servletRequest, String theUrl) {
//TODO document example paths
final String targetUri = getTargetUri(servletRequest);
if (theUrl.startsWith(targetUri)) {
/*-
* The URL points back to the back-end server.
* Instead of returning it verbatim we replace the target path with our
* source path in a way that should instruct the original client to
* request the URL pointed through this Proxy.
* We do this by taking the current request and rewriting the path part
* using this servlet's absolute path and the path from the returned URL
* after the base target URL.
*/
StringBuffer curUrl = servletRequest.getRequestURL();//no query
int pos;
// Skip the protocol part
if ((pos = curUrl.indexOf("://"))>=0) {
// Skip the authority part
// + 3 to skip the separator between protocol and authority
if ((pos = curUrl.indexOf("/", pos + 3)) >=0) {
// Trim everything after the authority part.
curUrl.setLength(pos);
}
}
// Context path starts with a / if it is not blank
curUrl.append(servletRequest.getContextPath());
// Servlet path starts with a / if it is not blank
curUrl.append(servletRequest.getServletPath());
curUrl.append(theUrl, targetUri.length(), theUrl.length());
return curUrl.toString();
}
return theUrl;
}
/** The target URI as configured. Not null. */
public String getTargetUri() { return targetUri; }
/**
* Encodes characters in the query or fragment part of the URI.
*
* <p>Unfortunately, an incoming URI sometimes has characters disallowed by the spec. HttpClient
* insists that the outgoing proxied request has a valid URI because it uses Java's {@link URI}.
* To be more forgiving, we must escape the problematic characters. See the URI class for the
* spec.
*
* @param in example: name=value&foo=bar#fragment
* @param encodePercent determine whether percent characters need to be encoded
*/
protected CharSequence encodeUriQuery(CharSequence in, boolean encodePercent) {
//Note that I can't simply use URI.java to encode because it will escape pre-existing escaped things.
StringBuilder outBuf = null;
Formatter formatter = null;
for(int i = 0; i < in.length(); i++) {
char c = in.charAt(i);
boolean escape = true;
if (c < 128) {
if (asciiQueryChars.get(c) && !(encodePercent && c == '%')) {
escape = false;
}
} else if (!Character.isISOControl(c) && !Character.isSpaceChar(c)) {//not-ascii
escape = false;
}
if (!escape) {
if (outBuf != null) {
outBuf.append(c);
}
} else {
//escape
if (outBuf == null) {
outBuf = new StringBuilder(in.length() + 5*3);
outBuf.append(in,0,i);
formatter = new Formatter(outBuf);
}
//leading %, 0 padded, width 2, capital hex
formatter.format("%%%02X",(int)c);//TODO
}
}
return outBuf != null ? outBuf : in;
}
protected static final BitSet asciiQueryChars;
static {
char[] c_unreserved = "_-!.~'()*".toCharArray();//plus alphanum
char[] c_punct = ",;:$&+=".toCharArray();
char[] c_reserved = "/@".toCharArray();//plus punct. Exclude '?'; RFC-2616 3.2.2. Exclude '[', ']'; https://www.ietf.org/rfc/rfc1738.txt, unsafe characters
asciiQueryChars = new BitSet(128);
for(char c = 'a'; c <= 'z'; c++) {
asciiQueryChars.set(c);
}
for(char c = 'A'; c <= 'Z'; c++) {
asciiQueryChars.set(c);
}
for(char c = '0'; c <= '9'; c++) {
asciiQueryChars.set(c);
}
for(char c : c_unreserved) {
asciiQueryChars.set(c);
}
for(char c : c_punct) {
asciiQueryChars.set(c);
}
for(char c : c_reserved) {
asciiQueryChars.set(c);
}
asciiQueryChars.set('%');//leave existing percent escapes in place
}
}接下来,为了方便配置代理的开关,我们往application.yml之类的项目配置文件里写入配置,配置内容严格按照注释填写(需要注意的是,项目后台自身的接口前缀一定不能和dify接口前缀/api/一致,否则无法放入白名单排除):
--- # dify代理配置
dify-proxy:
# 是否开启代理,默认true
enabled: true
# 后端服务nginx前缀,不存在则配空字符串!!!
nginxPath: "/back-api"
# 监听后台服务dify路径标识,必须有
proxyPath: "/difyProxy/"
# 目前这里只能配置一个dify后台
routeMappings:
# 路由映射,必须有,对应dify后台转发路由标识
- sourcePath: "/fromDify/"
# 目标dify服务地址,必须有,对应dify后台地址,请自行替换你部署的dify内网ip和端口
targetUrl: "http://ip:port/"
# dify账号密码,自行修改
email: "xxx@xxx.com"
password: "xxx"
## 白名单放行接口前缀,本系统后端所有接口前缀,一定要排除代理!!!
reservedPrefixes:
- /back/api/对应配置类代码:
import com.example.dify.api.business.dify.model.dto.RouteMappingDTO;
import lombok.Data;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.stereotype.Component;
import java.util.ArrayList;
import java.util.List;
/**
* dify配置类
* @author 一夕之言
*/
@Component
@ConfigurationProperties(prefix = "dify-proxy")
@Data
public class DifyProxyProperties {
/**
* 默认开启代理
* */
private boolean enabled = true;
/**
* nginx路径前缀
* */
private String nginxPath;
/**
* 代理路径前缀
* */
private String proxyPath;
/**
* 保留路径前缀(直接使用)
* */
private List<String> reservedPrefixes = new ArrayList<>();
/**
* 解析后的路由映射(缓存)
* */
private List<RouteMappingDTO> routeMappings;
}编写一个路由用DTO,命名为RouteMappingDTO.java:
import lombok.Data;
import java.io.Serializable;
/**
* @author 一夕之言
*/
@Data
public class RouteMappingDTO implements Serializable {
private String sourcePath;
private String targetUrl;
private String email;
private String password;
}编写一个子类PerfectProxyServlet.java继承ProxyServlet.java:
import cn.hutool.core.collection.CollectionUtil;
import cn.hutool.core.util.StrUtil;
import com.example.dify.api.business.dify.config.DifyProxyProperties;
import com.example.dify.api.business.dify.service.DynamicRouteResolver;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.apache.http.*;
import org.apache.http.client.utils.URIUtils;
import org.apache.http.entity.InputStreamEntity;
import org.apache.http.message.BasicHeader;
import org.apache.http.message.BasicHttpEntityEnclosingRequest;
import org.apache.http.protocol.HTTP;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import java.io.IOException;
import java.io.OutputStream;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
/**
* 用Servlet方式处理所有dify代理请求,作为透明代理转发到dify服务
* @author 一夕之言
* 通过参数决定是否启用
*/
@ConditionalOnProperty(prefix = "dify-proxy",name = {"enabled"}, havingValue = "true")
public class PerfectProxyServlet extends ProxyServlet {
private final DynamicRouteResolver routeResolver;
private final DifyProxyProperties proxyProperties;
public PerfectProxyServlet(DynamicRouteResolver routeResolver, DifyProxyProperties proxyProperties) {
this.routeResolver = routeResolver;
this.proxyProperties = proxyProperties;
this.proxyProperties.setNginxPath(StrUtil.isBlank(this.proxyProperties.getNginxPath())?this.proxyProperties.getNginxPath():"");
}
@Override
public void init() {
// 跳过父类的静态目标URI初始化
initWithoutStaticTarget();
}
private void initWithoutStaticTarget() {
// 初始化所有配置参数(从父类复制)
String doLogStr = getConfigParam(P_LOG);
if (doLogStr != null) {
this.doLog = Boolean.parseBoolean(doLogStr);
}
// 初始化其他参数...
// 创建HTTP客户端
proxyClient = createHttpClient();
}
@Override
protected void service(HttpServletRequest servletRequest, HttpServletResponse servletResponse){
try {
// 获取完整请求路径
String requestPath = servletRequest.getRequestURI().replace(this.proxyProperties.getNginxPath(),"");
String queryString = servletRequest.getQueryString();
String fullPath = requestPath + (queryString != null ? "?" + queryString : "");
// 解析目标URI
URI targetUri = routeResolver.resolveTargetUri(fullPath);
// 设置目标URI和Host
servletRequest.setAttribute(ATTR_TARGET_URI, targetUri.toString());
servletRequest.setAttribute(ATTR_TARGET_HOST, URIUtils.extractHost(targetUri));
super.service(servletRequest, servletResponse);
} catch (Exception e) {
try {
servletResponse.sendError(HttpServletResponse.SC_NOT_FOUND, "Route not found");
}catch (IOException ex){
ex.printStackTrace();
}
}
}
@Override
protected String rewriteUrlFromRequest(HttpServletRequest servletRequest) {
// 直接使用动态设置的目标URI
return getTargetUri(servletRequest);
}
@Override
protected void copyRequestHeaders(HttpServletRequest servletRequest, HttpRequest proxyRequest) {
// 复制所有请求头
Enumeration<String> headerNames = servletRequest.getHeaderNames();
while (headerNames.hasMoreElements()) {
String headerName = headerNames.nextElement();
// 跳过某些敏感头
if (HTTP.CONTENT_LEN.equalsIgnoreCase(headerName)) {
continue;
}
if (hopByHopHeaders.containsHeader(headerName)) {
continue;
}
Enumeration<String> values = servletRequest.getHeaders(headerName);
while (values.hasMoreElements()) {
String value = values.nextElement();
proxyRequest.addHeader(new BasicHeader(headerName, value));
}
}
// 设置正确的Host头
HttpHost targetHost = getTargetHost(servletRequest);
proxyRequest.setHeader(HTTP.TARGET_HOST, targetHost.getHostName());
}
@Override
protected void copyResponseHeaders(HttpResponse proxyResponse, HttpServletRequest servletRequest,
HttpServletResponse servletResponse) {
// 复制所有响应头
for (Header header : proxyResponse.getAllHeaders()) {
if (hopByHopHeaders.containsHeader(header.getName())) {
continue;
}
// 特殊处理Location头(重定向)
if ("Location".equalsIgnoreCase(header.getName())) {
String location = header.getValue();
try {
// 将重定向地址转换为代理地址
String proxyLocation = routeResolver.convertToProxyUrl(location);
servletResponse.setHeader("Location", proxyLocation);
} catch (URISyntaxException e) {
// 如果转换失败,使用原始地址
servletResponse.setHeader(header.getName(), header.getValue());
}
} else {
servletResponse.setHeader(header.getName(), header.getValue());
}
}
// 移除可能泄露目标服务器的头
servletResponse.setHeader("Server", "ProxyServer");
servletResponse.setHeader("X-Powered-By", null);
}
@Override
protected void copyResponseEntity(HttpResponse proxyResponse, HttpServletResponse servletResponse,
HttpRequest proxyRequest, HttpServletRequest servletRequest)
throws IOException {
// 完全透明地转发响应体
HttpEntity entity = proxyResponse.getEntity();
if (entity != null) {
try (OutputStream out = servletResponse.getOutputStream()) {
entity.writeTo(out);
}
}
}
@Override
protected HttpRequest newProxyRequestWithEntity(String method, String proxyRequestUri,
HttpServletRequest servletRequest)
throws IOException {
// 创建包含实体的请求
HttpEntityEnclosingRequest request = new BasicHttpEntityEnclosingRequest(method, proxyRequestUri);
// 设置请求实体
request.setEntity(new InputStreamEntity(
servletRequest.getInputStream(),
servletRequest.getContentLength()
));
return request;
}
}编写一个路由工具类DynamicRouteResolver.java,由于路由相关方法的编写:
import cn.hutool.core.collection.CollectionUtil;
import cn.hutool.core.util.StrUtil;
import com.example.dify.api.business.dify.config.DifyProxyProperties;
import com.example.dify.api.business.dify.model.dto.RouteMappingDTO;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.stereotype.Component;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
/**
* dify路由配置类,提供一系列转发方法
* @author 一夕之言
* 通过参数决定是否启用
*/
@ConditionalOnProperty(prefix = "dify-proxy",name = {"enabled"}, havingValue = "true")
@Component
public class DynamicRouteResolver {
public final Map<String, String> routeMappings = new ConcurrentHashMap<>();
private final Set<String> reservedPrefixes = new HashSet<>();
private DifyProxyProperties proxyProperties;
public DynamicRouteResolver(DifyProxyProperties proxyProperties) {
this.proxyProperties = proxyProperties;
this.proxyProperties.setNginxPath(StrUtil.isBlank(this.proxyProperties.getNginxPath())?this.proxyProperties.getNginxPath():"");
// 添加保留前缀(自有项目接口)
if(CollectionUtil.isNotEmpty(proxyProperties.getReservedPrefixes())) {
proxyProperties.getReservedPrefixes().forEach(s ->{
addReservedPrefix(s);
});
}
if(CollectionUtil.isNotEmpty(proxyProperties.getRouteMappings())) {
for(RouteMappingDTO routeMapping : proxyProperties.getRouteMappings()){
// 示例路由配置
addRouteMapping(routeMapping.getSourcePath(), routeMapping.getTargetUrl());
}
}
}
public void addReservedPrefix(String prefix) {
if (!prefix.startsWith("/")) {
prefix = "/" + prefix;
}
if (!prefix.endsWith("/")) {
prefix += "/";
}
reservedPrefixes.add(prefix);
}
public void addRouteMapping(String proxyPath, String targetUrl) {
// 确保路径格式正确
if (!proxyPath.startsWith("/")) {
proxyPath = "/" + proxyPath;
}
if (!proxyPath.endsWith("/")) {
proxyPath += "/";
}
if (!targetUrl.endsWith("/")) {
targetUrl += "/";
}
// 检查是否与保留前缀冲突
if (reservedPrefixes.contains(proxyPath)) {
throw new IllegalArgumentException("Proxy path conflicts with reserved prefix: " + proxyPath);
}
routeMappings.put(proxyPath, targetUrl);
}
public URI resolveTargetUri(String fullRequestPath) throws RuntimeException, URISyntaxException {
// 格式: /difyProxy/{routeKey}/path/to/resource
if (!fullRequestPath.replace(this.proxyProperties.getNginxPath(),"").startsWith(this.proxyProperties.getProxyPath())) {
throw new RuntimeException("Invalid proxy path");
}
// 提取路由键
String[] parts = fullRequestPath.replace(this.proxyProperties.getNginxPath(),"").substring(this.proxyProperties.getProxyPath().length()).split("/", 2);
if (parts.length < 1) {
throw new RuntimeException("Missing route key");
}
String routeKey = parts[0];
if (!routeKey.startsWith("/")) {
routeKey = "/" + routeKey;
}
if (!routeKey.endsWith("/")) {
routeKey += "/";
}
String targetBase = routeMappings.get(routeKey);
if (targetBase == null) {
throw new RuntimeException("Route not found: " + routeKey);
}
// 构建目标路径
String targetPath = (parts.length > 1) ? parts[1] : "";
String url = targetBase + targetPath;
return new URI(url);
}
public String convertToProxyUrl(String targetUrl) throws URISyntaxException {
// 将目标URL转换为代理URL
for (Map.Entry<String, String> entry : routeMappings.entrySet()) {
String targetBase = entry.getValue();
if (targetUrl.replace(this.proxyProperties.getNginxPath(),"").startsWith(targetBase)) {
String proxyPrefix = entry.getKey();
String relativePath = targetUrl.replace(this.proxyProperties.getNginxPath(),"").substring(targetBase.length());
return this.proxyProperties.getNginxPath()+proxyPrefix + relativePath;
}
}
return targetUrl; // 如果无法转换,返回原始URL
}
}写一个拦截器ResourceRequestFilter.java拦截所有请求,筛选出dify转发部分进行处理,其他请求放行:
import cn.hutool.core.util.StrUtil;
import com.example.dify.api.business.dify.config.DifyProxyProperties;
import com.example.dify.api.business.dify.service.DynamicRouteResolver;
import jakarta.servlet.*;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import lombok.extern.slf4j.Slf4j;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import java.io.IOException;
/**
* 拦截所有请求,并将识别出的dify代理请求转发至PerfectProxyServlet处理,特别是dify页面中的请求
* @author: 一夕之言
* 通过参数决定是否启用
* */
@Slf4j
@ConditionalOnProperty(prefix = "dify-proxy",name = {"enabled"}, havingValue = "true")
public class ResourceRequestFilter implements Filter {
private final DynamicRouteResolver routeResolver;
private final DifyProxyProperties proxyProperties;
public ResourceRequestFilter(DynamicRouteResolver routeResolver, DifyProxyProperties proxyProperties) {
this.routeResolver = routeResolver;
this.proxyProperties = proxyProperties;
this.proxyProperties.setNginxPath(StrUtil.isBlank(this.proxyProperties.getNginxPath())?this.proxyProperties.getNginxPath():"");
}
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws IOException, ServletException {
HttpServletRequest httpRequest = (HttpServletRequest) request;
String path = httpRequest.getRequestURI().replace(this.proxyProperties.getNginxPath(),"");
if(path.contains(this.proxyProperties.getProxyPath())){
log.info("请求路径:{}",path);
}
// 创建包装器并传递修改后的路径
// 跳过自有接口路径
if (isReservedPath(path.replace(this.proxyProperties.getNginxPath(),""))) {
chain.doFilter(httpRequest, response); // 传递包装后的请求
return;
}
// 跳过代理路径
if (path.replace(this.proxyProperties.getNginxPath(),"").startsWith(this.proxyProperties.getProxyPath())) {
chain.doFilter(httpRequest, response);
return;
}
// 处理资源请求
handleResourceRequest(httpRequest, (HttpServletResponse) response, chain);
}
private void handleResourceRequest(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
throws IOException, ServletException {
String referer = request.getHeader("Referer");
referer = StrUtil.isNotBlank(referer)?referer.replace(this.proxyProperties.getNginxPath(),""): "";
String url = request.getRequestURI().replace(this.proxyProperties.getNginxPath(),"");
if (StrUtil.isBlank(referer) || !(referer.contains(this.proxyProperties.getProxyPath()) ||
(url.endsWith(".svg")
||url.endsWith(".js")
||url.endsWith(".ttf")
||url.endsWith(".map")))) {
chain.doFilter(request, response);
return;
}
// 从Referer提取路由键
String routeKey = extractRouteKeyFromUrl(referer);
if (routeKey == null &&
!(url.endsWith(".svg")
||url.endsWith(".js")
||url.endsWith(".ttf")
||url.endsWith(".map"))) {
chain.doFilter(request, response);
return;
}
if(url.endsWith(".svg")
||url.endsWith(".js")
||url.endsWith(".ttf")
||url.endsWith(".map")){
routeKey = routeResolver.routeMappings.keySet().stream().findFirst().get().replace("/","");
}
// 构建新的代理资源路径
String newPath = this.proxyProperties.getNginxPath()+this.proxyProperties.getProxyPath() + routeKey + url;
// 内部重定向到代理路径
request.getRequestDispatcher(newPath).forward(request, response);
}
private String extractRouteKeyFromUrl(String url) {
if (url.contains(this.proxyProperties.getProxyPath())) {
int start = url.indexOf(this.proxyProperties.getProxyPath()) + this.proxyProperties.getProxyPath().length();
int end = url.indexOf("/",start);
if (end == -1) {
end = url.length();
}
return url.substring(start, end);
}
return null;
}
private boolean isReservedPath(String path) {
return proxyProperties.getReservedPrefixes().stream()
.anyMatch(prefix -> path.contains(prefix));
}
}写一个代理配置类ProxyConfig.java,随服务启动时注入过滤器和servlet:
import cn.hutool.core.util.StrUtil;
import com.example.dify.api.business.dify.filter.ResourceRequestFilter;
import com.example.dify.api.business.dify.serverlet.PerfectProxyServlet;
import com.example.dify.api.business.dify.service.DynamicRouteResolver;
import com.example.dify.api.business.dify.service.RouteManagementService;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.boot.web.servlet.ServletRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
/**
* 初始化注入配置类,注入ResourceRequestFilter和PerfectProxyServlet,拦截指定路径
* @author lyx
* 通过参数决定是否启用
*/
@ConditionalOnProperty(prefix = "dify-proxy",name = {"enabled"}, havingValue = "true")
@Configuration
public class ProxyConfig {
private final DifyProxyProperties proxyProperties;
public ProxyConfig(DifyProxyProperties proxyProperties) {
this.proxyProperties = proxyProperties;
this.proxyProperties.setNginxPath(StrUtil.isBlank(this.proxyProperties.getNginxPath())?this.proxyProperties.getNginxPath():"");
}
@Bean
public DynamicRouteResolver dynamicRouteResolver(RouteManagementService routeService) {
DynamicRouteResolver resolver = new DynamicRouteResolver(proxyProperties);
// 初始化路由
routeService.getAllRoutes().forEach((routeKey, targetUrl) -> {
resolver.addRouteMapping(this.proxyProperties.getProxyPath() + routeKey + "/", targetUrl);
});
return resolver;
}
@Bean
public ServletRegistrationBean<PerfectProxyServlet> proxyServlet(DynamicRouteResolver routeResolver) {
ServletRegistrationBean<PerfectProxyServlet> reg =
new ServletRegistrationBean<>(new PerfectProxyServlet(routeResolver, proxyProperties, difyApiService, difyAuthService), this.proxyProperties.getNginxPath()+this.proxyProperties.getProxyPath()+"*");
// 关键配置
reg.addInitParameter("preserveHost", "false");
reg.addInitParameter("forwardip", "true");
reg.addInitParameter("http.protocol.handle-redirects", "true");
reg.addInitParameter("log", "false");
return reg;
}
@Bean
public FilterRegistrationBean<ResourceRequestFilter> resourceRequestFilter(DynamicRouteResolver routeResolver) {
FilterRegistrationBean<ResourceRequestFilter> reg = new FilterRegistrationBean<>();
reg.setFilter(new ResourceRequestFilter(routeResolver, proxyProperties));
reg.addUrlPatterns("/*");
// 最高优先级
reg.setOrder(Ordered.HIGHEST_PRECEDENCE);
return reg;
}
}好了,以上基本上代码都给出了,接下来鉴权就看你想写在哪里,可以直接拦截/difyProxy/路径标识的内容后再写鉴权逻辑,比如使用sa-token的项目,可以在实现WebMvcConfigurer的类似SecurityConfig类中,注入Bean,随服务启动拦截鉴权,这里采用路径传参token:
/**
* 启动注入,对 proxy dify代理接口 做token鉴权
* 通过参数决定是否启用
*/
@Bean
@ConditionalOnProperty(prefix = "dify-proxy",name = {"enabled"}, havingValue = "true")
public SaServletFilter getProxyFilter() {
final SecurityDifyProxyProperties proxyProperties = getProxyProperties();
return new SaServletFilter()
.addInclude(proxyProperties.getProxyPath(), proxyProperties.getProxyPath()+"**")
.setAuth(obj -> {
//先检url传参
String token = ServletUtils.getRequest().getParameter("token");
if (StringUtils.isNotEmpty(token)) {
SaHolder.getStorage().set(StpUtil.getStpLogic().splicingKeyJustCreatedSave(), "Bearer "+token);
}
StpUtil.checkLogin();
})
.setError(e -> SaResult.error(e.getMessage()).setCode(HttpStatus.UNAUTHORIZED));
}
/**
* dify配置类注入
* 通过参数决定是否启用
* */
@ConditionalOnProperty(prefix = "dify-proxy",name = {"enabled"}, havingValue = "true")
public SecurityDifyProxyProperties getProxyProperties() {
return SpringUtils.getBean(SecurityDifyProxyProperties.class);
}最后,关键部分,由于转发后的地址会请求静态资源,以及相关前端js也会自行请求资源,这些后发的请求并不会被转发,这时候需要走反向代理处理一下,识别出这些请求的上一个请求是否包含代理路径标识,这在请求中包含在头部Referer里,我这里使用nginx,参考配置如下:
server {
listen 8081;
listen [::]:8081;
server_name _;
#charset koi8-r;
#access_log logs/host.access.log main;
location ^~/back-api/ {
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_pass http://127.0.0.1:8080/;
proxy_http_version 1.1;
}
# 特殊处理:识别dify代理资源请求
location ^~/_next/ {
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_pass http://127.0.0.1:8080;
proxy_http_version 1.1;
}
# 特殊处理:识别dify代理资源请求
location / {
# 检查Referer是否包含difyProxy
if ($http_referer ~* "/difyProxy/") {
# 转发到统一代理入口
rewrite ^(.*)$ /back-api$1 last;
}
# 非代理资源由前端处理,保持原样
root html;
index diff.html;
try_files $uri /$uri /diff.html;
}
# API
location ^~/api/ {
# 检查Referer是否包含difyProxy 代理前缀
if ($http_referer ~* "/difyProxy/") {
# 转发到统一代理入口
rewrite ^(.*)$ /back-api$1 last;
}
proxy_pass http://127.0.0.1:8080/;
proxy_set_header Host $host;
proxy_set_header X-Real_IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr:$remote_port;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_connect_timeout 7d;
proxy_read_timeout 7d;
proxy_send_timeout 7d;
proxy_buffering off;
add_header 'Access-Control-Allow-Origin' '*';
}
}可能涉及的maven依赖:
<dependency>
<groupId>cn.hutool</groupId>
<artifactId>hutool-json</artifactId>
</dependency>
<dependency>
<groupId>org.apache.httpcomponents</groupId>
<artifactId>httpclient</artifactId>
<version>4.5.14</version>
<scope>compile</scope>
</dependency>
</dependencies>终于,一切准备就绪,访问方式如下:
我们进入dify后台,找到一个工作室智能体,点开监测,看到公开访问URL,得到类似这样一个地址:
http://ip:port/chat/pDMCGrKie3Kt7enV
然后我们取后面这一截:chat/pDMCGrKie3Kt7enV
拼接到业务系统后端请求中,拼接结果如下(back-api是nginx的后端前缀,/difyProxy/fromDify/则是yml文件配置好的路径标识和路由标识):
http://127.0.0.1:8081/back-api/difyProxy/fromDify/chat/pDMCGrKie3Kt7enV?token=xxxx
即可访问通过后端服务代理访问到对应工作室智能体,并加入对应鉴权。至于每个工作室都做成固定权限,则靠你自行开发对应逻辑(可以通过dify后台接口拿到工作室列表和工作室详情,并不复杂,自行开发即可)
火山引擎开发者社区是火山引擎打造的AI技术生态平台,聚焦Agent与大模型开发,提供豆包系列模型(图像/视频/视觉)、智能分析与会话工具,并配套评测集、动手实验室及行业案例库。社区通过技术沙龙、挑战赛等活动促进开发者成长,新用户可领50万Tokens权益,助力构建智能应用。
更多推荐
10
0- 0
已为社区贡献2条内容
所有评论(0)