From 7c27d4b2024126e54f260fee8b9ec53865fc887b Mon Sep 17 00:00:00 2001 From: sho-takano-dev Date: Fri, 14 Mar 2025 11:05:37 +0900 Subject: [PATCH] feat: add Http Request Node to skip ssl verify function #15177 (#15664) --- api/.env.example | 1 + api/configs/feature/__init__.py | 5 +++++ api/core/helper/ssrf_proxy.py | 19 ++++++++++++++++--- docker/.env.example | 1 + docker/docker-compose.yaml | 1 + 5 files changed, 24 insertions(+), 3 deletions(-) diff --git a/api/.env.example b/api/.env.example index 880453161e..2ae66c1970 100644 --- a/api/.env.example +++ b/api/.env.example @@ -378,6 +378,7 @@ HTTP_REQUEST_MAX_READ_TIMEOUT=600 HTTP_REQUEST_MAX_WRITE_TIMEOUT=600 HTTP_REQUEST_NODE_MAX_BINARY_SIZE=10485760 HTTP_REQUEST_NODE_MAX_TEXT_SIZE=1048576 +HTTP_REQUEST_NODE_SSL_VERIFY=True # Respect X-* headers to redirect clients RESPECT_XFORWARD_HEADERS_ENABLED=false diff --git a/api/configs/feature/__init__.py b/api/configs/feature/__init__.py index c06269c199..a13a5997a7 100644 --- a/api/configs/feature/__init__.py +++ b/api/configs/feature/__init__.py @@ -332,6 +332,11 @@ class HttpConfig(BaseSettings): default=1 * 1024 * 1024, ) + HTTP_REQUEST_NODE_SSL_VERIFY: bool = Field( + description="Enable or disable SSL verification for HTTP requests", + default=True, + ) + SSRF_DEFAULT_MAX_RETRIES: PositiveInt = Field( description="Maximum number of retries for network requests (SSRF)", default=3, diff --git a/api/core/helper/ssrf_proxy.py b/api/core/helper/ssrf_proxy.py index c8243b29d0..6367e45638 100644 --- a/api/core/helper/ssrf_proxy.py +++ b/api/core/helper/ssrf_proxy.py 
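Review bot: The description on the new `HTTP_REQUEST_NODE_SSL_VERIFY` field in `HttpConfig` does not say what switching it off costs. With `False`, server certificates are no longer validated, so HTTPS responses can be read or altered by anyone on the network path. I would spell that out, e.g. `description="Verify TLS certificates on outbound HTTP requests; set to False only for trusted internal endpoints with self-signed certificates"`. A matching comment line above the new entries in `api/.env.example` and `docker/.env.example` would help too. The class body continues outside the hunk.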
@@ -11,6 +11,19 @@ from configs import dify_config SSRF_DEFAULT_MAX_RETRIES = dify_config.SSRF_DEFAULT_MAX_RETRIES +HTTP_REQUEST_NODE_SSL_VERIFY = True # Default value for HTTP_REQUEST_NODE_SSL_VERIFY is True +try: + HTTP_REQUEST_NODE_SSL_VERIFY = dify_config.HTTP_REQUEST_NODE_SSL_VERIFY + http_request_node_ssl_verify_lower = str(HTTP_REQUEST_NODE_SSL_VERIFY).lower() + if http_request_node_ssl_verify_lower == "true": + HTTP_REQUEST_NODE_SSL_VERIFY = True + elif http_request_node_ssl_verify_lower == "false": + HTTP_REQUEST_NODE_SSL_VERIFY = False + else: + raise ValueError("Invalid value. HTTP_REQUEST_NODE_SSL_VERIFY should be 'True' or 'False'") +except NameError: + HTTP_REQUEST_NODE_SSL_VERIFY = True + BACKOFF_FACTOR = 0.5 STATUS_FORCELIST = [429, 500, 502, 503, 504] @@ -39,17 +52,17 @@ def make_request(method, url, max_retries=SSRF_DEFAULT_MAX_RETRIES, **kwargs): while retries <= max_retries: try: if dify_config.SSRF_PROXY_ALL_URL: - with httpx.Client(proxy=dify_config.SSRF_PROXY_ALL_URL) as client: + with httpx.Client(proxy=dify_config.SSRF_PROXY_ALL_URL, verify=HTTP_REQUEST_NODE_SSL_VERIFY) as client: response = client.request(method=method, url=url, **kwargs) elif dify_config.SSRF_PROXY_HTTP_URL and dify_config.SSRF_PROXY_HTTPS_URL: proxy_mounts = { "http://": httpx.HTTPTransport(proxy=dify_config.SSRF_PROXY_HTTP_URL), "https://": httpx.HTTPTransport(proxy=dify_config.SSRF_PROXY_HTTPS_URL), } - with httpx.Client(mounts=proxy_mounts) as client: + with httpx.Client(mounts=proxy_mounts, verify=HTTP_REQUEST_NODE_SSL_VERIFY) as client: response = client.request(method=method, url=url, **kwargs) else: - with httpx.Client() as client: + with httpx.Client(verify=HTTP_REQUEST_NODE_SSL_VERIFY) as client: response = client.request(method=method, url=url, **kwargs) if response.status_code not in STATUS_FORCELIST: diff --git a/docker/.env.example b/docker/.env.example index def2f4d41e..41cf78ab06 100644 --- a/docker/.env.example +++ b/docker/.env.example 
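Review bot: The `except NameError` fallback in the new module-level block cannot fire as intended, because `dify_config` is imported just above the hunk and a missing attribute would raise `AttributeError`, not `NameError`. The field is declared `bool` in `HttpConfig`, so the value arrives already parsed and the `str(...).lower()` round trip and `ValueError` branch are redundant. The whole block reduces to `HTTP_REQUEST_NODE_SSL_VERIFY = dify_config.HTTP_REQUEST_NODE_SSL_VERIFY`. Since this is a module-level constant in the shared helper, `False` presumably applies to every caller of `make_request`, not only the HTTP Request node. A one-time warning log at import when it is off would make that weakened state visible to operators.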
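Review bot: In the `SSRF_PROXY_HTTP_URL`/`SSRF_PROXY_HTTPS_URL` branch the new `verify=` argument does not reach the transports that carry the traffic. httpx applies a client's `verify` only to transports it builds itself, and the two `httpx.HTTPTransport(proxy=...)` objects in `proxy_mounts` keep their own default, so verification stays on there whatever the setting says. That fails safe, but the three branches now behave differently, and this is likely the branch the docker defaults select, since both URLs are set in `docker-compose.yaml`. Pass the flag to the transports instead, e.g. `httpx.HTTPTransport(proxy=dify_config.SSRF_PROXY_HTTP_URL, verify=HTTP_REQUEST_NODE_SSL_VERIFY)`, and the same for the `https://` mount. `make_request` starts and ends outside the hunk.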
@@ -716,6 +716,7 @@ WORKFLOW_FILE_UPLOAD_LIMIT=10 # HTTP request node in workflow configuration HTTP_REQUEST_NODE_MAX_BINARY_SIZE=10485760 HTTP_REQUEST_NODE_MAX_TEXT_SIZE=1048576 +HTTP_REQUEST_NODE_SSL_VERIFY=True # SSRF Proxy server HTTP URL SSRF_PROXY_HTTP_URL=http://ssrf_proxy:3128 diff --git a/docker/docker-compose.yaml b/docker/docker-compose.yaml index fca95d3946..1e36721964 100644 --- a/docker/docker-compose.yaml +++ b/docker/docker-compose.yaml @@ -310,6 +310,7 @@ x-shared-env: &shared-api-worker-env WORKFLOW_FILE_UPLOAD_LIMIT: ${WORKFLOW_FILE_UPLOAD_LIMIT:-10} HTTP_REQUEST_NODE_MAX_BINARY_SIZE: ${HTTP_REQUEST_NODE_MAX_BINARY_SIZE:-10485760} HTTP_REQUEST_NODE_MAX_TEXT_SIZE: ${HTTP_REQUEST_NODE_MAX_TEXT_SIZE:-1048576} + HTTP_REQUEST_NODE_SSL_VERIFY: ${HTTP_REQUEST_NODE_SSL_VERIFY:-True} SSRF_PROXY_HTTP_URL: ${SSRF_PROXY_HTTP_URL:-http://ssrf_proxy:3128} SSRF_PROXY_HTTPS_URL: ${SSRF_PROXY_HTTPS_URL:-http://ssrf_proxy:3128} LOOP_NODE_MAX_COUNT: ${LOOP_NODE_MAX_COUNT:-100}