Issue 27: Production High-Availability Deployment

Updated on 2026/4/6

Production Architecture

graph TB
    subgraph "负载均衡层"
        LB[Cloud Load Balancer / Nginx]
    end
    
    subgraph "应用层 (K8s)"
        API1[API Pod x3]
        API2[Worker Pod x2]
        Web1[Web Pod x2]
    end
    
    subgraph "数据层 (托管服务)"
        PG[(PostgreSQL RDS)]
        Redis[(Redis ElastiCache)]
        S3[(S3 / MinIO)]
        Vector[(Qdrant Cloud)]
    end
    
    LB --> Web1
    LB --> API1
    API1 --> PG
    API1 --> Redis
    API1 --> S3
    API1 --> Vector
    API2 --> PG
    API2 --> Redis

Kubernetes Deployment (Helm Chart)

# Add the Helm repository
helm repo add dify https://douban.github.io/charts
helm repo update

# Create values.yaml
cat > values.yaml << 'EOF'
api:
  replicas: 3
  resources:
    requests:
      cpu: "500m"
      memory: "1Gi"
    limits:
      cpu: "2"
      memory: "4Gi"

worker:
  replicas: 2
  resources:
    requests:
      cpu: "500m"
      memory: "1Gi"

web:
  replicas: 2

persistence:
  storageClass: "gp3"
  size: "50Gi"

# The credentials below are placeholders. A values.yaml holding real passwords
# and access keys must not be committed to version control; supply them from a
# secrets manager at install time.
externalPostgresql:
  host: "dify-db.cluster-xxx.us-east-1.rds.amazonaws.com"
  port: 5432
  username: "dify"
  password: "secure-password"
  database: "dify"

externalRedis:
  host: "dify-redis.xxx.cache.amazonaws.com"
  port: 6379
  password: "redis-password"

externalS3:
  bucket: "dify-storage-prod"
  region: "us-east-1"
  accessKey: "AKIA..."
  secretKey: "..."
EOF

# Install
helm install dify dify/dify -f values.yaml -n dify --create-namespace

Nginx Reverse Proxy

# /etc/nginx/conf.d/dify.conf
upstream dify_api {
    server 127.0.0.1:5001;
    keepalive 32;  # only effective with HTTP/1.1 and an empty Connection header (set in the locations below)
}

upstream dify_web {
    server 127.0.0.1:3000;
    keepalive 32;
}

server {
    listen 443 ssl http2;
    server_name dify.your-company.com;

    ssl_certificate /etc/ssl/certs/dify.crt;
    ssl_certificate_key /etc/ssl/private/dify.key;

    client_max_body_size 50M;

    # API routes
    location /api/ {
        proxy_pass http://dify_api;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  # needed for per-client rate limiting and audit logs
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_buffering off;  # SSE streaming output
        proxy_read_timeout 300s;  # long LLM responses exceed the 60s default
    }

    location /console/api/ {
        proxy_pass http://dify_api;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Frontend
    location / {
        proxy_pass http://dify_web;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header Host $host;
    }
}

Key Environment Variables (Production)

# Security
SECRET_KEY=<64-character key generated with openssl rand>  # never use the default value!
CONSOLE_WEB_URL=https://dify.your-company.com
APP_WEB_URL=https://dify.your-company.com

# Performance
CELERY_WORKER_AMOUNT=4
API_WORKER_AMOUNT=4

# File storage (S3)
STORAGE_TYPE=s3
S3_BUCKET_NAME=dify-prod-storage
S3_REGION=us-east-1

# Vector database (external Qdrant)
VECTOR_STORE=qdrant
QDRANT_URL=https://xxx.qdrant.io
QDRANT_API_KEY=xxx

Production Checklist

Item                                            Status
------------------------------------------------------
SECRET_KEY replaced with a random value
Database password changed
Redis password set
HTTPS enabled
File storage on S3/OSS
Scheduled database backups configured
Monitoring and alerting set up
API rate limiting configured
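As an added example (not code from the original post or from the Dify project), the following POSIX shell script turns the checklist above and the plaintext credentials in the Helm values.yaml section into mechanical pre-deployment checks: it generates a 64-character SECRET_KEY with openssl rand as the environment-variable section prescribes, audits a dotenv file for the checklist items that can be verified from the file alone, and flags inline password/secretKey/accessKey literals in a values file. The variable names DB_PASSWORD and REDIS_PASSWORD, the placeholder list and the sample files are assumptions constructed for this example.

```shell
#!/bin/sh
# Added pre-deployment checks for a Dify production rollout (example code, not
# part of the original post or of the Dify project). Assumptions: the .env uses
# Dify-style names SECRET_KEY, DB_PASSWORD, REDIS_PASSWORD, CONSOLE_WEB_URL,
# APP_WEB_URL and STORAGE_TYPE; the placeholder list is constructed and should
# be extended with whatever defaults your own template started from.

# Generate a 64-character hex SECRET_KEY (openssl rand, /dev/urandom fallback).
gen_secret_key() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -hex 32
    else
        head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
    fi
}

# Read KEY from dotenv FILE: first match wins; a trailing "# comment",
# surrounding whitespace and matching quotes are stripped.
env_get() {
    sed -n "s/^$2=//p" "$1" | head -n 1 \
        | sed -e 's/[[:space:]]#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
              -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# Flag inline credential literals in a Helm values file (e.g. password: "x");
# empty values do not match. Exit status 0 means something was found.
scan_values_secrets() {
    grep -nE '^[[:space:]]*(password|secretKey|accessKey)[[:space:]]*:[[:space:]]*"?[^"[:space:]]' "$1"
}

FAILS=0
# check <0|1> <description>: prints PASS/FAIL and counts failures.
check() {
    if [ "$1" -eq 0 ]; then
        echo "PASS  $2"
    else
        echo "FAIL  $2"
        FAILS=$((FAILS + 1))
    fi
}

# Audit dotenv FILE against the checklist items that can be verified from the
# file alone. Prints one line per item; the return value is the failure count.
audit_env() {
    file=$1
    FAILS=0

    v=$(env_get "$file" SECRET_KEY)
    case "$v" in
        ""|changeme|secret|password|*default*) bad=1 ;;
        *) if [ "${#v}" -ge 64 ]; then bad=0; else bad=1; fi ;;
    esac
    check "$bad" "SECRET_KEY is a random value of at least 64 characters"

    v=$(env_get "$file" DB_PASSWORD)
    case "$v" in ""|changeme|password|postgres) bad=1 ;; *) bad=0 ;; esac
    check "$bad" "database password is set and not a placeholder"

    v=$(env_get "$file" REDIS_PASSWORD)
    [ -n "$v" ] && bad=0 || bad=1
    check "$bad" "Redis password is set"

    for key in CONSOLE_WEB_URL APP_WEB_URL; do
        v=$(env_get "$file" "$key")
        case "$v" in https://*) bad=0 ;; *) bad=1 ;; esac
        check "$bad" "$key uses HTTPS"
    done

    # Object storage, not the pod-local disk that is lost on rescheduling.
    v=$(env_get "$file" STORAGE_TYPE)
    case "$v" in s3|*oss*) bad=0 ;; *) bad=1 ;; esac
    check "$bad" "file storage is S3/OSS"

    return "$FAILS"
}

# Demo on constructed files (no real credentials).
tmp=$(mktemp -d)
key=$(gen_secret_key)
cat > "$tmp/.env" <<EOF
SECRET_KEY=$key  # generated above
DB_PASSWORD=changeme
REDIS_PASSWORD=
CONSOLE_WEB_URL=http://dify.example.com
APP_WEB_URL=https://dify.example.com
STORAGE_TYPE=local
EOF
printf 'externalPostgresql:\n  password: "secure-password"\nexternalRedis:\n  password: ""\n' > "$tmp/values.yaml"

echo "== .env audit =="
audit_env "$tmp/.env" || echo "$? item(s) need attention"
echo "== values.yaml inline credentials =="
scan_values_secrets "$tmp/values.yaml" || echo "none found"
rm -rf "$tmp"
```

In a CI job, call `audit_env .env` and fail the pipeline on a nonzero return; run `scan_values_secrets values.yaml` as a pre-commit hook, where a match means a credential is about to be committed. The remaining checklist items (backups, monitoring, rate limiting) live outside the config files and still need to be verified by hand or against the cloud provider's API.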