This article describes the complete steps to move a Dify (Community Edition) instance installed on Tencent Cloud from IP-based access to domain name access and to enable HTTPS.
It applies to Dify instances deployed with Docker.
1. Background description
By default, a Dify instance installed via the official scripts or Docker can only be reached through the server IP, for example:
http://123.45.67.89
For more professional and secure external access, we want to:
- Access Dify with a custom domain name (e.g. ai.mydify.cn);
- Enable HTTPS encryption (with an externally issued SSL certificate or one issued automatically by Let’s Encrypt).
2. Environment and prerequisites
- Tencent Cloud server (or another cloud host)
  Docker and Docker Compose are installed.
- Dify is running normally via Docker
  It is accessible via IP (e.g. http://your-server-ip).
- Domain name resolution is in effect
  At your DNS provider (Tencent Cloud, Alibaba Cloud, etc.), point the domain's A record to the server’s public IP address.
  Example: ai.mydify.cn → 123.45.67.89
- The SSL certificate files are ready
  fullchain.pem (or .crt) and privkey.pem (or .key)
3. Prepare the certificate files
Suppose the externally issued certificate files are placed on the server at:
/etc/ssl/certs/fullchain.pem
/etc/ssl/certs/privkey.pem
If your certificate is in .crt + .key format, simply rename the files to the two names above.
4. Mount the certificate directory to the nginx container
Dify deployments typically include an nginx container as a reverse proxy.
We just need to mount the host directory that holds the certificate files into it (/root/certs in the examples below).
Method 1: docker run mode
If your nginx is started with a docker run command:
docker run -d \
  --name nginx \
  -p 80:80 \
  -p 443:443 \
  -v /root/certs:/etc/nginx/certs:ro \
  -v /root/nginx/conf.d:/etc/nginx/conf.d \
  nginx:latest
Method 2: docker-compose mode (recommended)
Edit docker-compose.yml:
services:
  nginx:
    image: nginx:latest
    restart: always
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /root/certs:/etc/nginx/certs:ro
      - ./nginx/conf.d:/etc/nginx/conf.d
:ro indicates a read-only mount, which prevents the container from accidentally modifying the certificate.
📝 5. Configure nginx to support HTTPS
Edit the nginx configuration file /root/nginx/conf.d/ai.mydify.cn.conf:
# Redirect HTTP to HTTPS automatically
server {
    listen 80;
    server_name ai.mydify.cn;
    return 301 https://$host$request_uri;
}
# HTTPS reverse proxy for Dify
server {
    listen 443 ssl;
    server_name ai.mydify.cn;
    ssl_certificate /etc/nginx/certs/fullchain.pem;
    ssl_certificate_key /etc/nginx/certs/privkey.pem;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    location / {
        proxy_pass http://docker-web-1:3000; # Dify web service container name or IP
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
You can check the name of Dify’s web container (usually docker-web-1) with docker ps.
6. Test and restart nginx
Validate the configuration inside the nginx container:
docker exec -it docker-nginx-1 nginx -t
If the output includes:
nginx: configuration file /etc/nginx/nginx.conf test is successful
the configuration is correct.
Then reload nginx:
docker exec -it docker-nginx-1 nginx -s reload
7. Access verification
Open in a browser:
https://ai.mydify.cn
If the Dify page loads normally and the browser shows the 🔒 icon, HTTPS has been enabled!
8. (Optional) Automatic renewal of certificates
If the certificate is issued by Let’s Encrypt, you can set up an auto-renewal task on the host machine:
crontab -e
Add:
0 3 * * * certbot renew --quiet && docker exec docker-nginx-1 nginx -s reload
🧩 9. Frequently asked questions
| Problem | Workaround |
|---|---|
| The browser shows "not secure" | Check that the ssl_certificate path is correctly mounted into the container |
| Access still jumps to the IP | Confirm that Dify’s APP_URL environment variable has been updated to the domain name |
| nginx reports "cannot load certificate" | The certificate path is wrong or the file permissions are insufficient; check /root/certs |
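A host-side check for the certificate rows in the table above and for the renewal job in step 8, added here as an example that is not part of the original article: it maps each ssl_certificate path in the nginx config back through the bind mount to the host file, checks the key's permissions, and provides helpers for a certificate/key mismatch and upcoming expiry. The function names and the script name are hypothetical; the paths assume this page's /root/certs → /etc/nginx/certs mount.

```sh
#!/bin/sh
# Added example: host-side check of the certificate mount before reloading nginx.
# Assumption: a host dir (e.g. /root/certs) is bind-mounted at /etc/nginx/certs.

# List "directive path" for every ssl_certificate / ssl_certificate_key in a conf.
tls_paths() {
  awk '$1 ~ /^ssl_certificate(_key)?$/ { sub(/;.*/, "", $2); print $1, $2 }' "$1"
}

# Map a container path to the host path behind the bind mount.
# Fails when the path lies outside the mounted directory.
to_host_path() {  # <container_path> <host_dir> <container_dir>
  case "$1" in
    "$3"/*) rel=${1#"$3"/}; printf '%s\n' "$2/$rel" ;;
    *) return 1 ;;
  esac
}

# Print one FAIL line per problem; return 1 if there was any.
check_tls_mount() {  # <conf> <host_dir> <container_dir>
  report=$(tls_paths "$1" | while read -r directive path; do
    if ! host=$(to_host_path "$path" "$2" "$3"); then
      echo "FAIL $directive $path is outside the mount $3"
    elif [ ! -s "$host" ]; then
      echo "FAIL $directive: $host is missing or empty on the host"
    elif [ "$directive" = ssl_certificate_key ] &&
         [ "$(ls -Lld "$host" | cut -c5-10)" != "------" ]; then
      # The private key must not be accessible to group or others.
      echo "FAIL $host is accessible to group/others (chmod 600)"
    fi
  done)
  [ -z "$report" ] && return 0
  printf '%s\n' "$report"
  return 1
}

# True when certificate and key carry the same public key (needs openssl).
pair_matches() {  # <cert> <key>
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# True when the certificate expires within <days> (needs openssl).
expires_within() {  # <cert> <days>
  ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Usage: sh check_tls_mount.sh <conf> <host_dir> <container_dir>
if [ "$#" -eq 3 ]; then check_tls_mount "$@"; fi
```

Run it on the host before `nginx -s reload`; `expires_within` on the mounted fullchain.pem also shows whether the renewal job's output is actually reaching the directory nginx reads.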
10. Summary
After completing the above steps, your Dify has the following:
- ✅ Dedicated domain access (ai.mydify.cn)
- ✅ HTTPS encryption
- ✅ Automatic redirect and reverse proxy
This is not only more secure, but also makes later integration with external systems easier (e.g., webhooks, OAuth login, etc.).
Command quick reference:
| Operation | Command |
|---|---|
| View the list of containers | docker ps |
| Enter the nginx container | docker exec -it docker-nginx-1 bash |
| Test the configuration | nginx -t |
| Reload nginx | nginx -s reload |