feat(#92): add SSL/TLS configuration support for HTTP requests

Add comprehensive SSL/TLS configuration capabilities to the plugin system:

- Add environment variables for SSL verification control, custom CA certificates, and mTLS client authentication
- Implement httpx.Client monkey patch to automatically apply SSL settings from environment configuration
- Support base64-encoded certificate data (CA cert, client cert, and client key) to avoid file system dependencies
- Enable SSL verification bypass for development/testing environments
- Apply SSL patches at module import time to ensure all HTTP requests use configured settings

This allows plugins to communicate securely with services using custom certificates or mutual TLS authentication without code changes in individual HTTP client implementations.

Author: Oscaner

python/dify_plugin/__init__.py

@@ -3,6 +3,9 @@
 # patch all the blocking calls
 monkey.patch_all(sys=True)
 
+# Apply httpx SSL configuration patches
+from dify_plugin.core.utils import ssl  # noqa: F401
+
 from dify_plugin.config.config import DifyPluginEnv
 from dify_plugin.interfaces.agent import AgentProvider, AgentStrategy
 from dify_plugin.interfaces.endpoint import Endpoint

python/dify_plugin/config/config.py

@@ -40,6 +40,20 @@ class DifyPluginEnv(BaseSettings):
 
     DIFY_PLUGIN_DAEMON_URL: str = Field(default="http://localhost:5002", description="backwards invocation address")
 
+    # HTTP Request SSL Configuration
+    HTTP_REQUEST_NODE_SSL_VERIFY: bool = Field(
+        default=True, description="Enable SSL certificate verification for HTTP requests"
+    )
+    HTTP_REQUEST_NODE_SSL_CERT_DATA: str | None = Field(
+        default=None, description="Base64 encoded CA certificate data for custom certificate verification (PEM format)"
+    )
+    HTTP_REQUEST_NODE_SSL_CLIENT_CERT_DATA: str | None = Field(
+        default=None, description="Base64 encoded client certificate data for mutual TLS authentication (PEM format)"
+    )
+    HTTP_REQUEST_NODE_SSL_CLIENT_KEY_DATA: str | None = Field(
+        default=None, description="Base64 encoded client private key data for mutual TLS authentication (PEM format)"
+    )
+
     model_config = SettingsConfigDict(
         # read from dotenv format config file
         env_file=".env",

python/dify_plugin/core/utils/ssl.py

@@ -0,0 +1,130 @@
+"""
+HTTPX client utility with SSL configuration support.
+
+This module patches httpx.Client.__init__ to automatically apply SSL configuration
+from environment variables. It supports:
+- SSL verification control
+- Custom CA certificates
+- Mutual TLS (mTLS) with client certificates and keys
+
+The patching is done via monkey patching httpx.Client.__init__, which covers all use cases:
+- Direct Client instantiation: httpx.Client()
+- Convenience methods: httpx.get(), httpx.post(), etc. (they internally use Client)
+
+No code changes are needed in places that use httpx.
+"""
+
+import base64
+import ssl
+import tempfile
+from functools import wraps
+from pathlib import Path
+from typing import Any
+
+import httpx
+
+from dify_plugin.config.config import DifyPluginEnv
+
+# Store original method before patching - use getattr to avoid reload issues
+_original_client_init = getattr(httpx.Client.__init__, "__wrapped__", httpx.Client.__init__)
+
+
+def _decode_base64_cert(data: str | None) -> bytes | None:
+    """
+    Decode base64 encoded certificate data.
+
+    :param data: Base64 encoded certificate data
+    :return: Decoded bytes or None if data is None/empty
+    """
+    if not data:
+        return None
+    try:
+        return base64.b64decode(data)
+    except Exception as e:
+        raise ValueError(f"Failed to decode base64 certificate data: {e}") from e
+
+
+def _create_ssl_context(config: DifyPluginEnv) -> ssl.SSLContext | bool:
+    """
+    Create SSL context based on environment configuration.
+
+    :param config: DifyPluginEnv configuration instance
+    :return: SSL context, True (verify), or False (no verify)
+    """
+    # If SSL verification is disabled, return False
+    if not config.HTTP_REQUEST_NODE_SSL_VERIFY:
+        return False
+
+    # Check if we have custom SSL configuration
+    has_ca_cert = bool(config.HTTP_REQUEST_NODE_SSL_CERT_DATA)
+    has_client_cert = bool(config.HTTP_REQUEST_NODE_SSL_CLIENT_CERT_DATA)
+    has_client_key = bool(config.HTTP_REQUEST_NODE_SSL_CLIENT_KEY_DATA)
+
+    # If no custom SSL configuration, use default verification
+    if not (has_ca_cert or has_client_cert or has_client_key):
+        return True
+
+    # Create custom SSL context
+    ssl_context = ssl.create_default_context()
+
+    # Load custom CA certificate if provided
+    if has_ca_cert:
+        ca_cert_data = _decode_base64_cert(config.HTTP_REQUEST_NODE_SSL_CERT_DATA)
+        if ca_cert_data:
+            # Write CA cert to temporary file and load it
+            with tempfile.NamedTemporaryFile(mode="wb", suffix=".pem", delete=False) as ca_file:
+                ca_file.write(ca_cert_data)
+                ca_cert_path = ca_file.name
+            try:
+                ssl_context.load_verify_locations(cafile=ca_cert_path)
+            finally:
+                # Clean up temporary file
+                Path(ca_cert_path).unlink(missing_ok=True)
+
+    # Load client certificate and key for mutual TLS if provided
+    if has_client_cert and has_client_key:
+        client_cert_data = _decode_base64_cert(config.HTTP_REQUEST_NODE_SSL_CLIENT_CERT_DATA)
+        client_key_data = _decode_base64_cert(config.HTTP_REQUEST_NODE_SSL_CLIENT_KEY_DATA)
+
+        if client_cert_data and client_key_data:
+            # Write client cert and key to temporary files
+            with (
+                tempfile.NamedTemporaryFile(mode="wb", suffix=".pem", delete=False) as cert_file,
+                tempfile.NamedTemporaryFile(mode="wb", suffix=".pem", delete=False) as key_file,
+            ):
+                cert_file.write(client_cert_data)
+                key_file.write(client_key_data)
+                cert_path = cert_file.name
+                key_path = key_file.name
+
+            try:
+                ssl_context.load_cert_chain(certfile=cert_path, keyfile=key_path)
+            finally:
+                # Clean up temporary files
+                Path(cert_path).unlink(missing_ok=True)
+                Path(key_path).unlink(missing_ok=True)
+
+    return ssl_context
+
+
+@wraps(_original_client_init)
+def _patched_client_init(self, *args: Any, **kwargs: Any) -> None:
+    """
+    Patched httpx.Client.__init__ that injects SSL configuration.
+
+    This single patch covers all httpx usage patterns:
+    - httpx.Client() - direct instantiation
+    - httpx.get(), httpx.post(), etc. - these internally create Client instances
+    """
+    if "verify" not in kwargs:
+        config = DifyPluginEnv()
+        kwargs["verify"] = _create_ssl_context(config)
+    return _original_client_init(self, *args, **kwargs)
+
+
+# Apply monkey patch to httpx.Client.__init__
+# This single patch is sufficient because:
+# - httpx.get/post/put/delete/patch/head/options all call httpx.request()
+# - httpx.request() creates a Client instance internally with the verify parameter
+# - So patching Client.__init__ catches all cases
+httpx.Client.__init__ = _patched_client_init

python/examples/.env.ssl.example

@@ -0,0 +1,33 @@
+# SSL Configuration Example for HTTP Requests
+# Copy this file to .env and configure as needed
+
+# Enable/Disable SSL certificate verification (default: True)
+HTTP_REQUEST_NODE_SSL_VERIFY=True
+
+# Base64 encoded CA certificate data for custom certificate verification (PEM format, optional)
+# Example: cat ca-cert.pem | base64
+# HTTP_REQUEST_NODE_SSL_CERT_DATA=LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURYVENDQWtXZ0F3SUJBZ0lKQU...
+
+# Base64 encoded client certificate data for mutual TLS authentication (PEM format, optional)
+# Example: cat client-cert.pem | base64
+# HTTP_REQUEST_NODE_SSL_CLIENT_CERT_DATA=LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUV2UUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktjd2dnU2pBZ0VBQW9...
+
+# Base64 encoded client private key data for mutual TLS authentication (PEM format, optional)
+# Example: cat client-key.pem | base64
+# HTTP_REQUEST_NODE_SSL_CLIENT_KEY_DATA=LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2UUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktjd2dnU2pBZ0VBQW9...
+
+# ============================================================================
+# Multiple CA Certificates Support
+# ============================================================================
+# To use multiple self-signed certificates, merge them into one PEM file:
+#
+# Step 1: Merge multiple CA certificates into a single file
+#   cat ca-cert-1.pem ca-cert-2.pem ca-cert-3.pem > combined-ca.pem
+#
+# Step 2: Convert the combined file to Base64 (remove line breaks)
+#   cat combined-ca.pem | base64 | tr -d '\n'
+#
+# Step 3: Set the combined Base64 string to HTTP_REQUEST_NODE_SSL_CERT_DATA
+#
+# This allows connecting to multiple services with different self-signed certificates
+# or supporting certificate rotation scenarios.