warning

This tutorial is a community contribution and is not supported by the Open WebUI team. It serves only as a demonstration on how to customize Open WebUI for your specific use case. Want to contribute? Check out the contributing tutorial.

HTTPS using Nginx

Ensuring secure communication between your users and the Open WebUI is paramount. HTTPS (HyperText Transfer Protocol Secure) encrypts the data transmitted, protecting it from eavesdroppers and tampering. By configuring Nginx as a reverse proxy, you can seamlessly add HTTPS to your Open WebUI deployment, enhancing both security and trustworthiness.

This guide provides three methods to set up HTTPS:

• Self-Signed Certificates: Ideal for development and internal use, using docker.
• Let's Encrypt: Perfect for production environments requiring trusted SSL certificates, using docker.
• Windows+Self-Signed: Simplified instructions for development and internal use on windows, no docker required.

Choose the method that best fits your deployment needs.

Nginx Proxy Manager

Nginx Proxy Manager

Nginx Proxy Manager (NPM) allows you to easily manage reverse proxies and secure your local applications, like Open WebUI, with valid SSL certificates from Let's Encrypt. This setup enables HTTPS access, which is necessary for using voice input features on many mobile browsers due to their security requirements, without exposing the application's specific port directly to the internet.

Prerequisites

• A home server running Docker and open-webui container running.
• A domain name (free options like DuckDNS or paid ones like Namecheap/GoDaddy).
• Basic knowledge of Docker and DNS configuration.

Steps

1. Create Directories for Nginx Files:

   mkdir ~/nginx_config
   cd ~/nginx_config

2. Set Up Nginx Proxy Manager with Docker:

   nano docker-compose.yml

services:
  app:
    image: 'jc21/nginx-proxy-manager:latest'
    restart: unless-stopped
    ports:
      - '80:80'
      - '81:81'
      - '443:443'
    volumes:
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt

Run the container:

docker-compose up -d

3. Configure DNS and Domain:

   • Log in to your domain provider (e.g., DuckDNS) and create a domain.
   • Point the domain to your proxy’s local IP (e.g., 192.168.0.6).
   • If using DuckDNS, get an API token from their dashboard.

Here is a simple example how it's done in https://www.duckdns.org/domains :

4. Set Up SSL Certificates:

• Access Nginx Proxy Manager at http://server_ip:81. For example: 192.168.0.6:81
• Log in with the default credentials (admin@example.com / changeme). Change them as asked.
• Go to SSL Certificates → Add SSL Certificate → Let's Encrypt.
• Write your email and domain name you got from DuckDNS. One domain name contains an asterisk and another does not. Example: *.hello.duckdns.org and hello.duckdns.org.
• Select Use a DNS challenge, choose DuckDNS, and paste your API token. example: dns_duckdns_token=f4e2a1b9-c78d-e593-b0d7-67f2e1c9a5b8
• Agree to Let’s Encrypt terms and save. Change propagation time if needed (120 seconds).

5. Create Proxy Hosts:

• For each service (e.g., openwebui, nextcloud), go to Hosts → Proxy Hosts → Add Proxy Host.
• Fill in the domain name (e.g., openwebui.hello.duckdns.org).
• Set the scheme to HTTP (default), enable Websockets support and point to your Docker IP (if docker with open-webui is running on the same computer as NGINX manager, this will be the same IP as earlier (example: 192.168.0.6)
• Select the SSL certificate generated earlier, force SSL, and enable HTTP/2.

6. Add your url to open-webui (otherwise getting HTTPS error):

• Go to your open-webui → Admin Panel → Settings → General
• In the Webhook URL text field, enter your URL through which you will connect to your open-webui via Nginx reverse proxy. Example: hello.duckdns.org (not essential with this one) or openwebui.hello.duckdns.org (essential with this one).

Access the WebUI:

Access Open WebUI via HTTPS at either hello.duckdns.org or openwebui.hello.duckdns.org (in whatever way you set it up).

Firewall Note: Be aware that local firewall software (like Portmaster) might block internal Docker network traffic or required ports. If you experience issues, check your firewall rules to ensure necessary communication for this setup is allowed.

Let's Encrypt

Let's Encrypt

Let's Encrypt provides free SSL certificates trusted by most browsers, ideal for production environments.

Prerequisites

• Certbot installed on your system.
• DNS records properly configured to point to your server.

Steps

1. Create Directories for Nginx Files:

   mkdir -p conf.d ssl

2. Create Nginx Configuration File:

   conf.d/open-webui.conf:

   server {
       listen 80;
       server_name your_domain_or_IP;
   
       location / {
           proxy_pass http://host.docker.internal:3000;
   
           # Add WebSocket support (Necessary for version 0.5.0 and up)
           proxy_http_version 1.1;
           proxy_set_header Upgrade $http_upgrade;
           proxy_set_header Connection "upgrade";
   
           proxy_set_header Host $host;
           proxy_set_header X-Real-IP $remote_addr;
           proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header X-Forwarded-Proto $scheme;
   
           # (Optional) Disable proxy buffering for better streaming response from models
           proxy_buffering off;
   
           # (Optional) Increase max request size for large attachments and long audio messages
           client_max_body_size 20M;
           proxy_read_timeout 10m;
       }
   }

3. Simplified Let's Encrypt Script:

   enable_letsencrypt.sh:

   #!/bin/bash
   
   # Description: Simplified script to obtain and install Let's Encrypt SSL certificates using Certbot.
   
   DOMAIN="your_domain_or_IP"
   EMAIL="your_email@example.com"
   
   # Install Certbot if not installed
   if ! command -v certbot &> /dev/null; then
       echo "Certbot not found. Installing..."
       sudo apt-get update
       sudo apt-get install -y certbot python3-certbot-nginx
   fi
   
   # Obtain SSL certificate
   sudo certbot --nginx -d "$DOMAIN" --non-interactive --agree-tos -m "$EMAIL"
   
   # Reload Nginx to apply changes
   sudo systemctl reload nginx
   
   echo "Let's Encrypt SSL certificate has been installed and Nginx reloaded."

   Make the script executable:

   chmod +x enable_letsencrypt.sh

4. Update Docker Compose Configuration:

   Add the Nginx service to your docker-compose.yml:

   services:
     nginx:
       image: nginx:alpine
       ports:
         - "80:80"
         - "443:443"
       volumes:
         - ./conf.d:/etc/nginx/conf.d
         - ./ssl:/etc/nginx/ssl
       depends_on:
         - open-webui

5. Start Nginx Service:

   docker compose up -d nginx

6. Run the Let's Encrypt Script:

   Execute the script to obtain and install the SSL certificate:

   ./enable_letsencrypt.sh

Access the WebUI

Access Open WebUI via HTTPS at:

https://your_domain_or_IP

Self-Signed

Self-Signed Certificate

Using self-signed certificates is suitable for development or internal use where trust is not a critical concern.

Steps

1. Create Directories for Nginx Files:

   mkdir -p conf.d ssl

2. Create Nginx Configuration File:

   conf.d/open-webui.conf:

   server {
       listen 443 ssl;
       server_name your_domain_or_IP;
   
       ssl_certificate /etc/nginx/ssl/nginx.crt;
       ssl_certificate_key /etc/nginx/ssl/nginx.key;
       ssl_protocols TLSv1.2 TLSv1.3;
   
       location / {
           proxy_pass http://host.docker.internal:3000;
           proxy_set_header Host $host;
           proxy_set_header X-Real-IP $remote_addr;
           proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header X-Forwarded-Proto $scheme;
   
           # (Optional) Disable proxy buffering for better streaming response from models
           proxy_buffering off;
   
           # (Optional) Increase max request size for large attachments and long audio messages
           client_max_body_size 20M;
           proxy_read_timeout 10m;
       }
   }

3. Generate Self-Signed SSL Certificates:

   openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
   -keyout ssl/nginx.key \
   -out ssl/nginx.crt \
   -subj "/CN=your_domain_or_IP"

4. Update Docker Compose Configuration:

   Add the Nginx service to your docker-compose.yml:

   services:
     nginx:
       image: nginx:alpine
       ports:
         - "443:443"
       volumes:
         - ./conf.d:/etc/nginx/conf.d
         - ./ssl:/etc/nginx/ssl
       depends_on:
         - open-webui

5. Start Nginx Service:

   docker compose up -d nginx

Access the WebUI

Access Open WebUI via HTTPS at:

https://your_domain_or_IP

---

Windows

Using a Self-Signed Certificate and Nginx on Windows without Docker

For basic internal/development installations, you can use nginx and a self-signed certificate to proxy Open WebUI to https, allowing use of features such as microphone input over LAN. (By default, most browsers will not allow microphone input on insecure non-localhost urls)

This guide assumes you installed Open WebUI using pip and are running open-webui serve

Step 1: Installing openssl for certificate generation

You will first need to install openssl

You can download and install precompiled binaries from the Shining Light Productions (SLP) website.

Alternatively, if you have Chocolatey installed, you can use it to install OpenSSL quickly:

1. Open a command prompt or PowerShell.
2. Run the following command to install OpenSSL:

   choco install openssl -y

---

Verify Installation

After installation, open a command prompt and type:

openssl version

If it displays the OpenSSL version (e.g., OpenSSL 3.x.x ...), it is installed correctly.

Step 2: Installing nginx

Download the official Nginx for Windows from nginx.org or use a package manager like Chocolatey. Extract the downloaded ZIP file to a directory (e.g., C:\nginx).

Step 3: Generate certificate

Run the following command:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout nginx.key -out nginx.crt

Move the generated nginx.key and nginx.crt files to a folder of your choice, or to the C:\nginx directory

Step 4: Configure nginx

Open C:\nginx\conf\nginx.conf in a text editor

If you want Open WebUI to be accessible over your local LAN, be sure to note your LAN ip address using ipconfig e.g. 192.168.1.15

Set it up as follows:

#user  nobody;
worker_processes  1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  120;

    #gzip  on;

    # needed to properly handle websockets (streaming)
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    # Redirect all HTTP traffic to HTTPS
    server {
        listen 80;
        server_name 192.168.1.15;

        return 301 https://$host$request_uri;
    }

    # Handle HTTPS traffic
    server {
        listen 443 ssl;
        server_name 192.168.1.15;

        # SSL Settings (ensure paths are correct)
        ssl_certificate C:\\nginx\\nginx.crt;
        ssl_certificate_key C:\\nginx\\nginx.key;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
        ssl_prefer_server_ciphers on;

        # OCSP Stapling
        #ssl_stapling on;
        #ssl_stapling_verify on;

        # Proxy settings to your local service
        location / {
            # proxy_pass should point to your running localhost version of open-webui
            proxy_pass http://localhost:8080;

            # Add WebSocket support (Necessary for version 0.5.0 and up)
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;

            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;

            # (Optional) Disable proxy buffering for better streaming response from models
            proxy_buffering off;

            # (Optional) Increase max request size for large attachments and long audio messages
            client_max_body_size 20M;
            proxy_read_timeout 10m;
        }
    }

}

Save the file, and check the configuration has no errors or syntax issues by running nginx -t. You may need to cd C:\nginx first depending on how you installed it

Run nginx by running nginx. If an nginx service is already started, you can reload new config by running nginx -s reload

---

You should now be able to access Open WebUI on https://192.168.1.15 (or your own LAN ip as appropriate). Be sure to allow windows firewall access as needed.

Next Steps

After setting up HTTPS, access Open WebUI securely at:

• https://localhost

Ensure that your DNS records are correctly configured if you're using a domain name. For production environments, it's recommended to use Let's Encrypt for trusted SSL certificates.

---