This tutorial is a community contribution and is not supported by the Open WebUI team. It serves only as a demonstration on how to customize Open WebUI for your specific use case. Want to contribute? Check out the contributing tutorial.
HTTPS using Nginx
Ensuring secure communication between your users and the Open WebUI is paramount. HTTPS (HyperText Transfer Protocol Secure) encrypts the data transmitted, protecting it from eavesdroppers and tampering. By configuring Nginx as a reverse proxy, you can seamlessly add HTTPS to your Open WebUI deployment, enhancing both security and trustworthiness.
This guide provides three methods to set up HTTPS:
- Self-Signed Certificates: Ideal for development and internal use, using docker.
- Let's Encrypt: Perfect for production environments requiring trusted SSL certificates, using docker.
- Windows+Self-Signed: Simplified instructions for development and internal use on windows, no docker required.
Choose the method that best fits your deployment needs.
- Nginx Proxy Manager
- Let's Encrypt
- Self-Signed
- Windows
Nginx Proxy Managerβ
Nginx Proxy Manager (NPM) allows you to easily manage reverse proxies and secure your local applications, like Open WebUI, with valid SSL certificates from Let's Encrypt. This setup enables HTTPS access, which is necessary for using voice input features on many mobile browsers due to their security requirements, without exposing the application's specific port directly to the internet.
Prerequisitesβ
- A home server running Docker and open-webui container running.
- A domain name (free options like DuckDNS or paid ones like Namecheap/GoDaddy).
- Basic knowledge of Docker and DNS configuration.
Stepsβ
-
Create Directories for Nginx Files:
mkdir ~/nginx_config
cd ~/nginx_config -
Set Up Nginx Proxy Manager with Docker:
nano docker-compose.yml
services:
app:
image: 'jc21/nginx-proxy-manager:latest'
restart: unless-stopped
ports:
- '80:80'
- '81:81'
- '443:443'
volumes:
- ./data:/data
- ./letsencrypt:/etc/letsencrypt
Run the container:
docker-compose up -d
-
Configure DNS and Domain:
- Log in to your domain provider (e.g., DuckDNS) and create a domain.
- Point the domain to your proxyβs local IP (e.g., 192.168.0.6).
- If using DuckDNS, get an API token from their dashboard.
Here is a simple example how it's done in https://www.duckdns.org/domains :β
- Set Up SSL Certificates:
- Access Nginx Proxy Manager at http://server_ip:81. For example:
192.168.0.6:81
- Log in with the default credentials (admin@example.com / changeme). Change them as asked.
- Go to SSL Certificates β Add SSL Certificate β Let's Encrypt.
- Write your email and domain name you got from DuckDNS. One domain name contains an asterisk and another does not. Example:
*.hello.duckdns.org
andhello.duckdns.org
. - Select Use a DNS challenge, choose DuckDNS, and paste your API token. example:
dns_duckdns_token=f4e2a1b9-c78d-e593-b0d7-67f2e1c9a5b8
- Agree to Letβs Encrypt terms and save. Change propagation time if needed (120 seconds).
- Create Proxy Hosts:
- For each service (e.g., openwebui, nextcloud), go to Hosts β Proxy Hosts β Add Proxy Host.
- Fill in the domain name (e.g., openwebui.hello.duckdns.org).
- Set the scheme to HTTP (default), enable
Websockets support
and point to your Docker IP (if docker with open-webui is running on the same computer as NGINX manager, this will be the same IP as earlier (example:192.168.0.6
) - Select the SSL certificate generated earlier, force SSL, and enable HTTP/2.
- Add your url to open-webui (otherwise getting HTTPS error):
- Go to your open-webui β Admin Panel β Settings β General
- In the Webhook URL text field, enter your URL through which you will connect to your open-webui via Nginx reverse proxy. Example:
hello.duckdns.org
(not essential with this one) oropenwebui.hello.duckdns.org
(essential with this one).
Access the WebUI:β
Access Open WebUI via HTTPS at either hello.duckdns.org
or openwebui.hello.duckdns.org
(in whatever way you set it up).
Firewall Note: Be aware that local firewall software (like Portmaster) might block internal Docker network traffic or required ports. If you experience issues, check your firewall rules to ensure necessary communication for this setup is allowed.β
Let's Encryptβ
Let's Encrypt provides free SSL certificates trusted by most browsers, ideal for production environments.
Prerequisitesβ
- Certbot installed on your system.
- DNS records properly configured to point to your server.
Stepsβ
-
Create Directories for Nginx Files:
mkdir -p conf.d ssl
-
Create Nginx Configuration File:
conf.d/open-webui.conf
:server {
listen 80;
server_name your_domain_or_IP;
location / {
proxy_pass http://host.docker.internal:3000;
# Add WebSocket support (Necessary for version 0.5.0 and up)
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# (Optional) Disable proxy buffering for better streaming response from models
proxy_buffering off;
# (Optional) Increase max request size for large attachments and long audio messages
client_max_body_size 20M;
proxy_read_timeout 10m;
}
} -
Simplified Let's Encrypt Script:
enable_letsencrypt.sh
:#!/bin/bash
# Description: Simplified script to obtain and install Let's Encrypt SSL certificates using Certbot.
DOMAIN="your_domain_or_IP"
EMAIL="your_email@example.com"
# Install Certbot if not installed
if ! command -v certbot &> /dev/null; then
echo "Certbot not found. Installing..."
sudo apt-get update
sudo apt-get install -y certbot python3-certbot-nginx
fi
# Obtain SSL certificate
sudo certbot --nginx -d "$DOMAIN" --non-interactive --agree-tos -m "$EMAIL"
# Reload Nginx to apply changes
sudo systemctl reload nginx
echo "Let's Encrypt SSL certificate has been installed and Nginx reloaded."Make the script executable:
chmod +x enable_letsencrypt.sh
-
Update Docker Compose Configuration:
Add the Nginx service to your
docker-compose.yml
:services:
nginx:
image: nginx:alpine
ports:
- "80:80"
- "443:443"
volumes:
- ./conf.d:/etc/nginx/conf.d
- ./ssl:/etc/nginx/ssl
depends_on:
- open-webui -
Start Nginx Service:
docker compose up -d nginx
-
Run the Let's Encrypt Script:
Execute the script to obtain and install the SSL certificate:
./enable_letsencrypt.sh
Access the WebUIβ
Access Open WebUI via HTTPS at:
Self-Signed Certificateβ
Using self-signed certificates is suitable for development or internal use where trust is not a critical concern.
Stepsβ
-
Create Directories for Nginx Files:
mkdir -p conf.d ssl
-
Create Nginx Configuration File:
conf.d/open-webui.conf
:server {
listen 443 ssl;
server_name your_domain_or_IP;
ssl_certificate /etc/nginx/ssl/nginx.crt;
ssl_certificate_key /etc/nginx/ssl/nginx.key;
ssl_protocols TLSv1.2 TLSv1.3;
location / {
proxy_pass http://host.docker.internal:3000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# (Optional) Disable proxy buffering for better streaming response from models
proxy_buffering off;
# (Optional) Increase max request size for large attachments and long audio messages
client_max_body_size 20M;
proxy_read_timeout 10m;
}
} -
Generate Self-Signed SSL Certificates:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
-keyout ssl/nginx.key \
-out ssl/nginx.crt \
-subj "/CN=your_domain_or_IP" -
Update Docker Compose Configuration:
Add the Nginx service to your
docker-compose.yml
:services:
nginx:
image: nginx:alpine
ports:
- "443:443"
volumes:
- ./conf.d:/etc/nginx/conf.d
- ./ssl:/etc/nginx/ssl
depends_on:
- open-webui -
Start Nginx Service:
docker compose up -d nginx
Access the WebUIβ
Access Open WebUI via HTTPS at:
Using a Self-Signed Certificate and Nginx on Windows without Dockerβ
For basic internal/development installations, you can use nginx and a self-signed certificate to proxy Open WebUI to https, allowing use of features such as microphone input over LAN. (By default, most browsers will not allow microphone input on insecure non-localhost urls)
This guide assumes you installed Open WebUI using pip and are running open-webui serve
Step 1: Installing openssl for certificate generationβ
You will first need to install openssl
You can download and install precompiled binaries from the Shining Light Productions (SLP) website.
Alternatively, if you have Chocolatey installed, you can use it to install OpenSSL quickly:
- Open a command prompt or PowerShell.
- Run the following command to install OpenSSL:
choco install openssl -y
Verify Installationβ
After installation, open a command prompt and type:
openssl version
If it displays the OpenSSL version (e.g., OpenSSL 3.x.x ...
), it is installed correctly.
Step 2: Installing nginxβ
Download the official Nginx for Windows from nginx.org or use a package manager like Chocolatey. Extract the downloaded ZIP file to a directory (e.g., C:\nginx).
Step 3: Generate certificateβ
Run the following command:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout nginx.key -out nginx.crt
Move the generated nginx.key and nginx.crt files to a folder of your choice, or to the C:\nginx directory
Step 4: Configure nginxβ
Open C:\nginx\conf\nginx.conf in a text editor
If you want Open WebUI to be accessible over your local LAN, be sure to note your LAN ip address using ipconfig
e.g. 192.168.1.15
Set it up as follows:
#user nobody;
worker_processes 1;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for"';
#access_log logs/access.log main;
sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 120;
#gzip on;
# needed to properly handle websockets (streaming)
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
# Redirect all HTTP traffic to HTTPS
server {
listen 80;
server_name 192.168.1.15;
return 301 https://$host$request_uri;
}
# Handle HTTPS traffic
server {
listen 443 ssl;
server_name 192.168.1.15;
# SSL Settings (ensure paths are correct)
ssl_certificate C:\\nginx\\nginx.crt;
ssl_certificate_key C:\\nginx\\nginx.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
ssl_prefer_server_ciphers on;
# OCSP Stapling
#ssl_stapling on;
#ssl_stapling_verify on;
# Proxy settings to your local service
location / {
# proxy_pass should point to your running localhost version of open-webui
proxy_pass http://localhost:8080;
# Add WebSocket support (Necessary for version 0.5.0 and up)
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# (Optional) Disable proxy buffering for better streaming response from models
proxy_buffering off;
# (Optional) Increase max request size for large attachments and long audio messages
client_max_body_size 20M;
proxy_read_timeout 10m;
}
}
}
Save the file, and check the configuration has no errors or syntax issues by running nginx -t
. You may need to cd C:\nginx
first depending on how you installed it
Run nginx by running nginx
. If an nginx service is already started, you can reload new config by running nginx -s reload
You should now be able to access Open WebUI on https://192.168.1.15 (or your own LAN ip as appropriate). Be sure to allow windows firewall access as needed.
Next Stepsβ
After setting up HTTPS, access Open WebUI securely at:
Ensure that your DNS records are correctly configured if you're using a domain name. For production environments, it's recommended to use Let's Encrypt for trusted SSL certificates.