4.1 KiB
sidebar_position, title
| sidebar_position | title |
|---|---|
| 200 | HTTPS using Nginx |
:::warning
This tutorial is a community contribution and is not supported by the Open WebUI team. It serves only as a demonstration on how to customize Open WebUI for your specific use case. Want to contribute? Check out the contributing tutorial.
:::
HTTPS using Nginx
Ensuring secure communication between your users and the Open WebUI is paramount. HTTPS (HyperText Transfer Protocol Secure) encrypts the data transmitted, protecting it from eavesdroppers and tampering. By configuring Nginx as a reverse proxy, you can seamlessly add HTTPS to your Open WebUI deployment, enhancing both security and trustworthiness.
This guide provides three methods to set up HTTPS:
- Self-Signed Certificates: Ideal for development and internal use, using docker.
- Let's Encrypt: Perfect for production environments requiring trusted SSL certificates, using docker.
- Windows+Self-Signed: Simplified instructions for development and internal use on windows, no docker required.
:::danger Critical: Configure CORS for WebSocket Connections
A very common and difficult-to-debug issue with WebSocket connections is a misconfigured Cross-Origin Resource Sharing (CORS) policy. When running Open WebUI behind a reverse proxy like Nginx Proxy Manager, you must set the CORS_ALLOW_ORIGIN environment variable in your Open WebUI configuration.
Failure to do so will cause WebSocket connections to fail, even if you have enabled "Websockets support" in Nginx Proxy Manager.
HTTP/2 and WebSockets
If you enable HTTP/2 on your Nginx server, ensure that your proxy configuration still uses HTTP/1.1 for the connection to the Open WebUI backend. This is crucial as most WebUI features (like streaming and real-time updates) rely on WebSockets, which are more stable when handled via HTTP/1.1 Upgrade than over the newer RFC 8441 (WebSockets over H2) in many proxy environments.
In your Nginx location block, always include:
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
:::
:::danger Critical: Disable Proxy Buffering for SSE Streaming
This is the most common cause of garbled markdown and broken streaming responses.
When Nginx's proxy_buffering is enabled (the default!), it re-chunks SSE streams arbitrarily. This breaks markdown tokens across chunk boundaries—for example, **bold** becomes ** + bold + **—causing corrupted output with visible ##, **, or missing words.
You MUST include these directives in your Nginx location block:
# CRITICAL: Disable buffering for SSE streaming
proxy_buffering off;
proxy_cache off;
Symptoms if you forget this:
- Raw markdown tokens visible (
##,**,###) - Bold/heading markers appearing incorrectly
- Words or sections randomly missing from responses
- Streaming works perfectly when disabled, breaks when enabled
Bonus: Disabling buffering also makes streaming responses significantly faster, as content flows directly to the client without Nginx's buffering delay.
:::
Choose the method that best fits your deployment needs.
import Tabs from '@theme/Tabs'; import TabItem from '@theme/TabItem';
import NginxProxyManager from '../tab-nginx/NginxProxyManager.md'; import SelfSigned from '../tab-nginx/SelfSigned.md'; import LetsEncrypt from '../tab-nginx/LetsEncrypt.md'; import Windows from '../tab-nginx/Windows.md';
Next Steps
After setting up HTTPS, access Open WebUI securely at:
Ensure that your DNS records are correctly configured if you're using a domain name. For production environments, it's recommended to use Let's Encrypt for trusted SSL certificates.