From 947afd17e95f854d475a3996f4268ac94e362573 Mon Sep 17 00:00:00 2001 From: Classic298 <27028174+Classic298@users.noreply.github.com> Date: Sat, 8 Nov 2025 15:46:09 +0100 Subject: [PATCH 01/34] Document ENABLE_PASSWORD_BASED_LOGIN configuration --- docs/getting-started/env-configuration.mdx | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/docs/getting-started/env-configuration.mdx b/docs/getting-started/env-configuration.mdx index 9632ea0..c2989fb 100644 --- a/docs/getting-started/env-configuration.mdx +++ b/docs/getting-started/env-configuration.mdx @@ -82,6 +82,13 @@ Failure to set WEBUI_URL before using OAuth/SSO will result in failure to log in - Description: Toggles email, password, sign-in and "or" (only when `ENABLE_OAUTH_SIGNUP` is set to True) elements. - Persistence: This environment variable is a `PersistentConfig` variable. +#### `ENABLE_PASSWORD_BASED_LOGIN` + +- Type: `bool` +- Default: `True` +- Description: Allows both password and SSO authentication methods to coexist when set to True. When set to False, **while SSO is enabled (`ENABLE_OAUTH_SIGNUP`=True)**, it disables all password-based login attempts on the /signin and /ldap endpoints, enforcing strict SSO-only authentication. Disable this setting in production environments with fully configured SSO to prevent credential-based account takeover attacks; keep it enabled if you require password authentication as a backup or have not yet completed SSO configuration. Should never be disabled if OAUTH/SSO is not being used. +- Persistence: This environment variable is a `PersistentConfig` variable. + :::danger This should **only** ever be set to `False` when [ENABLE_OAUTH_SIGNUP](https://docs.openwebui.com/getting-started/env-configuration/#enable_oauth_signup) From b10c5024ef2602a94b1b60669cfaebad32dfd48b Mon Sep 17 00:00:00 2001 From: Classic298 <27028174+Classic298@users.noreply.github.com> Date: Mon, 10 Nov 2025 08:54:33 +0100 Subject: [PATCH 02/34] Document CHAT_STREAM_RESPONSE_CHUNK_MAX_BUFFER_SIZE Added documentation for CHAT_STREAM_RESPONSE_CHUNK_MAX_BUFFER_SIZE including type, default value, and description. --- docs/getting-started/env-configuration.mdx | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/getting-started/env-configuration.mdx b/docs/getting-started/env-configuration.mdx index c2989fb..75e96c9 100644 --- a/docs/getting-started/env-configuration.mdx +++ b/docs/getting-started/env-configuration.mdx @@ -269,6 +269,12 @@ This will run the Open WebUI on port `9999`. The `PORT` environment variable is - Default: `1` - Description: Sets a system-wide minimum value for the number of tokens to batch together before sending them to the client during a streaming response. This allows an administrator to enforce a baseline level of performance and stability across the entire system by preventing excessively small chunk sizes that can cause high CPU load. The final chunk size used for a response will be the highest value set among this global variable, the model's advanced parameters, or the per-chat settings. The default is 1, which applies no minimum batching at the global level. +#### `CHAT_STREAM_RESPONSE_CHUNK_MAX_BUFFER_SIZE` + +- Type: `int` +- Default: Empty string (' '), which disables the limit (equivalent to None) +- Description: Sets the maximum buffer size in bytes for handling stream response chunks. When a single chunk exceeds this limit, the system returns an empty JSON object and skips subsequent oversized data until encountering normally-sized chunks. This prevents memory issues when dealing with extremely large responses from certain providers (e.g., models like gemini-2.5-flash-image or services returning extensive web search data exceeding). Set to an empty string or a negative value to disable chunk size limitations entirely. + :::info It is recommended to set this to a high single-digit or low double-digit value if you run Open WebUI with high concurrency, many users, and very fast streaming models. From 1db46642cd9ef4db68392f3ae194aee5096c86a7 Mon Sep 17 00:00:00 2001 From: Classic298 <27028174+Classic298@users.noreply.github.com> Date: Mon, 10 Nov 2025 09:06:49 +0100 Subject: [PATCH 03/34] Update environment variable documentation for SSO Clarify the conditions for disabling password authentication in SSO environments. --- docs/getting-started/env-configuration.mdx | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/getting-started/env-configuration.mdx b/docs/getting-started/env-configuration.mdx index 75e96c9..769ad64 100644 --- a/docs/getting-started/env-configuration.mdx +++ b/docs/getting-started/env-configuration.mdx @@ -87,7 +87,6 @@ Failure to set WEBUI_URL before using OAuth/SSO will result in failure to log in - Type: `bool` - Default: `True` - Description: Allows both password and SSO authentication methods to coexist when set to True. When set to False, **while SSO is enabled (`ENABLE_OAUTH_SIGNUP`=True)**, it disables all password-based login attempts on the /signin and /ldap endpoints, enforcing strict SSO-only authentication. Disable this setting in production environments with fully configured SSO to prevent credential-based account takeover attacks; keep it enabled if you require password authentication as a backup or have not yet completed SSO configuration. Should never be disabled if OAUTH/SSO is not being used. -- Persistence: This environment variable is a `PersistentConfig` variable. :::danger From aed296660f0a732adff1467656e712de26115669 Mon Sep 17 00:00:00 2001 From: Adam Skalicky Date: Mon, 10 Nov 2025 17:34:02 -0800 Subject: [PATCH 04/34] Added logging for WEBSOCKET_REDIS_OPTIONS, WEBSOCKET_SERVER_LOGGING, WEBSOCKET_SERVER_ENGINEIO_LOGGING, WEBSOCKET_SERVER_PING_TIMEOUT, WEBSOCKET_SERVER_PING_INTERVAL --- docs/getting-started/env-configuration.mdx | 40 ++++++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/docs/getting-started/env-configuration.mdx b/docs/getting-started/env-configuration.mdx index 769ad64..1af1ff0 100644 --- a/docs/getting-started/env-configuration.mdx +++ b/docs/getting-started/env-configuration.mdx @@ -4466,6 +4466,46 @@ This option has no effect if `WEBSOCKET_SENTINEL_HOSTS` is defined. ::: +#### `WEBSOCKET_REDIS_OPTIONS` + +- Type: `str` +- Default: `{}` +- Description: A string representation of a dictionary containing additional Redis connection options for the websocket Redis client. This allows you to specify advanced connection parameters such as SSL settings, timeouts, or other Redis client configurations that are not covered by the standard `WEBSOCKET_REDIS_URL`. The string should be formatted as a valid Python dictionary. For example: `{"retry_on_timeout": true, "socket_connect_timeout": 5, "socket_timeout": 5, "max_connections": 8}`. All JSON encodable options listed [here] (https://redis.readthedocs.io/en/stable/connections.html) can be used. + +#### `WEBSOCKET_SERVER_LOGGING` + +- Type: `bool` +- Default: `false` +- Description: Controls logging for SocketIO server related to websocket operations. + +:::warning + +**This can be very verbose, it is only recommended to use this flag when debugging Redis related issues.** + +#### `WEBSOCKET_SERVER_ENGINEIO_LOGGING` + +- Type: `bool` +- Default: `false` +- Description: Controls logging for EngineIO server related to websocket operations. + +:::warning + +**This can be very verbose, it is only recommended to use this flag when debugging Redis related issues.** + + +#### `WEBSOCKET_SERVER_PING_TIMEOUT` + +- Type: `int` +- Default: `20` +- Description: The timeout for a ping to Redis in seconds. + +#### `WEBSOCKET_SERVER_PING_INTERVAL` + +- Type: `int` +- Default: `25` +- Description: The frequency for a ping to Redis in seconds. + + #### `ENABLE_STAR_SESSIONS_MIDDLEWARE` - Type: `bool` - Default: `False` From 2a81659dda026c829656ec84b58f4c5fa53fef70 Mon Sep 17 00:00:00 2001 From: Classic298 <27028174+Classic298@users.noreply.github.com> Date: Tue, 11 Nov 2025 09:21:56 +0100 Subject: [PATCH 05/34] Update env-configuration.mdx --- docs/getting-started/env-configuration.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/getting-started/env-configuration.mdx b/docs/getting-started/env-configuration.mdx index 769ad64..5ae262d 100644 --- a/docs/getting-started/env-configuration.mdx +++ b/docs/getting-started/env-configuration.mdx @@ -82,11 +82,11 @@ Failure to set WEBUI_URL before using OAuth/SSO will result in failure to log in - Description: Toggles email, password, sign-in and "or" (only when `ENABLE_OAUTH_SIGNUP` is set to True) elements. - Persistence: This environment variable is a `PersistentConfig` variable. -#### `ENABLE_PASSWORD_BASED_LOGIN` +#### `ENABLE_PASSWORD_AUTH` - Type: `bool` - Default: `True` -- Description: Allows both password and SSO authentication methods to coexist when set to True. When set to False, **while SSO is enabled (`ENABLE_OAUTH_SIGNUP`=True)**, it disables all password-based login attempts on the /signin and /ldap endpoints, enforcing strict SSO-only authentication. Disable this setting in production environments with fully configured SSO to prevent credential-based account takeover attacks; keep it enabled if you require password authentication as a backup or have not yet completed SSO configuration. Should never be disabled if OAUTH/SSO is not being used. +- Description: Allows both password and SSO authentication methods to coexist when set to True. When set to False, it disables all password-based login attempts on the /signin and /ldap endpoints, enforcing strict SSO-only authentication. Disable this setting in production environments with fully configured SSO to prevent credential-based account takeover attacks; keep it enabled if you require password authentication as a backup or have not yet completed SSO configuration. Should never be disabled if OAUTH/SSO is not being used. :::danger From 84d886c3263281cb528ddeb65e124a5c63102b6d Mon Sep 17 00:00:00 2001 From: Classic298 <27028174+Classic298@users.noreply.github.com> Date: Fri, 14 Nov 2025 11:34:41 +0100 Subject: [PATCH 06/34] Update env-configuration.mdx --- docs/getting-started/env-configuration.mdx | 49 +++++++++++++++++++++- 1 file changed, 48 insertions(+), 1 deletion(-) diff --git a/docs/getting-started/env-configuration.mdx b/docs/getting-started/env-configuration.mdx index 48c48b8..6454085 100644 --- a/docs/getting-started/env-configuration.mdx +++ b/docs/getting-started/env-configuration.mdx @@ -91,7 +91,7 @@ Failure to set WEBUI_URL before using OAuth/SSO will result in failure to log in :::danger This should **only** ever be set to `False` when [ENABLE_OAUTH_SIGNUP](https://docs.openwebui.com/getting-started/env-configuration/#enable_oauth_signup) -is also being used and set to `True`. Failure to do so will result in the inability to login. +is also being used and set to `True`. **Never disable this if OAUTH/SSO is not being used.** Failure to do so will result in the inability to login. ::: @@ -416,6 +416,13 @@ The AIOHTTP_CLIENT_TIMEOUT_MODEL_LIST is set to 10 seconds by default to help en - Default: `./static` - Description: Specifies the directory for static files, such as the favicon. +#### `AUDIT_LOGS_FILE_PATH` + +- Type: `str` +- Default: `${DATA_DIR}/audit.log` +- Description: Configures where the audit log file is stored. Enables storing logs in separate volumes or custom locations for better organization and persistence. +- Example: `/var/log/openwebui/audit.log`, `/mnt/logs/audit.log` + ### Ollama #### `ENABLE_OLLAMA_API` @@ -2416,6 +2423,7 @@ This environment variable was previously named "WEB_SEARCH_CONCURRENT_REQUESTS". - `perplexity_search` - Uses the [Perplexity Search API](https://www.perplexity.ai/) search engine. In contrast to the `perplexity` option, this uses Perplexity's web search API for searching the web and retrieving results. - `sougou` - Uses the [Sougou](https://www.sogou.com/) search engine. - `ollama_cloud` - Uses the [Ollama Cloud](https://ollama.com/blog/web-search) search engine. + - `azure_ai_search` - Persistence: This environment variable is a `PersistentConfig` variable. #### `BYPASS_WEB_SEARCH_EMBEDDING_AND_RETRIEVAL` @@ -2552,6 +2560,29 @@ the search query. Example: `http://searxng.local/search?q=` - Description: Specifies the search engine to use for SerpAPI. - Persistence: This environment variable is a `PersistentConfig` variable. +#### `AZURE_AI_SEARCH_API_KEY` + +- Type: `str` +- Default: `None` +- Description: API key (query key or admin key) for authenticating with Azure AI Search service. Required for using Azure AI Search as a web search provider. +- Persistence: This environment variable is a `PersistentConfig` variable. + +#### `AZURE_AI_SEARCH_ENDPOINT` + +- Type: `str` +- Default: `None` +- Description: Azure Search service endpoint URL. Specifies which Azure Search service instance to connect to. +- Example: `https://myservice.search.windows.net`, `https://company-search.search.windows.net` +- Persistence: This environment variable is a `PersistentConfig` variable. + +#### `AZURE_AI_SEARCH_INDEX_NAME` + +- Type: `str` +- Default: `None` +- Description: Name of the search index to query within your Azure Search service. Different indexes can contain different types of searchable content. +- Example: `my-search-index`, `documents-index`, `knowledge-base` +- Persistence: This environment variable is a `PersistentConfig` variable. + #### `SOUGOU_API_SID` - Type: `str` @@ -2639,6 +2670,14 @@ Using a remote Playwright browser via `PLAYWRIGHT_WS_URL` can be beneficial for: - Description: Sets the API key for Perplexity API. - Persistence: This environment variable is a `PersistentConfig` variable. +#### `PERPLEXITY_SEARCH_API_URL` + +- Type: `str` +- Default: `api.perplexity.ai/search` +- Description: Configures the API endpoint for Perplexity Search. Allows using custom or self-hosted Perplexity-compatible API endpoints (such as LiteLLM's `/search` endpoint) instead of the hardcoded default. This enables flexibility in routing search requests to alternative providers or internal proxies. +- Example: `my-litellm-server.com/search` +- Persistence: This environment variable is a `PersistentConfig` variable. + #### `PLAYWRIGHT_TIMEOUT` - Type: `int` @@ -2826,6 +2865,14 @@ Note: If none of the specified languages are available and `en` was not in your - Description: Sets the output format for Azure Text to Speech. - Persistence: This environment variable is a `PersistentConfig` variable. +### Voice Mode + +#### `VOICE_MODE_PROMPT_TEMPLATE` +- Type: `str` +- Default: The value of `DEFAULT_VOICE_MODE_PROMPT_TEMPLATE` environment variable. +- Description: Configures a custom system prompt for voice mode interactions. Allows administrators to control how the AI responds in voice conversations (style, length, tone). Leave empty to use the default prompt optimized for voice conversations, or provide custom instructions to tailor the voice assistant's behavior. +- Persistence: This environment variable is a `PersistentConfig` variable. + ### OpenAI Text-to-Speech #### `AUDIO_TTS_OPENAI_API_BASE_URL` From 50c00ae095f1543f26e850661c9cf383b8dc22a4 Mon Sep 17 00:00:00 2001 From: Classic298 <27028174+Classic298@users.noreply.github.com> Date: Tue, 18 Nov 2025 11:39:02 +0100 Subject: [PATCH 07/34] Update env-configuration.mdx --- docs/getting-started/env-configuration.mdx | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/docs/getting-started/env-configuration.mdx b/docs/getting-started/env-configuration.mdx index 6454085..d46717b 100644 --- a/docs/getting-started/env-configuration.mdx +++ b/docs/getting-started/env-configuration.mdx @@ -2379,6 +2379,19 @@ This Tenant ID (also known as Directory ID) is required for the work/school inte - Description: Enables proxy set by `http_proxy` and `https_proxy` during web search content fetching. - Persistence: This environment variable is a `PersistentConfig` variable. +#### `WEB_FETCH_FILTER_LIST` + +- Type: `string` (comma-separated list) +- Default: `""` (empty, but default blocklist is always applied) +- Description: Configures additional URL filtering rules for web fetch operations to prevent Server-Side Request Forgery (SSRF) attacks. The system includes a default blocklist that protects against access to cloud metadata endpoints (AWS, Google Cloud, Azure, Alibaba Cloud). Entries without a ! prefix are treated as an allow list (only these domains are permitted), while entries with a ! prefix are added to the block list (these domains are always denied). The default blocklist includes !169.254.169.254, !fd00:ec2::254, !metadata.google.internal, !metadata.azure.com, and !100.100.100.200. Custom entries are merged with the default blocklist. + +:::info +Example: + +Block additional domains: WEB_FETCH_FILTER_LIST="!internal.company.com,!192.168.1.1" +Allow only specific domains: WEB_FETCH_FILTER_LIST="example.com,trusted-site.org" +::: + #### `WEB_SEARCH_RESULT_COUNT` - Type: `int` From 9341e92b47c337de8f6576bfc2fa6f7fa5382a86 Mon Sep 17 00:00:00 2001 From: Adam Skalicky Date: Tue, 18 Nov 2025 12:58:10 -0800 Subject: [PATCH 08/34] Update env-configuration.mdx Added note about SSM and Compose escaping the quotes. --- docs/getting-started/env-configuration.mdx | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/docs/getting-started/env-configuration.mdx b/docs/getting-started/env-configuration.mdx index 1af1ff0..277cb71 100644 --- a/docs/getting-started/env-configuration.mdx +++ b/docs/getting-started/env-configuration.mdx @@ -4472,6 +4472,11 @@ This option has no effect if `WEBSOCKET_SENTINEL_HOSTS` is defined. - Default: `{}` - Description: A string representation of a dictionary containing additional Redis connection options for the websocket Redis client. This allows you to specify advanced connection parameters such as SSL settings, timeouts, or other Redis client configurations that are not covered by the standard `WEBSOCKET_REDIS_URL`. The string should be formatted as a valid Python dictionary. For example: `{"retry_on_timeout": true, "socket_connect_timeout": 5, "socket_timeout": 5, "max_connections": 8}`. All JSON encodable options listed [here] (https://redis.readthedocs.io/en/stable/connections.html) can be used. +:::warning + +**AWS SSM and Docker compose cannot ingest raw JSON, as such you need top escape any double quotes like the following:** +`{\"retry_on_timeout\": true, \"socket_connect_timeout\": 5, \"socket_timeout\": 5, \"max_connections\": 8}` + #### `WEBSOCKET_SERVER_LOGGING` - Type: `bool` From 591a027a04f18a6787ec9a5dcf6ed13466df994b Mon Sep 17 00:00:00 2001 From: Classic298 <27028174+Classic298@users.noreply.github.com> Date: Wed, 19 Nov 2025 11:23:20 +0100 Subject: [PATCH 09/34] Update env-configuration.mdx --- docs/getting-started/env-configuration.mdx | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/docs/getting-started/env-configuration.mdx b/docs/getting-started/env-configuration.mdx index 277cb71..d493df8 100644 --- a/docs/getting-started/env-configuration.mdx +++ b/docs/getting-started/env-configuration.mdx @@ -4477,6 +4477,8 @@ This option has no effect if `WEBSOCKET_SENTINEL_HOSTS` is defined. **AWS SSM and Docker compose cannot ingest raw JSON, as such you need top escape any double quotes like the following:** `{\"retry_on_timeout\": true, \"socket_connect_timeout\": 5, \"socket_timeout\": 5, \"max_connections\": 8}` +::: + #### `WEBSOCKET_SERVER_LOGGING` - Type: `bool` @@ -4487,6 +4489,8 @@ This option has no effect if `WEBSOCKET_SENTINEL_HOSTS` is defined. **This can be very verbose, it is only recommended to use this flag when debugging Redis related issues.** +::: + #### `WEBSOCKET_SERVER_ENGINEIO_LOGGING` - Type: `bool` @@ -4497,6 +4501,7 @@ This option has no effect if `WEBSOCKET_SENTINEL_HOSTS` is defined. **This can be very verbose, it is only recommended to use this flag when debugging Redis related issues.** +::: #### `WEBSOCKET_SERVER_PING_TIMEOUT` @@ -4510,7 +4515,6 @@ This option has no effect if `WEBSOCKET_SENTINEL_HOSTS` is defined. - Default: `25` - Description: The frequency for a ping to Redis in seconds. - #### `ENABLE_STAR_SESSIONS_MIDDLEWARE` - Type: `bool` - Default: `False` From cc405b01a2922d8afba8f12ba9df5cc72705f921 Mon Sep 17 00:00:00 2001 From: Classic298 <27028174+Classic298@users.noreply.github.com> Date: Wed, 19 Nov 2025 11:27:55 +0100 Subject: [PATCH 10/34] Update env-configuration.mdx --- docs/getting-started/env-configuration.mdx | 119 +++++++++++++++++++-- 1 file changed, 108 insertions(+), 11 deletions(-) diff --git a/docs/getting-started/env-configuration.mdx b/docs/getting-started/env-configuration.mdx index d46717b..0fdee24 100644 --- a/docs/getting-started/env-configuration.mdx +++ b/docs/getting-started/env-configuration.mdx @@ -109,6 +109,14 @@ is also being used and set to `True`. **Never disable this if OAUTH/SSO is not b - Description: Sets a default Language Model. - Persistence: This environment variable is a `PersistentConfig` variable. +#### `DEFAULT_PINNED_MODELS` + +- Type: `str` +- Default: Empty string (' ') +- Description: Comma-separated list of model IDs to pin by default for new users who haven't customized their pinned models. This provides a pre-selected set of frequently used models in the model selector for new accounts. +- Example: `gpt-4,claude-3-opus,llama-3-70b` +- Persistence: This environment variable is a `PersistentConfig` variable. + #### `DEFAULT_USER_ROLE` - Type: `str` @@ -928,29 +936,48 @@ JSON format: { "tags": ["tag1", "tag2", "tag3"] } ### API Key Endpoint Restrictions -#### `ENABLE_API_KEY` - -- Type: `bool` -- Default: `True` -- Description: Enables API key authentication. -- Persistence: This environment variable is a `PersistentConfig` variable. - -#### `ENABLE_API_KEY_ENDPOINT_RESTRICTIONS` +#### `ENABLE_API_KEYS` - Type: `bool` - Default: `False` -- Description: Enables API key endpoint restrictions for added security and configurability. +- Description: Enables the API key creation feature, allowing users to generate API keys for programmatic access to Open WebUI. - Persistence: This environment variable is a `PersistentConfig` variable. -#### `API_KEY_ALLOWED_ENDPOINTS` +:::info + +This variable replaces the deprecated `ENABLE_API_KEY` environment variable. + +::: + +#### `ENABLE_API_KEYS_ENDPOINT_RESTRICTIONS` + +- Type: `bool` +- Default: `False` +- Description: Enables API key endpoint restrictions for added security and configurability, allowing administrators to limit which endpoints can be accessed using API keys. +- Persistence: This environment variable is a `PersistentConfig` variable. + +:::info + +This variable replaces the deprecated `ENABLE_API_KEY_ENDPOINT_RESTRICTIONS` environment variable. + +::: + +#### `API_KEYS_ALLOWED_ENDPOINTS` - Type: `str` - Description: Specifies a comma-separated list of allowed API endpoints when API key endpoint restrictions are enabled. +- Example: `/api/v1/messages,/api/v1/channels,/api/v1/chat/completions` - Persistence: This environment variable is a `PersistentConfig` variable. :::note -The value of `API_KEY_ALLOWED_ENDPOINTS` should be a comma-separated list of endpoint URLs, such as `/api/v1/messages, /api/v1/channels`. +The value of `API_KEYS_ALLOWED_ENDPOINTS` should be a comma-separated list of endpoint URLs, such as `/api/v1/messages, /api/v1/channels`. + +::: + +:::info + +This variable replaces the deprecated `API_KEY_ALLOWED_ENDPOINTS` environment variable. ::: @@ -1584,6 +1611,49 @@ If set to `false`, open-webui will assume the postgreSQL database where embeddin ::: +#### `PGVECTOR_INDEX_METHOD` + +- Type: `str` +- Options: + - `ivfflat` - Uses inverted file with flat compression, better for datasets with many dimensions. + - `hnsw` - Uses Hierarchical Navigable Small World graphs, generally provides better query performance. +- Default: Not specified (pgvector will use its default) +- Description: Specifies the index method for pgvector. The choice affects query performance and index build time. +- Persistence: This environment variable is a `PersistentConfig` variable. + +:::info + +When choosing an index method, consider your dataset size and query patterns. HNSW generally provides better query performance but uses more memory, while IVFFlat can be more memory-efficient for larger datasets. + +::: + +#### `PGVECTOR_HNSW_M` + +- Type: `int` +- Default: `16` +- Description: HNSW index parameter that controls the maximum number of bi-directional connections per layer during index construction. Higher values improve recall but increase index size and build time. Only applicable when `PGVECTOR_INDEX_METHOD` is set to `hnsw`. +- Persistence: This environment variable is a `PersistentConfig` variable. + +#### `PGVECTOR_HNSW_EF_CONSTRUCTION` + +- Type: `int` +- Default: `64` +- Description: HNSW index parameter that controls the size of the dynamic candidate list during index construction. Higher values improve index quality but increase build time. Only applicable when `PGVECTOR_INDEX_METHOD` is set to `hnsw`. +- Persistence: This environment variable is a `PersistentConfig` variable. + +#### `PGVECTOR_IVFFLAT_LISTS` + +- Type: `int` +- Default: `100` +- Description: IVFFlat index parameter that specifies the number of inverted lists (clusters) to create. A good starting point is `rows / 1000` for up to 1M rows and `sqrt(rows)` for over 1M rows. Only applicable when `PGVECTOR_INDEX_METHOD` is set to `ivfflat`. +- Persistence: This environment variable is a `PersistentConfig` variable. + +:::info + +For IVFFlat indexes, choosing the right number of lists is crucial for query performance. Too few lists will result in slow queries, while too many will increase index size without significant performance gains. + +::: + ### Qdrant :::warning @@ -1940,6 +2010,19 @@ Note: this configuration assumes that AWS credentials will be available to your - Description: Sets the weight given to the keyword search (BM25) during hybrid search. 1 means only keyword search, 0 means only vector search. - Persistence: This environment variable is a `PersistentConfig` variable. +#### `ENABLE_RAG_HYBRID_SEARCH_ENRICHED_TEXTS` + +- Type: `bool` +- Default: `False` +- Description: Enhances BM25 hybrid search by enriching indexed text with document metadata including filenames, titles, sections, and snippets. This improves keyword recall for metadata-based queries, allowing searches to match on document names and structural elements in addition to content. +- Persistence: This environment variable is a `PersistentConfig` variable. + +:::info + +Enabling this feature increases the text volume indexed by BM25, which may impact storage requirements and indexing performance. However, it significantly improves search results when users query based on document names, titles, or structural elements rather than just content. + +::: + #### `RAG_TEMPLATE` - Type: `str` @@ -3052,6 +3135,14 @@ Strictly return in JSON format: - Description: Sets the API key to use for DALL-E image generation. - Persistence: This environment variable is a `PersistentConfig` variable. +##### `IMAGES_OPENAI_API_PARAMS` + +- Type: `str` (JSON) +- Default: `{}` +- Description: Additional parameters for OpenAI image generation API in JSON format. Allows customization of API-specific settings such as quality parameters for DALL-E models (e.g., `{"quality": "hd"}` for dall-e-3). +- Example: `{"quality": "hd", "style": "vivid"}` +- Persistence: This environment variable is a `PersistentConfig` variable. + #### Image Editing ##### `IMAGES_EDIT_OPENAI_API_BASE_URL` @@ -3992,6 +4083,12 @@ If `OAUTH_PICTURE_CLAIM` is set to `''` (empty string), then the OAuth picture c - Description: Enables or disables user permission to use code interpreter feature. - Persistence: This environment variable is a `PersistentConfig` variable. +#### `USER_PERMISSIONS_FEATURES_API_KEYS` + +- Type: `bool` +- Default: `False` +- Description: Sets the permission for API key creation feature for users. When enabled, users will have the ability to create and manage API keys for programmatic access. + ### Workspace Permissions #### `USER_PERMISSIONS_WORKSPACE_MODELS_ACCESS` From 90189965b498c03dfc43c5ef1f9621fcbfd74201 Mon Sep 17 00:00:00 2001 From: Classic298 <27028174+Classic298@users.noreply.github.com> Date: Thu, 20 Nov 2025 10:36:47 +0100 Subject: [PATCH 11/34] Update env-configuration.mdx --- docs/getting-started/env-configuration.mdx | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/getting-started/env-configuration.mdx b/docs/getting-started/env-configuration.mdx index 3acc3c1..b823b1e 100644 --- a/docs/getting-started/env-configuration.mdx +++ b/docs/getting-started/env-configuration.mdx @@ -270,6 +270,12 @@ This will run the Open WebUI on port `9999`. The `PORT` environment variable is - Default: `False` - Description: When enabled, the system saves each chunk of streamed chat data to the database in real time to ensure maximum data persistency. This feature provides robust data recovery and allows accurate session tracking. However, the tradeoff is increased latency, as saving to the database introduces a delay. Disabling this feature can improve performance and reduce delays, but it risks potential data loss in the event of a system failure or crash. Use based on your application's requirements and acceptable tradeoffs. +#### `ENABLE_CHAT_RESPONSE_BASE64_IMAGE_URL_CONVERSION` + +- Type: `bool` +- Default: `False` +- Description: When set to true, it automatically uploads base64-encoded images exceeding 1KB in markdown and converts them into image file URLs to reduce the size of response text. Some multimodal models directly output images as Base64 strings within the Markdown content. This results in larger response bodies, placing strain on CPU, network, Redis, and database resources. + #### `CHAT_RESPONSE_STREAM_DELTA_CHUNK_SIZE` - Type: `int` From cdf7223ca37e26fcade35987a77db787f00720e5 Mon Sep 17 00:00:00 2001 From: Classic298 <27028174+Classic298@users.noreply.github.com> Date: Thu, 20 Nov 2025 23:58:43 +0100 Subject: [PATCH 12/34] Update env-configuration.mdx --- docs/getting-started/env-configuration.mdx | 37 ++++++++++++++++++++++ 1 file changed, 37 insertions(+) diff --git a/docs/getting-started/env-configuration.mdx b/docs/getting-started/env-configuration.mdx index b823b1e..461bb75 100644 --- a/docs/getting-started/env-configuration.mdx +++ b/docs/getting-started/env-configuration.mdx @@ -1100,6 +1100,43 @@ directly. Ensure that no users are present in the database if you intend to turn ::: +#### `ENABLE_PASSWORD_VALIDATION` + +- Type: `bool` +- Default: `False` +- Description: Enables password complexity validation for user accounts. When enabled, passwords must meet the complexity requirements defined by `PASSWORD_VALIDATION_REGEX_PATTERN` during signup, password updates, and user creation operations. This helps enforce stronger password policies across the application. + +:::info + +Password validation is applied to: +- New user registration (signup) +- Password changes through user settings +- Admin-initiated user creation +- Password resets + +Existing users with passwords that don't meet the new requirements are **not automatically forced to update their passwords**, but will need to meet the requirements when they next change their password. + +::: + +#### `PASSWORD_VALIDATION_REGEX_PATTERN` + +- Type: `str` +- Default: `^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^\w\s]).{8,}$` +- Description: Regular expression pattern used to validate password complexity when `ENABLE_PASSWORD_VALIDATION` is enabled. The default pattern requires passwords to be at least 8 characters long and contain at least one uppercase letter, one lowercase letter, one digit, and one special character. + +:::warning + +**Custom Pattern Considerations** + +When defining a custom regex pattern, ensure it: +- Is a valid regular expression that Python's `re` module can compile +- Balances security requirements with user experience +- Is thoroughly tested before deployment to avoid locking users out + +Invalid regex patterns will cause password validation to fail, potentially preventing user registration and password changes. + +::: + #### `WEBUI_SECRET_KEY` - Type: `str` From 8df506292c1d295535764d4f4ad591156e4f72a1 Mon Sep 17 00:00:00 2001 From: Classic298 <27028174+Classic298@users.noreply.github.com> Date: Fri, 21 Nov 2025 09:10:33 +0100 Subject: [PATCH 13/34] Update env-configuration.mdx --- docs/getting-started/env-configuration.mdx | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/docs/getting-started/env-configuration.mdx b/docs/getting-started/env-configuration.mdx index 461bb75..9da3c94 100644 --- a/docs/getting-started/env-configuration.mdx +++ b/docs/getting-started/env-configuration.mdx @@ -3126,6 +3126,13 @@ Strictly return in JSON format: ### Image Editing +#### `ENABLE_IMAGE_EDIT` + +- Type: `boolean` +- Default: `true` +- Description: When disabled, Image Editing will not be used and instead, images will be created only using the image generation engine. +- Persistence: This environment variable is a `PersistentConfig` variable. + #### `IMAGE_EDIT_ENGINE` - Type: `str` From 9dae399ca993a90922c39a7a70d449309488568d Mon Sep 17 00:00:00 2001 From: Classic298 <27028174+Classic298@users.noreply.github.com> Date: Sun, 23 Nov 2025 19:33:04 +0100 Subject: [PATCH 14/34] Update index.mdx --- docs/features/index.mdx | 50 ++++++++++++++++++++++++++++++++--------- 1 file changed, 40 insertions(+), 10 deletions(-) diff --git a/docs/features/index.mdx b/docs/features/index.mdx index 7431140..173b1ca 100644 --- a/docs/features/index.mdx +++ b/docs/features/index.mdx @@ -17,6 +17,8 @@ import { TopBanners } from "@site/src/components/TopBanners"; - πŸ›‘οΈ **Granular Permissions and User Groups**: By allowing administrators to create detailed user roles, user groups, and permissions across the workspace, we ensure a secure user environment for all users involved. This granularity not only enhances security, but also allows for customized user experiences, fostering a sense of ownership and responsibility amongst users. +- πŸ” **SCIM 2.0 Provisioning**: Enterprise-grade user and group provisioning through SCIM 2.0 protocol, enabling seamless integration with identity providers like Okta, Azure AD, and Google Workspace for automated user lifecycle management. + - πŸ“± **Responsive Design**: Enjoy a seamless experience across desktop PCs, laptops, and mobile devices. - πŸ“± **Progressive Web App for Mobile**: Enjoy a native progressive web application experience on your mobile device with offline access on `localhost` or a personal domain, and a smooth user interface. In order for our PWA to be installable on your device, it must be delivered in a secure context. This usually means that it must be served over HTTPS. @@ -31,15 +33,15 @@ import { TopBanners } from "@site/src/components/TopBanners"; - 🧩 **Model Builder**: Easily create custom models from base Ollama models directly from Open WebUI. Create and add custom characters and agents, customize model elements, and import models effortlessly through [Open WebUI Community](https://openwebui.com/) integration. -- πŸ“š **Local and Remote RAG Integration**: Dive into the future of chat interactions and explore your documents with our cutting-edge Retrieval Augmented Generation (RAG) technology within your chats. Documents can be loaded into the `Documents` tab of the Workspace, after which they can be accessed using the pound key [`#`] before a query, or by starting the prompt with the pound key [`#`], followed by a URL for webpage content integration. +- πŸ“š **Advanced RAG Integration with Multiple Vector Databases**: Dive into the future of chat interactions with cutting-edge Retrieval Augmented Generation (RAG) technology. Choose from 9 vector database options: ChromaDB (default), PostgreSQL with PGVector, Qdrant, Milvus, Elasticsearch, OpenSearch, Pinecone, S3Vector, and Oracle 23ai. Documents can be loaded into the `Documents` tab of the Workspace and accessed using the pound key [`#`] before a query, or by starting the prompt with [`#`] followed by a URL for webpage content integration. -- πŸ“„ **Document Extraction**: Extract text and data from various document formats including PDFs, Word documents, Excel spreadsheets, PowerPoint presentations, and more. Our advanced document processing capabilities enable seamless integration with your knowledge base, allowing for accurate retrieval and generation of information from complex documents while preserving their structure and formatting. +- πŸ“„ **Advanced Document Extraction with Multiple Engines**: Extract text and data from various document formats including PDFs, Word documents, Excel spreadsheets, PowerPoint presentations, and more using your choice of extraction engines: Apache Tika, Docling, Azure Document Intelligence, Mistral OCR, or external custom (self-built) content extraction engines/document loaders. Advanced document processing capabilities enable seamless integration with your knowledge base, preserving structure and formatting while supporting OCR for scanned documents and images. -- πŸ” **Web Search for RAG**: You can perform web searches using a selection of various search providers and inject the results directly into your local Retrieval Augmented Generation (RAG) experience. +- πŸ” **Web Search for RAG with 15+ Providers**: Perform web searches using 15+ providers including SearXNG, Google PSE, Brave Search, Kagi, Mojeek, Bocha, Tavily, Perplexity (AI models and Search API), serpstack, serper, Serply, DuckDuckGo, SearchAPI, SerpApi, Bing, Jina, Exa, Sougou, Azure AI Search, and Ollama Cloud, injecting results directly into your local Retrieval Augmented Generation (RAG) experience. - 🌐 **Web Browsing Capabilities**: Integrate websites seamlessly into your chat experience by using the `#` command followed by a URL. This feature enables the incorporation of web content directly into your conversations, thereby enhancing the richness and depth of your interactions. -- 🎨 **Image Generation Integration**: Seamlessly incorporate image generation capabilities to enrich your chat experience with dynamic visual content. +- 🎨 **Image Generation & Editing Integration**: Seamlessly create and edit images using multiple engines including OpenAI's DALL-E (generation and editing), Gemini (generation and editing), ComfyUI (local, generation and editing), and AUTOMATIC1111 (local, generation). Support for both text-to-image generation and prompt-based image editing workflows with dynamic visual content. - βš™οΈ **Concurrent Model Utilization**: Effortlessly engage with multiple models simultaneously, harnessing their unique strengths for optimal responses. Leverage a diverse set of model modalities in parallel to enhance your experience. @@ -47,6 +49,18 @@ import { TopBanners } from "@site/src/components/TopBanners"; - 🌐🌍 **Multilingual Support**: Experience Open WebUI in your preferred language with our internationalization (`i18n`) support. We invite you to join us in expanding our supported languages! We're actively seeking contributors! +- πŸ’Ύ **Persistent Artifact Storage**: Built-in key-value storage API for artifacts, enabling features like journals, trackers, leaderboards, and collaborative tools with both personal and shared data scopes that persist across sessions. + +- ☁️ **Cloud Storage Integration**: Native support for cloud storage backends including Amazon S3 (with S3-compatible providers), Google Cloud Storage, and Microsoft Azure Blob Storage for scalable file storage and data management. + +- ☁️ **Enterprise Cloud Integration**: Seamlessly import documents from Google Drive and OneDrive/SharePoint directly through the file picker interface, enabling smooth workflows with enterprise cloud storage solutions. + +- πŸ“Š **Production Observability with OpenTelemetry**: Built-in OpenTelemetry support for comprehensive monitoring with traces, metrics, and logs export to your existing observability stack (Prometheus, Grafana, Jaeger, etc.), enabling production-grade monitoring and debugging. + +- πŸ”’ **Encrypted Database Support**: Optional at-rest encryption for SQLite databases using SQLCipher, providing enhanced security for sensitive data in smaller deployments without requiring PostgreSQL infrastructure. + +- βš–οΈ **Horizontal Scalability for Production**: Redis-backed session management and WebSocket support enabling multi-worker and multi-node deployments behind load balancers for high-availability production environments. + - 🌟 **Continuous Updates**: We are committed to improving Open WebUI with regular updates, fixes, and new features. ## And many more remarkable features including... ⚑️ @@ -307,23 +321,23 @@ import { TopBanners } from "@site/src/components/TopBanners"; ### πŸŽ™οΈ Audio, Voice, & Accessibility -- πŸ—£οΈ **Voice Input Support**: Engage with your model through voice interactions; enjoy the convenience of talking to your model directly. Additionally, explore the option for sending voice input automatically after 3 seconds of silence for a streamlined experience. +- πŸ—£οΈ **Voice Input Support with Multiple Providers**: Engage with your model through voice interactions using multiple Speech-to-Text providers: Local Whisper (default, with VAD filtering), OpenAI-compatible endpoints, Deepgram, and Azure Speech Services. Enjoy the convenience of talking to your model directly with automatic voice input after 3 seconds of silence for a streamlined experience. - Microphone access requires manually setting up a secure connection over HTTPS to work, or [manually whitelisting your URL at your own risk](https://docs.openwebui.com/troubleshooting/microphone-error). - 😊 **Emoji Call**: Toggle this feature on from the `Settings` > `Interface` menu, allowing LLMs to express emotions using emojis during voice calls for a more dynamic interaction. - - Microphone access requires a secure connection over HTTPS for this feature to work. + - Microphone access requires manually setting up a secure connection over HTTPS to work, or [manually whitelisting your URL at your own risk](https://docs.openwebui.com/troubleshooting/microphone-error). - πŸŽ™οΈ **Hands-Free Voice Call Feature**: Initiate voice calls without needing to use your hands, making interactions more seamless. - - Microphone access is required using a secure connection over HTTPS for this feature to work. + - Microphone access requires manually setting up a secure connection over HTTPS to work, or [manually whitelisting your URL at your own risk](https://docs.openwebui.com/troubleshooting/microphone-error). - πŸ“Ή **Video Call Feature**: Enable video calls with supported vision models like LlaVA and GPT-4o, adding a visual dimension to your communications. - - Both Camera & Microphone access is required using a secure connection over HTTPS for this feature to work. + - Both Camera & Microphone access is required using a secure connection over HTTPS for this feature to work, or [manually whitelisting your URL at your own risk](https://docs.openwebui.com/troubleshooting/microphone-error). - πŸ‘† **Tap to Interrupt**: Stop the AI’s speech during voice conversations with a simple tap on mobile devices, ensuring seamless control over the interaction. - πŸŽ™οΈ **Voice Interrupt**: Stop the AI’s speech during voice conversations with your voice on mobile devices, ensuring seamless control over the interaction. -- πŸ”Š **Configurable Text-to-Speech Endpoint**: Customize your Text-to-Speech experience with configurable OpenAI-compatible endpoints for reading aloud LLM responses. +- πŸ”Š **Multiple Text-to-Speech Providers**: Customize your Text-to-Speech experience with multiple providers: OpenAI-compatible endpoints, Azure Speech Services, ElevenLabs (with EU residency support), local Transformers models, and browser-based WebAPI for reading aloud LLM responses. - πŸ”— **Direct Call Mode Access**: Activate call mode directly from a URL, providing a convenient shortcut for mobile device users. @@ -335,6 +349,10 @@ import { TopBanners } from "@site/src/components/TopBanners"; - 🎡 **Broad Audio Compatibility**: Enjoy support for a wide range of audio file format transcriptions with RAG, including 'audio/x-m4a', to broaden compatibility with audio content within the platform. +- 🎀 **Deepgram Speech-to-Text Integration**: Leverage Deepgram's advanced speech recognition capabilities for high-accuracy voice transcription, providing an additional STT option beyond local Whisper and OpenAI. + +- πŸ”Š **ElevenLabs Text-to-Speech Integration**: Access ElevenLabs' premium voice synthesis with support for EU residency API endpoints, offering high-quality and natural-sounding voice output for enhanced user experiences. + - πŸ”Š **Audio Compression**: Experimental audio compression allows navigating around the 25MB limit for OpenAI's speech-to-text processing, expanding the possibilities for audio-based interactions. - πŸ—£οΈ **Experimental SpeechT5 TTS**: Enjoy local SpeechT5 support for improved text-to-speech capabilities. @@ -367,6 +385,12 @@ import { TopBanners } from "@site/src/components/TopBanners"; - πŸ›’οΈ **Flexible Database Integration**: Seamlessly connect to custom databases, including SQLite, Postgres, and multiple vector databases like Milvus, using environment variables for flexible and scalable data management. +- πŸ—„οΈ **Multiple Vector Database Support**: Choose from 9 vector database options for optimal RAG performance: ChromaDB (default), PostgreSQL with PGVector, Qdrant, Milvus, Elasticsearch, OpenSearch, Pinecone, S3Vector, and Oracle 23ai. Each option provides different scaling characteristics and performance profiles to match your deployment needs. + +- ☁️ **Enterprise Cloud Storage Backends**: Configure cloud storage backends including Amazon S3 (with S3-compatible providers like MinIO), Google Cloud Storage, and Microsoft Azure Blob Storage for scalable file storage, enabling stateless instances and distributed deployments. + +- πŸ“‚ **Cloud File Picker Integration**: Import documents directly from Google Drive and OneDrive/SharePoint through native file picker interfaces, streamlining workflows for users working with enterprise cloud storage solutions. + - πŸŒπŸ—£οΈ **External Speech-to-Text Support**: The addition of external speech-to-text (`STT`) services provides enhanced flexibility, allowing users to choose their preferred provider for seamless interaction. - 🌐 **Remote ChromaDB Support**: Extend the capabilities of your database by connecting to remote ChromaDB servers. @@ -375,10 +399,14 @@ import { TopBanners } from "@site/src/components/TopBanners"; - πŸš€ **Advanced Load Balancing and Reliability**: Utilize enhanced load balancing capabilities, stateless instances with full Redis support, and automatic web socket re-connection to promote better performance, reliability, and scalability in WebUI, ensuring seamless and uninterrupted interactions across multiple instances. -- ☁️ **Experimental S3 Support**: Enable stateless WebUI instances with S3 support for enhanced scalability and balancing heavy workloads. +- ☁️ **Cloud Storage Backend Support**: Enable stateless Open WebUI instances with cloud storage backends (Amazon S3, Google Cloud Storage, Microsoft Azure Blob Storage) for enhanced scalability, high availability, and balancing heavy workloads across multiple instances. - πŸ› οΈ **OAuth Management for User Groups**: Enhance control and scalability in collaborative environments with group-level management via OAuth integration. +- πŸ” **SCIM 2.0 Automated Provisioning**: Enterprise-grade user and group provisioning through SCIM 2.0 protocol, enabling seamless integration with identity providers like Okta, Azure AD, and Google Workspace for automated user lifecycle management, reducing administrative overhead. + +- πŸ“Š **OpenTelemetry Observability**: Export traces, metrics, and logs to your observability stack using OpenTelemetry protocol (OTLP), supporting both gRPC and HTTP exporters with configurable endpoints, authentication, and sampling strategies for comprehensive production monitoring. + --- ### πŸ‘‘ Administration @@ -427,6 +455,8 @@ import { TopBanners } from "@site/src/components/TopBanners"; - πŸ”‘ **LDAP Authentication**: Enhance security and scalability with LDAP support for user management. +- πŸ” **SCIM 2.0 Provisioning**: Automate user and group lifecycle management through SCIM 2.0 protocol integration with identity providers like Okta, Azure AD, and Google Workspace, reducing administrative overhead and ensuring synchronized user management across systems. + - 🌐 **Customizable OpenAI Connections**: Enjoy smooth operation with custom OpenAI setups, including prefix ID support and explicit model ID support for APIs. - πŸ” **Ollama API Key Management**: Manage Ollama credentials, including prefix ID support, for secure and efficient operation. From 5ece4c57ff8d6503353dee7af2bca1631083d158 Mon Sep 17 00:00:00 2001 From: Classic298 <27028174+Classic298@users.noreply.github.com> Date: Sun, 23 Nov 2025 19:34:35 +0100 Subject: [PATCH 15/34] Update perplexity_search.mdx --- docs/features/web-search/perplexity_search.mdx | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/features/web-search/perplexity_search.mdx b/docs/features/web-search/perplexity_search.mdx index f38fdba..571b607 100644 --- a/docs/features/web-search/perplexity_search.mdx +++ b/docs/features/web-search/perplexity_search.mdx @@ -24,3 +24,9 @@ Perplexity Search API is just a search engine, as opposed to the Perplexity inte 3. Set `Web Search Engine` from dropdown menu to `perplexity_search` 4. Enter your Perplexity API key from [Perplexity API Key management](https://www.perplexity.ai/account/api/keys). 5. Press save + +:::tip + +LiteLLM's `/search` endpoint uses the Perplexity Search API style - you can customize the API endpoint of Open WebUI's perplexity_search web search to point to your LiteLLM instance and use that for web searches! + +::: From 67b3728f0d516d5742de0d2d00d091397bbabf7d Mon Sep 17 00:00:00 2001 From: Classic298 <27028174+Classic298@users.noreply.github.com> Date: Sun, 23 Nov 2025 19:41:04 +0100 Subject: [PATCH 16/34] Update security.mdx --- docs/security.mdx | 46 ++++++++++++++++++++++++++++++++++++---------- 1 file changed, 36 insertions(+), 10 deletions(-) diff --git a/docs/security.mdx b/docs/security.mdx index bb444d5..b57dcd7 100644 --- a/docs/security.mdx +++ b/docs/security.mdx @@ -44,20 +44,46 @@ Our commitment to a single, central reporting mechanism is rooted in both techni ## Reporting Guidelines -To ensure a constructive and rapid remediation process, please adhere to the following requirements: +**[You can find the latest version of the security guidelines here.](https://github.com/open-webui/open-webui/security)** -1. **Submit Detailed Reports Only**: Vague or generic statements such as β€œI found a vulnerability” without actionable details will not be accepted and are classified as spam. -2. **Demonstrate Understanding**: Clear, concise descriptions backed by evidence of impact or exploitability are required. Please specify components, affected versions, and steps to reproduce. -3. **Proof of Concept Required**: Submissions must include a working proof of concept (PoC). Private forks may be used for responsible disclosureβ€”access must be shared with relevant maintainers. -4. **Remediation Guidance Expected**: High-quality reports are most valuable when accompanied by proposed patches or direct, actionable steps for mitigation. This streamlines our review and resolution timeline, and demonstrates commitment to the project’s ongoing robustness. +To ensure constructive, actionable reports that genuinely improve security, all submissions must meet the following requirements: -Contributors who not only identify a vulnerability but also present a robust, ready-to-merge fix help accelerate our response and strengthen the community. We do recognize and prioritize such efforts, and there may be additional opportunities for appreciation for those who provide comprehensive solutions. +1. **Report MUST be a vulnerability**: A security vulnerability is an exploitable weakness where the system behaves in an unintended way, allowing attackers to bypass security controls, gain unauthorized access, execute arbitrary code, or escalate privileges. Configuration options, missing features, and expected protocol behavior are not vulnerabilities. -All non-compliant or off-topic submissions will be closed. Repeat misuse may result in being banned from contributing to the project. +2. **No Vague Reports**: Submissions such as "I found a vulnerability" without any details will be treated as spam and will not be accepted. -## Communication and Compensation +3. **In-Depth Understanding Required**: Reports must reflect a clear understanding of the codebase and provide specific details about the vulnerability, including the affected components and potential impacts. -All threat assessments and follow-up are reviewed by the core project team, allowing us to directly evaluate, prioritize, and address the issue. While we promote responsible disclosure and highly value skilled contributions, the processβ€”including recognitionβ€”remains at the sole discretion of the maintainers, and is handled within GitHub. Contributors offering actionable fixes may receive additional acknowledgment depending on the impact of their report. +4. **Proof of Concept (PoC) is Mandatory**: Each submission must include a well-documented proof of concept that demonstrates the vulnerability. A PoC must show what security boundary was crossed (Confidentiality, Integrity, Availability, Authenticity, Non-repudiation), how this vulnerability was abused, and what actions the attacker can now perform. Valid PoCs include step-by-step reproduction instructions with exact commands, complete exploit code with detailed execution instructions, or screenshots/videos demonstrating the exploit (supplementary to written steps). If confidentiality is a concern, reporters are encouraged to create a private fork of the repository and share access with the maintainers. Reports lacking valid evidence may be disregarded. We will notify you if we struggle to reproduce the exploit using your PoC, but if we repeatedly cannot reproduce it, the report may be closed. + +5. **Required Patch or Actionable Remediation Plan Submission**: Along with the PoC, reporters must provide a patch or actionable steps to remediate the identified vulnerability. This helps us evaluate and implement fixes rapidly and demonstrates commitment to the project's ongoing robustness. + +6. **Streamlined Merging Process**: When vulnerability reports meet the above criteria, we can consider provided patches for immediate merging, similar to regular pull requests. Well-structured and thorough submissions will expedite the process of enhancing our security. + +7. **Default Configuration Testing**: All vulnerability reports must be tested and reproducible using Open WebUI's out-of-the-box default configuration. Claims of vulnerabilities that only manifest with explicitly weakened security settings may be discarded. However, if you believe you have found a security issue that affects default configurations, represents a genuine bypass of intended security controls, or works only with non-default configurations but the configuration in question is likely to be used by production deployments, then we absolutely want to hear about it. This policy is intended to filter configuration issues and deployment problems, not to discourage legitimate security research. + +8. **Threat Model Understanding Required**: Reports must demonstrate understanding of Open WebUI's self-hosted, authenticated, role-based access control architecture. Comparing Open WebUI to services with fundamentally different security models without acknowledging the architectural differences may result in report rejection. + +9. **CVSS Scoring Accuracy**: If you include a CVSS score with your report, it must accurately reflect the vulnerability according to CVSS methodology. Common errors include rating PR:N (None) when authentication is required, scoring hypothetical attack chains instead of the actual vulnerability, or inflating severity without evidence. We will adjust inaccurate CVSS scores. Intentionally inflated scores may result in report rejection. If you cite other CVEs to support your report, ensure they are genuinely comparable in vulnerability type, threat model, and attack vector. Citing CVEs from different product categories, different vulnerability classes, or different deployment models will lead us to suspect the use of AI in your report. + +10. **Admin Actions Are Out of Scope**: Vulnerabilities that require an administrator to actively perform unsafe actions are not considered valid vulnerabilities. Admins have full system control and are expected to understand the security implications of their actions and configurations. This includes but is not limited to adding malicious external servers (models, tools, webhooks), pasting untrusted code into Functions/Tools, or intentionally weakening security settings. Reports requiring admin negligence or social engineering of admins may be rejected. However, if you believe you have found a vulnerability that affects admins and is not caused by admin negligence or intentionally malicious actions, then we absolutely want to hear about it. This policy is intended to filter social engineering attacks on admins and similar malicious actions, not to discourage legitimate security research. + +11. **AI Report Transparency**: Due to an extreme spike in AI-aided vulnerability reports, you must disclose if AI was used in any capacityβ€”whether for writing the report, generating the PoC, or identifying the vulnerability. AI-aided vulnerability reports will not be rejected by default. However, if we suspect you used AI but did not disclose it to us, we will be asking tough follow-up questions to validate your understanding of the reported vulnerability and Open WebUI itself. If we suspect you used AI but you did not disclose it and your report ends up being invalid, not a vulnerability, or not reproducible, then you may be banned from reporting future vulnerabilities. This measure was necessary due to the extreme rise in clearly AI-written vulnerability reports where the vast majority were not vulnerabilities, were faulty configurations rather than real vulnerabilities, did not provide a PoC, violated the rules outlined here, had a clear lack of understanding of Open WebUI, wrote comments with conflicting information, or used illogical arguments. + +Non-compliant submissions will be closed, and repeat extreme violators may be banned. Our goal is to foster a constructive reporting environment where quality submissions promote better security for all users. Contributors who not only identify a vulnerability but also present a robust, ready-to-merge fix help accelerate our response and strengthen the community. + +If you feel like you are not able to follow all outlined requirements for vulnerability-specific reasons, still do report itβ€”we will check every report either way. + +## For Non-Vulnerability Related Security Concerns + +If your concern does not meet the vulnerability requirements outlined above, is not a vulnerability, but is still related to security concerns, then use the following channels instead: + +- **Documentation issues/improvement ideas**: Open an issue in our [Documentation Repository](https://github.com/open-webui/docs) +- **Feature requests**: Create a discussion in [GitHub Discussions - Ideas](https://github.com/open-webui/open-webui/discussions/) to discuss with the community if this feature request is wanted by multiple people +- **Configuration help**: Ask the community for help and guidance on our [Discord Server](https://discord.gg/5rJgQTnV4s) or on [Reddit](https://www.reddit.com/r/OpenWebUI/) +- **General issues**: Use our [Issue Tracker](https://github.com/open-webui/open-webui/issues) + +Examples of non-vulnerability, still security-related concerns include suggestions for better default configuration values, security hardening recommendations, deployment best practices guidance, unclear configuration instructions, need for additional security documentation, feature requests for optional security enhancements (2FA, audit logging, etc.), and general security questions about production deployment. Please use the adequate channel for your specific issue. ## Product Security Process @@ -66,4 +92,4 @@ All threat assessments and follow-up are reviewed by the core project team, allo - Proactive risk management and code reviews as part of ongoing development - Continuous improvements and integration of advanced tooling for static/dynamic analysis -If you have an immediate and actionable security concern, please create a report in our [security advisory portal](https://github.com/open-webui/open-webui/security/advisories) or [issue tracker](https://github.com/open-webui/open-webui/issues). \ No newline at end of file +If you have an immediate and actionable security concern, please create a report in our [security advisory portal](https://github.com/open-webui/open-webui/security/advisories) or [issue tracker](https://github.com/open-webui/open-webui/issues). From 6146ca1d583e4dd38f737ffc8d52524b70b0ec69 Mon Sep 17 00:00:00 2001 From: Classic298 <27028174+Classic298@users.noreply.github.com> Date: Sun, 23 Nov 2025 19:44:02 +0100 Subject: [PATCH 17/34] Update docusaurus.config.ts --- docusaurus.config.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docusaurus.config.ts b/docusaurus.config.ts index 566b993..aaec96d 100644 --- a/docusaurus.config.ts +++ b/docusaurus.config.ts @@ -156,7 +156,7 @@ const config: Config = { }, { label: "Report a Vulnerability / Responsible Disclosure", - to: "https://openwebui.com", + to: "https://github.com/open-webui/open-webui/security", }, ], }, From 78fb38ab3f4096ff899d0a09be9dd063d448c341 Mon Sep 17 00:00:00 2001 From: Classic298 <27028174+Classic298@users.noreply.github.com> Date: Sun, 23 Nov 2025 19:47:47 +0100 Subject: [PATCH 18/34] Delete docs/troubleshooting/compatibility.mdx --- docs/troubleshooting/compatibility.mdx | 16 ---------------- 1 file changed, 16 deletions(-) delete mode 100644 docs/troubleshooting/compatibility.mdx diff --git a/docs/troubleshooting/compatibility.mdx b/docs/troubleshooting/compatibility.mdx deleted file mode 100644 index f95da1f..0000000 --- a/docs/troubleshooting/compatibility.mdx +++ /dev/null @@ -1,16 +0,0 @@ ---- -sidebar_position: 0 -title: "Browser Compatibility" ---- - -Open WebUI is designed for and tested on modern browsers. To ensure the best experience, we recommend using the following browser versions or later: - -## πŸš€ Supported Browsers - -Open WebUI's core functionality specifically depends on these browser versions: - -- **Chrome 111** 🟒 *(Released March 2023)* -- **Safari 16.4** 🍏 *(Released March 2023)* -- **Firefox 128** πŸ”₯ *(Released July 2024)* - -πŸ’‘ If you experience any issues, ensure your browser is up to date or try an alternative supported browser. From 69a6459f894e67770732d7626fba392b961f5a54 Mon Sep 17 00:00:00 2001 From: Classic298 <27028174+Classic298@users.noreply.github.com> Date: Sun, 23 Nov 2025 20:01:59 +0100 Subject: [PATCH 19/34] Update connection-error.mdx --- docs/troubleshooting/connection-error.mdx | 103 +++++++++++++++++++++- 1 file changed, 102 insertions(+), 1 deletion(-) diff --git a/docs/troubleshooting/connection-error.mdx b/docs/troubleshooting/connection-error.mdx index cc8f0f0..c1445cb 100644 --- a/docs/troubleshooting/connection-error.mdx +++ b/docs/troubleshooting/connection-error.mdx @@ -3,7 +3,108 @@ sidebar_position: 0 title: "Server Connectivity Issues" --- -We're here to help you get everything set up and running smoothly. Below, you'll find step-by-step instructions tailored for different scenarios to solve common connection issues with Ollama and external servers like Hugging Face. +We're here to help you get everything set up and running smoothly. Below, you'll find step-by-step instructions tailored for different scenarios to solve common connection issues. + +## πŸ” HTTPS, TLS, CORS & WebSocket Issues + +If you're experiencing connectivity problems with Open WebUI, especially when using reverse proxies or HTTPS, these issues often stem from improper CORS, TLS, WebSocket, or cookie configuration. Here's how to diagnose and fix them. + +### Common Symptoms + +You might be experiencing these issues if you see: +- Empty responses like `"{}"` in the chat +- Errors like `"Unexpected token 'd', "data: {"id"... is not valid JSON"` +- WebSocket connection failures in browser console +- WebSocket connection failures in CLI logs +- Login problems or session issues +- CORS errors in browser developer tools +- Mixed content warnings when accessing over HTTPS + +### Required Configuration for HTTPS & Reverse Proxies + +**Critical Environment Variables** + +When running Open WebUI behind a reverse proxy with HTTPS, you must configure these settings: + +```bash +# Set this to your actual domain BEFORE FIRST STARTUP (required for OAuth/SSO and proper operation) +WEBUI_URL=https://your-open-webui-domain.com +# If you already started Open WebUI, don't worry, you can set this config from the admin panel as well! + +# CORS configuration - CRITICAL for WebSocket functionality +# Include ALL ways users might access your instance +# Make sure to include all IPs, hostnames and domains users can and could access Open WebUI and how requests are going to your Open WebUI instance +# e.g. localhost, 127.0.0.1, 0.0.0.0, , public domain - all in http and https with the correct ports +CORS_ALLOW_ORIGIN="https://yourdomain.com;http://yourdomain.com;https://yourip;http://localhost:3000" + +# Cookie security settings for HTTPS +# Disable if you do not use HTTPS +WEBUI_SESSION_COOKIE_SECURE=true +WEBUI_AUTH_COOKIE_SECURE=true + +# For OAuth/SSO, you will probably have to use 'lax' (strict can break OAuth callbacks) +WEBUI_SESSION_COOKIE_SAME_SITE=lax +WEBUI_AUTH_COOKIE_SAME_SITE=lax + +# WebSocket support (if using Redis) +# If you experience websocket related issues, even after configuring all of the above, you can try turning OFF ENABLE_WEBSOCKET_SUPPORT +# But this is not recommended for production and also not officially supported! +# If you experience websocket issues, you should ideally provide websocket support through reverse proxies. +ENABLE_WEBSOCKET_SUPPORT=true +WEBSOCKET_MANAGER=redis +WEBSOCKET_REDIS_URL=redis://redis:6379/1 +``` + +**WEBUI_URL Configuration** + +The `WEBUI_URL` must be set correctly BEFORE using OAuth/SSO. Since it's a persistent config variable, you can only change it by: +- Disabling persistent config temporarily with `ENABLE_PERSISTENT_CONFIG=false` +- Changing it in Admin Panel > Settings > WebUI URL +- Setting it correctly before first launch + +**CORS Configuration Details** + +The `CORS_ALLOW_ORIGIN` setting is crucial for WebSocket functionality. If you see errors in the logs like `"https://yourdomain.com is not an accepted origin"` or `"http://127.0.0.1:3000 is not an accepted origin"`, you need to add that URL to your CORS configuration. Use semicolons to separate multiple origins, and include every possible way users access your instance (domain, IP, localhost). + +### Reverse Proxy / SSL/TLS Configuration + +For reverse proxy and TLS setups, check our [tutorials here](docs/tutorials/https). + +### WebSocket Troubleshooting + +WebSocket support is required for Open WebUI v0.5.0 and later. If WebSockets aren't working: + +1. **Check your reverse proxy configuration** - Ensure `Upgrade` and `Connection` headers are properly set +2. **Verify CORS settings** - WebSocket connections respect CORS policies +3. **Check browser console** - Look for WebSocket connection errors +4. **Test direct connection** - Try connecting directly to Open WebUI without the proxy to isolate the issue + +For multi-instance deployments, configure Redis for WebSocket management: +```bash +ENABLE_WEBSOCKET_SUPPORT=true +WEBSOCKET_MANAGER=redis +WEBSOCKET_REDIS_URL=redis://redis:6379/1 +``` + +### Testing Your Configuration + +To verify your setup is working: + +1. **Check HTTPS**: Visit your domain and ensure you see a valid certificate with no browser warnings +2. **Test WebSockets**: Open browser developer tools, go to Network tab, filter by "WS", and verify WebSocket connections are established +3. **Verify CORS**: Check browser console for any CORS-related errors +4. **Test functionality**: Send a message and ensure streaming responses work properly + +### Quick Fixes Checklist + +- βœ“ Set `WEBUI_URL` to your actual HTTPS domain before enabling OAuth +- βœ“ Configure `CORS_ALLOW_ORIGIN` with all possible access URLs +- βœ“ Enable `WEBUI_SESSION_COOKIE_SECURE=true` for HTTPS +- βœ“ Add WebSocket headers to your reverse proxy configuration +- βœ“ Use TLSv1.2 or TLSv1.3 in your SSL configuration +- βœ“ Set proper `X-Forwarded-Proto` headers in your reverse proxy +- βœ“ Ensure HTTP to HTTPS redirects are in place +- βœ“ Configure Let's Encrypt for automatic certificate renewal ## 🌟 Connection to Ollama Server From f611070d7d7b67b6e2f4823cadf0c49743318c41 Mon Sep 17 00:00:00 2001 From: Classic298 <27028174+Classic298@users.noreply.github.com> Date: Sun, 23 Nov 2025 20:11:31 +0100 Subject: [PATCH 20/34] Update LetsEncrypt.md --- docs/tutorials/tab-nginx/LetsEncrypt.md | 53 ++++++++++++++++++++++++- 1 file changed, 52 insertions(+), 1 deletion(-) diff --git a/docs/tutorials/tab-nginx/LetsEncrypt.md b/docs/tutorials/tab-nginx/LetsEncrypt.md index 1f91150..c520eca 100644 --- a/docs/tutorials/tab-nginx/LetsEncrypt.md +++ b/docs/tutorials/tab-nginx/LetsEncrypt.md @@ -162,6 +162,16 @@ Now we'll run a script that uses Docker to fetch the certificate. ----- +### Important: Caching Configuration + +When using NGINX with Open WebUI, proper caching is crucial for performance while ensuring authentication remains secure. The configuration below includes: + +- **Cached**: Static assets (CSS, JS, fonts, images) for better performance +- **Not Cached**: Authentication endpoints, API calls, SSO/OAuth callbacks, and session data +- **Result**: Faster page loads without breaking login functionality + +The configuration below implements these rules automatically. + ### Step 3: Finalize Nginx Configuration for HTTPS With the certificate saved in your `ssl` directory, you can now update the Nginx configuration to enable HTTPS. @@ -180,7 +190,7 @@ With the certificate saved in your `ssl` directory, you can now update the Nginx listen 80; listen [::]:80; server_name ; - + location /.well-known/acme-challenge/ { root /var/www/certbot; } @@ -206,6 +216,44 @@ With the certificate saved in your `ssl` directory, you can now update the Nginx ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-RSA-AES128-GCM-SHA256'; ssl_prefer_server_ciphers off; + # Caching: NEVER cache auth endpoints, API calls, or dynamic content + # This prevents login issues while improving performance for static assets + location ~* ^/(auth|api|oauth|admin|signin|signup|signout|login|logout|sso)/ { + proxy_pass http://open-webui:8080; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_read_timeout 10m; + proxy_buffering off; + client_max_body_size 20M; + + # Explicitly disable caching for auth/API endpoints + proxy_no_cache 1; + proxy_cache_bypass 1; + add_header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0" always; + add_header Pragma "no-cache" always; + expires -1; + } + + # Static assets can be cached (CSS, JS, fonts, images) + location ~* \.(css|jpg|jpeg|png|gif|ico|svg|woff|woff2|ttf|eot)$ { + proxy_pass http://open-webui:8080; + proxy_http_version 1.1; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + + # Cache static assets for 7 days + expires 7d; + add_header Cache-Control "public, immutable"; + } + + # Default location for all other requests (main app) location / { proxy_pass http://open-webui:8080; proxy_http_version 1.1; @@ -218,6 +266,9 @@ With the certificate saved in your `ssl` directory, you can now update the Nginx proxy_read_timeout 10m; proxy_buffering off; client_max_body_size 20M; + + # Allow browser caching of the main app, but revalidate + add_header Cache-Control "public, max-age=300, must-revalidate"; } } ``` From a60d8f800c557fbd39afd64604071ab0c8d6dc8d Mon Sep 17 00:00:00 2001 From: Classic298 <27028174+Classic298@users.noreply.github.com> Date: Sun, 23 Nov 2025 20:12:49 +0100 Subject: [PATCH 21/34] Update SelfSigned.md --- docs/tutorials/tab-nginx/SelfSigned.md | 39 ++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) diff --git a/docs/tutorials/tab-nginx/SelfSigned.md b/docs/tutorials/tab-nginx/SelfSigned.md index 9bb42da..1d6b2df 100644 --- a/docs/tutorials/tab-nginx/SelfSigned.md +++ b/docs/tutorials/tab-nginx/SelfSigned.md @@ -23,6 +23,42 @@ Using self-signed certificates is suitable for development or internal use where ssl_certificate_key /etc/nginx/ssl/nginx.key; ssl_protocols TLSv1.2 TLSv1.3; + # Auth/API endpoints: NO caching (critical for login/sessions) + location ~* ^/(auth|api|oauth|admin|signin|signup|signout|login|logout|sso)/ { + proxy_pass http://host.docker.internal:3000; + + # Add WebSocket support (Necessary for version 0.5.0 and up) + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + + proxy_buffering off; + client_max_body_size 20M; + proxy_read_timeout 10m; + + # Disable caching for auth endpoints + proxy_no_cache 1; + proxy_cache_bypass 1; + add_header Cache-Control "no-store, no-cache, must-revalidate" always; + expires -1; + } + + # Static assets: Enable caching for performance + location ~* \.(css|jpg|jpeg|png|gif|ico|svg|woff|woff2|ttf|eot)$ { + proxy_pass http://host.docker.internal:3000; + proxy_http_version 1.1; + proxy_set_header Host $host; + + expires 7d; + add_header Cache-Control "public, immutable"; + } + + # Default location location / { proxy_pass http://host.docker.internal:3000; @@ -42,6 +78,9 @@ Using self-signed certificates is suitable for development or internal use where # (Optional) Increase max request size for large attachments and long audio messages client_max_body_size 20M; proxy_read_timeout 10m; + + # Light caching with revalidation + add_header Cache-Control "public, max-age=300, must-revalidate"; } } ``` From 07394335120988ab44f3d6975338fc611681e03f Mon Sep 17 00:00:00 2001 From: Classic298 <27028174+Classic298@users.noreply.github.com> Date: Sun, 23 Nov 2025 20:14:50 +0100 Subject: [PATCH 22/34] Update LetsEncrypt.md --- docs/tutorials/tab-nginx/LetsEncrypt.md | 11 +---------- 1 file changed, 1 insertion(+), 10 deletions(-) diff --git a/docs/tutorials/tab-nginx/LetsEncrypt.md b/docs/tutorials/tab-nginx/LetsEncrypt.md index c520eca..69655a7 100644 --- a/docs/tutorials/tab-nginx/LetsEncrypt.md +++ b/docs/tutorials/tab-nginx/LetsEncrypt.md @@ -190,7 +190,7 @@ With the certificate saved in your `ssl` directory, you can now update the Nginx listen 80; listen [::]:80; server_name ; - + location /.well-known/acme-challenge/ { root /var/www/certbot; } @@ -200,24 +200,19 @@ With the certificate saved in your `ssl` directory, you can now update the Nginx } } - # Main HTTPS server block server { listen 443 ssl; listen [::]:443 ssl; http2 on; server_name ; - # SSL certificate paths ssl_certificate /etc/letsencrypt/live//fullchain.pem; ssl_certificate_key /etc/letsencrypt/live//privkey.pem; - # Security enhancements ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-RSA-AES128-GCM-SHA256'; ssl_prefer_server_ciphers off; - # Caching: NEVER cache auth endpoints, API calls, or dynamic content - # This prevents login issues while improving performance for static assets location ~* ^/(auth|api|oauth|admin|signin|signup|signout|login|logout|sso)/ { proxy_pass http://open-webui:8080; proxy_http_version 1.1; @@ -231,7 +226,6 @@ With the certificate saved in your `ssl` directory, you can now update the Nginx proxy_buffering off; client_max_body_size 20M; - # Explicitly disable caching for auth/API endpoints proxy_no_cache 1; proxy_cache_bypass 1; add_header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0" always; @@ -239,7 +233,6 @@ With the certificate saved in your `ssl` directory, you can now update the Nginx expires -1; } - # Static assets can be cached (CSS, JS, fonts, images) location ~* \.(css|jpg|jpeg|png|gif|ico|svg|woff|woff2|ttf|eot)$ { proxy_pass http://open-webui:8080; proxy_http_version 1.1; @@ -253,7 +246,6 @@ With the certificate saved in your `ssl` directory, you can now update the Nginx add_header Cache-Control "public, immutable"; } - # Default location for all other requests (main app) location / { proxy_pass http://open-webui:8080; proxy_http_version 1.1; @@ -267,7 +259,6 @@ With the certificate saved in your `ssl` directory, you can now update the Nginx proxy_buffering off; client_max_body_size 20M; - # Allow browser caching of the main app, but revalidate add_header Cache-Control "public, max-age=300, must-revalidate"; } } From 19d87ab76ffad0c1c08cec1abb41dad5db204b9e Mon Sep 17 00:00:00 2001 From: Classic298 <27028174+Classic298@users.noreply.github.com> Date: Sun, 23 Nov 2025 20:15:29 +0100 Subject: [PATCH 23/34] Update SelfSigned.md --- docs/tutorials/tab-nginx/SelfSigned.md | 8 -------- 1 file changed, 8 deletions(-) diff --git a/docs/tutorials/tab-nginx/SelfSigned.md b/docs/tutorials/tab-nginx/SelfSigned.md index 1d6b2df..3d885c8 100644 --- a/docs/tutorials/tab-nginx/SelfSigned.md +++ b/docs/tutorials/tab-nginx/SelfSigned.md @@ -23,11 +23,9 @@ Using self-signed certificates is suitable for development or internal use where ssl_certificate_key /etc/nginx/ssl/nginx.key; ssl_protocols TLSv1.2 TLSv1.3; - # Auth/API endpoints: NO caching (critical for login/sessions) location ~* ^/(auth|api|oauth|admin|signin|signup|signout|login|logout|sso)/ { proxy_pass http://host.docker.internal:3000; - # Add WebSocket support (Necessary for version 0.5.0 and up) proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; @@ -48,7 +46,6 @@ Using self-signed certificates is suitable for development or internal use where expires -1; } - # Static assets: Enable caching for performance location ~* \.(css|jpg|jpeg|png|gif|ico|svg|woff|woff2|ttf|eot)$ { proxy_pass http://host.docker.internal:3000; proxy_http_version 1.1; @@ -58,11 +55,9 @@ Using self-signed certificates is suitable for development or internal use where add_header Cache-Control "public, immutable"; } - # Default location location / { proxy_pass http://host.docker.internal:3000; - # Add WebSocket support (Necessary for version 0.5.0 and up) proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; @@ -72,14 +67,11 @@ Using self-signed certificates is suitable for development or internal use where proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; - # (Optional) Disable proxy buffering for better streaming response from models proxy_buffering off; - # (Optional) Increase max request size for large attachments and long audio messages client_max_body_size 20M; proxy_read_timeout 10m; - # Light caching with revalidation add_header Cache-Control "public, max-age=300, must-revalidate"; } } From 502fca579afc23b9ff12b7b552528ba284bc5975 Mon Sep 17 00:00:00 2001 From: Classic298 <27028174+Classic298@users.noreply.github.com> Date: Sun, 23 Nov 2025 20:17:42 +0100 Subject: [PATCH 24/34] Update Windows.md --- docs/tutorials/tab-nginx/Windows.md | 59 ++++++++++++++++------------- 1 file changed, 32 insertions(+), 27 deletions(-) diff --git a/docs/tutorials/tab-nginx/Windows.md b/docs/tutorials/tab-nginx/Windows.md index 3ba9496..1cfd15a 100644 --- a/docs/tutorials/tab-nginx/Windows.md +++ b/docs/tutorials/tab-nginx/Windows.md @@ -75,27 +75,14 @@ http { include mime.types; default_type application/octet-stream; - #log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - # '$status $body_bytes_sent "$http_referer" ' - # '"$http_user_agent" "$http_x_forwarded_for"'; - - #access_log logs/access.log main; - sendfile on; - #tcp_nopush on; - - #keepalive_timeout 0; keepalive_timeout 120; - #gzip on; - - # needed to properly handle websockets (streaming) map $http_upgrade $connection_upgrade { default upgrade; '' close; } - # Redirect all HTTP traffic to HTTPS server { listen 80; server_name 192.168.1.15; @@ -103,28 +90,19 @@ http { return 301 https://$host$request_uri; } - # Handle HTTPS traffic server { listen 443 ssl; server_name 192.168.1.15; - # SSL Settings (ensure paths are correct) ssl_certificate C:\\nginx\\nginx.crt; ssl_certificate_key C:\\nginx\\nginx.key; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256; ssl_prefer_server_ciphers on; - # OCSP Stapling - #ssl_stapling on; - #ssl_stapling_verify on; - - # Proxy settings to your local service - location / { - # proxy_pass should point to your running localhost version of open-webui + location ~* ^/(auth|api|oauth|admin|signin|signup|signout|login|logout|sso)/ { proxy_pass http://localhost:8080; - # Add WebSocket support (Necessary for version 0.5.0 and up) proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; @@ -134,15 +112,42 @@ http { proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; - # (Optional) Disable proxy buffering for better streaming response from models proxy_buffering off; - - # (Optional) Increase max request size for large attachments and long audio messages client_max_body_size 20M; proxy_read_timeout 10m; + + add_header Cache-Control "no-store, no-cache, must-revalidate" always; + expires -1; + } + + location ~* \.(css|jpg|jpeg|png|gif|ico|svg|woff|woff2|ttf|eot)$ { + proxy_pass http://localhost:8080; + proxy_http_version 1.1; + proxy_set_header Host $host; + + expires 7d; + add_header Cache-Control "public, immutable"; + } + + location / { + proxy_pass http://localhost:8080; + + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + + proxy_buffering off; + client_max_body_size 20M; + proxy_read_timeout 10m; + + add_header Cache-Control "public, max-age=300, must-revalidate"; } } - } ``` From 71ad543e2c57a41e2147f439b91bc032ee06b5d0 Mon Sep 17 00:00:00 2001 From: Classic298 <27028174+Classic298@users.noreply.github.com> Date: Sun, 23 Nov 2025 20:20:16 +0100 Subject: [PATCH 25/34] Update NginxProxyManager.md --- docs/tutorials/tab-nginx/NginxProxyManager.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/docs/tutorials/tab-nginx/NginxProxyManager.md b/docs/tutorials/tab-nginx/NginxProxyManager.md index 8f019c5..f7808d2 100644 --- a/docs/tutorials/tab-nginx/NginxProxyManager.md +++ b/docs/tutorials/tab-nginx/NginxProxyManager.md @@ -77,6 +77,20 @@ A very common and difficult-to-debug issue with WebSocket connections is a misco Failure to do so will cause WebSocket connections to fail, even if you have enabled "Websockets support" in Nginx Proxy Manager. +::: + +:::tip Caching Best Practice + +While Nginx Proxy Manager handles most configuration automatically, be aware that: + +- **Static assets** (CSS, JS, images) are cached by default for better performance +- **Authentication endpoints** should never be cached +- If you add custom caching rules in NPM's "Advanced" tab, ensure you exclude paths like `/api/`, `/auth/`, `/signup/` , `/signin/`, `/sso/`, `/admin/`, `/signout/`, `/oauth/`, `/login/`, and `/logout/` + +The default NPM configuration handles this correctly - only modify caching if you know what you're doing. + +::: + **Example:** If you access your UI at `https://openwebui.hello.duckdns.org`, you must set: From a400e8601b96d6847b16423314c46be53f61a01d Mon Sep 17 00:00:00 2001 From: Classic298 <27028174+Classic298@users.noreply.github.com> Date: Sun, 23 Nov 2025 20:20:50 +0100 Subject: [PATCH 26/34] Update nginx.md --- docs/tutorials/https/nginx.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/docs/tutorials/https/nginx.md b/docs/tutorials/https/nginx.md index 4ee0cb1..3de6d8e 100644 --- a/docs/tutorials/https/nginx.md +++ b/docs/tutorials/https/nginx.md @@ -19,6 +19,14 @@ This guide provides three methods to set up HTTPS: - **Let's Encrypt**: Perfect for production environments requiring trusted SSL certificates, using docker. - **Windows+Self-Signed**: Simplified instructions for development and internal use on windows, no docker required. +:::danger Critical: Configure CORS for WebSocket Connections + +A very common and difficult-to-debug issue with WebSocket connections is a misconfigured Cross-Origin Resource Sharing (CORS) policy. When running Open WebUI behind a reverse proxy like Nginx Proxy Manager, you **must** set the `CORS_ALLOW_ORIGIN` environment variable in your Open WebUI configuration. + +Failure to do so will cause WebSocket connections to fail, even if you have enabled "Websockets support" in Nginx Proxy Manager. + +::: + Choose the method that best fits your deployment needs. import Tabs from '@theme/Tabs'; From a8a2c2568178c0f5e27187d4cda3b5a3ecbd9d2b Mon Sep 17 00:00:00 2001 From: Classic298 <27028174+Classic298@users.noreply.github.com> Date: Sun, 23 Nov 2025 20:26:55 +0100 Subject: [PATCH 27/34] Update env-configuration.mdx --- docs/getting-started/env-configuration.mdx | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/docs/getting-started/env-configuration.mdx b/docs/getting-started/env-configuration.mdx index 4705712..e8da6e8 100644 --- a/docs/getting-started/env-configuration.mdx +++ b/docs/getting-started/env-configuration.mdx @@ -1194,6 +1194,19 @@ Read more about `offline mode` in the [offline mode guide](/tutorials/offline-mo ::: +#### `HF_HUB_OFFLINE` + +- Type: `bool` +- Default: `False` +- Description: Tells Hugging Face that we want to launch in offline mode, so to not connect to hugging face and prevent all automatic model downloads + +:::info + +Downloads of models, sentence transformers and other configurable items will NOT WORK when this is set to `True`. +RAG will also not work on a default installation, if this is set to `True`. + +::: + #### `RESET_CONFIG_ON_START` - Type: `bool` From 83ac20adaba966745f9df9c6eb2470d5a119cd89 Mon Sep 17 00:00:00 2001 From: Classic298 <27028174+Classic298@users.noreply.github.com> Date: Sun, 23 Nov 2025 20:29:34 +0100 Subject: [PATCH 28/34] Update env-configuration.mdx --- docs/getting-started/env-configuration.mdx | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/getting-started/env-configuration.mdx b/docs/getting-started/env-configuration.mdx index e8da6e8..08b1442 100644 --- a/docs/getting-started/env-configuration.mdx +++ b/docs/getting-started/env-configuration.mdx @@ -1196,13 +1196,13 @@ Read more about `offline mode` in the [offline mode guide](/tutorials/offline-mo #### `HF_HUB_OFFLINE` -- Type: `bool` -- Default: `False` -- Description: Tells Hugging Face that we want to launch in offline mode, so to not connect to hugging face and prevent all automatic model downloads +- Type: `int` +- Default: `0` +- Description: Tells Hugging Face whether we want to launch in offline mode, so to not connect to hugging face and prevent all automatic model downloads :::info -Downloads of models, sentence transformers and other configurable items will NOT WORK when this is set to `True`. +Downloads of models, sentence transformers and other configurable items will NOT WORK when this is set to `1`. RAG will also not work on a default installation, if this is set to `True`. ::: From 4b634b5d3cdcad1e60cd753cfda4ed33a866d990 Mon Sep 17 00:00:00 2001 From: Classic298 <27028174+Classic298@users.noreply.github.com> Date: Sun, 23 Nov 2025 20:31:19 +0100 Subject: [PATCH 29/34] Update offline-mode.mdx --- docs/tutorials/offline-mode.mdx | 45 ++++++++++++++++++++++++++++----- 1 file changed, 39 insertions(+), 6 deletions(-) diff --git a/docs/tutorials/offline-mode.mdx b/docs/tutorials/offline-mode.mdx index bf7cfc7..0e30dae 100644 --- a/docs/tutorials/offline-mode.mdx +++ b/docs/tutorials/offline-mode.mdx @@ -25,9 +25,10 @@ The offline mode of Open WebUI lets you run the application without the need for **Disabled functionality when offline mode is enabled:** -- Automatic version update checks -- Downloads of embedding models from Hugging Face Hub - - If you did not download an embedding model prior to activating `OFFLINE_MODE` any RAG, web search and document analysis functionality may not work properly +- Automatic version update checks (controlled by `ENABLE_VERSION_UPDATE_CHECK`) +- Downloads of embedding models from Hugging Face Hub (controlled by `HF_HUB_OFFLINE`) + - If you did not download an embedding model prior to activating offline mode, RAG, web search and document analysis functionality will not work properly +- Automatic model updates for embeddings, reranking, and Whisper models - Update notifications in the UI **Still functional:** @@ -40,8 +41,31 @@ The offline mode of Open WebUI lets you run the application without the need for ## How to enable offline mode? -The offline mode has to be enabled via the [environment variable](https://docs.openwebui.com/getting-started/env-configuration#offline_mode) `OFFLINE_MODE`. -Apply the environment variable depending on your way of deploying Open WebUI. +Offline mode requires setting multiple environment variables to fully disconnect Open WebUI from external network dependencies. The primary variables are: + +**Required Environment Variables:** + +- `OFFLINE_MODE=true` - Disables version checks and prevents automatic model downloads +- `HF_HUB_OFFLINE=1` - Tells Hugging Face Hub to operate in offline mode, preventing all automatic downloads + +**Optional but Recommended:** + +- `RAG_EMBEDDING_MODEL_AUTO_UPDATE=false` - Prevents automatic updates of embedding models +- `RAG_RERANKING_MODEL_AUTO_UPDATE=false` - Prevents automatic updates of reranking models +- `WHISPER_MODEL_AUTO_UPDATE=false` - Prevents automatic updates of Whisper models + +Apply these environment variables depending on your deployment method. + +:::warning Critical: HF_HUB_OFFLINE Behavior + +When `HF_HUB_OFFLINE=1` is set: +- **Downloads of models, sentence transformers, and other Hugging Face content will NOT WORK** +- RAG will not work on a default installation if this is enabled without pre-downloading models +- Only pre-downloaded models in the correct cache directories will be accessible + +This variable provides the strictest offline enforcement but requires careful preparation. + +::: :::tip @@ -113,7 +137,16 @@ services: image: ghcr.io/open-webui/open-webui:main restart: unless-stopped environment: - - OFFLINE_MODE=True + # Core offline mode settings + - OFFLINE_MODE=true + - HF_HUB_OFFLINE=1 + + # Disable automatic model updates + - RAG_EMBEDDING_MODEL_AUTO_UPDATE=false + - RAG_RERANKING_MODEL_AUTO_UPDATE=false + - WHISPER_MODEL_AUTO_UPDATE=false + + # Specify pre-downloaded models - RAG_EMBEDDING_MODEL=sentence-transformers/all-MiniLM-L6-v2 - WHISPER_MODEL=Systran/faster-whisper-large-v3 volumes: From 140c721a68a8d0b035bc2d100740c1f79b38e7c9 Mon Sep 17 00:00:00 2001 From: Classic298 <27028174+Classic298@users.noreply.github.com> Date: Sun, 23 Nov 2025 20:38:50 +0100 Subject: [PATCH 30/34] =?UTF-8?q?Create=20compatibility.mdx=E2=80=8E?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- docs/troubleshooting/compatibility.mdxβ€Ž | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 docs/troubleshooting/compatibility.mdxβ€Ž diff --git a/docs/troubleshooting/compatibility.mdxβ€Ž b/docs/troubleshooting/compatibility.mdxβ€Ž new file mode 100644 index 0000000..f95da1f --- /dev/null +++ b/docs/troubleshooting/compatibility.mdxβ€Ž @@ -0,0 +1,16 @@ +--- +sidebar_position: 0 +title: "Browser Compatibility" +--- + +Open WebUI is designed for and tested on modern browsers. To ensure the best experience, we recommend using the following browser versions or later: + +## πŸš€ Supported Browsers + +Open WebUI's core functionality specifically depends on these browser versions: + +- **Chrome 111** 🟒 *(Released March 2023)* +- **Safari 16.4** 🍏 *(Released March 2023)* +- **Firefox 128** πŸ”₯ *(Released July 2024)* + +πŸ’‘ If you experience any issues, ensure your browser is up to date or try an alternative supported browser. From 28ab16257178689b0ea83fa3a0112dc72bbe5065 Mon Sep 17 00:00:00 2001 From: Classic298 <27028174+Classic298@users.noreply.github.com> Date: Sun, 23 Nov 2025 21:00:20 +0100 Subject: [PATCH 31/34] Update env-configuration.mdx --- docs/getting-started/env-configuration.mdx | 293 +++++++++++++++++++-- 1 file changed, 276 insertions(+), 17 deletions(-) diff --git a/docs/getting-started/env-configuration.mdx b/docs/getting-started/env-configuration.mdx index 08b1442..50dc258 100644 --- a/docs/getting-started/env-configuration.mdx +++ b/docs/getting-started/env-configuration.mdx @@ -128,6 +128,13 @@ is also being used and set to `True`. **Never disable this if OAUTH/SSO is not b - Description: Sets the default role assigned to new users. - Persistence: This environment variable is a `PersistentConfig` variable. +#### `DEFAULT_GROUP_ID` + +- Type: `str` +- Default: Empty string (' ') +- Description: Sets the default group ID to assign to new users upon registration. +- Persistence: This environment variable is a `PersistentConfig` variable. + #### `PENDING_USER_OVERLAY_TITLE` - Type: `str` @@ -334,6 +341,24 @@ WEBUI_BANNERS="[{\"id\": \"1\", \"type\": \"warning\", \"title\": \"Your message - Default: `False` - Description: Builds the Docker image with NVIDIA CUDA support. Enables GPU acceleration for local Whisper and embeddings. +#### `DOCKER` + +- Type: `bool` +- Default: `False` +- Description: Indicates whether Open WebUI is running inside a Docker container. Used internally for environment detection. + +#### `USE_CUDA` + +- Type: `bool` +- Default: `False` +- Description: Controls whether to use CUDA acceleration for local models. When set to `true`, attempts to detect and use available NVIDIA GPUs. + +#### `DEVICE_TYPE` + +- Type: `str` +- Default: `cpu` +- Description: Specifies the device type for model execution. Automatically set to `cuda` if CUDA is available and enabled, or `mps` for Apple Silicon. + #### `EXTERNAL_PWA_MANIFEST_URL` - Type: `str` @@ -371,6 +396,12 @@ WEBUI_BANNERS="[{\"id\": \"1\", \"type\": \"warning\", \"title\": \"Your message [{"title": ["Title part 1", "Title part 2"], "content": "prompt"}] ``` +:::warning + +NEVER set this env var to `debug` in production. + +::: + ### AIOHTTP Client #### `AIOHTTP_CLIENT_TIMEOUT` @@ -430,6 +461,14 @@ The AIOHTTP_CLIENT_TIMEOUT_MODEL_LIST is set to 10 seconds by default to help en - Default: `./static` - Description: Specifies the directory for static files, such as the favicon. +### Logging + +#### `GLOBAL_LOG_LEVEL` + +- Type: `str` +- Default: `INFO` +- Description: Sets the global logging level for all Open WebUI components. Valid values: `DEBUG`, `INFO`, `WARNING`, `ERROR`, `CRITICAL`. + #### `AUDIT_LOGS_FILE_PATH` - Type: `str` @@ -437,6 +476,37 @@ The AIOHTTP_CLIENT_TIMEOUT_MODEL_LIST is set to 10 seconds by default to help en - Description: Configures where the audit log file is stored. Enables storing logs in separate volumes or custom locations for better organization and persistence. - Example: `/var/log/openwebui/audit.log`, `/mnt/logs/audit.log` +#### `AUDIT_LOG_FILE_ROTATION_SIZE` + +- Type: `str` +- Default: `10MB` +- Description: Specifies the maximum size of the audit log file before rotation occurs (e.g., `10MB`, `100MB`, `1GB`). + +#### `AUDIT_UVICORN_LOGGER_NAMES` + +- Type: `str` +- Default: `uvicorn.access` +- Description: Comma-separated list of logger names to capture for audit logging. Defaults to Uvicorn's access logger. + +#### `AUDIT_LOG_LEVEL` + +- Type: `str` +- Default: `NONE` +- Options: `NONE`, `METADATA`, `REQUEST`, `REQUEST_RESPONSE` +- Description: Controls the verbosity level of audit logging. `METADATA` logs basic request info, `REQUEST` includes request bodies, `REQUEST_RESPONSE` includes both requests and responses. + +#### `MAX_BODY_LOG_SIZE` + +- Type: `int` +- Default: `2048` +- Description: Sets the maximum size in bytes for request/response bodies in audit logs. Bodies larger than this are truncated. + +#### `AUDIT_EXCLUDED_PATHS` + +- Type: `str` +- Default: `/chats,/chat,/folders` +- Description: Comma-separated list of URL paths to exclude from audit logging. Paths are matched without leading slashes.RetryTo run code, enable code execution and file creation in Settings > Capabilities.Claude can make mistakes. Please double-check responses. + ### Ollama #### `ENABLE_OLLAMA_API` @@ -1293,7 +1363,7 @@ modeling files for reranking. - Type: `str` - Options: -- `chroma`, `elasticsearch`, `milvus`, `opensearch`, `pgvector`, `qdrant`, `pinecone`, `s3vector`, `oracle23ai` +- `chroma`, `elasticsearch`, `milvus`, `opensearch`, `pgvector`, `qdrant`, `pinecone`, `s3vector`, `oracle23ai`, `weaviate` - Default: `chroma` - Description: Specifies which vector database system to use. This setting determines which vector storage system will be used for managing embeddings. @@ -1710,6 +1780,49 @@ For IVFFlat indexes, choosing the right number of lists is crucial for query per ::: +#### `PGVECTOR_USE_HALFVEC` + +- Type: `bool` +- Default: `False` +- Description: Enables the use of `halfvec` data type instead of `vector` for storing embeddings. Required when `PGVECTOR_INITIALIZE_MAX_VECTOR_LENGTH` exceeds 2000 dimensions, as the `vector` type has a 2000-dimension limit. + +#### `PGVECTOR_PGCRYPTO` + +- Type: `bool` +- Default: `False` +- Description: Enables pgcrypto extension for encrypting sensitive data within PGVector. When enabled, `PGVECTOR_PGCRYPTO_KEY` must be set. + +#### `PGVECTOR_PGCRYPTO_KEY` + +- Type: `str` +- Default: `None` +- Description: Specifies the encryption key for pgcrypto when `PGVECTOR_PGCRYPTO` is enabled. Must be a secure, randomly generated key. + +#### `PGVECTOR_POOL_SIZE` + +- Type: `int` +- Default: `None` +- Description: Sets the number of connections to maintain in the PGVector database connection pool. If not set, uses SQLAlchemy defaults. + +#### `PGVECTOR_POOL_MAX_OVERFLOW` + +- Type: `int` +- Default: `0` +- Description: Specifies the maximum number of connections that can be created beyond `PGVECTOR_POOL_SIZE` when the pool is exhausted. + +#### `PGVECTOR_POOL_TIMEOUT` + +- Type: `int` +- Default: `30` +- Description: Sets the timeout in seconds for acquiring a connection from the PGVector pool. + +#### `PGVECTOR_POOL_RECYCLE` + +- Type: `int` +- Default: `3600` +- Description: Specifies the time in seconds after which connections are recycled in the PGVector pool to prevent stale connections. + + ### Qdrant :::warning @@ -1850,6 +1963,32 @@ When using Pinecone as the vector store, the following environment variables are - Options: `aws`, `gcp`, `azure` - Description: Specifies the cloud provider where the Pinecone index is hosted. +### Weaviate + +#### `WEAVIATE_HTTP_HOST` + +- Type: `str` +- Default: Empty string (' ') +- Description: Specifies the hostname of the Weaviate server for HTTP connections. + +#### `WEAVIATE_HTTP_PORT` + +- Type: `int` +- Default: `8080` +- Description: Specifies the HTTP port for connecting to the Weaviate server. + +#### `WEAVIATE_GRPC_PORT` + +- Type: `int` +- Default: `50051` +- Description: Specifies the gRPC port for connecting to the Weaviate server. + +#### `WEAVIATE_API_KEY` + +- Type: `str` +- Default: `None` +- Description: Sets the API key for authenticating with Weaviate server. + ### Oracle 23ai Vector Search (oracle23ai) #### `ORACLE_DB_USE_WALLET` @@ -2531,6 +2670,14 @@ Block additional domains: WEB_FETCH_FILTER_LIST="!internal.company.com,!192.168. Allow only specific domains: WEB_FETCH_FILTER_LIST="example.com,trusted-site.org" ::: +#### `WEB_SEARCH_DOMAIN_FILTER_LIST` + +- Type: `list` of `str` +- Default: `[]` +- Description: Comma-separated list of domains to filter web search results. Domains prefixed with `!` are blocked; domains without prefix create an allowlist (only those domains permitted). +- Example: `wikipedia.org,github.com,!malicious-site.com` +- Persistence: This environment variable is a `PersistentConfig` variable. + #### `WEB_SEARCH_RESULT_COUNT` - Type: `int` @@ -2576,6 +2723,7 @@ This environment variable was previously named "WEB_SEARCH_CONCURRENT_REQUESTS". - `sougou` - Uses the [Sougou](https://www.sogou.com/) search engine. - `ollama_cloud` - Uses the [Ollama Cloud](https://ollama.com/blog/web-search) search engine. - `azure_ai_search` + - `yacy` - Persistence: This environment variable is a `PersistentConfig` variable. #### `BYPASS_WEB_SEARCH_EMBEDDING_AND_RETRIEVAL` @@ -2763,6 +2911,91 @@ the search query. Example: `http://searxng.local/search?q=` - Description: Specifies the extract depth for Tavily search results. - Persistence: This environment variable is a `PersistentConfig` variable. +#### `YACY_QUERY_URL` +- Type: `str` +- Default: Empty string (' ') +- Description: Sets the query URL for YaCy search engine integration. Should point to a YaCy instance's search API endpoint. +- Persistence: This environment variable is a `PersistentConfig` variable. + +#### `YACY_USERNAME` +- Type: `str` +- Default: Empty string (' ') +- Description: Specifies the username for authenticated access to YaCy search engine. +- Persistence: This environment variable is a `PersistentConfig` variable. + +#### `YACY_PASSWORD` +- Type: `str` +- Default: Empty string (' ') +- Description: Specifies the password for authenticated access to YaCy search engine. +- Persistence: This environment variable is a `PersistentConfig` variable. + +#### `EXTERNAL_WEB_SEARCH_URL` +- Type: `str` +- Default: Empty string (' ') +- Description: Specifies the URL of an external web search service API endpoint for custom search integrations. +- Persistence: This environment variable is a `PersistentConfig` variable. + +#### `EXTERNAL_WEB_SEARCH_API_KEY` +- Type: `str` +- Default: Empty string (' ') +- Description: Sets the API key for authenticating with the external web search service. +- Persistence: This environment variable is a `PersistentConfig` variable. + +#### `EXTERNAL_WEB_LOADER_URL` +- Type: `str` +- Default: Empty string (' ') +- Description: Specifies the URL of an external web content loader service for fetching and processing web pages. +- Persistence: This environment variable is a `PersistentConfig` variable. + +#### `EXTERNAL_WEB_LOADER_API_KEY` +- Type: `str` +- Default: Empty string (' ') +- Description: Sets the API key for authenticating with the external web loader service. +- Persistence: This environment variable is a `PersistentConfig` variable. + +#### `PERPLEXITY_API_KEY` + +- Type: `str` +- Default: `None` +- Description: Sets the API key for Perplexity API. +- Persistence: This environment variable is a `PersistentConfig` variable. + +#### `PERPLEXITY_SEARCH_API_URL` + +- Type: `str` +- Default: `api.perplexity.ai/search` +- Description: Configures the API endpoint for Perplexity Search. Allows using custom or self-hosted Perplexity-compatible API endpoints (such as LiteLLM's `/search` endpoint) instead of the hardcoded default. This enables flexibility in routing search requests to alternative providers or internal proxies. +- Example: `my-litellm-server.com/search` +- Persistence: This environment variable is a `PersistentConfig` variable. + +#### `PERPLEXITY_MODEL` + +- Type: `str` +- Default: `sonar` +- Description: Specifies the Perplexity AI model to use for search queries when using `Perplexity` as the web search engine. +- Persistence: This environment variable is a `PersistentConfig` variable. + +:::info + +`Perplexity` is different from `perplexity_search`. +If you use `perplexity_search`, this variable is not relevant to you. + +::: + +#### `PERPLEXITY_SEARCH_CONTEXT_USAGE` + +- Type: `str` +- Default: `medium` +- Description: Controls the amount of search context used by Perplexity AI. Options typically include `low`, `medium`, `high`. +- Persistence: This environment variable is a `PersistentConfig` variable. + +:::info + +`Perplexity` is different from `perplexity_search`. +If you use `perplexity`, this variable is not relevant to you. + +::: + ### Web Loader Configuration #### `WEB_LOADER_ENGINE` @@ -2815,21 +3048,6 @@ Using a remote Playwright browser via `PLAYWRIGHT_WS_URL` can be beneficial for: - Description: Sets the API key for Firecrawl API. - Persistence: This environment variable is a `PersistentConfig` variable. -#### `PERPLEXITY_API_KEY` - -- Type: `str` -- Default: `None` -- Description: Sets the API key for Perplexity API. -- Persistence: This environment variable is a `PersistentConfig` variable. - -#### `PERPLEXITY_SEARCH_API_URL` - -- Type: `str` -- Default: `api.perplexity.ai/search` -- Description: Configures the API endpoint for Perplexity Search. Allows using custom or self-hosted Perplexity-compatible API endpoints (such as LiteLLM's `/search` endpoint) instead of the hardcoded default. This enables flexibility in routing search requests to alternative providers or internal proxies. -- Example: `my-litellm-server.com/search` -- Persistence: This environment variable is a `PersistentConfig` variable. - #### `PLAYWRIGHT_TIMEOUT` - Type: `int` @@ -3676,6 +3894,20 @@ You must also set `OPENID_PROVIDER_URL` or otherwise logout may not work. - Description: Sets the redirect URI for Microsoft OAuth. - Persistence: This environment variable is a `PersistentConfig` variable. +#### `MICROSOFT_CLIENT_LOGIN_BASE_URL` + +- Type: `str` +- Default: `https://login.microsoftonline.com` +- Description: Sets the base login URL for Microsoft OAuth authentication. Allows configuration of alternative login endpoints for government clouds or custom deployments. +- Persistence: This environment variable is a `PersistentConfig` variable. + +#### `MICROSOFT_CLIENT_PICTURE_URL` + +- Type: `str` +- Default: `https://graph.microsoft.com/v1.0/me/photo/$value` +- Description: Specifies the Microsoft Graph API endpoint for retrieving user profile pictures during OAuth authentication. +- Persistence: This environment variable is a `PersistentConfig` variable. + ### GitHub See https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps @@ -3846,6 +4078,20 @@ If `OAUTH_PICTURE_CLAIM` is set to `''` (empty string), then the OAuth picture c - Description: Enables or disables OAuth group management. - Persistence: This environment variable is a `PersistentConfig` variable. +#### `ENABLE_OAUTH_GROUP_CREATION` + +- Type: `bool` +- Default: `False` +- Description: When enabled, groups from OAuth claims that don't exist in Open WebUI will be automatically created. +- Persistence: This environment variable is a `PersistentConfig` variable. + +#### `OAUTH_BLOCKED_GROUPS` + +- Type: `str` +- Default: `[]` +- Description: JSON array of group names that are blocked from accessing the application. Users belonging to these groups will be denied access even if they have valid OAuth credentials. +- Persistence: This environment variable is a `PersistentConfig` variable. + #### `OAUTH_ROLES_CLAIM` - Type: `str` @@ -4549,6 +4795,18 @@ When `DATABASE_URL` is not explicitly set, Open WebUI will attempt to construct ::: +#### `DATABASE_USER_ACTIVE_STATUS_UPDATE_INTERVAL` + +- Type: `float` +- Default: `None` +- Description: Sets the minimum time interval in seconds between user active status updates in the database. Helps reduce write operations for high-traffic instances. Set to `0.0` to update on every activity. + +#### `ENABLE_QUERIES_CACHE` + +- Type: `bool` +- Default: `False` +- Description: Enables query result caching to improve database performance by storing and reusing frequently accessed data. + ### Encrypted SQLite with SQLCipher For enhanced security, Open WebUI supports at-rest encryption for its primary SQLite database using SQLCipher. This is recommended for deployments handling sensitive data where using a larger database like PostgreSQL is not needed. @@ -4820,9 +5078,10 @@ This option has no effect if `WEBSOCKET_SENTINEL_HOSTS` is defined. - Description: The frequency for a ping to Redis in seconds. #### `ENABLE_STAR_SESSIONS_MIDDLEWARE` + - Type: `bool` - Default: `False` -- Description: Enables Redis-based session storage for OAuth authentication flows using the StarSessions middleware. When enabled, OAuth session state is stored in Redis instead of browser cookies, which can help resolve CSRF errors in multi-replica deployments where session data needs to be shared across pods. +- Description: Enables Redis-based session storage for OAuth authentication flows using the StarSessions middleware. When enabled, OAuth session state is stored in Redis instead of browser cookies, which can help resolve CSRF errors in multi-replica deployments where session data needs to be shared across pods. Experimental feature that enables Redis-based session storage for OAuth flows using StarSessions middleware, helping resolve CSRF errors in multi-replica deployments. - Persistence: This is an experimental environment variable. :::warning From 2775df892c2bf3836d717e7fda8e52af39641dec Mon Sep 17 00:00:00 2001 From: Classic298 <27028174+Classic298@users.noreply.github.com> Date: Sun, 23 Nov 2025 21:08:03 +0100 Subject: [PATCH 32/34] Update env-configuration.mdx --- docs/getting-started/env-configuration.mdx | 30 +++++++++++++++++++--- 1 file changed, 27 insertions(+), 3 deletions(-) diff --git a/docs/getting-started/env-configuration.mdx b/docs/getting-started/env-configuration.mdx index 50dc258..9239f9b 100644 --- a/docs/getting-started/env-configuration.mdx +++ b/docs/getting-started/env-configuration.mdx @@ -351,7 +351,7 @@ WEBUI_BANNERS="[{\"id\": \"1\", \"type\": \"warning\", \"title\": \"Your message - Type: `bool` - Default: `False` -- Description: Controls whether to use CUDA acceleration for local models. When set to `true`, attempts to detect and use available NVIDIA GPUs. +- Description: Controls whether to use CUDA acceleration for local models. When set to `true`, attempts to detect and use available NVIDIA GPUs. The code reads the environment variable `USE_CUDA_DOCKER` to set this internal boolean variable. #### `DEVICE_TYPE` @@ -386,6 +386,12 @@ WEBUI_BANNERS="[{\"id\": \"1\", \"type\": \"warning\", \"title\": \"Your message - Description: Specifies the SSL assert fingerprint to use. - Persistence: This environment variable is a `PersistentConfig` variable. +#### `ENABLE_COMPRESSION_MIDDLEWARE` + +- Type: `bool` +- Default: `True` +- Description: Enables gzip compression middleware for HTTP responses, reducing bandwidth usage and improving load times. + #### `DEFAULT_PROMPT_SUGGESTIONS` - Type: `list` of `dict` @@ -436,6 +442,24 @@ The AIOHTTP_CLIENT_TIMEOUT_MODEL_LIST is set to 10 seconds by default to help en - Type: `int` - Description: Sets the timeout in seconds for fetching the model list. This can be useful in cases where network latency requires a longer timeout duration to successfully retrieve the model list. +#### `AIOHTTP_CLIENT_SESSION_SSL` + +- Type: `bool` +- Default: `True` +- Description: Controls SSL/TLS verification for AIOHTTP client sessions when connecting to external APIs. + +#### `AIOHTTP_CLIENT_TIMEOUT_TOOL_SERVER_DATA` + +- Type: `int` +- Default: `10` +- Description: Sets the timeout in seconds for retrieving data from tool servers via AIOHTTP client. + +#### `AIOHTTP_CLIENT_SESSION_TOOL_SERVER_SSL` + +- Type: `bool` +- Default: `True` +- Description: Controls SSL/TLS verification specifically for tool server connections via AIOHTTP client. + ### Directories #### `DATA_DIR` @@ -2956,14 +2980,14 @@ the search query. Example: `http://searxng.local/search?q=` #### `PERPLEXITY_API_KEY` - Type: `str` -- Default: `None` +- Default: Empty string (' ') - Description: Sets the API key for Perplexity API. - Persistence: This environment variable is a `PersistentConfig` variable. #### `PERPLEXITY_SEARCH_API_URL` - Type: `str` -- Default: `api.perplexity.ai/search` +- Default: `https://api.perplexity.ai/search` - Description: Configures the API endpoint for Perplexity Search. Allows using custom or self-hosted Perplexity-compatible API endpoints (such as LiteLLM's `/search` endpoint) instead of the hardcoded default. This enables flexibility in routing search requests to alternative providers or internal proxies. - Example: `my-litellm-server.com/search` - Persistence: This environment variable is a `PersistentConfig` variable. From 81b44d6d0d4d92cc0bcb165c6720460381035b40 Mon Sep 17 00:00:00 2001 From: Classic298 <27028174+Classic298@users.noreply.github.com> Date: Sun, 23 Nov 2025 21:20:24 +0100 Subject: [PATCH 33/34] Update onedrive-sharepoint.mdx --- .../integrations/onedrive-sharepoint.mdx | 43 +++++++++++++++++-- 1 file changed, 39 insertions(+), 4 deletions(-) diff --git a/docs/tutorials/integrations/onedrive-sharepoint.mdx b/docs/tutorials/integrations/onedrive-sharepoint.mdx index 9a20bdb..7a5a10b 100644 --- a/docs/tutorials/integrations/onedrive-sharepoint.mdx +++ b/docs/tutorials/integrations/onedrive-sharepoint.mdx @@ -5,7 +5,7 @@ title: "Integrate with OneDrive & SharePoint" :::info -This tutorial provides a step-by-step guide for integrating Open WebUI with **Microsoft OneDrive for Business & SharePoint**, as well as the separate, optional integration for **Personal Microsoft OneDrive** accounts. You can enable one or both integrations. This documentation is up to date as of Open WebUI v0.6.32. +This tutorial provides a step-by-step guide for integrating Open WebUI with **Microsoft OneDrive for Business & SharePoint**, as well as the separate, optional integration for **Personal Microsoft OneDrive** accounts. You can enable one or both integrations. This documentation is up to date as of Open WebUI v0.6.37. ::: @@ -133,9 +133,25 @@ ONEDRIVE_CLIENT_ID_PERSONAL="zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz" --- -## Final Step: Browser Configuration and Verification +## Final Step: Enable OneDrive Integration in Admin Settings -After setting your environment variables and restarting your Open WebUI instance, verify the integration. +After setting your environment variables and restarting your Open WebUI instance, you must explicitly enable the feature in the admin panel. **The environment variables alone do not activate the integration.** + +1. Navigate to **Settings β†’ Admin β†’ Documents**. +2. Toggle on the **"OneDrive"** switch. +3. Refresh your browser or log out and log back in. + +:::warning + +Admin Toggle is Required + +This step is mandatory even though you've set `ENABLE_ONEDRIVE_INTEGRATION=true` in your environment. Some configuration options in Open WebUI are persistent database settings that are initialized on first startup but must be activated through the admin interface. + +::: + +## Verifying the Integration + +After enabling the admin toggle and refreshing, verify the integration is working: 1. In Open WebUI, open the attachment menu (+) in the chat input. You should see menu items for **"Microsoft OneDrive (work/school)"** and/or **"Microsoft OneDrive (personal)"**, depending on your configuration. 2. Clicking either option should trigger a pop-up window for Microsoft authentication. @@ -143,8 +159,27 @@ After setting your environment variables and restarting your Open WebUI instance :::caution Disable Pop-up Blockers! -The OneDrive file picker and authentication flow happen in a pop-up window. If nothing happens when you click a OneDrive option, it is almost certainly because your browser is blocking pop-ups. **You must disable the pop-up blocker for your Open WebUI domain** for the integration to work. + +The OneDrive file picker and authentication flow happen in a pop-up window. If nothing happens when you click a OneDrive option, your browser is almost certainly blocking pop-ups. **You must disable the pop-up blocker for your Open WebUI domain** for the integration to work. Note that some browsers (like Chrome) may have additional restrictions compared to others (like Edge). ::: +## Troubleshooting + +**OneDrive option not appearing in the attachment menu:** +- Verify the admin toggle is enabled in Settings β†’ Admin β†’ Documents +- Refresh your browser after enabling the toggle +- Check that your environment variables are correctly set and the container has been restarted + +**Files not loading or folders not clickable:** +- Log out of Open WebUI completely and log back in to refresh your authentication tokens +- Verify the Azure App Registration permissions are correctly configured and admin consent is granted +- Check browser console for any authentication errors + +**Authentication pop-up not appearing:** +- Disable pop-up blockers for your Open WebUI domain +- Try a different browser (Edge tends to work more reliably than Chrome for Microsoft authentication flows) + +--- + You have now successfully configured OneDrive integration, providing seamless file access for your users. From bd20fa2b69e129c08518a5c8e05cae32b98dbb79 Mon Sep 17 00:00:00 2001 From: Classic298 <27028174+Classic298@users.noreply.github.com> Date: Sun, 23 Nov 2025 21:21:10 +0100 Subject: [PATCH 34/34] Update onedrive-sharepoint.mdx --- docs/tutorials/integrations/onedrive-sharepoint.mdx | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/docs/tutorials/integrations/onedrive-sharepoint.mdx b/docs/tutorials/integrations/onedrive-sharepoint.mdx index 7a5a10b..0433ad8 100644 --- a/docs/tutorials/integrations/onedrive-sharepoint.mdx +++ b/docs/tutorials/integrations/onedrive-sharepoint.mdx @@ -84,7 +84,6 @@ From the **Overview** page of the App Registration you just created, copy the fo Set the following environment variables in your Open WebUI deployment to enable the work/school integration: ```bash - # Enable the OneDrive integration feature globally ENABLE_ONEDRIVE_INTEGRATION=true @@ -100,6 +99,12 @@ ONEDRIVE_SHAREPOINT_TENANT_ID="yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy" ONEDRIVE_SHAREPOINT_URL="https://your-tenant-name.sharepoint.com" ``` +:::info + +After setting these variables and restarting Open WebUI, you must also enable the OneDrive toggle in the admin panel. See the Final Step section below for details. + +::: + --- # Integration for Personal OneDrive (Optional)