Secure Deployment with Nginx
This guide covers the essential steps for securing your LibreChat deployment with an SSL/TLS certificate for HTTPS, setting up Nginx as a reverse proxy, and configuring your domain.
Prerequisites
- A cloud server (e.g., AWS, Google Cloud, Azure, Digital Ocean).
- A registered domain name.
- Terminal access to your cloud server.
- Node.js and NPM installed on your server.
Initial Setup
Pointing Your Domain to Your Server
Before proceeding with certificate acquisition, point your domain to your cloud server’s IP address. This step is foundational and must precede SSL certificate setup due to the time DNS records may require to propagate globally.
- Log in to your domain registrar’s control panel.
- Navigate to DNS settings.
- Create an A record pointing your domain to the IP address of your cloud server.
- Wait for the DNS changes to propagate globally (you can check by pinging your domain: ping your_domain.com).
Obtain an SSL/TLS Certificate
To secure your LibreChat application with HTTPS, you’ll need an SSL/TLS certificate. Let’s Encrypt offers free certificates:
- Install Certbot:
  - For Ubuntu: sudo apt-get install certbot python3-certbot-nginx
  - For CentOS: sudo yum install certbot python2-certbot-nginx
- Obtain the Certificate:
  - Run sudo certbot --nginx to obtain and install the certificate automatically for Nginx.
  - Follow the on-screen instructions. Certbot will ask for information and complete the validation process.
  - Once successful, Certbot will store your certificate files.
Set Up Nginx as a Reverse Proxy
Nginx acts as a reverse proxy, forwarding client requests to your LibreChat application. There are two deployment options:
Option A: Using the deploy-compose.yml Docker Compose (Recommended)
The deploy-compose.yml file includes an Nginx container and uses the client/nginx.conf file for Nginx configuration. However, since sudo certbot --nginx installs the certificate into the host’s Nginx configuration, you need to make the certificate files available to the Docker containers.
- Update client/nginx.conf with your domain and certificate paths.
- Update deploy-compose.yml in the client section to mount the certificate files from the host:
    client:
      # ...
      volumes:
        - ./client/nginx.conf:/etc/nginx/conf.d/default.conf
        # live/ only holds symlinks into archive/, so both directories must be mounted
        - /etc/letsencrypt/live/<your-domain>:/etc/letsencrypt/live/<your-domain>
        - /etc/letsencrypt/archive/<your-domain>:/etc/letsencrypt/archive/<your-domain>
        - /etc/letsencrypt/options-ssl-nginx.conf:/etc/letsencrypt/options-ssl-nginx.conf
        - /etc/letsencrypt/ssl-dhparams.pem:/etc/letsencrypt/ssl-dhparams.pem
- Stop any running instance: npm run stop:deployed
- Commit the changes to a new Git branch.
- Rebase the deployed instance: npm run rebase:deployed
Option B: Host-based Deployment without Docker
If you’re not using Docker, you can install and configure Nginx directly on the host:
- Install Nginx:
  - Ubuntu: sudo apt-get install nginx
  - CentOS: sudo yum install nginx
- Start Nginx: sudo systemctl start nginx
- Open the Nginx configuration file: sudo nano /etc/nginx/sites-available/default
- Replace the file content with the following, ensuring to replace your_domain.com with your domain and app_port with your application’s port:
    server {
        listen 80;
        server_name your_domain.com;

        location / {
            proxy_pass http://localhost:app_port;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection 'upgrade';
            proxy_set_header Host $host;
            proxy_cache_bypass $http_upgrade;
        }
    }
- Check the Nginx configuration: sudo nginx -t
- Reload Nginx: sudo systemctl reload nginx
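The server block above listens on port 80 only. Because sudo certbot --nginx, run earlier in this guide, adds an HTTPS server block to the default site, replacing that file afterwards with the port-80 block alone silently removes the HTTPS listener. The following is an added example (it is neither LibreChat’s client/nginx.conf nor certbot’s generated output) of a complete host-based site that carries both blocks explicitly. It assumes your_domain.com is your domain, app_port is the port LibreChat listens on, and that certbot stored its files under the /etc/letsencrypt paths listed in the Docker Compose section; the upload size and read timeout are assumptions to tune for your deployment.

```nginx
# Added example: /etc/nginx/sites-available/default for a host-based LibreChat deployment.
# Assumptions: your_domain.com = your domain, app_port = LibreChat's port,
# certificate files under /etc/letsencrypt as certbot lays them out.

# Pass "Connection: upgrade" only when the client actually asked for a WebSocket;
# ordinary requests get "Connection: close" towards the upstream.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# Plain HTTP does nothing but redirect, so credentials and chat content never travel unencrypted.
server {
    listen 80;
    listen [::]:80;
    server_name your_domain.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name your_domain.com;

    # Files written by certbot; live/ points at the current certificate in archive/.
    ssl_certificate     /etc/letsencrypt/live/your_domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/your_domain.com/privkey.pem;
    include             /etc/letsencrypt/options-ssl-nginx.conf;  # certbot's protocol and cipher settings
    ssl_dhparam         /etc/letsencrypt/ssl-dhparams.pem;

    # Once HTTPS is confirmed working, tell browsers to refuse plain HTTP for a year.
    add_header Strict-Transport-Security "max-age=31536000" always;
    add_header X-Content-Type-Options nosniff always;

    # Keep the Nginx version out of response headers and error pages.
    server_tokens off;

    # Upper bound for uploads to the chat; assumption, raise if your users need larger files.
    client_max_body_size 25m;

    location / {
        proxy_pass http://127.0.0.1:app_port;   # replace app_port with LibreChat's port
        proxy_http_version 1.1;

        # WebSocket / streamed responses need the Upgrade handshake forwarded intact.
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_cache_bypass          $http_upgrade;

        # Let the application log the real client address and know it is behind HTTPS.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Model responses can take longer than Nginx's 60 s default; assumption, adjust as needed.
        proxy_read_timeout 300s;
    }
}
```

As with the guide’s own snippet, run sudo nginx -t before sudo systemctl reload nginx; a typo in the certificate path fails validation here rather than at the next restart. The X-Forwarded-* headers only help if the application is configured to trust its proxy, otherwise every request appears to come from 127.0.0.1.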
Run the Application
- Navigate to your application’s directory: cd LibreChat
- Start your application using Docker Compose: sudo docker-compose -f ./deploy-compose.yml up -d
Web Application Firewall
Nginx can be configured to act as a web application firewall (WAF) by leveraging the OWASP Core Rule Set (CRS), which provides a robust set of rules to protect against common web application vulnerabilities and attacks. Using OWASP CRS with Nginx can enhance the security of your LibreChat deployment by adding an additional layer of protection.
- Install OWASP CRS:
  - Ubuntu: sudo apt-get install nginx-modsecurity-crs
- Enable ModSecurity in Nginx:
  - Open your Nginx configuration file (e.g., /etc/nginx/nginx.conf).
  - Add the following lines inside the http block (nginx.conf):
        modsecurity on;
        modsecurity_rules_file /usr/share/nginx/modsecurity-crs/nginx-modsecurity.conf;
- Configure OWASP CRS:
  - The OWASP CRS package typically includes a configuration file (e.g., /etc/nginx/modsecurity.d/nginx-modsecurity.conf) where you can adjust various settings and rulesets based on your requirements.
- Reload Nginx: sudo systemctl reload nginx
By enabling OWASP CRS in your Nginx configuration, you can leverage the comprehensive set of rules provided by the project to detect and mitigate various web application vulnerabilities and attacks, such as SQL injection, cross-site scripting (XSS), remote file inclusion, and more.
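As an added example (not part of the LibreChat documentation or of the CRS package), here is how the two directives above fit into a server block together with the ModSecurity settings a first rollout needs. It assumes the ModSecurity-nginx connector module is loaded, uses the rules file path from the step above, and takes /var/log/nginx/modsec_audit.log as a placeholder log path. Chat prompts are free text that routinely contains quote characters, SQL keywords and HTML tags, so CRS will flag legitimate traffic; the example therefore starts the engine in DetectionOnly, logging matches instead of blocking them, until the audit log has been reviewed.

```nginx
# Added example: ModSecurity + OWASP CRS in front of LibreChat.
# Assumptions: ModSecurity-nginx connector installed as a dynamic module,
# CRS entry file at the path this guide gives, placeholder audit log path.

load_module modules/ngx_http_modsecurity_module.so;

http {
    # Engine enabled for every server; the rules file pulls in the CRS rule set.
    modsecurity on;
    modsecurity_rules_file /usr/share/nginx/modsecurity-crs/nginx-modsecurity.conf;

    server {
        listen 443 ssl;
        server_name your_domain.com;
        # TLS directives omitted here; they are the same as in the reverse-proxy section.

        location / {
            # Stage 1 (shown): observe only. No request is blocked, every rule match
            # is written to the audit log. Let real users exercise the chat for a
            # while and read the log before going further.
            # Stage 2: change DetectionOnly to On. A rule that fired only on
            # legitimate chat text gets a targeted exclusion here, e.g.
            #   SecRuleRemoveById <rule-id-from-audit-log>   (placeholder id)
            # instead of disabling the whole rule set.
            modsecurity_rules '
                SecRuleEngine DetectionOnly
                SecRequestBodyAccess On
                SecAuditEngine RelevantOnly
                SecAuditLogParts ABIJDEFHZ
                SecAuditLogType Serial
                SecAuditLog /var/log/nginx/modsec_audit.log
            ';

            proxy_pass http://127.0.0.1:app_port;   # replace app_port with LibreChat's port
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $host;
        }
    }
}
```

SecRequestBodyAccess On matters for a chat application: messages are sent as POST bodies, and with body access off the rules would only ever see the URL and headers. Each audit log entry names the rule id that matched and the part of the request it matched on, which is what you need to decide between an exclusion and a genuine block.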
Static File Caching and Compression
LibreChat now supports static file caching and compression natively. If you’re using NGINX to handle compression, you should disable compression in LibreChat to avoid redundant processing. You can do this by setting the DISABLE_COMPRESSION environment variable to true in your LibreChat configuration:
    # .env file
    DISABLE_COMPRESSION=true
This will prevent LibreChat from compressing static files, allowing NGINX to handle compression more efficiently.
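The guide does not show the Nginx side of that hand-over, so here is an added example (not LibreChat’s client/nginx.conf) of the compression and caching directives that take over once DISABLE_COMPRESSION=true is set. It assumes the reverse-proxy server block from this guide, app_port as the application’s port, and that the built client is served under /assets/ with hashed file names; adjust that prefix to your build.

```nginx
# Added example: Nginx-side compression and static caching for LibreChat.
# Assumptions: app_port = LibreChat's port, hashed build assets under /assets/.

# Compression lives in the http block so every server inherits it.
gzip on;
gzip_vary on;            # emit Vary: Accept-Encoding so caches keep both variants apart
gzip_proxied any;        # compress responses coming back from the proxied app as well
gzip_comp_level 5;
gzip_min_length 1024;    # very small responses only grow when compressed
# Static asset types only. application/json is deliberately left out: compressing
# API responses that mix a secret with attacker-influenced input is what the
# BREACH attack on TLS relies on, and the savings on JSON are small anyway.
gzip_types text/plain text/css application/javascript text/xml application/xml image/svg+xml;

server {
    # listen / server_name / TLS directives as in the reverse-proxy section.

    # Hashed build assets never change under the same name, so they can be cached for a year.
    location /assets/ {
        proxy_pass http://127.0.0.1:app_port;   # replace app_port with LibreChat's port
        proxy_set_header Host $host;
        expires 1y;
        # add_header inside a location replaces every add_header inherited from the
        # server block, so repeat any security headers you set there.
        add_header Cache-Control "public, immutable" always;
        add_header Strict-Transport-Security "max-age=31536000" always;
    }

    location / {
        proxy_pass http://127.0.0.1:app_port;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
    }
}
```

The expires and Cache-Control directives apply only to the asset prefix; the HTML shell and the API under / keep their default, uncached handling, which is what you want for responses that depend on the logged-in user.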
For more information on static file handling in LibreChat, including caching options, refer to the Static File Handling documentation.