Docs
Remote Hosting
Nginx

Secure Deployment with Nginx

This guide covers the essential steps for securing your LibreChat deployment with an SSL/TLS certificate for HTTPS, setting up Nginx as a reverse proxy, and configuring your domain.

Prerequisites

  1. A cloud server (e.g., AWS, Google Cloud, Azure, Digital Ocean).
  2. A registered domain name.
  3. Terminal access to your cloud server.
  4. Node.js and NPM installed on your server.

Initial Setup

Pointing Your Domain to Your Server

Before proceeding with certificate acquisition, point your domain to your cloud server’s IP address. This step is foundational and must precede SSL certificate setup due to the time DNS records may require to propagate globally.

  1. Log in to your domain registrar’s control panel.
  2. Navigate to DNS settings.
  3. Create an A record pointing your domain to the IP address of your cloud server.
  4. Wait for the DNS changes to propagate globally (you can check by pinging your domain: ping your_domain.com).

Obtain an SSL/TLS Certificate

To secure your LibreChat application with HTTPS, you’ll need an SSL/TLS certificate. Let’s Encrypt offers free certificates:

  1. Install Certbot:

    • For Ubuntu: sudo apt-get install certbot python3-certbot-nginx
    • For CentOS: sudo yum install certbot python2-certbot-nginx
  2. Obtain the Certificate:

    • Run sudo certbot --nginx to obtain and install the certificate automatically for Nginx.
    • Follow the on-screen instructions. Certbot will ask for information and complete the validation process.
    • Once successful, Certbot will store your certificate files.

Set Up Nginx as a Reverse Proxy

Nginx acts as a reverse proxy, forwarding client requests to your LibreChat application. There are two deployment options:

Option A: Using the deploy-compose.yml Docker Compose (Recommended)

The deploy-compose.yml file includes an Nginx container and uses the client/nginx.conf file for Nginx configuration. However, since sudo certbot --nginx extracts the certificate to the host configuration, you need to duplicate the certificate to the Docker containers.

  1. Update client/nginx.conf with your domain and certificate paths.
  2. Update deploy-compose.yml in the client section to mount the certificate files from the host:
client:
  # ...
  volumes:
    - ./client/nginx.conf:/etc/nginx/conf.d/default.conf
    - /etc/letsencrypt/live/<your-domain>:/etc/letsencrypt/live/<your-domain>
    - /etc/letsencrypt/archive/<your-domain>:/etc/letsencrypt/archive/<your-domain>
    - /etc/letsencrypt/options-ssl-nginx.conf:/etc/letsencrypt/options-ssl-nginx.conf
    - /etc/letsencrypt/ssl-dhparams.pem:/etc/letsencrypt/ssl-dhparams.pem
  1. Stop any running instance: npm run stop:deployed
  2. Commit the changes to a new Git branch.
  3. Rebase the deployed instance: npm run rebase:deployed

Option B: Host-based Deployment without Docker

If you’re not using Docker, you can install and configure Nginx directly on the host:

  1. Install Nginx:

    • Ubuntu: sudo apt-get install nginx
    • CentOS: sudo yum install nginx
  2. Start Nginx: sudo systemctl start nginx

  3. Open the Nginx configuration file: sudo nano /etc/nginx/sites-available/default

  4. Replace the file content with the following, ensuring to replace your_domain.com with your domain and app_port with your application’s port:

/etc/nginx/sites-available/default
server {
    listen 80;
    server_name your_domain.com;
 
    location / {
        proxy_pass http://localhost:app_port;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}
  1. Check the Nginx configuration: sudo nginx -t
  2. Reload Nginx: sudo systemctl reload nginx

Run the Application

  1. Navigate to your application’s directory:
cd LibreChat
  1. Start your application using Docker Compose:
Start your application
sudo docker-compose -f ./deploy-compose.yml up -d

Web Application Firewall

Nginx can be configured to act as a web application firewall (WAF) by leveraging the OWASP Core Rule Set (CRS), which provides a robust set of rules to protect against common web application vulnerabilities and attacks. Using OWASP CRS with Nginx can enhance the security of your LibreChat deployment by adding an additional layer of protection.

  1. Install OWASP CRS:

    • Ubuntu: sudo apt-get install nginx-modsecurity-crs
  2. Enable ModSecurity in Nginx:

    • Open your Nginx configuration file (e.g., /etc/nginx/nginx.conf).

    • Add the following lines inside the http block:

      nginx.conf
      modsecurity on;
      modsecurity_rules_file /usr/share/nginx/modsecurity-crs/nginx-modsecurity.conf;
  3. Configure OWASP CRS:

    • The OWASP CRS package typically includes a configuration file (e.g., /etc/nginx/modsecurity.d/nginx-modsecurity.conf) where you can adjust various settings and rulesets based on your requirements.
  4. Reload Nginx:

    • sudo systemctl reload nginx

By enabling OWASP CRS in your Nginx configuration, you can leverage the comprehensive set of rules provided by the project to detect and mitigate various web application vulnerabilities and attacks, such as SQL injection, cross-site scripting (XSS), remote file inclusion, and more.

Static File Caching and Compression

LibreChat now supports static file caching and compression natively. If you’re using NGINX to handle compression, you should disable compression in LibreChat to avoid redundant processing. You can do this by setting the DISABLE_COMPRESSION environment variable to true in your LibreChat configuration.

# .env file
DISABLE_COMPRESSION=true

This will prevent LibreChat from compressing static files, allowing NGINX to handle compression more efficiently.

For more information on static file handling in LibreChat, including caching options, refer to the Static File Handling documentation.