This guide covers the essential steps for securing your LibreChat deployment with an SSL/TLS certificate for HTTPS, setting up Nginx as a reverse proxy, and configuring your domain.
A reverse proxy is a server that sits between clients and the web servers that host actual applications. It forwards client requests to the back-end servers and returns the server's response to the client. Using a reverse proxy in deployment can enhance security, load balancing, and caching. It hides the characteristics and origins of the back-end servers, providing an additional layer of defense against attacks. Additionally, it can distribute traffic among several servers, improving performance and scalability.
Implementing HTTPS in your Nginx configuration is vital when deploying an application for several reasons:
Data Security: HTTPS encrypts the data transmitted between the client (user's browser) and the server, protecting sensitive information from being intercepted by third parties. This is particularly important for applications handling personal, financial, or otherwise confidential information.
Authentication: HTTPS provides a mechanism for users to verify that they are communicating with the intended website, reducing the risk of man-in-the-middle attacks, phishing, and other threats where an attacker might impersonate your site.
SEO and Trust: Search engines like Google give preference to HTTPS-enabled websites, potentially improving your site's search ranking. Additionally, browsers display security warnings for sites not using HTTPS, which can erode trust and deter users from using your application.
Regulatory Compliance: For many types of applications, particularly those dealing with personal data, HTTPS may be required to comply with legal standards and regulations, such as GDPR, HIPAA, or PCI-DSS.
By configuring HTTPS in Nginx, you ensure that your application benefits from enhanced security, improved trust and compliance, and better user experience.
Before proceeding with certificate acquisition, it's crucial to direct your domain to your cloud server. This step is foundational and must precede SSL certificate setup due to the time DNS records may require to propagate globally. Ensure that this DNS configuration is fully operational before moving forward.
NGINX acts as a reverse proxy, forwarding client requests to your LibreChat application.
There are 2 different options for the nginx server, which depends on the method you want to deploy the LibreChat.
### Using the `deploy-compose.yml` Docker Compose (the recommended way)
The `deploy-compose.yml` has already the Nginx app within it. it used the file `client/nginx.conf` for the Nginx configuration.
But here is the problem... using the `sudo certbot --nginx` you extracted the cert to the ... host conf so we will need to duplicate the cert to the dockers to make it work.
### Normal Host based deployment
If you are deploying from the host without dockers you need to install the Nginx on the host, as below. However if you use the docker compose `deploy-compose.yml` - DON'T install Nginx on the host since it will mess within your Nginx within the Docker.
1.**Install NGINX**:
- Ubuntu: `sudo apt-get install nginx`
- CentOS: `sudo yum install nginx`
2.**Start NGINX**:
- Start NGINX: `sudo systemctl start nginx`
- Follow the on-screen instructions. Press Enter for any screen that opens during the process.
- You might be asked to execute `sudo reboot` to restart your server. This will apply any kernel updates and restart your services.
3.**What type of Nginx Configuration I want?**
There are 2 different use cases, each calling for a bit different configuration.
### Configuration without Basic Authentication
#### Use Case
Suitable for production environments or when application has a built-in robust authentication system. Ideal for dynamic user management scenarios.
#### User Perspective
- Seamless access after application login.
- No additional Nginx login required.
#### Administrator Perspective
- No `.htpasswd` maintenance required.
- Focus on application security and SSL certificate management.
#### Configuration Example
This guide assumes the use case of installing without Basic Authentication, so if this is your case, jump over to `Configure NGINX without Basic Authentication` below.
---
### Configuration with Basic Authentication
#### Use Case
Appropriate for smaller environments like staging, internal tools, or additional security layers. Useful if application lacks its own authentication.
#### User Perspective
- Additional login prompt for Nginx access.
- Separate credentials for Nginx and application.
#### Administrator Perspective
- Maintenance of `.htpasswd` file required.
- Extra security layer management.
#### Configuration Example
For example configuration with Basic Authentication see [🌀 Miscellaneous](../install/configuration/misc.md)
---
### Summary of Differences
- **User Experience**: Direct application access vs. additional Nginx login.
- **Administration**: Less overhead vs. `.htpasswd` management.
- **Security**: Application security vs. added Nginx layer.
after you changed them you should follow the instruction from [Part V: Editing the NGINX file](digitalocean.md#part-v-editing-the-nginx-file-for-custom-domains-and-advanced-configs)\*\*
in order to update the git and deploy from a rebased branch.
[TBA: TO ADD HERE a simple explanation based on that explanation]
