Move Open-WebUI to chat.${DOMAIN} subdomain
All checks were successful
Deploy with Docker Compose / deploy (push) Successful in 34s
All checks were successful
Deploy with Docker Compose / deploy (push) Successful in 34s
Open-WebUI's SvelteKit frontend hardcodes asset/API paths at build time,
so subpath hosting under /openwebui/ produced 404s on /_app/... assets.
Move it to its own subdomain so it can run at root.
- certbot: request cert with chat.${DOMAIN} as a third SAN via --expand
- nginx (prod): drop /openwebui blocks; add chat.${DOMAIN} HTTP redirect
+ HTTPS server with the existing admin auth gate
- nginx (dev): drop /openwebui blocks (no chat.localhost in dev)
- compose: WEBUI_URL points to https://chat.${DOMAIN}
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
@@ -1,7 +1,8 @@
|
|||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
if [ ! -d /etc/letsencrypt/live/${DOMAIN} ]; then
|
certbot certonly --webroot -w /var/www/certbot \
|
||||||
certbot certonly --webroot -w /var/www/certbot --email ${EMAIL} -d ${DOMAIN} -d www.${DOMAIN} --agree-tos --non-interactive;
|
--email ${EMAIL} \
|
||||||
fi;
|
-d ${DOMAIN} -d www.${DOMAIN} -d chat.${DOMAIN} \
|
||||||
|
--agree-tos --non-interactive --expand;
|
||||||
|
|
||||||
trap exit TERM;
|
trap exit TERM;
|
||||||
|
|
||||||
|
|||||||
@@ -184,7 +184,7 @@ services:
|
|||||||
environment:
|
environment:
|
||||||
- OLLAMA_BASE_URL=${OLLAMA_BASE_URL}
|
- OLLAMA_BASE_URL=${OLLAMA_BASE_URL}
|
||||||
- WEBUI_AUTH=False
|
- WEBUI_AUTH=False
|
||||||
- WEBUI_URL=https://www.${DOMAIN}/openwebui
|
- WEBUI_URL=https://chat.${DOMAIN}
|
||||||
volumes:
|
volumes:
|
||||||
- openwebui_data:/app/backend/data
|
- openwebui_data:/app/backend/data
|
||||||
|
|
||||||
|
|||||||
@@ -79,7 +79,6 @@ http {
|
|||||||
set $upstream_hasura http://$HASURA_HOST:$HASURA_PORT;
|
set $upstream_hasura http://$HASURA_HOST:$HASURA_PORT;
|
||||||
set $upstream_quartz http://$QUARTZ_HOST:$QUARTZ_PORT;
|
set $upstream_quartz http://$QUARTZ_HOST:$QUARTZ_PORT;
|
||||||
set $upstream_searxng http://$SEARXNG_HOST:$SEARXNG_PORT;
|
set $upstream_searxng http://$SEARXNG_HOST:$SEARXNG_PORT;
|
||||||
set $upstream_openwebui http://$OPENWEBUI_HOST:$OPENWEBUI_PORT;
|
|
||||||
|
|
||||||
root /etc/nginx/html;
|
root /etc/nginx/html;
|
||||||
index index.html;
|
index index.html;
|
||||||
@@ -289,14 +288,56 @@ http {
|
|||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
}
|
}
|
||||||
|
|
||||||
location /openwebui {
|
|
||||||
return 301 /openwebui/;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
location /openwebui/ {
|
server {
|
||||||
|
listen 80;
|
||||||
|
server_name chat.$DOMAIN;
|
||||||
|
|
||||||
|
location /.well-known/acme-challenge/ {
|
||||||
|
root /var/www/certbot;
|
||||||
|
}
|
||||||
|
|
||||||
|
location / {
|
||||||
|
return 301 https://chat.$DOMAIN$request_uri;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
http2 on;
|
||||||
|
server_name chat.$DOMAIN;
|
||||||
|
|
||||||
|
ssl_certificate /etc/letsencrypt/live/$DOMAIN/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/$DOMAIN/privkey.pem;
|
||||||
|
|
||||||
|
set $upstream_openwebui http://$OPENWEBUI_HOST:$OPENWEBUI_PORT;
|
||||||
|
|
||||||
|
add_header X-Frame-Options "SAMEORIGIN" always;
|
||||||
|
add_header X-Content-Type-Options "nosniff" always;
|
||||||
|
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
|
||||||
|
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
|
||||||
|
|
||||||
|
client_max_body_size 50M;
|
||||||
|
|
||||||
|
location = /internal/auth/admin-validate {
|
||||||
|
internal;
|
||||||
|
rewrite ^ /auth/validate-admin break;
|
||||||
|
proxy_pass http://$BACKEND_HOST:$BACKEND_PORT;
|
||||||
|
proxy_pass_request_body off;
|
||||||
|
proxy_set_header Content-Length "";
|
||||||
|
proxy_set_header Cookie $http_cookie;
|
||||||
|
}
|
||||||
|
|
||||||
|
location @auth_denied {
|
||||||
|
return 302 https://www.$DOMAIN/admin/login?redirect=https://chat.$DOMAIN$request_uri;
|
||||||
|
}
|
||||||
|
|
||||||
|
location / {
|
||||||
auth_request /internal/auth/admin-validate;
|
auth_request /internal/auth/admin-validate;
|
||||||
error_page 401 403 = @auth_denied;
|
error_page 401 403 = @auth_denied;
|
||||||
rewrite ^/openwebui/(.*)$ /$1 break;
|
|
||||||
proxy_pass $upstream_openwebui;
|
proxy_pass $upstream_openwebui;
|
||||||
proxy_http_version 1.1;
|
proxy_http_version 1.1;
|
||||||
proxy_set_header Upgrade $http_upgrade;
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
@@ -309,8 +350,6 @@ http {
|
|||||||
proxy_read_timeout 300s;
|
proxy_read_timeout 300s;
|
||||||
proxy_send_timeout 300s;
|
proxy_send_timeout 300s;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -52,7 +52,6 @@ http {
|
|||||||
set $upstream_hasura http://$HASURA_HOST:$HASURA_PORT;
|
set $upstream_hasura http://$HASURA_HOST:$HASURA_PORT;
|
||||||
set $upstream_quartz http://$QUARTZ_HOST:$QUARTZ_PORT;
|
set $upstream_quartz http://$QUARTZ_HOST:$QUARTZ_PORT;
|
||||||
set $upstream_searxng http://$SEARXNG_HOST:$SEARXNG_PORT;
|
set $upstream_searxng http://$SEARXNG_HOST:$SEARXNG_PORT;
|
||||||
set $upstream_openwebui http://$OPENWEBUI_HOST:$OPENWEBUI_PORT;
|
|
||||||
|
|
||||||
location /uploads/ {
|
location /uploads/ {
|
||||||
alias /uploads/;
|
alias /uploads/;
|
||||||
@@ -206,28 +205,6 @@ http {
|
|||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
}
|
}
|
||||||
|
|
||||||
location /openwebui {
|
|
||||||
return 301 /openwebui/;
|
|
||||||
}
|
|
||||||
|
|
||||||
location /openwebui/ {
|
|
||||||
auth_request /internal/auth/admin-validate;
|
|
||||||
error_page 401 403 = @auth_denied;
|
|
||||||
rewrite ^/openwebui/(.*)$ /$1 break;
|
|
||||||
proxy_pass $upstream_openwebui;
|
|
||||||
proxy_http_version 1.1;
|
|
||||||
proxy_set_header Upgrade $http_upgrade;
|
|
||||||
proxy_set_header Connection "upgrade";
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
proxy_buffering off;
|
|
||||||
proxy_read_timeout 300s;
|
|
||||||
proxy_send_timeout 300s;
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
server {
|
server {
|
||||||
@@ -243,7 +220,6 @@ http {
|
|||||||
set $upstream_hasura http://$HASURA_HOST:$HASURA_PORT;
|
set $upstream_hasura http://$HASURA_HOST:$HASURA_PORT;
|
||||||
set $upstream_quartz http://$QUARTZ_HOST:$QUARTZ_PORT;
|
set $upstream_quartz http://$QUARTZ_HOST:$QUARTZ_PORT;
|
||||||
set $upstream_searxng http://$SEARXNG_HOST:$SEARXNG_PORT;
|
set $upstream_searxng http://$SEARXNG_HOST:$SEARXNG_PORT;
|
||||||
set $upstream_openwebui http://$OPENWEBUI_HOST:$OPENWEBUI_PORT;
|
|
||||||
|
|
||||||
location /uploads/ {
|
location /uploads/ {
|
||||||
alias /uploads/;
|
alias /uploads/;
|
||||||
@@ -397,28 +373,6 @@ http {
|
|||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
}
|
}
|
||||||
|
|
||||||
location /openwebui {
|
|
||||||
return 301 /openwebui/;
|
|
||||||
}
|
|
||||||
|
|
||||||
location /openwebui/ {
|
|
||||||
auth_request /internal/auth/admin-validate;
|
|
||||||
error_page 401 403 = @auth_denied;
|
|
||||||
rewrite ^/openwebui/(.*)$ /$1 break;
|
|
||||||
proxy_pass $upstream_openwebui;
|
|
||||||
proxy_http_version 1.1;
|
|
||||||
proxy_set_header Upgrade $http_upgrade;
|
|
||||||
proxy_set_header Connection "upgrade";
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
proxy_buffering off;
|
|
||||||
proxy_read_timeout 300s;
|
|
||||||
proxy_send_timeout 300s;
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user