# Nginx template for deployment in LAN environments


stark egret

Then run: `sudo chmod 644 librechat.pem  # Certificate can be world-readable`

The certificate itself can be readable by everyone, so broad permissions are okay.

Now you set the correct permissions for the created key, so that you ensure that even a misconfiguration does not easily expose your private key:

Run: `sudo chmod 600 librechat.key  # Key is readable only by root/owner`

stark egret

The next step is to create the actual Nginx configuration:

Run: `sudo nano /etc/nginx/sites-available/librechat`

This will open a simple text editor where you can use the following configuration. You have to edit the IP address to make this work. The key names are already set correctly; however, you need to set your correct local LAN IP (the address of the machine that is hosting LibreChat; the very same IP also has to be declared in the LibreChat .env file!).

```nginx
# --- HTTP Server Block (Redirects to HTTPS) ---
server {
    listen 80;
    listen [::]:80;
    # Only handle requests whose Host header is this IP (server_name matches the Host header; it does not bind the socket)
    server_name 192.168.*.*;     # Placeholder: enter the local LAN IP of the host machine or the configuration will not work!

    # Redirect all HTTP traffic to HTTPS
    location / {
        # Use 301 for permanent redirect if sure, 302 for temporary during testing
        return 301 https://$host$request_uri;
    }
}

# --- HTTPS Server Block (Main Configuration) ---
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    # Same Host match as above, for HTTPS requests
    server_name 192.168.*.*; # Placeholder: enter your correct LAN IP here too!

    # SSL certificate configuration
    ssl_certificate /etc/nginx/ssl/librechat.pem;      # Path to your certificate
    ssl_certificate_key /etc/nginx/ssl/librechat.key;  # Path to your private key

    # Basic SSL settings
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off; # Keep as is per original config comment

    # --- NEW: Limit Maximum Upload File Size ---
    # Sets the maximum allowed size of the client request body.
    # Adjust value as needed (e.g., 100m for 100 MB).
    client_max_body_size 50m;

    # --- NEW: Enable Gzip Compression ---
    gzip on; # Enables gzip compression
    gzip_vary on; # Tells proxies to cache both gzipped and non-gzipped versions
    gzip_proxied any; # Compress responses from proxied servers (like LibreChat)
    gzip_comp_level 6; # Compression level (1-9). 6 is a good balance.
    gzip_buffers 16 8k; # Number and size of buffers for compression
    gzip_http_version 1.1; # Enable gzip for HTTP/1.1 and higher
    gzip_min_length 256; # Don't gzip very small files
    # Specifies MIME types to compress. Add more if needed.
    # Avoid compressing already compressed formats (jpg, png, zip, etc.)
    gzip_types
        text/plain
        text/css
        application/json
        application/javascript
        text/xml
        application/xml
        application/xml+rss
        text/javascript
        image/svg+xml;

    location / {
        # --- Proxy requests to LibreChat running on the SAME machine ---
        proxy_pass http://127.0.0.1:3080;

        # --- Standard Proxy Headers ---
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # --- Headers REQUIRED for WebSocket support ---
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Optional: Increase timeouts if needed for long-running requests or large uploads
        # proxy_connect_timeout       600;
        # proxy_send_timeout          600;
        # proxy_read_timeout          600;
        # send_timeout                600;
    }

    # Optional: Add error pages (example)
    # error_page 404 /404.html;
    # location = /40x.html {
    # }

    # error_page 500 502 503 504 /50x.html;
    # location = /50x.html {
    # }

    # Deny access to hidden files (good practice even on LAN)
    location ~ /\. {
        deny all;
    }
}
```

To understand why this setup is not secure, please have a look at:

https://www.breachattack.com/

The gzip permissions are quite broad and unrestricted for maximum performance inside a small LAN where bad WLAN connections can introduce all kinds of problems.

If you want to make things more secure, you can add these settings to the SSL configuration block:

```nginx
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;
```

If you also want security headers added, these would look like this in the same server block:

```nginx
    # Security headers
    add_header Strict-Transport-Security "max-age=63072000" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Permissions-Policy "camera=(self), microphone=(self), geolocation=()" always;
```

Also, more restrictive gzip settings with more explicit file blocking could look like this:

```nginx
    # Compression settings
    gzip on;
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/javascript application/json application/octet-stream image/svg+xml;

    # Increase upload size limit
    client_max_body_size 25M;

    # Block access to sensitive files
    location ~* /\.(env|git|svn|ht|DS_Store|aws|dockerignore|npmrc|gitignore|env.*|bak|backup|swp|swo|idea|vscode|log|sql|yml|yaml|xml|ini|php|json)$ {
        deny all;
        return 403;
    }
    location ~* /(composer\.json|package\.json|yarn\.lock|Dockerfile|docker-compose\.yml|docker-compose\.yaml|Makefile|Procfile|config\.js|config\.ts|tsconfig\.json|jsconfig\.json|webpack\.config\.js|babel\.config\.js|Gruntfile\.js|gulpfile\.js|\.well-known/security.txt)$ {
        deny all;
        return 403;
    }
```

Activate the Nginx configuration: `sudo ln -s /etc/nginx/sites-available/librechat /etc/nginx/sites-enabled/`

Note: this command assumes that you followed the standard procedure by installing Nginx via the Ubuntu apt package manager, kept everything in the default folders and created everything according to the commands outlined in this tutorial.

Now, before reloading Nginx with the new configuration, you want to check for any syntax errors by running `sudo nginx -t`.
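As an added example (not from the post above), a small pre-flight script that checks the steps of this tutorial before the site goes live: the 600/644 permissions on key and certificate, that the `192.168.*.*` placeholder was actually replaced in the site file, that the private key belongs to the certificate, and finally `nginx -t`. The paths are the ones used in the tutorial; `openssl` is assumed to be installed and the script is expected to run as root.

```shell
#!/usr/bin/env bash
# Pre-flight checks for the LibreChat Nginx site (added example, not part of the tutorial).
# Defaults are the tutorial's paths; override with CERT/KEY/SITE. Run with sudo: the key is mode 600.
CERT=${CERT:-/etc/nginx/ssl/librechat.pem}
KEY=${KEY:-/etc/nginx/ssl/librechat.key}
SITE=${SITE:-/etc/nginx/sites-available/librechat}

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeeds only when the file has exactly the expected mode (600 for the key, 644 for the cert).
check_mode() {
  [ "$(file_mode "$1")" = "$2" ]
}

# Succeeds when no server_name line in the site file still carries the 192.168.*.* placeholder.
placeholder_replaced() {
  ! grep -Eq '^[[:space:]]*server_name[[:space:]]+192\.168\.\*\.\*' "$1"
}

# Succeeds when the certificate's public key equals the public key derived from the private key.
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -pubkey -noout)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Runs every check, prints what failed, and only then hands the config to nginx -t.
preflight() {
  rc=0
  check_mode "$KEY" 600  || { echo "FAIL: $KEY should be mode 600, is $(file_mode "$KEY")"; rc=1; }
  check_mode "$CERT" 644 || { echo "FAIL: $CERT should be mode 644, is $(file_mode "$CERT")"; rc=1; }
  placeholder_replaced "$SITE" || { echo "FAIL: 192.168.*.* placeholder still present in $SITE"; rc=1; }
  key_matches_cert "$CERT" "$KEY" || { echo "FAIL: $KEY does not belong to $CERT"; rc=1; }
  [ "$rc" -eq 0 ] && { nginx -t || rc=1; }
  return "$rc"
}

# Execute the checks when invoked as: sudo bash preflight.sh run
[ "${1:-}" = "run" ] && preflight
```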