|
| 1 | +As LibreChat has varying use cases and environment possibilities, this page will host niche setup/configurations, as contributed by the community, that are not better delegated to any of the other guides. |
| 2 | + |
| 3 | +# Using LibreChat behind a reverse proxy with Basic Authentication |
| 4 | + |
| 5 | +Written by [@danny-avila](https://github.com/danny-avila) and [@jerkstorecaller](https://github.com/jerkstorecaller) |
| 6 | + |
| 7 | +### Basic Authentication (Basic Auth) |
| 8 | + |
| 9 | +Basic Authentication is a simple authentication scheme built into the HTTP protocol. When a client sends a request to a server, the server can respond with a `401 Unauthorized` status code, prompting the client to provide a username and password. This username and password are then sent with subsequent requests in the HTTP header, encoded in Base64 format. |
| 10 | + |
| 11 | +For example, if the username is `Aladdin` and the password is `open sesame`, the client sends: |
| 12 | + |
| 13 | +``` |
| 14 | +Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ== |
| 15 | +``` |
| 16 | + |
| 17 | +Where `QWxhZGRpbjpvcGVuIHNlc2FtZQ==` is the Base64 encoding of `Aladdin:open sesame`. |
| 18 | + |
| 19 | +**Note**: Basic Auth is not considered very secure on its own because the credentials are sent in easily decodable Base64 format. It should always be used in conjunction with HTTPS to encrypt the credentials during transmission. |
| 20 | + |
| 21 | +### Reverse Proxy |
| 22 | + |
| 23 | +A reverse proxy is a server that sits between client devices and a web server, forwarding client requests to the web server and returning the server's responses back to the clients. This is useful for load balancing, caching, and, in this context, adding an additional layer of security or authentication. |
| 24 | + |
| 25 | +### The Issue with LibreChat and Basic Auth |
| 26 | + |
| 27 | +If LibreChat is behind a webserver acting as a reverse proxy with Basic Auth (a common scenario for casual users), LibreChat will not function properly without some extra configuration. You will connect to LibreChat, be prompted to enter Basic Auth credentials, enter your username/password, LibreChat will load, but then you will not get a response from the AI services. |
| 28 | + |
| 29 | +The reason is that LibreChat uses Bearer authentication when calling the backend API at domain.com/api. Because those calls will use Bearer rather than Basic auth, your webserver will view this as unauthenticated connection attempt and return 401. |
| 30 | + |
| 31 | +The solution is to enable Basic Auth, but disable it specifically for the /api/ endpoint. (it's safe because the API calls still require an authenticated user) |
| 32 | + |
| 33 | +You will therefore need to create a new rule that disables Basic Auth for /api/. This rule must be higher priority than the rule activating Basic Auth. |
| 34 | + |
| 35 | +### Nginx Configuration |
| 36 | + |
| 37 | +For example, for nginx, you might do: |
| 38 | + |
| 39 | +``` |
| 40 | +#https://librechat.domain.com |
| 41 | +server { |
| 42 | + listen 443 ssl; |
| 43 | + listen [::]:443 ssl; |
| 44 | + server_name librechat.*; |
| 45 | + include /config/nginx/ssl.conf; |
| 46 | +
|
| 47 | + #all connections to librechat.domain.com require basic_auth |
| 48 | + location / { |
| 49 | + auth_basic "Access Restricted"; |
| 50 | + auth_basic_user_file /config/nginx/.htpasswd; |
| 51 | + include /config/nginx/proxy_params.conf; |
| 52 | + proxy_pass http://127.0.0.1:3080; |
| 53 | + } |
| 54 | +
|
| 55 | + #...except for /api/, which will use LibreChat's own auth system |
| 56 | + location ~ ^/api/ { |
| 57 | + auth_basic off; |
| 58 | + include /config/nginx/proxy_params.conf; |
| 59 | + proxy_pass http://127.0.0.1:3080; |
| 60 | + } |
| 61 | +} |
| 62 | +``` |
| 63 | + |
| 64 | +The provided Nginx configuration sets up a server block for `librechat.domain.com`: |
| 65 | + |
| 66 | +1. **Basic Auth for All Requests**: The `location /` block sets up Basic Auth for all requests to `librechat.domain.com`. The `auth_basic` directive activates Basic Auth, and the `auth_basic_user_file` directive points to the file containing valid usernames and passwords. |
| 67 | + |
| 68 | +2. **Exception for `/api/` Endpoint**: The `location ~ ^/api/` block matches any URL path starting with `/api/`. For these requests, Basic Auth is turned off using `auth_basic off;`. This ensures that LibreChat's own authentication system can operate without interference. |
0 commit comments