Difficulty

Intermediate

Read Time

8 min

Deploying OpenWebUI Local AI Interface on Ubuntu 24.04

By Codcompass Team·2026-05-26·8 min read

Building a Secure, Multi-Tenant AI Chat Gateway with OpenWebUI and Traefik

Current Situation Analysis

Organizations adopting local large language models (LLMs) frequently encounter a deployment gap. While model servers like Ollama or vLLM handle inference efficiently, they lack the user interface, authentication layers, and access controls required for team usage. Exposing raw API endpoints directly to users creates security risks, including unauthorized access and lack of audit trails.

OpenWebUI addresses this by providing a self-hosted, ChatGPT-style interface that supports per-user authentication, role-based access, and integration with multiple model backends. However, deploying OpenWebUI securely in production requires more than a basic container launch. The infrastructure must handle TLS termination, automatic certificate renewal, and reverse proxying without manual intervention.

Many teams overlook the operational overhead of managing certificates and proxy configurations. Manual Nginx setups or self-signed certificates introduce friction, increase the risk of expired credentials, and complicate scaling. The industry standard for containerized deployments is now dynamic reverse proxying with automated ACME (Let's Encrypt) integration, which reduces operational load and enforces security by default.

WOW Moment: Key Findings

Comparing traditional manual proxy setups against a Traefik-driven deployment reveals significant advantages in operational efficiency and security posture. The following data highlights the impact of automating TLS and routing via Docker labels.

Deployment Strategy	TLS Management	Certificate Renewal	Ops Overhead	Security Posture
Manual Nginx + Self-Signed	Manual configuration	Manual script/cron	High	Low (Trust warnings)
Traefik + ACME	Dynamic via labels	Automated	Low	High (Valid certs)

Why this matters:
Using Traefik with ACME eliminates the need for manual certificate management. The proxy automatically detects new containers via Docker labels, requests certificates from Let's Encrypt, and handles renewals transparently. This allows engineering teams to focus on model configuration and user management rather than infrastructure maintenance. Additionally, label-based routing ensures that services are only exposed when explicitly configured, reducing the attack surface.

Core Solution

This solution deploys OpenWebUI behind a Traefik reverse proxy using Docker Compose. The architecture ensures that OpenWebUI is never directly exposed to the internet; all traffic flows through Traefik, which terminates HTTPS and routes requests based on host rules.

Architecture Decisions

Traefik v3.6 as Edge Proxy: Traefik is selected for its native Docker integration and automatic certificate management. It reads container labels to build routing rules dynamically, removing the need for static configuration files.
Container Isolation: OpenWebUI runs on an internal port (8080) and is not mapped to host ports. Only Traefik binds to ports 80 and 443. This prevents direct access to the application container.
Persistent Storage: User data, chat history, and knowledge base files are stored in a dedicated volume. This ensures data survives container restarts and updates.
Authentication Enforcement: The WEBUI_AUTH environment variable is set to true to enforce user authentication. Without this, the inte

rface would be open to anyone with network access.

Implementation Steps

1. Initialize Project Structure

Create a dedicated directory for the stack. Separating configuration and data volumes improves maintainability.

mkdir -p ~/ai-gateway-stack/config
mkdir -p ~/ai-gateway-stack/data
cd ~/ai-gateway-stack

2. Configure Environment Variables

Create a .env file to manage sensitive and domain-specific values. This keeps the compose file clean and allows easy environment switching.

nano .env

Add the following variables:

APP_DOMAIN=ai-gateway.example.com
ACME_EMAIL=admin@example.com

APP_DOMAIN: The fully qualified domain name pointing to your server.
ACME_EMAIL: Email address for Let's Encrypt account registration and expiration notices.

3. Define Docker Compose Manifest

Create the docker-compose.yaml file. This manifest defines the proxy and the application service.

nano docker-compose.yaml

services:
  proxy-edge:
    image: traefik:v3.6
    container_name: proxy-edge
    command:
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      - "--certificatesresolvers.letsencrypt.acme.httpchallenge=true"
      - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web"
      - "--certificatesresolvers.letsencrypt.acme.email=${ACME_EMAIL}"
      - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "letsencrypt-storage:/letsencrypt"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    restart: unless-stopped

  chat-ui-service:
    image: ghcr.io/open-webui/open-webui:main
    container_name: chat-ui-service
    hostname: chat-ui
    expose:
      - "8080"
    volumes:
      - "./data:/app/backend/data"
    environment:
      - WEBUI_AUTH=true
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.ai-gateway.rule=Host(`${APP_DOMAIN}`)"
      - "traefik.http.routers.ai-gateway.entrypoints=websecure"
      - "traefik.http.routers.ai-gateway.tls.certresolver=letsencrypt"
      - "traefik.http.services.ai-gateway.loadbalancer.server.port=8080"
    restart: unless-stopped

volumes:
  letsencrypt-storage:

Key Implementation Details:

expose: "8080" vs ports: The chat-ui-service uses expose instead of ports. This makes the port available to linked services but does not publish it to the host. Traefik can still route to it via the Docker network, but external traffic cannot bypass the proxy.
Traefik Commands:
- --providers.docker.exposedbydefault=false: Ensures only containers with explicit traefik.enable=true labels are exposed. This is a critical security default.
- --entrypoints.web.http.redirections...: Forces all HTTP traffic to redirect to HTTPS, enforcing secure connections.
- --certificatesresolvers...: Configures ACME with HTTP challenge for automatic certificate issuance.
Labels on chat-ui-service:
- traefik.http.routers.ai-gateway.rule: Routes traffic based on the APP_DOMAIN.
- traefik.http.routers.ai-gateway.tls.certresolver: Associates the router with the Let's Encrypt resolver.
- traefik.http.services...: Defines the backend service and target port.

4. Launch and Verify

Start the stack in detached mode:

docker compose up -d

Verify service status:

docker compose ps

Check logs for certificate issuance:

docker compose logs -f proxy-edge

Look for messages indicating successful ACME certificate retrieval. Once the proxy is ready, navigate to https://<APP_DOMAIN> in your browser.

5. Initial Configuration

The first user to register via the web interface becomes the administrator. Complete the registration to gain access to the Admin Panel. Subsequent users can sign up and be managed by the administrator.

Pitfall Guide

Deploying containerized AI interfaces involves specific risks. The following pitfalls are common in production environments and include mitigation strategies.

Pitfall	Explanation	Fix
Unrestricted Docker Socket	Mounting `/var/run/docker.sock` gives the container root-level control over the Docker daemon. If Traefik is compromised, an attacker could escalate privileges.	Use Docker socket proxy or restrict access via TLS. In single-node setups, ensure Traefik is not exposed to untrusted networks and keep the image updated.
Missing `WEBUI_AUTH`	Omitting `WEBUI_AUTH=true` leaves the interface open. Anyone with the URL can access the chat and potentially upload malicious documents.	Always set `WEBUI_AUTH=true` in the environment. Verify the login screen appears on first access.
ACME Rate Limiting	Let's Encrypt enforces rate limits on certificate requests. Frequent restarts or misconfigurations can trigger limits, blocking certificate issuance.	Use the Let's Encrypt staging environment (`--certificatesresolvers.letsencrypt.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory`) during testing. Switch to production only after validation.
Volume Permission Errors	OpenWebUI may fail to write to the data volume if the host directory has incorrect ownership, leading to startup crashes.	Ensure the `./data` directory is writable by the container user. Use `chown -R 1000:1000 ./data` if permission denied errors appear in logs.
First User Admin Trap	The first registered user becomes the admin. If a non-admin registers first, they gain full control, which may be unintended.	Plan the admin account registration. If needed, delete the data volume and restart to reset the first-user flow, or use the admin panel to assign roles immediately after setup.
Backend Connectivity Failure	OpenWebUI cannot connect to Ollama or other backends if they are not reachable from the container network.	Use `http://host.docker.internal:11434` for local Ollama instances, or configure a shared Docker network. Ensure the backend allows CORS if accessed from the browser.
Port Conflicts	Ports 80 or 443 may be occupied by existing web servers, causing Traefik to fail on startup.	Check for conflicts using `sudo lsof -i :80` and `sudo lsof -i :443`. Stop conflicting services or change Traefik ports and configure a upstream load balancer.

Production Bundle

Action Checklist

DNS Verification: Ensure the APP_DOMAIN DNS record points to the server IP and propagation is complete.
Staging Test: Run the stack with Let's Encrypt staging to validate configuration without hitting rate limits.
Admin Registration: Register the first user immediately after deployment to secure the admin role.
Backup Strategy: Implement automated backups for the ./data volume and acme.json file.
Model Backend: Configure the model endpoint in OpenWebUI settings (e.g., Ollama URL or OpenAI-compatible API).
User Management: Invite team members and assign appropriate roles via the Admin Panel.
RAG Configuration: Upload documents to the knowledge base if Retrieval-Augmented Generation is required.
Monitoring: Set up log aggregation for Traefik and OpenWebUI to detect errors and access patterns.

Decision Matrix

Scenario	Recommended Approach	Why	Cost Impact
Solo Developer	Single-node Docker Compose	Simple setup, low resource usage, sufficient for personal use.	Low (Single VM)
Small Team	Docker Compose + Traefik	Provides auth, HTTPS, and user management with minimal ops overhead.	Low (Single VM)
High Availability	Kubernetes + Ingress Controller	Enables scaling, rolling updates, and redundancy for critical workloads.	Medium-High (Cluster resources)
Air-Gapped Environment	Self-Signed Certs + Internal CA	ACME requires internet. Use internal CA for TLS in isolated networks.	Medium (CA management)

Configuration Template

Copy this template for a production-ready deployment. Replace placeholder values with your actual configuration.

.env

APP_DOMAIN=your-domain.com
ACME_EMAIL=your-email@example.com

docker-compose.yaml

services:
  proxy-edge:
    image: traefik:v3.6
    container_name: proxy-edge
    command:
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      - "--certificatesresolvers.letsencrypt.acme.httpchallenge=true"
      - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web"
      - "--certificatesresolvers.letsencrypt.acme.email=${ACME_EMAIL}"
      - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "letsencrypt-storage:/letsencrypt"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    restart: unless-stopped

  chat-ui-service:
    image: ghcr.io/open-webui/open-webui:main
    container_name: chat-ui-service
    hostname: chat-ui
    expose:
      - "8080"
    volumes:
      - "./data:/app/backend/data"
    environment:
      - WEBUI_AUTH=true
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.ai-gateway.rule=Host(`${APP_DOMAIN}`)"
      - "traefik.http.routers.ai-gateway.entrypoints=websecure"
      - "traefik.http.routers.ai-gateway.tls.certresolver=letsencrypt"
      - "traefik.http.services.ai-gateway.loadbalancer.server.port=8080"
    restart: unless-stopped

volumes:
  letsencrypt-storage:

Quick Start Guide

Create Directory: Run mkdir -p ~/ai-gateway-stack/data && cd ~/ai-gateway-stack.
Edit Config: Create .env with your domain and email. Create docker-compose.yaml using the template.
Deploy: Execute docker compose up -d.
Register: Open https://<APP_DOMAIN> and register the first user as admin.
Connect Model: Navigate to Settings → Connections and add your Ollama or OpenAI-compatible endpoint.

🎉 Mid-Year Sale — Unlock Full Article

Base plan from just $4.99/mo or $49/yr

7-day free trial · Cancel anytime · 30-day money-back