Secure your Open WebUI deployment with TLS encryption, reverse proxies, or managed tunnels.

HTTPS encrypts all traffic between users and Open WebUI, protecting chat history, credentials, and uploaded files. It is also required for browser features like Voice Calls, which need a secure context to access the microphone.

:::warning Voice Calls require HTTPS
Modern browsers block microphone access on non-HTTPS origins. Voice Calls will not work over plain `http://` unless you are on `localhost`.
:::
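To predict whether a given access URL will allow microphone use, the sketch below approximates the browser's secure-context origin test (HTTPS, or a loopback host over HTTP). It is an added example, not part of Open WebUI: the function names and sample URLs are constructed, and real browsers apply further rules such as framing and enterprise policy.

```javascript
// Approximation of the "potentially trustworthy origin" test browsers use
// to decide whether a page is a secure context (required for getUserMedia).
// Added example: function names and sample URLs are hypothetical.

function isLoopbackHost(hostname) {
  const host = hostname.toLowerCase().replace(/\.$/, "");
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  if (host === "[::1]") return true; // URL.hostname keeps IPv6 brackets
  // IPv4 loopback is the whole 127.0.0.0/8 block, not just 127.0.0.1.
  const m = host.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  return m !== null && m.slice(1).every((o) => Number(o) <= 255) && m[1] === "127";
}

function micAllowedOrigin(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { secure: false, reason: "not a valid absolute URL" };
  }
  if (url.protocol === "https:") return { secure: true, reason: "HTTPS origin" };
  if (url.protocol !== "http:") {
    return { secure: false, reason: `unsupported scheme ${url.protocol}` };
  }
  if (isLoopbackHost(url.hostname)) {
    return { secure: true, reason: "loopback host over HTTP" };
  }
  return { secure: false, reason: "plain HTTP on a non-loopback host" };
}

// Constructed sample access URLs for a self-hosted instance.
const samples = [
  "https://chat.example.com",
  "http://localhost:3000",
  "http://127.0.0.1:8080",
  "http://192.168.1.20:3000", // LAN IP over HTTP: microphone blocked
  "http://openwebui.internal",
];
for (const s of samples) {
  const r = micAllowedOrigin(s);
  console.log(`${r.secure ? "OK   " : "BLOCK"} ${s} (${r.reason})`);
}
```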
| Method | Best for | TLS management |
|---|---|---|
| Cloudflare Tunnel | Production without open ports | Automatic (Cloudflare edge) |
| ngrok | Development and testing | Automatic (ngrok edge) |
| Tailscale | Private access across devices | Automatic (tailscale serve) |
| Nginx | Self-hosted production with full control | Manual or Let's Encrypt |
| Caddy | Self-hosted production, minimal config | Automatic (Let's Encrypt) |
| HAProxy | High-availability / load balancing | Manual or Let's Encrypt |
| Cloud load balancers | AWS ALB, GCP LB, Azure App Gateway | Managed by cloud provider |

- Just want HTTPS fast? Use Cloudflare Tunnel (production) or ngrok (development). No certificates to manage, no ports to open.
- Running a reverse proxy already? Add Caddy for automatic certs or Nginx for maximum control.
- Need load balancing? Use HAProxy or your cloud provider's load balancer.

Regardless of which approach you choose, keep these in mind:
