
Add Let's Encrypt certbot SSL functionality

Open ResearchForumOnline opened this issue 3 years ago • 8 comments

Want to provide images for friends, family etc. on an SSL domain. Add SSL to domain set to stable-diffusion-ui, example: http://super-cool-ai-images.domain.com:9000

Solution: https://super-cool-ai-images.domain.com

Any alternatives? Someone said you can set up SSL through Cloudflare, but I did not manage to do so yet due to a lack of understandable instructions when searching Google.

Additional context: Would be really cool to have SSL easily set up for the UI of this software, which would help this project get noticed even more.

ResearchForumOnline avatar Nov 26 '22 23:11 ResearchForumOnline

I think this is beyond the capabilities of this project. There are many different home network topologies to consider, and all the solutions I found require a cloud side component to be running all the time.

There are projects offering tools to expose local web services to the internet, e.g. https://github.com/localtunnel/localtunnel (open source) or https://ngrok.com/ (commercial, offering a free tier).

When using such a service, make sure that you enable password protection, since SDUI will allow anyone with access to it to fill up your disk space.

JeLuF avatar Nov 28 '22 09:11 JeLuF

> I think this is beyond the capabilities of this project. There are many different home network topologies to consider, and all the solutions I found require a cloud-side component to be running all the time.
>
> There are projects offering tools to expose local web services to the internet, e.g. https://github.com/localtunnel/localtunnel (open source) or https://ngrok.com/ (commercial, offering a free tier).
>
> When using such a service, make sure that you enable password protection since SDUI will allow anyone with access to it to fill up your disk space.

Hello, thanks for replying. I am running on a KVM VPS server on a website, but want to make it secure etc. I think the other version, stable-diffusion-webui, may offer SSL functionality.

ResearchForumOnline avatar Nov 28 '22 14:11 ResearchForumOnline

For a server installation, I'd recommend configuring a reverse proxy to handle the TLS and certificate update parts, e.g. haproxy, nginx or traefik, and also implementing user authentication using these tools.

JeLuF avatar Nov 29 '22 09:11 JeLuF

Caddy is extremely easy to set up. A basic https reverse proxy /etc/caddy/Caddyfile looks like this (and most of it is optional):

{
    email    you@example.com #placeholder: your ACME contact address
    #key_type p384 #optional
    #acme_ca  https://acme-staging-v02.api.letsencrypt.org/directory #for testing
    #local_certs #locally signed (for testing or use without a CA)
}

#You can specify a domain or subdomain and certificates will be created automatically.
#With local certs you can even use an IP address (replace domain below with IP).
#Both support limiting the proxy to a port eg. your.domain.net:4444

your.domain.net {
    reverse_proxy localhost:9000
}

This is without annotations:

{
    email    you@example.com
}

your.domain.net {
    reverse_proxy localhost:9000
}

Momi-V avatar Nov 30 '22 11:11 Momi-V

I will try again later today using nginx proxy manager. Thanks.

ResearchForumOnline avatar Nov 30 '22 11:11 ResearchForumOnline

Solved:

INSTALL SSL EASY:

Run the commands below to install NGINX if it is not installed already:

sudo apt-get update
sudo apt-get install nginx

Check the available configurations for your firewall with this command:

sudo ufw app list

The output will be as follows:

Output
Available applications:
  Nginx Full
  Nginx HTTP
  Nginx HTTPS
  OpenSSH

Next, enable NGINX with the following command:

sudo ufw allow 'Nginx HTTP'

Now copy paste these commands:

sudo ufw allow 22
sudo ufw enable

Then, confirm the setting by running the command below:

sudo ufw status

With it installed, we'll need to also create a config file for our Botpress server. To do this, run the command below:

cd /etc/nginx/sites-available

Create a new file by running the following command.

sudo nano kodeec.website

Copy the following in the file and save it.

server {
    # listen on port 80 (http)
    listen 80;
    server_name kodeec.website 47.254.153.30 www.kodeec.website;

    location / {
        include proxy_params;
        proxy_pass http://127.0.0.1:9000;
    }
}

Enable the configuration with the following command.

sudo ln -s /etc/nginx/sites-available/kodeec.website /etc/nginx/sites-enabled/

Now you should be able to access 'kodeec.website' on your browser but it is still unsecure.

To install SSL encryption for your website, we can use Let's Encrypt.

To get started with this, install the dependencies with the following commands:

sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get install certbot python-certbot-nginx

or

sudo apt-get install certbot python3-certbot-nginx

Once everything's installed and running, run the command below:

sudo certbot --nginx

Follow the prompt to generate a certificate for your domain.

Finally, run the commands below to enable HTTPS encryption and reload NGINX.

sudo ufw allow https
sudo systemctl reload nginx

https://online-business-seo-forum.seotraining1.com/discussion/133/create-your-own-ai-images-self-hosted-easy-tutorial-home-or-server-desktop-install-linux/p1?new=1

ResearchForumOnline avatar Dec 07 '22 16:12 ResearchForumOnline

Please keep in mind that anyone with access to your SDUI installation can fill your disk and write to any folder that the user running SDUI has access to. It is thus highly recommended to configure password authentication on the reverse proxy.

JeLuF avatar Dec 08 '22 20:12 JeLuF

> Please keep in mind that anyone with access to your SDUI installation can fill your disk and write to any folder that the user running SDUI has access to. It is thus highly recommended to configure password authentication on the reverse proxy.

Thank you, what would be the easiest way to do that?

ResearchForumOnline avatar Dec 08 '22 20:12 ResearchForumOnline

> > Please keep in mind that anyone with access to your SDUI installation can fill your disk and write to any folder that the user running SDUI has access to. It is thus highly recommended to configure password authentication on the reverse proxy.
>
> Thank you, what would be the easiest way to do that?

In Nginx, you can do this in the location block...

auth_basic            "Restricted Area";
auth_basic_user_file  passfile;

To generate the passfile, try this in Bash...

printf "johnsmith:$(openssl passwd -1 c0mplexpassw0rd)\n" > /etc/nginx/passfile

That said, I can't get the "ResearchForumOnline" config to work. I know how to set up SSL with proxy_pass, but with easy-diffusion I get the following Nginx error:

SSL_do_handshake() failed (SSL: error:0A0000C6:SSL routines::packet length too long error:0A000139:SSL routines::record layer failure) while SSL handshaking to upstream

Not sure how to solve it.

pjbrunet avatar Feb 22 '24 05:02 pjbrunet

Update after two days of trying everything: I made the mistake of doing the proxy_pass to https://localhost instead of http! So I have it working now, didn't need any special settings or proxy_params, just a basic Nginx proxy_pass.

To be clear, my Nginx only listens to port 443 (using Let's Encrypt) but that's irrelevant to the proxy_pass to http://localhost:9000/

I did encounter one "libgl" error -- my server was missing a dependency https://stackoverflow.com/a/70672240/722796

pjbrunet avatar Feb 23 '24 05:02 pjbrunet
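
The two checks this thread converges on, written as a small config audit (an added example, not code posted by anyone in the thread): it flags a proxied block with no basic auth, which is JeLuF's warning, and an `https://` `proxy_pass` to a loopback backend, which is the cause pjbrunet found for the handshake error. The sample configs, the `parse` and `audit` names, and the assumption that a loopback backend speaks plain HTTP like the UI on port 9000 are illustrative.

```python
import re

# Constructed samples (not from the thread): WEAK has both problems, FIXED neither.
WEAK = """server {
    listen 443 ssl;
    location / { proxy_pass https://localhost:9000; }
}"""
FIXED = """server {
    listen 443 ssl;
    location / {
        auth_basic           "Restricted Area";
        auth_basic_user_file passfile;
        proxy_pass           http://127.0.0.1:9000;
    }
}"""

TOKEN = re.compile(r'#[^\n]*|"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+')
LOOPBACK_TLS = re.compile(r"https://(localhost|127\.0\.0\.1|\[::1\])(:\d+)?(/|$)")

def parse(tokens):
    """Turn a token iterator into [(words, children)]; children is None for 'a b;'."""
    out, words = [], []
    for tok in tokens:
        if tok == "}":
            break
        if tok in ("{", ";"):
            out.append((words, parse(tokens) if tok == "{" else None))
            words = []
        elif not tok.startswith("#"):          # skip comments
            words.append(tok)
    return out

def audit(conf):
    """Return findings for every block that proxies to a backend."""
    findings = []
    def walk(nodes, where, has_auth):
        args = {w[0]: w[1:] for w, kids in nodes if kids is None and w}
        # The user file is inherited from outer blocks; "auth_basic off" cancels it.
        has_auth = (has_auth or "auth_basic_user_file" in args) and args.get("auth_basic") != ["off"]
        target = " ".join(args.get("proxy_pass", []))
        if target and not has_auth:
            findings.append(f"{where}: proxied without basic auth")
        if LOOPBACK_TLS.match(target):         # assumption: backend is plain HTTP
            findings.append(f"{where}: https:// to a loopback backend")
        for w, kids in nodes:
            if kids is not None:
                walk(kids, " ".join(w), has_auth)
    walk(parse(iter(TOKEN.findall(conf))), "main", False)
    return findings
```

Calling `audit(open(path).read())` on a site file returns an empty list when neither problem is present; it does not follow `include` lines.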