Web UI broken when LocalAI is behind a TLS termination reverse proxy

Open pmarini-nc opened this issue 1 month ago • 11 comments

LocalAI version: 3.7.0

Environment, CPU architecture, OS, and Version: Ubuntu Server 24.04 LTS in a LXD container.

Describe the bug: The Web UI is broken when connecting via a TLS termination reverse proxy.

To Reproduce: Set up a local HAProxy with the following configuration and put the certificate+key in /etc/haproxy/tls/

frontend local-ai
	mode tcp
	bind *:8081 ssl crt /etc/haproxy/tls/
	use_backend local-ai

backend local-ai
	server local-ai localhost:8080

Try to connect to the web ui.

Expected behavior: A graphically functional Web UI.

Logs HAProxy and

Additional context

  • The TLS termination setup tried here is successfully used for many services locally (website, web apps..)
  • Connecting from other HTML clients (e.g. wget) to other endpoints (/v1/models) seems to work fine.
  • Disabling TLS in HAProxy seems to work fine.
  • Same behaviour observed using Apache2 and its instructions to terminate TLS.
  • Same issue in previous versions of LocalAI

pmarini-nc avatar Nov 07 '25 14:11 pmarini-nc

Not an issue with LocalAI. I have v3.7.0 behind a reverse proxy with TLS (on Kubernetes) and it works fine.

Expro avatar Nov 07 '25 14:11 Expro

Hello @Expro , thanks for the feedback.

It would be great if you could share your reverse proxy setup. Which reverse proxy are you using? Configuration file?

pmarini-nc avatar Nov 07 '25 14:11 pmarini-nc

I have it behind the NGINX ingress controller on a Kubernetes cluster; it's the same technology, but configured in a completely different way.

Expro avatar Nov 08 '25 10:11 Expro

Can you share the NGINX server block? There should be some TLS-related option that makes it work. Thanks!

pmarini-nc avatar Nov 08 '25 14:11 pmarini-nc

I can confirm this. I use the Docker-Container behind a HAProxy on OPNSense. Same issue. The developer console shows various mixed content errors:

Mixed Content: The page at '<URL>' was loaded over HTTPS, but requested an insecure stylesheet '<URL>'. This request has been blocked; the content must be served over HTTPS.

An ENV-Variable to simply set the Base-URI would solve this perfectly.

mw77 avatar Nov 29 '25 17:11 mw77

Hello @mw77, thanks for your comment!

You seem to suggest a workaround: to define Base-URI as an environment variable? What is the exact name of the environment variable to define?

pmarini-nc avatar Nov 29 '25 20:11 pmarini-nc

Sorry, I think my comment was a little deceptive.

I think this tag in combination with relative links causes the problem:

<base href="http://ai.somedomain.de/">

The server gets the DNS name from the reverse proxy correctly, but doesn't know anything about the protocol.

I know many Docker web apps allow some ENV variable to be set which changes the base tag for the application, but the application (or the web server used) has to implement support for this. I don't think there is some ENV variable you can just pass to achieve this. (But tbh I did not look into your project implementation.)

Keycloak accepts KC_HOSTNAME, for paperless-ngx it is PAPERLESS_URL for example. I think I also saw something like BASE_URI or BASE_URL.

mw77 avatar Nov 30 '25 11:11 mw77

Thanks for the insight @mw77.

I just installed 3.8.0 and the behaviour is the same. I think this is a rather common setup to have LocalAI behind a reverse proxy - @mudler do you think there is a way to solve this? Is https://github.com/mudler/LocalAI/issues/7176#issuecomment-3592454522 correct?

pmarini-nc avatar Dec 01 '25 21:12 pmarini-nc

I can't reproduce, I can serve LocalAI just fine from kubernetes as well, and can use CF tunnels as well to serve it via https without issues.

We do have base URL handling already here: https://github.com/mudler/LocalAI/blob/9872bdf455f34521142226a514826f75ac3990e4/core/http/middleware/baseurl.go#L13 - so I guess what we should do first is actually figure out what the HAProxy headers are, or expose a way to set the base URL from there manually via a variable.

mudler avatar Dec 02 '25 08:12 mudler

Thanks @mudler for the hint. I've added the following instruction in the HAProxy header and everything is working fine.

http-request add-header X-Forwarded-Proto https

Do let me know if you think this should go into deployment documentation. As mentioned above it should be quite to terminate TLS in HAProxy.

This ticket can be closed

pmarini-nc avatar Dec 02 '25 09:12 pmarini-nc
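
Added example (not LocalAI's code and not posted by anyone in this thread): how a backend behind a TLS-terminating proxy can derive the scheme it writes into `<base href>`, which is why the mixed content errors reported earlier in the thread go away once the proxy sends `X-Forwarded-Proto`. The names `trustedProxies`, `baseURL` and `request` and the loopback allow-list are assumptions; the header is honoured only when the peer is a trusted proxy.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// trustedProxies is an assumed allow-list: only these peers may assert the
// original scheme via X-Forwarded-Proto (here, a proxy on the same host).
var trustedProxies = map[string]bool{"127.0.0.1": true, "::1": true}

func fromTrustedProxy(r *http.Request) bool {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	return err == nil && trustedProxies[host]
}

// baseURL returns the value a page would place in <base href="...">.
// Without a forwarded scheme the backend only sees its own plain-HTTP socket.
func baseURL(r *http.Request) string {
	scheme := "http"
	if r.TLS != nil {
		scheme = "https"
	}
	p := strings.ToLower(strings.TrimSpace(r.Header.Get("X-Forwarded-Proto")))
	if fromTrustedProxy(r) && (p == "https" || p == "http") {
		scheme = p
	}
	return scheme + "://" + r.Host + "/"
}

// request builds a constructed sample request as the backend would see it.
func request(peer, proto string) *http.Request {
	r := httptest.NewRequest("GET", "http://ai.somedomain.de/", nil)
	r.RemoteAddr = peer
	if proto != "" {
		r.Header.Set("X-Forwarded-Proto", proto)
	}
	return r
}

func main() {
	fmt.Println(baseURL(request("127.0.0.1:40000", "")))        // proxy sends no header
	fmt.Println(baseURL(request("127.0.0.1:40000", "https")))   // proxy sets the header
	fmt.Println(baseURL(request("203.0.113.9:40000", "https"))) // untrusted peer is ignored
}
```

On the HAProxy side, `http-request set-header` replaces any `X-Forwarded-Proto` value the client sent, whereas `add-header` appends another one next to it.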

@pmarini-nc If you feel like opening up a PR, it would be a great addition, probably better placed in the reference section: https://localai.io/reference/

mudler avatar Dec 02 '25 13:12 mudler