Run openweb-ui over https to simulate production better

Run openweb-ui over https to simulate production better

.gitignore

@@ -139,3 +139,5 @@ dmypy.json
 /docker.env
 /**/temp/
 /image_generation/*.png
+/certs/*
+/letsencrypt/*

Makefile

@@ -7,7 +7,7 @@ Pipfile.lock: # Locks Pipfile and updates the Pipfile.lock on the local file sys
 
 .PHONY:devsetup
 devsetup: ## one time setup for devs
-	make update && \
+	brew install mkcert && \
 	make up && \
 	make setup-pre-commit && \
 	make tests && \
@@ -27,7 +27,7 @@ up: ## starts docker containers
 	@echo language_model_gateway Service: http://localhost:5050/graphql
 
 .PHONY: up-open-webui
-up-open-webui: ## starts docker containers
+up-open-webui: clean_database ## starts docker containers
 	docker compose --progress=plain -f docker-compose-openwebui.yml up --build -d
 	echo "waiting for open-webui service to become healthy" && \
 	while [ "`docker inspect --format {{.State.Health.Status}} language_model_gateway-open-webui-1`" != "healthy" ]; do printf "." && sleep 2; done && \
@@ -36,16 +36,50 @@ up-open-webui: ## starts docker containers
 	echo ""
 	@echo OpenWebUI: http://localhost:3050
 
-.PHONY: up-open-webui-auth
-up-open-webui-auth: ## starts docker containers
-	docker compose --progress=plain -f docker-compose-openwebui-auth.yml up --build -d
+.PHONY: up-open-webui-ssl
+up-open-webui-ssl: clean_database ## starts docker containers
+	docker compose --progress=plain -f docker-compose-openwebui.yml -f docker-compose-openwebui-ssl.yml up --build -d
 	echo "waiting for open-webui service to become healthy" && \
 	while [ "`docker inspect --format {{.State.Health.Status}} language_model_gateway-open-webui-1`" != "healthy" ]; do printf "." && sleep 2; done && \
 	while [ "`docker inspect --format {{.State.Health.Status}} language_model_gateway-open-webui-1`" != "healthy" ] && [ "`docker inspect --format {{.State.Health.Status}} language_model_gateway-open-webui-1`" != "unhealthy" ] && [ "`docker inspect --format {{.State.Status}} language_model_gateway-open-webui-1`" != "restarting" ]; do printf "." && sleep 2; done && \
 	if [ "`docker inspect --format {{.State.Health.Status}} language_model_gateway-open-webui-1`" != "healthy" ]; then docker ps && docker logs language_model_gateway-open-webui-1 && printf "========== ERROR: language_model_gateway-open-webui-1 did not start. Run docker logs language_model_gateway-open-webui-1 =========\n" && exit 1; fi && \
 	echo ""
+	@echo OpenWebUI: http://localhost:3050 https://open-webui.localhost
+
+.PHONY: up-open-webui-auth
+up-open-webui-auth: clean_database create-certs ## starts docker containers
+	docker compose --progress=plain -f docker-compose-openwebui.yml -f docker-compose-openwebui-ssl.yml -f docker-compose-openwebui-auth.yml up --build -d
+	echo "waiting for open-webui service to become healthy" && \
+	max_attempts=30 && \
+	attempt=0 && \
+	while [ $$attempt -lt $$max_attempts ]; do \
+		container_status=$$(docker inspect --format '{{.State.Health.Status}}' language_model_gateway-open-webui-1 2>/dev/null) && \
+		container_state=$$(docker inspect --format '{{.State.Status}}' language_model_gateway-open-webui-1 2>/dev/null) && \
+		if [ "$$container_status" = "healthy" ]; then \
+			echo "" && \
+			break; \
+		elif [ "$$container_status" = "unhealthy" ] || [ "$$container_state" = "restarting" ]; then \
+			echo "" && \
+			echo "========== ERROR: Container became unhealthy ==========" && \
+			docker ps && \
+			docker logs language_model_gateway-open-webui-1 && \
+			printf "========== ERROR: language_model_gateway-open-webui-1 is unhealthy. Run docker logs language_model_gateway-open-webui-1 =========\n" && \
+			exit 1; \
+		fi; \
+		printf "." && \
+		sleep 2 && \
+		attempt=$$((attempt + 1)); \
+	done && \
+	if [ $$attempt -ge $$max_attempts ]; then \
+		echo "" && \
+		echo "========== ERROR: Container did not become healthy within timeout ==========" && \
+		docker ps && \
+		docker logs language_model_gateway-open-webui-1 && \
+		printf "========== ERROR: language_model_gateway-open-webui-1 did not start. Run docker logs language_model_gateway-open-webui-1 =========\n" && \
+		exit 1; \
+	fi
 	make insert-admin-user
-	@echo OpenWebUI: http://localhost:3050 tester/password
+	@echo OpenWebUI: http://localhost:3050  https://open-webui.localhost tester/password
 	@echo Keycloak: http://keycloak:8080 admin/password
 	@echo OIDC debugger: http://localhost:8085
 
@@ -95,7 +129,10 @@ run-pre-commit: setup-pre-commit
 	./.git/hooks/pre-commit pre_commit_all_files
 
 .PHONY: clean
-clean: down ## Cleans all the local docker setup
+clean: down clean_database ## Cleans all the local docker setup
+
+.PHONY: clean_database
+clean_database: ## Cleans all the local docker setup
 ifneq ($(shell docker volume ls | grep "language_model_gateway"| awk '{print $$2}'),)
 	docker volume ls | grep "language_model_gateway" | awk '{print $$2}' | xargs docker volume rm
 endif
@@ -106,3 +143,28 @@ insert-admin-user:
     "INSERT INTO public.\"user\" (id,name,email,\"role\",profile_image_url,api_key,created_at,updated_at,last_active_at,settings,info,oauth_sub) \
     SELECT '8d967d73-99b8-40ff-ac3b-c71ac19e1286','User','admin@localhost','admin','/user.png',NULL,1735089600,1735089600,1735089609,'{"ui": {"version": "0.4.8"}}','null',NULL \
     WHERE NOT EXISTS (SELECT 1 FROM public.\"user\" WHERE id = '8d967d73-99b8-40ff-ac3b-c71ac19e1286');"
+
+CERT_DIR := certs
+CERT_KEY := $(CERT_DIR)/open-webui.localhost-key.pem
+CERT_CRT := $(CERT_DIR)/open-webui.localhost.pem
+
+.PHONY: all install-ca create-certs
+
+# Install local Certificate Authority
+install-ca:
+	mkcert -install
+
+# Create certificates
+create-certs: install-ca
+	@if [ ! -f "$(CERT_CRT)" ]; then \
+		mkdir -p $(CERT_DIR); \
+		mkcert open-webui.localhost localhost 127.0.0.1 ::1; \
+		mv ./open-webui.localhost+3.pem $(CERT_CRT); \
+		mv ./open-webui.localhost+3-key.pem $(CERT_KEY); \
+		echo "Certificates generated in $(CERT_DIR)"; \
+	else \
+		echo "Certificates already exist at $(CERT_CRT)"; \
+	fi
+
+clean_certs:
+	rm -rf $(CERT_DIR)

docker-compose-openwebui-auth.yml

@@ -1,61 +1,13 @@
 version: '3'
 services:
   open-webui:
-    ports:
-      - '3050:8080'
-    image: ghcr.io/open-webui/open-webui:v0.4.8
-#    image: openwebui-local:latest
-#    build:
-#        context: ../open-webui
-#        dockerfile: Dockerfile
-    depends_on:
-      - open-webui-db
-      - keycloak
-    env_file:
-      - docker.env
     environment:
       # https://docs.openwebui.com/getting-started/advanced-topics/env-configuration
-      BYPASS_MODEL_ACCESS_CONTROL: True
-      DEFAULT_USER_ROLE: user
-#      WEBUI_AUTH: 0
-      #      OPENAI_API_BASE_URL: 'https://api.openai.com/v1'
-      GLOBAL_LOG_LEVEL: debug
-      SRC_LOG_LEVELS: '{"SOCKET": "DEBUG", "MAIN": "DEBUG", "MODELS": "DEBUG", "OPENAI": "DEBUG", "OAUTH": "DEBUG", "CONFIG": "DEBUG", "DB": "DEBUG"}'
-      #      OPENAI_API_BASE_URL: 'http://dev:5000/api/v1'
-      # Supports balanced OpenAI base API URLs, semicolon-separated.
-      OPENAI_API_BASE_URL: 'http://dev:5000/api/v1'
-      CORS_ALLOW_ORIGIN: '*'
-      OPENAI_API_KEY: 'bedrock'
-      #      DEFAULT_MODELS: "General Purpose"
-      DEFAULT_MODELS: "us.anthropic.claude-3-5-sonnet-20241022-v2:0"
-      ENABLE_MODEL_FILTER: True
-      #      MODEL_FILTER_LIST: "anthropic.claude-3-5-sonnet-20240620-v1:0"
-      WEBUI_SECRET_KEY: ""
-      WEBUI_DB_HOST: "open-webui-db"
-      DATABASE_URL: "postgresql://myapp_user:myapp_pass@open-webui-db:5431/myapp_db"
-      ENABLE_OLLAMA_API: False
-      ENABLE_EVALUATION_ARENA_MODELS: False
-      #      TITLE_GENERATION_PROMPT_TEMPLATE: "What do you want to know about your health?"
-      ENABLE_IMAGE_GENERATION: True
-      IMAGE_GENERATION_ENGINE: "openai"
-      IMAGES_OPENAI_API_BASE_URL: "http://localhost:5050/api/v1"
-      IMAGES_OPENAI_API_KEY: "bedrock"
-      IMAGE_GENERATION_MODEL: "amazon.titan-image-generator-v2:0"
-      LOAD_PROMPT_FROM_LANGCHAIN_HUB: False
-      WEBUI_FAVICON_URL: "http://localhost:5050/favicon.png"
-      WEBUI_NAME: "b.ai"
-      WEBUI_BANNERS: '[{"id": "1", "type":"info", "title":"Welcome to b.well AI", "content":"Welcome to b.well AI! **[Click here for AI Resource Guide](https://icanbwell.atlassian.net/wiki/spaces/BRG/pages/5092442117/AI+Resource+Guide)**", "dismissible": false, "timestamp": 100000},{"id": "2", "type":"info", "title":"Help", "content":"Type \"help\" if you need help.  Reload page if you do not get results.  Use \"Prompt Helper\" model to create better prompts.", "dismissible": false, "timestamp": 100000}]'
+      WEBUI_AUTH: True
       ENABLE_FORWARD_USER_INFO_HEADERS: True
       ENABLE_FORWARD_OAUTH_TOKEN: True
-      # Speech to text settings
-      AUDIO_STT_ENGINE: "openai"
-      AUDIO_STT_OPENAI_API_BASE_URL: "http://localhost:5050/api/v1"
-      # text to speech settings
-      AUDIO_TTS_ENGINE: "openai"
-      AUDIO_TTS_OPENAI_API_BASE_URL: "http://localhost:5050/api/v1"
-      AUDIO_TTS_VOICE: "alloy"
       # Authentication settings (https://docs.openwebui.com/features/sso#oidc)
-#      ENABLE_SIGNUP: True
+      ENABLE_SIGNUP: True
 #      ENABLE_LOGIN_FORM: True
       ENABLE_API_KEY: False
       OAUTH_CLIENT_ID: "bwell-client-id"
@@ -65,29 +17,6 @@ services:
       OAUTH_PROVIDER_NAME: "keycloak"
       OAUTH_SCOPES: "openid email"
       OAUTH_USERNAME_CLAIM: "email"
-      SAFE_MODE: True
-      # curl --silent --fail http://localhost:8081/health | jq -ne 'input.status == true' || exit 1
-  #    volumes:
-  #      - ./openwebui/backend/data:/app/backend/data
-  #      - ./openwebui-config/config.json:/app/backend/data/config.json:cached
-
-  open-webui-db:
-    image: postgres:13
-    environment:
-      - POSTGRES_DB=myapp_db
-      - POSTGRES_USER=myapp_user
-      - POSTGRES_PASSWORD=myapp_pass
-    ports:
-      - "5431:5431"
-    command: -p 5431
-    healthcheck:
-      test: [ "CMD-SHELL", "pg_isready -U myapp_user -d myapp_db -p 5431" ]
-      interval: 3s
-      timeout: 5s
-      retries: 5
-    restart: always
-    volumes:
-      - postgres_data:/var/lib/postgresql/data
 
   keycloak:
     # https://github.com/keycloak/keycloak/releases
@@ -143,6 +72,8 @@ services:
       interval: 10s
       timeout: 5s
       retries: 5
+    networks:
+      - web
 
   openid-connect-debugger:
     image: leplusorg/openid-connect-provider-debugger:latest
@@ -161,7 +92,5 @@ services:
       - oidc_ssl_verify=no
     depends_on:
       - keycloak
-
-volumes:
-  postgres_data:
-    driver: local
+    networks:
+      - web

docker-compose-openwebui-ssl.yml

@@ -0,0 +1,34 @@
+version: '3.8'
+
+services:
+  traefik:
+    image: traefik:v2.10
+    container_name: traefik
+    command:
+      - "--providers.docker=true"
+      - "--providers.docker.exposedbydefault=false"
+      - "--providers.file.filename=/traefik_dynamic_conf.yml"
+      - "--entrypoints.web.address=:80"
+      - "--entrypoints.websecure.address=:443"
+    ports:
+      - "80:80"
+      - "443:443"
+    volumes:
+      - "/var/run/docker.sock:/var/run/docker.sock:ro"
+      - "./traefik_dynamic_conf.yml:/traefik_dynamic_conf.yml"
+      - "./certs/open-webui.localhost.pem:/open-webui.localhost.pem"
+      - "./certs/open-webui.localhost-key.pem:/open-webui.localhost-key.pem"
+    restart: always
+    networks:
+        - web
+
+  open-webui:
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.open-webui.rule=Host(`open-webui.localhost`)"
+      - "traefik.http.routers.open-webui.entrypoints=websecure"
+      - "traefik.http.routers.open-webui.tls=true"
+      - "traefik.http.services.open-webui.loadbalancer.server.port=8080"
+    volumes:
+      - "./certs/open-webui.localhost.pem:/etc/ssl/certs/open-webui.localhost.crt:ro"
+      - "./certs/open-webui.localhost-key.pem:/etc/ssl/private/open-webui.localhost.key:ro"

docker-compose-openwebui.yml

@@ -1,17 +1,14 @@
-version: '3'
+version: '3.8'
+
 services:
   open-webui:
-    ports:
-      - '3050:8080'
     image: ghcr.io/open-webui/open-webui:v0.5.1
-#    image: openwebui-local:latest
-#    build:
-#        context: ../open-webui
-#        dockerfile: Dockerfile
     depends_on:
       - open-webui-db
     env_file:
       - docker.env
+    ports:
+      - "3050:8080"
     environment:
       # https://docs.openwebui.com/getting-started/advanced-topics/env-configuration
       BYPASS_MODEL_ACCESS_CONTROL: True
@@ -29,7 +26,6 @@ services:
       DEFAULT_MODELS: "us.anthropic.claude-3-5-sonnet-20241022-v2:0"
       ENABLE_MODEL_FILTER: True
       #      MODEL_FILTER_LIST: "anthropic.claude-3-5-sonnet-20240620-v1:0"
-      WEBUI_SECRET_KEY: ""
       WEBUI_DB_HOST: "open-webui-db"
       DATABASE_URL: "postgresql://myapp_user:myapp_pass@open-webui-db:5431/myapp_db"
       ENABLE_OLLAMA_API: False
@@ -54,11 +50,17 @@ services:
       AUDIO_TTS_OPENAI_API_BASE_URL: "http://localhost:5050/api/v1"
       AUDIO_TTS_VOICE: "alloy"
       SAFE_MODE: True
-      ENABLE_WEBSOCKET_SUPPORT: False
+      ENABLE_WEBSOCKET_SUPPORT: True
       # curl --silent --fail http://localhost:8081/health | jq -ne 'input.status == true' || exit 1
-  #    volumes:
-  #      - ./openwebui/backend/data:/app/backend/data
-  #      - ./openwebui-config/config.json:/app/backend/data/config.json:cached
+      WEBUI_SECRET_KEY: "${WEBUI_SECRET_KEY:-$(openssl rand -hex 32)}"
+    networks:
+      - web
+    healthcheck:
+      test: [ "CMD-SHELL", "curl --silent --fail http://localhost:8080/health | jq -ne 'input.status == true' || exit 1" ]
+      interval: 5s
+      timeout: 5s
+      start_period: 10s
+      retries: 20
 
   open-webui-db:
     image: postgres:13
@@ -69,15 +71,21 @@ services:
     ports:
       - "5431:5431"
     command: -p 5431
+    volumes:
+      - postgres_data:/var/lib/postgresql/data
+    networks:
+      - web
     healthcheck:
       test: [ "CMD-SHELL", "pg_isready -U myapp_user -d myapp_db -p 5431" ]
       interval: 3s
       timeout: 5s
       retries: 5
     restart: always
-    volumes:
-      - postgres_data:/var/lib/postgresql/data
 
 volumes:
   postgres_data:
     driver: local
+
+networks:
+  web:
+    driver: bridge

docker-compose.yml

@@ -47,3 +47,9 @@ services:
       interval: 10s
       timeout: 10s
       retries: 3
+    networks:
+      - web
+
+networks:
+  web:
+    driver: bridge