Ollama’s API is incredibly easy to expose securely to the outside world with Nginx, but the magic that makes it work is that Nginx is not simply forwarding traffic; it’s acting as a full-fledged reverse proxy that can terminate TLS and rewrite requests on the fly.
Let’s see it in action. Imagine you have Ollama running locally on http://localhost:11434. You want to expose it externally on https://ollama.example.com.
First, ensure you have Nginx installed. Then, you’ll need an SSL certificate. For testing, you can use mkcert to generate a local certificate:
mkcert -install
mkcert ollama.example.com
This will create ollama.example.com.pem and ollama.example.com-key.pem files.
Now, create an Nginx configuration file, say /etc/nginx/conf.d/ollama.conf, with the following content:
server {
    listen 443 ssl http2;
    server_name ollama.example.com;

    ssl_certificate /path/to/your/ollama.example.com.pem;
    ssl_certificate_key /path/to/your/ollama.example.com-key.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    location / {
        proxy_pass http://localhost:11434;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_buffering off;
    }
}

server {
    listen 80;
    server_name ollama.example.com;
    return 301 https://$host$request_uri;
}
After saving this file, test your Nginx configuration:
sudo nginx -t
If the syntax check passes, reload Nginx:
sudo systemctl reload nginx
Now, you can access your Ollama API securely at https://ollama.example.com.
The primary problem this configuration solves is exposing a local, unencrypted service to the internet without sacrificing security. Ollama itself doesn’t natively handle HTTPS, and running it directly on a public IP address is a significant security risk. Nginx acts as a secure gateway. It terminates the TLS connection from your client, decrypts the traffic, and then forwards it as plain HTTP to the local Ollama instance. Crucially, it also adds headers like X-Forwarded-Proto which tell Ollama that the original request was made over HTTPS, even though the connection between Nginx and Ollama is not.
The proxy_set_header directives are vital. Host $host passes the original Host header from the client to Ollama, which is important for some applications. X-Real-IP $remote_addr and X-Forwarded-For $proxy_add_x_forwarded_for ensure that Ollama knows the actual IP address of the client making the request, not just the IP of the Nginx server. X-Forwarded-Proto $scheme is particularly important for Ollama. When Nginx receives an HTTPS request, $scheme will be https, and this header tells Ollama that the client initiated a secure connection.
The Upgrade and Connection "upgrade" headers are essential for WebSockets, which Ollama uses for streaming responses. Without these, long-polling or streaming interactions would fail. proxy_buffering off; is often recommended for real-time applications like this to reduce latency by preventing Nginx from buffering the entire response before sending it to the client.
The second server block is a standard redirect. It listens on port 80 (HTTP) and immediately redirects any incoming requests to the HTTPS version of the same URL. This ensures that all traffic to ollama.example.com is automatically upgraded to a secure connection.
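The properties described above can be checked mechanically before each reload. The following is an added example, not part of the original article or of Nginx or Ollama: a small Python audit that uses a simple text splitter rather than a full Nginx parser. The names `SAMPLE_CONF`, `server_blocks` and `audit`, and the rule set itself (TLS 1.2/1.3 only, loopback-only `proxy_pass`, the four forwarding headers, buffering off, port 80 redirecting to HTTPS), are assumptions taken from the configuration shown here.

```python
import re
# Constructed sample: a trimmed copy of the two server blocks from the config above.
SAMPLE_CONF = """
server {
    listen 443 ssl http2;
    ssl_protocols TLSv1.2 TLSv1.3;
    location / {
        proxy_pass http://localhost:11434;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_buffering off;
    }
}
server {
    listen 80;
    return 301 https://$host$request_uri;
}
"""

REQUIRED_HEADERS = {"Host", "X-Real-IP", "X-Forwarded-For", "X-Forwarded-Proto"}
LOOPBACK = re.compile(r"^http://(localhost|127\.0\.0\.1|\[::1\])(:\d+)?(/|$)")

def server_blocks(conf):
    # Strip comments, split on "server {", return each block as (directive, args) pairs.
    chunks = re.split(r"\bserver\s*\{", re.sub(r"#[^\n]*", "", conf))[1:]
    split = lambda c: (s.split() for s in re.split(r"[;{}]", c))
    return [[(s[0], s[1:]) for s in split(c) if s] for c in chunks]

def audit(conf):
    # Return a list of findings; an empty list means every check passed.
    findings = []
    for n, block in enumerate(server_blocks(conf), 1):
        get = lambda name: [args for d, args in block if d == name]
        if any("ssl" in args for args in get("listen")):
            protos = {p for args in get("ssl_protocols") for p in args}
            if not protos or protos - {"TLSv1.2", "TLSv1.3"}:
                findings.append(f"server {n}: ssl_protocols not limited to TLSv1.2/1.3")
            for args in get("proxy_pass"):
                if not LOOPBACK.match(args[0]):
                    findings.append(f"server {n}: proxy_pass {args[0]} is not loopback")
            for h in sorted(REQUIRED_HEADERS - {a[0] for a in get("proxy_set_header")}):
                findings.append(f"server {n}: missing proxy_set_header {h}")
            if ["off"] not in get("proxy_buffering"):
                findings.append(f"server {n}: proxy_buffering is not off")
        elif not any(a[:1] == ["301"] and a[-1].startswith("https://") for a in get("return")):
            findings.append(f"server {n}: plain-HTTP listener does not redirect to HTTPS")
    return findings
print(audit(SAMPLE_CONF) or "no findings")
```

To audit the real file, pass the contents of /etc/nginx/conf.d/ollama.conf to `audit()` and treat a non-empty result as a reason not to reload.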
Most people focus on the proxy_pass and TLS setup, but the Upgrade and Connection headers are the unsung heroes for enabling streaming capabilities. If you try to stream a response from a model without them, you’ll likely get a full response, but the streaming tokens will be missing or arrive all at once.
The next hurdle is often managing multiple Ollama models or applying more granular access controls per model endpoint.