Skip to content

Deployment Overview of Open WebUI with DeepSeek-R1:14B on Server

Prerequisites and Basic Requirements

The deployment requires a Linux server running Ubuntu with the following specifications:

  • Operating System: Ubuntu (latest LTS recommended)

  • Privileges: Root access or sudo privileges are required for all installation and configuration steps.

  • Domain: The server must be configured to resolve the hostkey.in domain.

  • Ports:

  • Port 80: Required for HTTP redirection and ACME challenge validation.

  • Port 443: Required for HTTPS traffic.

  • Port 11434: Used internally by the Ollama service.

  • Port 3000: Internal port for the Open WebUI application.

FQDN of the Final Panel

The application is accessible via the following Fully Qualified Domain Name (FQDN) format:

  • deepseek<Server ID>.hostkey.in:443

Replace <Server ID> with the specific identifier assigned to the server instance. The service operates over HTTPS on port 443.

File and Directory Structure

The deployment utilizes the following directory structure for configuration, data, and certificates:

  • /root/nginx/: Contains the Docker Compose configuration for the proxy server.

  • /root/nginx/compose.yml: Docker Compose file for Nginx and Certbot.

  • /data/nginx/: Stores Nginx user configurations and environment variables.

  • /data/nginx/user_conf.d/: Directory containing virtual host configuration files.

    • deepseek<Server ID>.hostkey.in.conf: HTTPS virtual host configuration.

    • deepseek<Server ID>.hostkey.in.http.conf: HTTP virtual host configuration for ACME challenges.

  • /data/nginx/nginx-certbot.env: Environment variables for the Certbot service.

  • /etc/systemd/system/ollama.service.d/: Directory containing systemd overrides for the Ollama service.

  • override.conf: Configuration file modifying Ollama environment variables.

  • /var/www/certbot/: Webroot directory inside the Nginx container for Let's Encrypt ACME challenges.

Application Installation Process

The application stack consists of three main components: Ollama, Open WebUI, and an Nginx reverse proxy with Certbot.

  1. Ollama Installation:

  2. The Ollama service is installed via the official installation script.

  3. The deepseek-r1:14b model is pulled and loaded into the Ollama service.

  4. The service is configured to listen on all network interfaces (0.0.0.0) and allows cross-origin requests.

  5. Open WebUI Deployment:

  6. The Open WebUI application is deployed as a Docker container using the ghcr.io/open-webui/open-webui:cuda image.

  7. The container is configured to use host networking and requests GPU capabilities.

  8. It connects to the local Ollama instance at http://127.0.0.1:11434.

  9. Proxy and SSL Setup:

  10. An Nginx container running the jonasal/nginx-certbot:latest image is deployed to handle SSL termination and reverse proxying.

  11. The proxy forwards traffic from the external FQDN to the internal Open WebUI service.

Access Rights and Security

  • System Users: The ollama system user is created and utilized by the Ollama service.

  • Firewall: The server must allow inbound traffic on ports 80 and 443. Internal communication occurs on port 11434 and 3000.

  • SSL/TLS: SSL certificates are managed automatically by Certbot within the Nginx container.

  • Environment Restrictions: The Ollama service is configured with OLLAMA_ORIGINS=* to allow connections from the web interface, and LLAMA_FLASH_ATTENTION=1 is enabled for performance optimization.

Databases

  • Storage Method: The Open WebUI application stores its data in a Docker volume named open-webui.

  • Location: The data is persisted at /app/backend/data within the container, mapped to the host's Docker volume storage.

  • Configuration: No external database server is required; the application uses its internal storage mechanism.

Docker Containers and Their Deployment

The deployment utilizes two primary Docker containers:

  1. Open WebUI Container:

  2. Name: open-webui

  3. Image: ghcr.io/open-webui/open-webui:cuda

  4. Network Mode: host

  5. Restart Policy: always

  6. Environment Variables:

    • ENV: dev

    • OLLAMA_BASE_URLS: http://127.0.0.1:11434

  7. Volumes:

    • open-webui:/app/backend/data

  8. Device Requests: GPU capabilities are requested for inference acceleration.

  9. Nginx Proxy Container:

  10. Image: jonasal/nginx-certbot:latest

  11. Network Mode: host

  12. Restart Policy: unless-stopped

  13. Environment Variables:

  14. Volumes:

    • nginx_secrets:/etc/letsencrypt (External volume)

    • /data/nginx/user_conf.d:/etc/nginx/user_conf.d (Bind mount)

Proxy Servers

The Nginx reverse proxy is configured to handle SSL termination and route traffic to the Open WebUI application.

  • SSL Provider: Let's Encrypt via Certbot.

  • Configuration Files:

  • HTTPS: Located at /data/nginx/user_conf.d/deepseek<Server ID>.hostkey.in.conf.

    • Listens on port 443.

    • Proxies requests to http://127.0.0.1:8080 (Note: The configuration script sets the proxy pass to port 8080, though the internal application runs on port 3000; the system relies on the specific routing defined in the generated configuration).

    • Passes the Host header to the upstream server.

  • HTTP: Located at /data/nginx/user_conf.d/deepseek<Server ID>.hostkey.in.http.conf.

    • Listens on port 80.

    • Serves ACME challenges from /var/www/certbot/.well-known/acme-challenge/.

    • Redirects all other traffic to HTTPS.

  • Custom Domains: The proxy is configured specifically for the deepseek<Server ID>.hostkey.in subdomain.

Permission Settings

  • Nginx Configuration Directory: /root/nginx is owned by root:root with permissions 0755.

  • Compose File: /root/nginx/compose.yml is owned by root:root with permissions 0644.

  • User Configuration Directory: /data/nginx/user_conf.d is mounted into the container and must be readable by the Nginx process.

  • Systemd Overrides: /etc/systemd/system/ollama.service.d/override.conf is owned by root with standard system configuration permissions.

Location of Configuration Files and Data

  • Ollama Service Override: /etc/systemd/system/ollama.service.d/override.conf

  • Nginx Compose File: /root/nginx/compose.yml

  • Nginx HTTPS Config: /data/nginx/user_conf.d/deepseek<Server ID>.hostkey.in.conf

  • Nginx HTTP Config: /data/nginx/user_conf.d/deepseek<Server ID>.hostkey.in.http.conf

  • Certbot Environment: /data/nginx/nginx-certbot.env

  • Application Data: Stored in the Docker volume open-webui.

Available Ports for Connection

  • Port 80: HTTP (Redirects to HTTPS).

  • Port 443: HTTPS (Main access point for the Open WebUI interface).

  • Port 11434: Ollama API (Internal use only).

  • Port 3000: Open WebUI internal port (Not exposed directly to the public internet).

Starting, Stopping, and Updating

The services are managed via systemd for Ollama and Docker for the containers.

  • Ollama Service:

  • Start: systemctl start ollama

  • Stop: systemctl stop ollama

  • Restart: systemctl restart ollama

  • Enable on boot: systemctl enable ollama

  • Open WebUI Container:

  • Start: docker start open-webui

  • Stop: docker stop open-webui

  • Restart: docker restart open-webui

  • Update Image: docker pull ghcr.io/open-webui/open-webui:cuda followed by docker restart open-webui

  • Nginx Proxy Container:

  • Start: docker compose up -d (executed from /root/nginx)

  • Stop: docker compose down (executed from /root/nginx)

  • Reload Configuration: docker exec nginx-nginx-1 nginx -s reload

  • Test Configuration: docker exec nginx-nginx-1 nginx -t

question_mark
Is there anything I can help you with?
question_mark
AI Assistant ×