OllaMan Docs

Server Authentication Setup

Configure Basic Auth for Ollama servers

Overview

OllaMan supports connecting to protected Ollama servers via Basic Auth. Since Ollama itself doesn't provide authentication, you need to configure it through a reverse proxy (such as Nginx, Caddy, etc.) to protect your server.


When to Use Authentication

You should enable authentication for your Ollama server in the following scenarios:

  • Server exposed to the internet: Any server accessible from the public internet should be protected
  • Multiple users accessing the same server: Prevent unauthorized access and abuse
  • Security policy requirements: Organizational or team security standards require authentication
  • Protecting sensitive models: When running proprietary or sensitive AI models

Configuring Authentication for Ollama

Using Nginx with Basic Auth

Nginx is the most commonly used reverse proxy server. Here's the complete configuration guide:

Install Required Tools

First, ensure Nginx and Apache utilities (for generating password files) are installed:

# Ubuntu/Debian
sudo apt update
sudo apt install nginx apache2-utils

# macOS
brew install nginx

Create Password File

Use the htpasswd command to create authentication users and passwords:

sudo htpasswd -c /etc/nginx/.htpasswd username

The system will prompt you to enter a password. To add more users, omit the -c flag:

sudo htpasswd /etc/nginx/.htpasswd another_user

Configure Nginx Reverse Proxy

Create or edit the Nginx configuration file (e.g., /etc/nginx/sites-available/ollama):

server {
    listen 8080;
    server_name your-server-domain.com;

    location / {
        # Enable Basic Auth
        auth_basic "Ollama Server";
        auth_basic_user_file /etc/nginx/.htpasswd;

        # Proxy to Ollama default port
        proxy_pass http://localhost:11434;

        # Required proxy headers
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Handle WebSocket connections (if needed)
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Timeout settings (large model inference may take time)
        proxy_read_timeout 300s;
        proxy_connect_timeout 75s;
    }
}

Port explanation: In this configuration, Nginx listens on port 8080 and forwards requests to Ollama's default port 11434. Ollama keeps running on localhost:11434 without any configuration changes. Clients connect to http://your-server:8080.

Enable and Restart Nginx

# Create symbolic link (Ubuntu/Debian)
sudo ln -s /etc/nginx/sites-available/ollama /etc/nginx/sites-enabled/

# Test configuration
sudo nginx -t

# Restart Nginx
sudo systemctl restart nginx

Test Authentication Setup

Use curl to test if Basic Auth is working properly:

# Test unauthenticated request (should fail)
curl http://localhost:8080/api/tags

# Test authenticated request (should succeed)
curl -u username:password http://localhost:8080/api/tags

A successful response should return a list of models; failure will return a 401 Unauthorized error.
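The password prompt on port 8080 protects Ollama only while port 11434 itself cannot be reached from other hosts. The check below is an added example, not part of the OllaMan documentation; it assumes a Linux host with `ss` from iproute2, and the function names are illustrative.

```shell
# Added example. Reads `ss -ltnH` output on stdin and prints every local
# address that listens on the backend port and is not loopback-only.
exposed_backend_listeners() {
    port="${1:-11434}"                        # Ollama default port from the proxy config
    awk -v port="$port" '
        {
            local_addr = $4                   # e.g. 127.0.0.1:11434 or [::]:11434
            n = match(local_addr, /:[0-9]+$/) # position of the trailing ":<port>"
            if (n == 0) next
            addr = substr(local_addr, 1, n - 1)
            if (substr(local_addr, n + 1) != port) next
            sub(/%.*$/, "", addr)             # drop an interface scope such as %lo
            if (addr ~ /^127\./ || addr == "[::1]") next   # loopback: reachable via proxy only
            print addr
        }'
}

# Returns 0 and prints "loopback-only" when the proxy cannot be bypassed,
# otherwise returns 1 and names the exposed bind addresses.
check_backend() {
    found="$(exposed_backend_listeners "${1:-11434}")"
    if [ -n "$found" ]; then
        echo "EXPOSED on: $(printf '%s' "$found" | tr '\n' ' ')"
        return 1
    fi
    echo "loopback-only"
}

# Constructed sample of `ss -ltnH` output, for illustration only.
sample_ss_output() {
    cat <<'EOF'
LISTEN 0 511  0.0.0.0:8080    0.0.0.0:*
LISTEN 0 4096 127.0.0.1:11434 0.0.0.0:*
EOF
}

# On a live host: ss -ltnH | check_backend
```

If the check reports an exposed address, anyone who can reach port 11434 skips the proxy and its authentication entirely.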


Using Caddy with Basic Auth

Caddy is another popular reverse proxy with simpler configuration:

Install Caddy

# Ubuntu/Debian
sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
sudo apt update
sudo apt install caddy

# macOS
brew install caddy

Generate Password Hash

caddy hash-password

After entering your password, copy the generated hash.

Configure Caddyfile

Create or edit /etc/caddy/Caddyfile:

Caddyfile
:8080 {
    # Caddy 2.8 and later name this directive basic_auth;
    # basicauth is the older spelling.
    basicauth {
        username $2a$14$hashed_password_here
    }

    reverse_proxy localhost:11434
}

Replace $2a$14$hashed_password_here with the password hash generated earlier.

Caddy listens on port 8080 and forwards to Ollama's default port 11434; no Ollama configuration changes are needed.

Restart Caddy

sudo systemctl restart caddy

Configuring Authentication in OllaMan

After configuring authentication on the server side, you need to provide authentication information when adding the server in OllaMan:

Open Server Settings

Click the Settings icon in the sidebar, then select the Servers tab.

Add or Edit Server

Click the "Add Server" button, or edit an existing server.

Fill in Authentication Information

In the server configuration form:

  1. Server Name: Give the server an easily recognizable name
  2. Server URL: Enter the reverse proxy address (e.g., http://192.168.1.100:8080)
  3. Username: Enter the authentication username
  4. Password: Enter the authentication password

Test Connection

Click the "Test Connection" button.

If the authentication information is correct, you'll see:

  • Connected: Green indicator
  • Server version information

If authentication fails, it will display:

  • Connection Failed: Red indicator
  • Error message (usually "401 Unauthorized")

Save Configuration

After a successful test, click the "Save" button.

OllaMan detects whether you've filled in authentication information and, if so, adds the Basic Auth header to all requests automatically.


Security Best Practices

Protect Your Server

Network Security

  • Don't expose directly: Avoid exposing Ollama directly to the public internet
  • Use VPN: Access remote servers through VPN or SSH tunnels
  • Configure firewall: Limit access to specific IP addresses only
  • Enable HTTPS: Always use HTTPS encrypted connections in production

Authentication Management

  • Strong passwords: Use passwords with 20+ characters
  • Regular rotation: Periodically change authentication credentials
  • Separate credentials: Don't share the same credentials among team members
  • Least privilege: If possible, assign different permission levels to different users

Access Control

  • Monitor logs: Regularly check access logs to detect anomalous behavior
  • Limit connections: Use IP whitelisting to restrict access sources
  • Timely cleanup: Remove user accounts that are no longer in use
  • Stay updated: Keep Ollama, Nginx/Caddy updated to the latest versions
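One way to act on the "Monitor logs" item, as an added example that is not part of the OllaMan documentation: summarize 401 responses per client address from an Nginx access log and note whether a 2xx response followed. It assumes Nginx's default "combined" log format; the function names, threshold and sample lines are constructed for illustration.

```shell
# Added example. Reads an nginx "combined" access log on stdin and prints
# "<client> <401 count> <outcome>" for every client with at least $1 failures.
auth_failure_report() {
    min="${1:-3}"
    awk -F'"' -v min="$min" '
        {
            split($1, pre, " ")     # pre[1] = client address, pre[3] = $remote_user
            split($3, post, " ")    # post[1] = HTTP status
            ip = pre[1]
            if (post[1] == "401")
                fails[ip]++
            else if (post[1] ~ /^2/ && (ip in fails) && fails[ip] >= min && !(ip in ok))
                ok[ip] = pre[3]     # first success after a run of failures
        }
        END {
            for (ip in fails)
                if (fails[ip] >= min)
                    print ip, fails[ip], ((ip in ok) ? "success-as=" ok[ip] : "no-success")
        }' | sort
}

# Constructed sample log lines (documentation address ranges).
sample_access_log() {
    cat <<'EOF'
198.51.100.20 - alice [10/Mar/2025:09:00:01 +0000] "GET /api/tags HTTP/1.1" 200 512 "-" "example-client"
203.0.113.7 - - [10/Mar/2025:09:01:10 +0000] "GET /api/tags HTTP/1.1" 401 179 "-" "curl/8.5.0"
203.0.113.7 - admin [10/Mar/2025:09:01:11 +0000] "GET /api/tags HTTP/1.1" 401 179 "-" "curl/8.5.0"
203.0.113.7 - admin [10/Mar/2025:09:01:12 +0000] "GET /api/tags HTTP/1.1" 401 179 "-" "curl/8.5.0"
203.0.113.7 - admin [10/Mar/2025:09:01:13 +0000] "POST /api/generate HTTP/1.1" 200 2048 "-" "curl/8.5.0"
198.51.100.20 - - [10/Mar/2025:09:05:00 +0000] "GET /api/tags HTTP/1.1" 401 179 "-" "example-client"
EOF
}

# On a live host: auth_failure_report 10 < /var/log/nginx/access.log
```

A client listed with `success-as=` reached a valid login after repeated failures, which is the case to review first and a reason to rotate that user's password.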

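Basic Auth credentials are only Base64-encoded, not encrypted, and are sent with every request, so over plain HTTP anyone on the network path can read them. For production environments and internet access, HTTPS configuration is strongly recommended: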

Using Let's Encrypt with Nginx

# Install Certbot
sudo apt install certbot python3-certbot-nginx

# Obtain certificate and automatically configure Nginx
sudo certbot --nginx -d your-domain.com

Using Caddy (Automatic HTTPS)

Caddy automatically obtains and renews SSL certificates for your domain:

Caddyfile
your-domain.com {
    basicauth {
        username $2a$14$hashed_password_here
    }

    reverse_proxy localhost:11434
}

After restarting Caddy, it will automatically obtain and configure the SSL certificate.

