
Support for SSL client certificate #136

Open
bhenriq opened this issue Jul 14, 2024 · 5 comments

Comments

@bhenriq

bhenriq commented Jul 14, 2024

Hi there,

I have an ollama server running behind an HTTP reverse proxy.

This reverse proxy is configured to request an SSL client certificate.

As a result, any incoming HTTPS request that does not have this client certificate is rejected.

I do this out of security concerns, because I consider it to be a lot safer than just exposing ollama directly to the web.

I have also installed the SSL client certificate on my iPhone.

If I try to access the URL with Safari, it automatically detects that the server is requesting a client certificate and uses the one that is configured at the OS level.

But it seems that the Enchanted app is not able to do the same. Is there any plan to support SSL client certificate with Enchanted?

@levicki

levicki commented Jul 15, 2024

@bhenriq I have an issue with iPhone app not connecting to my reverse proxy (Safari can connect just fine). Is your setup with iOS or Mac Enchanted app? If it's iOS do you mind sharing your reverse proxy setup (censored as needed of course)?

@bhenriq
Author

bhenriq commented Jul 15, 2024

@levicki

My setup is the following:

  • Enchanted app on iPhone (running on iOS 17.5.1)
  • ollama server (version 0.2.5) on Raspberry Pi 5 (running Ubuntu 23.10) inside my home network
  • My internet gateway has a public IP (with a public domain name) and is doing a port redirect towards the Pi
  • Reverse proxy on Lighttpd (version 1.4.69)
  • Self-signed SSL certificate with openssl. The client certificate is installed on iOS as a profile

Tested already:

  • I can query the ollama server using cURL on my laptop directly from the internet (using the SSL client certificate) => This validates that the ollama server and reverse proxy are working fine
  • I can talk to the ollama server using Safari on my iPhone from the internet (using the SSL client certificate) => This validates that the SSL certificate is correctly installed on the iPhone
  • I can query the ollama server using the Enchanted app on my iPhone inside my home network (not using SSL but HTTP only, and configuring the app to use the private IP of the Pi)

My assumption is that the Enchanted app is not able to leverage the SSL client certificate that is installed on the iPhone.

Hoping this helps.
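For reference on what the feature request amounts to on the app side: Safari picks up the identity from the installed profile automatically, but an iOS app using URLSession has to answer the server's client-certificate challenge itself, and identities installed through a configuration profile are not visible to third-party apps, so the app has to import its own PKCS#12 bundle. The following is an added example, not code from the Enchanted project or from the thread; the class name and the p12/password arguments are assumptions for illustration.

```swift
import Foundation
import Security

/// URLSession delegate that presents a client certificate when the reverse proxy
/// asks for one. Hypothetical helper, not part of Enchanted.
final class ClientCertSessionDelegate: NSObject, URLSessionDelegate {
    private let identity: SecIdentity
    private let certChain: [SecCertificate]

    /// `p12Data` is a PKCS#12 bundle (client cert + private key) exported with
    /// openssl and shipped or picked by the user; `password` protects it.
    init?(p12Data: Data, password: String) {
        let options: [String: Any] = [kSecImportExportPassphrase as String: password]
        var items: CFArray?
        let status = SecPKCS12Import(p12Data as CFData, options as CFDictionary, &items)
        guard status == errSecSuccess,
              let first = (items as? [[String: Any]])?.first,
              let identityRef = first[kSecImportItemIdentity as String] else {
            // Wrong password or malformed bundle: refuse to build a delegate
            // rather than silently falling back to an unauthenticated session.
            return nil
        }
        identity = identityRef as! SecIdentity
        certChain = (first[kSecImportItemCertChain as String] as? [SecCertificate]) ?? []
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        switch challenge.protectionSpace.authenticationMethod {
        case NSURLAuthenticationMethodClientCertificate:
            // The proxy requested a client certificate during the TLS handshake:
            // answer with our identity and its chain.
            let credential = URLCredential(identity: identity,
                                           certificates: certChain,
                                           persistence: .forSession)
            completionHandler(.useCredential, credential)
        default:
            // Server trust and everything else: keep the system's default checks.
            // A self-signed server certificate still has to be trusted via an
            // installed profile (or pinned explicitly); do not blanket-accept it.
            completionHandler(.performDefaultHandling, nil)
        }
    }
}

// Usage (assumed file location and password):
// let p12 = try Data(contentsOf: p12URL)
// guard let delegate = ClientCertSessionDelegate(p12Data: p12, password: p12Password) else { /* report */ }
// let session = URLSession(configuration: .default, delegate: delegate, delegateQueue: nil)
// session.dataTask(with: URL(string: "https://ollama.example.com/api/tags")!) { _, _, _ in }.resume()
```

Two points worth keeping in mind if this is ever wired in: the `default` branch deliberately leaves server-certificate validation to the system instead of accepting any server cert (a common shortcut that would let anyone on the path impersonate the proxy), and the proxy only protects ollama if ollama itself listens on loopback or the LAN rather than on the forwarded port.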

@levicki

levicki commented Jul 15, 2024

@bhenriq Thanks for the clarification. What you are proposing (client cert) is not a bad idea, but I am wondering whether (when you apparently know your way around routers) you could perhaps set up a VPN and then you wouldn't need client certificate since Ollama wouldn't be forwarded outside of your LAN? Wireguard VPN works pretty well and it's not hard to set up on iOS if your router supports it.

@bhenriq
Author

bhenriq commented Jul 15, 2024

@levicki

The approach that you are suggesting is indeed what I used to do (Wireguard).
It works fine for the most part.
The inconvenience is that on iOS you can only have one VPN active at the same time.
But I use different VPNs for different use cases.
That essentially forces me to switch from one VPN connection to the next throughout my day.

For instance, if I want to stream a movie and bypass geofencing, I use NordVPN. If I want to connect to ollama, I would have to use Wireguard. If I need to conduct business, I use yet another VPN etc.

I found that having ollama directly available on the web, but protected by a reverse proxy, is both secure enough for my use case and more conveniently accessible.

Hoping this makes sense.

@levicki

levicki commented Jul 15, 2024

@bhenriq I see, good luck with the feature request then.

In the meantime, you can consider not using the app and instead using a browser (which as you say supports client certificate properly) together with say open-webui. I know it's not the same, but it's pretty decent and not too difficult to set up even manually.

Don't get me wrong, I am not trying to dissuade you from pursuing the feature request, just offering a workaround until the dev(s) get around to considering and implementing it.
