HTTPS & Reverse Proxies
Secure your HridaAI deployment with TLS encryption, reverse proxies, or managed tunnels.
HTTPS encrypts all traffic between users and HridaAI, protecting chat history, credentials, and uploaded files. It is also required for browser features like Voice Calls, which need a secure context to access the microphone.
Voice Calls require HTTPS
Modern browsers block microphone access on non-HTTPS origins. Voice Calls will not work over plain http:// unless you are on localhost.
Choose your approach
| Approach | Best for | TLS certificate |
|---|---|---|
| Cloudflare Tunnel | Production without open ports | Automatic (Cloudflare edge) |
| ngrok | Development and testing | Automatic (ngrok edge) |
| Tailscale | Private access across devices | Automatic (tailscale serve) |
| Nginx | Self-hosted production with full control | Manual or Let's Encrypt |
| Caddy | Self-hosted production, minimal config | Automatic (Let's Encrypt) |
| HAProxy | High-availability / load balancing | Manual or Let's Encrypt |
| Cloud load balancers | AWS ALB, GCP LB, Azure App Gateway | Managed by cloud provider |
Quick recommendations
Just want HTTPS fast? Use Cloudflare Tunnel (production) or ngrok (development). No certificates to manage, no ports to open.
Need load balancing? Use HAProxy or your cloud provider's load balancer.
Key configuration notes
Regardless of which approach you choose, keep these in mind:
| Setting | Why it matters |
|---|---|
| HRIDAAI_URL | Set this to your public HTTPS URL so OAuth callbacks and internal links resolve correctly |
| CORS_ALLOW_ORIGIN | Must match your public URL, or WebSocket connections will fail silently |
| Proxy buffering off | Required for SSE streaming. Buffering breaks markdown rendering in chat responses |
| WebSocket support | Ensure your proxy passes Upgrade and Connection headers for real-time features |
| Extended timeouts | LLM responses can take minutes. Set proxy read timeouts to at least 300s |
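The proxy-side settings from the table, shown as an Nginx server block. This is an added example, not configuration shipped by HridaAI; the hostname hridaai.example.com, the backend address 127.0.0.1:8080 and the certificate paths are assumptions to replace with your own values.

```nginx
# Added example, not HridaAI's own config. Assumed values: hostname,
# backend address 127.0.0.1:8080, certificate paths (placeholders).
# In the HridaAI environment, set HRIDAAI_URL and CORS_ALLOW_ORIGIN to
# https://hridaai.example.com so they match the origin served here.

# Place this map in the http {} context. It sends "Connection: upgrade"
# only when the client actually asked for a WebSocket upgrade.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 80;
    server_name hridaai.example.com;
    # Redirect plain HTTP so credentials and chat traffic are never sent in clear.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name hridaai.example.com;

    ssl_certificate     /etc/ssl/placeholder/fullchain.pem;  # placeholder path
    ssl_certificate_key /etc/ssl/placeholder/privkey.pem;    # placeholder path
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://127.0.0.1:8080;   # assumed backend address
        proxy_http_version 1.1;             # required for WebSocket upgrades

        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # WebSocket support: pass the Upgrade and Connection headers through.
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        # SSE streaming: deliver tokens as they arrive instead of buffering.
        proxy_buffering off;
        proxy_cache     off;

        # Extended timeouts: LLM responses can take minutes.
        proxy_read_timeout 300s;
        proxy_send_timeout 300s;
    }
}
```

Run `nginx -t` after editing to validate the syntax before reloading.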