
Open WebUI: Authentication and Access
See how to use Agilicus AnyX to safely use your Open WebUI remotely, with single-sign-on authentication and no port-forwarding or firewall rules.
Use your GPU and AI remotely: safely, simply, securely.
Open WebUI And Ollama Overview
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform designed to operate entirely offline. It supports LLM runners like Ollama, with a built-in inference engine for RAG. Given that it is designed to operate offline, it is commonly used in home and office environments.
Open WebUI by default is entirely insecure: any user who can reach the port it is running on can use it. It is therefore not suitable for remote use through a simple port-forward (in addition, some networks have restrictive firewalls or NAT which don’t allow inbound access).
In this example using Agilicus AnyX, we will show how to safely, securely, and simply use Open WebUI from a remote network, assigning permissions to individual users with single-sign-on, optionally with multi-factor authentication, without modifying the local firewall config.
Installation Instructions
Overview
If you have not already, sign up for Agilicus AnyX. In the instructions below, we refer to __MYDOMAIN__: this is the domain you chose during the Agilicus AnyX sign-up process. If you have navigated to this page from the Agilicus admin console (https://admin.__MYDOMAIN__), this will be filled in automatically.
Once set up, the data flow will be as shown to the right. The user will have a new URL available (https://openwebui.__MYDOMAIN__). On navigating there, they will be required to sign in (in the same way as Sign in with Google or Sign in with Microsoft on other sites). Once done, they will see the Open WebUI directly: no client software is required and no changes are needed on the firewall.
Later, you can add an API key and directly access Ollama from elsewhere if needed.
Concepts
Agilicus Connector: this software installs as a service on some device in your network. It can support multiple operating systems. Each connector can support an arbitrary number of resources (web applications, shares, VNC, RDP, etc.). In general you need one connector per site.
Authentication: attesting you are who you say you are. Agilicus AnyX uses OpenID Connect and supports zero-config of Microsoft, Google, Yahoo, and LinkedIn, or you can configure your own provider, such as Okta.
Identity: who you are. This is external to the Agilicus AnyX system.
Resource: an individually accessible and permissionable endpoint. In this example, Open WebUI.
Permission: assigning a role and access rules per person<->resource pair.
1. Install Connector
For details see Agilicus Connector.
In this example, we are assuming you will install the Connector on the same machine as Open WebUI.
Select the appropriate tab for your Operating System.
Linux
Navigate to the admin console (https://admin.__MYDOMAIN__). Sign in with the credentials you used during sign up. Select resources/connectors/new, and give the new connector a name (here we are using ‘openwebui’). Select ‘Install Connector’.
In the dialog that comes up, select Linux at the top, and then copy the command line. Paste this into a root shell.
Depending on your Linux distribution, this will install a service with systemd, upstart, init.d, etc. These instructions should also work on embedded devices (e.g. Raspberry Pi).
When complete, the dialog should dismiss itself. We can now check the connector status in Resources/Connectors/Overview, where it should show as ‘good’.
If the connector doesn’t come online, check that the service is running and check for any errors in its log. Common errors include:
- NTP / timesync is not set up
- Outbound firewall prevents connections to port 443 (the Connector can support MITM proxies in corporate environments if needed)






Windows
(For more details, see Agilicus Connector – Microsoft Windows)
Navigate to the admin console (https://admin.__MYDOMAIN__). Sign in with the credentials you used during sign up. Select resources/connectors/new, and give the new connector a name (here we are using ‘openwebui’). Select ‘Install Connector’.
In the dialog that comes up, select Windows-CMD at the top, and then copy the command line. Paste this into an Administrator cmd interface (e.g. on start menu, type ‘cmd’, and then select ‘Administrative shell’ on the right).
When complete, the dialog should dismiss itself. We can now check the connector status in Resources/Connectors/Overview, where it should show as ‘good’.
If the connector doesn’t come online, check that the service is running and check for any errors in eventvwr. Common errors include:
- NTP / timesync is not set up
- Outbound firewall prevents connections to port 443 (the Connector can support MITM proxies in corporate environments if needed)







2. Create Open WebUI Web Application
In this example we assume you already have Open WebUI running, in the default mode listening on port 8080.
don@office[ca-1]:~$ open-webui serve
WARNING: CORS_ALLOW_ORIGIN IS SET TO '*' - NOT RECOMMENDED FOR PRODUCTION DEPLOYMENTS.
___ __ __ _ _ _ ___
/ _ \ _ __ ___ _ __ \ \ / /__| |__ | | | |_ _|
| | | | '_ \ / _ \ '_ \ \ \ /\ / / _ \ '_ \| | | || |
| |_| | |_) | __/ | | | \ V V / __/ |_) | |_| || |
\___/| .__/ \___|_| |_| \_/\_/ \___|_.__/ \___/|___|
|_|
v0.5.3 - building the best open-source AI user interface.
https://github.com/open-webui/open-webui
INFO: Started server process [2151942]
INFO: Waiting for application startup.
INFO: Application startup complete.
INFO: Uvicorn running on http://0.0.0.0:8080 (Press CTRL+C to quit)
We will create a Web Application in Agilicus AnyX. This will create a new URL, https://openwebui.__MYDOMAIN__, and any user navigating there will be forced to authenticate via OpenID Connect and must have a permission assigned. This means it is both publicly accessible on the Internet and secure.
Network data will flow from the user, through the Agilicus AnyX cloud, to the Agilicus Connector, and onward to the Open WebUI. This will be TLS encrypted from the user to the Connector, making it secure and non-interceptable (including by Agilicus).
First, navigate to resources/applications/new. Give this a name (it will become a hostname so no spaces or special characters). Here we use ‘openwebui’.
Second, select the Access method (from your premises via a connector). Select the connector you installed in the previous step.
Third, configure the ‘upstream services’ (the local http://localhost:8080 information).
Fourth, configure how your application is authenticated. Here we configure authentication via proxy; if you wish to do more configuration, you can integrate your applications directly via OpenID Connect, but ‘authenticated by proxy’ will work for all web applications. Optionally, configure a pass-through logout (/api/v1/auths/signout) so that signing out of the web app also signs out of the proxy. Configure how users are assigned permissions. Here we select ‘named users, single role’, to allow us to control who can use this application.
You will be presented with a Summary. Hit APPLY.
Now, we will assign initial permissions to access this application to our user. You can also do this later under Access/Application Permissions.
At this stage we can navigate to https://profile.__MYDOMAIN__ (the end-user interface), hit refresh, and should see an icon for openwebui. We can also navigate directly to https://openwebui.__MYDOMAIN__ from the browser.






3. Add a second user (optional)
We can now add a second user to share with. Enter their email address (this must match that given by the Identity Provider, e.g. user@gmail, user@outlook.com, user@google-workspace-domain, user@office365-domain, etc.).
(See below in ‘Next Steps: Single Sign On’ for configuring Open WebUI to automatically accept the user via the “WEBUI_AUTH_TRUSTED_EMAIL_HEADER” environment variable)

Now, add permissions to the user. If you have a lot of applications or a lot of users, consider using Groups.

Next Steps
Open WebUI supports a “WEBUI_AUTH_TRUSTED_EMAIL_HEADER” environment variable. See “Include User Context Headers”, which allows setting “X-Gateway-User-Email”. If you set the environment variable WEBUI_AUTH_TRUSTED_EMAIL_HEADER=X-Gateway-User-Email, users will be automatically signed into Open WebUI.
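The startup log earlier on this page shows Open WebUI bound to 0.0.0.0:8080, and a trusted email header is only as trustworthy as the path to that port: a host that reaches the port directly skips the proxy's sign-in. The following is an added example (not Agilicus or Open WebUI code) that reads `ss -ltnH` output and flags a non-loopback listener; the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag an Open WebUI listener that is reachable off-host.

# Read `ss -ltnH` output on stdin; print each non-loopback local address
# listening on TCP port $1, one per line.
exposed_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, parts, ":")      # the port is the last ":" field
            if (parts[n] != port) next
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            sub(/%.*$/, "", addr)          # drop a scope such as %lo
            if (addr ~ /^127\./ || addr == "[::1]") next
            print addr
        }'
}

# Return 0 when port $1 is bound to loopback only, 1 otherwise.
# $2 is the trusted header name, e.g. the WEBUI_AUTH_TRUSTED_EMAIL_HEADER value.
check_binding() {
    exposed=$(exposed_listeners "$1")
    if [ -z "$exposed" ]; then
        echo "OK: nothing listens on port $1 outside loopback"
        return 0
    fi
    echo "EXPOSED: port $1 listens on $(printf '%s' "$exposed" | tr '\n' ',')"
    if [ -n "$2" ]; then
        echo "  $2 is trusted, so every host that reaches this port can supply it"
    fi
    return 1
}

# Constructed samples of `ss -ltnH` output (not captured from a real host).
SAMPLE_EXPOSED='LISTEN 0 2048 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:11434 0.0.0.0:*'
SAMPLE_LOCAL='LISTEN 0 2048 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 4096 [::1]:8080 [::]:*'

printf '%s\n' "$SAMPLE_EXPOSED" | check_binding 8080 X-Gateway-User-Email || true
printf '%s\n' "$SAMPLE_LOCAL" | check_binding 8080 X-Gateway-User-Email || true
# Live host: ss -ltnH | check_binding 8080 "$WEBUI_AUTH_TRUSTED_EMAIL_HEADER"
```

If the check reports EXPOSED, rebind Open WebUI to 127.0.0.1 (the Connector in this guide runs on the same machine and reaches it at http://localhost:8080) or block the port with a host firewall.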

