HTTPS using Cloudflare Tunnel

Expose Open WebUI to the internet securely. No open ports, no certificates, no reverse proxy.

Cloudflare Tunnel (cloudflared) creates an outbound-only connection from your machine to Cloudflare's edge network. Traffic flows through Cloudflare's infrastructure with automatic TLS, DDoS protection, and access controls, all without exposing a single port on your server.

When to use Cloudflare Tunnel

This is the recommended approach when you want production-grade public access without managing TLS certificates or firewall rules. It works on any network, including behind NAT or restrictive firewalls.

Prerequisites

Requirement	Details
Open WebUI	Running locally on port `8080` (default)
Cloudflare account	Free at cloudflare.com
Domain on Cloudflare	Your domain's DNS must be managed by Cloudflare

Option A: Dashboard setup (no CLI)

The simplest path. Everything configured through the Cloudflare dashboard.

1. Create the tunnel

Go to Zero Trust → Networks → Connectors
Click Create a tunnel → select Cloudflared
Name it (e.g., open-webui)
Follow the install instructions to run the connector on your machine

2. Add a public hostname

In the tunnel config, add a Public Hostname:

Field	Value
Subdomain	`chat` (or whatever you prefer)
Domain	Select your Cloudflare domain
Service type	`HTTP`
URL	`localhost:8080`

Save. Cloudflare creates the DNS record automatically.

3. Access Open WebUI

Open https://chat.your-domain.com. HTTPS is handled entirely by Cloudflare.

Option B: CLI setup

For automation, infrastructure-as-code, or headless servers.

1. Install cloudflared

macOS
Linux
Windows

brew install cloudflared

curl -sSL https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64 \
  -o /usr/local/bin/cloudflared && chmod +x /usr/local/bin/cloudflared

winget install Cloudflare.cloudflared

2. Authenticate

cloudflared tunnel login

This opens a browser to authorize cloudflared with your Cloudflare account.

3. Create the tunnel

cloudflared tunnel create open-webui

Note the Tunnel ID in the output. You'll need it for the config.

4. Configure

Create ~/.cloudflared/config.yml:

tunnel: YOUR_TUNNEL_ID
credentials-file: /home/YOUR_USER/.cloudflared/YOUR_TUNNEL_ID.json

ingress:
  - hostname: chat.your-domain.com
    service: http://localhost:8080
  - service: http_status:404

5. Create DNS record

cloudflared tunnel route dns open-webui chat.your-domain.com

6. Start the tunnel

cloudflared tunnel run open-webui

Open https://chat.your-domain.com.

Run as a system service

To keep the tunnel running after reboot:

sudo cloudflared service install
sudo systemctl enable cloudflared
sudo systemctl start cloudflared

This uses the config at ~/.cloudflared/config.yml automatically.

Configure Open WebUI

Set WEBUI_URL so OAuth callbacks and internal links resolve correctly:

docker run -d \
  -p 8080:8080 \
  -e WEBUI_URL=https://chat.your-domain.com \
  -v open-webui:/app/backend/data \
  --name open-webui \
  ghcr.io/open-webui/open-webui:main

Docker Compose with cloudflared

Run both Open WebUI and the tunnel connector in a single stack:

services:
  open-webui:
    image: ghcr.io/open-webui/open-webui:main
    container_name: open-webui
    volumes:
      - open-webui:/app/backend/data
    environment:
      - WEBUI_URL=https://chat.your-domain.com
    restart: unless-stopped

  cloudflared:
    image: cloudflare/cloudflared:latest
    container_name: cloudflared
    command: tunnel --no-autoupdate run --token YOUR_TUNNEL_TOKEN
    restart: unless-stopped

volumes:
  open-webui:

Get your tunnel token from the Cloudflare dashboard → Go to [Networking → Tunnels] → Select your tunnel → Select Add a replica → Copy the install command. The token starts with eyJ....

tip

No ports needed on the open-webui service. cloudflared connects to it via Docker's internal network. To use this, change the service URL in your tunnel config to http://open-webui:8080.

Add access controls (optional)

Cloudflare Zero Trust lets you gate access behind authentication without touching Open WebUI:

Go to Zero Trust → Access controls → Applications
Create new application → Self-hosted and private
Set the public hostname to chat.your-domain.com
Create an Access Policy (e.g., allow only @your-company.com emails)

Users see a Cloudflare login page before reaching Open WebUI.

Quick reference

What	Command / Value
Create tunnel	`cloudflared tunnel create open-webui`
Start tunnel	`cloudflared tunnel run open-webui`
Add DNS	`cloudflared tunnel route dns open-webui chat.your-domain.com`
Install as service	`sudo cloudflared service install`
Dashboard	https://dash.cloudflare.com/?to=/:account/one/networks/connectors
Set CORS origin	`CORS_ALLOW_ORIGIN=https://chat.your-domain.com`

This content is for informational purposes only and does not constitute a warranty, guarantee, or contractual commitment. Open WebUI is provided "as is." See your license for applicable terms.

Prerequisites​

Option A: Dashboard setup (no CLI)​

1. Create the tunnel​

2. Add a public hostname​

3. Access Open WebUI​

Option B: CLI setup​

1. Install cloudflared​

2. Authenticate​

3. Create the tunnel​

4. Configure​

5. Create DNS record​

6. Start the tunnel​

Run as a system service​

Configure Open WebUI​

Docker Compose with cloudflared​

Add access controls (optional)​

Quick reference​