Complete guide to install and configure Open WebUI on Oracle Cloud with auto-updates, SSL, and custom domain.
- Oracle Cloud VM (Ubuntu 22.04)
- Domain with DNS management access
- SSH access to your Oracle Cloud instance
ssh -i your-ssh-key.key ubuntu@your-vm-ip

sudo apt update
sudo apt install docker.io -y
sudo systemctl start docker
sudo systemctl enable docker

mkdir ~/openwebui
cd ~/openwebui

sudo iptables -I INPUT 6 -p tcp --dport 3001 -j ACCEPT
sudo mkdir -p /etc/iptables
sudo iptables-save | sudo tee /etc/iptables/rules.v4

Note: You do NOT need to add port 3001 to Oracle Cloud Security Lists if you're using Nginx proxy (recommended). The traffic will come through port 443 (HTTPS) which should already be open.
Only add port 3001 to Oracle Cloud Security Lists if you want direct IP access:
- Go to Networking → Virtual Cloud Networks
- Select your VCN → Security Lists → Default Security List
- Add Ingress Rules:
  - Source CIDR: 0.0.0.0/0
  - IP Protocol: TCP
  - Destination Port Range: 3001
sudo docker run -d \
  --name openwebui \
  -p 3001:8080 \
  -v $(pwd)/data:/app/backend/data \
  --restart unless-stopped \
  ghcr.io/open-webui/open-webui:main

sudo docker ps

You should see the openwebui container running.
Open your browser and navigate to:
http://your-vm-ip:3001
Add an A-record for your subdomain pointing to your VM's IP:
- Host: chat
- Type: A
- Value: your-vm-ip
sudo snap install core; sudo snap refresh core
sudo snap install --classic certbot

sudo certbot certonly --nginx -d chat.yourdomain.com

sudo nano /etc/nginx/sites-available/openwebui.conf

Add this configuration:
server {
    server_name chat.yourdomain.com;

    location / {
        proxy_pass http://localhost:3001;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 86400;
    }

    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/chat.yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/chat.yourdomain.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}

server {
    if ($host = chat.yourdomain.com) {
        return 301 https://$host$request_uri;
    }

    listen 80;
    server_name chat.yourdomain.com;
    return 404;
}

sudo ln -s /etc/nginx/sites-available/openwebui.conf /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl reload nginx

Open your browser and navigate to:
https://chat.yourdomain.com
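
Added example (not part of the original guide): `-p 3001:8080` publishes the backend on every interface, so once Nginx terminates TLS it is worth checking whether port 3001 is still bound where it can be reached around the proxy. The function classifies `docker port openwebui` output; the sample lines are constructed, and the `-p 127.0.0.1:3001:8080` loopback form is an alternative this guide does not use.

```shell
#!/bin/sh
# Added example, not from the original guide.
# audit_bindings: read `docker port <container>` output on stdin and report,
# per published port, whether the host side is bound to loopback only or to
# another address. Returns 1 if any binding is non-loopback, 0 otherwise.
audit_bindings() {
    rc=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        host="${line##*-> }"   # "0.0.0.0:3001", "[::]:3001", "127.0.0.1:3001"
        addr="${host%:*}"      # drop the trailing ":port"
        case "$addr" in
            127.*|"[::1]")
                printf 'loopback-only  %s\n' "$host" ;;
            *)
                printf 'EXPOSED        %s\n' "$host"
                rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed sample: `docker port` output for the guide's `-p 3001:8080`.
SAMPLE_ALL_INTERFACES='8080/tcp -> 0.0.0.0:3001
8080/tcp -> [::]:3001'

# Constructed sample: the same container published with
# `-p 127.0.0.1:3001:8080` (assumed alternative, not used in the guide).
SAMPLE_LOOPBACK='8080/tcp -> 127.0.0.1:3001'

printf '%s\n' "$SAMPLE_ALL_INTERFACES" | audit_bindings \
    || echo "=> backend is bound beyond loopback; Nginx can be bypassed if 3001 is allowed"
printf '%s\n' "$SAMPLE_LOOPBACK" | audit_bindings \
    && echo "=> only processes on this host (Nginx) can reach the backend"

# Live use on the VM:
#   sudo docker port openwebui | audit_bindings
```
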
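nano ~/openwebui/update_openwebui.sh

Add this content:

#!/bin/bash
# Replace the running container with the latest :main image and log each step.
LOG_FILE="/var/log/openwebui_update.log"
echo "=== Open WebUI Update Started: $(date) ===" >> "$LOG_FILE"
# Stop and remove the old container, then fetch the current image.
sudo docker stop openwebui >> "$LOG_FILE" 2>&1
sudo docker rm openwebui >> "$LOG_FILE" 2>&1
sudo docker pull ghcr.io/open-webui/open-webui:main >> "$LOG_FILE" 2>&1
# Absolute path: under root's crontab "~" is /root, not /home/ubuntu, so
# "cd ~/openwebui" would fail and the wrong data directory would be mounted.
cd /home/ubuntu/openwebui || exit 1
sudo docker run -d \
  --name openwebui \
  -p 3001:8080 \
  -v $(pwd)/data:/app/backend/data \
  --restart unless-stopped \
  ghcr.io/open-webui/open-webui:main >> "$LOG_FILE" 2>&1
# Remove images that no container uses any more.
sudo docker image prune -af >> "$LOG_FILE" 2>&1
echo "=== Open WebUI Update Completed: $(date) ===" >> "$LOG_FILE"

chmod +x ~/openwebui/update_openwebui.sh

sudo crontab -e

Add these lines: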
# Open WebUI auto-update every Sunday at 4 AM
0 4 * * 0 /bin/bash /home/ubuntu/openwebui/update_openwebui.sh >/dev/null 2>&1
# Auto-start after reboot
@reboot sleep 60 && cd /home/ubuntu/openwebui && /usr/bin/docker run -d --name openwebui -p 3001:8080 -v $(pwd)/data:/app/backend/data --restart unless-stopped ghcr.io/open-webui/open-webui:main

- User data, chats, and configurations are stored in ~/openwebui/data/
- This directory persists through container updates
- No backup needed for updates - data is preserved automatically
- API keys and user accounts remain intact during updates
sudo docker logs openwebui

sudo docker stop openwebui

cd ~/openwebui
sudo docker run -d \
  --name openwebui \
  -p 3001:8080 \
  -v $(pwd)/data:/app/backend/data \
  --restart unless-stopped \
  ghcr.io/open-webui/open-webui:main

bash ~/openwebui/update_openwebui.sh

tail -f /var/log/openwebui_update.log

sudo docker ps -a
sudo docker logs openwebui

sudo netstat -tlnp | grep 3001

Certificates auto-renew, but to manually renew:

sudo certbot renew
sudo systemctl reload nginx

Ensure your Oracle Cloud Security Lists allow outbound HTTPS traffic for API calls:
- Destination CIDR: 0.0.0.0/0
- IP Protocol: TCP
- Port Range: 443 (HTTPS outbound)
To check current iptables rules:
sudo iptables -L INPUT -n -v

- Install:
  sudo docker run -d --name openwebui -p 3001:8080 -v $(pwd)/data:/app/backend/data --restart unless-stopped ghcr.io/open-webui/open-webui:main
- Access (if using domain): https://chat.yourdomain.com
- Direct IP access: Only works if you add port 3001 to Oracle Cloud Security Lists
- Optional: Set up domain + SSL following step 5
- Optional: Set up auto-updates following step 6
Your Open WebUI instance will be accessible and automatically maintained!