09. HTTPS for Local APIs
TLS gives data in transit confidentiality and integrity and, provided the client actually validates the certificate, authenticates the server, which is what stops a man-in-the-middle from impersonating the service or reading traffic. For local AI services, HTTPS matters whenever clients reach the API across network segments, and whenever prompts or responses carry sensitive data, which for most business use is the normal case.
Certificate options for local deployments:
Self-signed certificates work for small internal services. Generate one with openssl and distribute the certificate itself to clients as their trust anchor; there is no separate CA. Suitable for trusted internal networks with a handful of clients, since every client trust store must be updated each time the certificate is rotated.
An internal CA issues certificates that validate anywhere the CA root is trusted. More setup overhead, but one trust anchor covers every internal service, server certificates can be rotated without touching client trust stores, and renewal can be automated if the CA speaks ACME (renewal is a property of the tooling, not of the certificate).
Let's Encrypt (or a similar public CA) provides publicly trusted certificates. Useful if your AI service is reachable from the internet or its clients sit outside your trust boundary. Note that issuance requires a publicly resolvable name and a challenge the CA can verify (HTTP-01 reachable from the internet, or DNS-01), and the hostname will appear in public Certificate Transparency logs.
Generate a self-signed certificate for the local API:
# Generate private key and certificate. -addext needs OpenSSL 1.1.1 or newer;
# -nodes leaves the key unencrypted (required for an unattended server), so
# protect it with file permissions instead. The SAN must list every name and
# IP that clients will connect to, otherwise hostname verification fails.
openssl req -x509 -newkey rsa:4096 -keyout ai-server.key \
  -out ai-server.crt -days 365 -nodes \
  -subj "/CN=ai-server.internal/O=LocalAI/C=US" \
  -addext "subjectAltName=DNS:ai-server.internal,IP:10.0.1.50"
chmod 600 ai-server.key
# Ollama does not terminate TLS itself, so the certificate is used by the
# reverse proxy below. Keep Ollama bound to loopback so that only the proxy
# on this host can reach the plaintext listener.
export OLLAMA_HOST="127.0.0.1:11434"
# Install the certificate and key where the proxy will read them
sudo cp ai-server.crt /etc/ssl/certs/ai-server.crt
sudo install -m 600 ai-server.key /etc/ssl/private/ai-server.key
Configure a reverse proxy that terminates TLS and forwards to Ollama's loopback listener:
# /etc/nginx/sites-available/ai-api
server {
    listen 443 ssl;
    server_name ai-server.internal;

    ssl_certificate     /etc/ssl/certs/ai-server.crt;
    ssl_certificate_key /etc/ssl/private/ai-server.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    # Client certificate verification (optional, for mTLS).
    # "optional" only asks the client for a certificate and records the
    # outcome in $ssl_client_verify; nothing is rejected unless you check
    # that variable (see the commented gate below) or set it to "on".
    ssl_client_certificate /etc/ssl/certs/internal-ca.crt;
    ssl_verify_client optional;

    location / {
        # Uncomment to require a valid client certificate for every request:
        # if ($ssl_client_verify != SUCCESS) { return 403; }

        proxy_pass http://127.0.0.1:11434;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Generations stream token by token and can run for minutes:
        # don't buffer the response, and raise the default 60s read timeout.
        proxy_buffering off;
        proxy_read_timeout 300s;
    }
}
Verify the TLS configuration. Test against the proxy on 443, not Ollama's plaintext port 11434, and connect using a name that is in the certificate's SAN:
# Handshake with the self-signed cert as the only trust anchor and check the
# name; look for "Verify return code: 0 (ok)" in the output
openssl s_client -connect 127.0.0.1:443 -servername ai-server.internal \
  -verify_hostname ai-server.internal \
  -CAfile /etc/ssl/certs/ai-server.crt </dev/null
# Check certificate details (SAN entries) and the validity window
openssl x509 -in ai-server.crt -text -noout | head -30
openssl x509 -in ai-server.crt -noout -dates
# Test with curl. The SANs are ai-server.internal and 10.0.1.50, so
# https://localhost would fail hostname verification; resolve the real
# name to the local proxy instead.
curl -v https://ai-server.internal/api/tags \
  --resolve ai-server.internal:443:127.0.0.1 \
  --cacert ai-server.crt \
  -H "Authorization: Bearer $API_KEY"
Generate a self-signed certificate, put TLS in front of your AI service, and confirm that a client which validates the certificate (curl with --cacert, or a Python client with a custom CA file) connects, while a client using a name that is not in the SAN is rejected. Record the expiry date (openssl x509 -noout -enddate) and set a renewal reminder well ahead of it.
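As an added example for the Python client in this exercise (not code from Ollama, nginx, or the original page), the script below builds a TLS client context that trusts only ai-server.crt, shows how SAN-based hostname matching works (so it is clear why "localhost" fails against this certificate), and turns the certificate's notAfter field into the renewal reminder. The hostname, port, /api/tags endpoint and bearer token are the page's; the function names, the 30-day warning threshold and the SAMPLE_CERT dict (a constructed stand-in for what getpeercert() returns) are assumptions made for the example.

```python
"""Client-side TLS checks for a local AI API (added example, hypothetical code)."""
import http.client
import ipaddress
import json
import ssl
import time

EXPIRY_WARN_DAYS = 30  # assumed threshold: start warning this many days before notAfter


def build_client_context(cafile=None):
    """TLS 1.2+, hostname checking on, trust only the given cert/CA file.

    cafile is the self-signed ai-server.crt (or an internal CA root).
    With cafile=None the system trust store is used (public CA case)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def _dns_match(pattern, hostname):
    """RFC 6125-style DNS match: exact, or '*' confined to the leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or p_labels[0] != "*":
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname):
    """Does the peer cert (dict shape of SSLSocket.getpeercert()) cover hostname?

    Only subjectAltName counts; the CN is ignored, as modern TLS stacks do.
    An IP literal only matches 'IP Address' entries, never DNS entries."""
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    for kind, value in cert.get("subjectAltName", ()):
        if ip is not None:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS" and _dns_match(value, hostname):
            return True
    return False


def days_until_expiry(cert, now=None):
    """Whole days from now until notAfter (negative once the cert has expired)."""
    now = time.time() if now is None else now
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return int((not_after - now) // 86400)


def check_peer(cert, hostname, now=None, warn_days=EXPIRY_WARN_DAYS):
    """Return a list of problems with the peer certificate (empty means fine).

    Run after the handshake: the TLS stack has already enforced trust and
    hostname, this adds the renewal reminder and a readable explanation."""
    problems = []
    if not hostname_matches(cert, hostname):
        problems.append(f"certificate does not cover {hostname}")
    days = days_until_expiry(cert, now)
    if days < 0:
        problems.append("certificate expired")
    elif days < warn_days:
        problems.append(f"certificate expires in {days} days; renew it")
    return problems


def fetch_tags(host="ai-server.internal", port=443, cafile="ai-server.crt", api_key=None):
    """GET /api/tags over TLS; returns (parsed JSON body, certificate problems).

    http.client refuses the connection itself if trust or hostname checks fail."""
    conn = http.client.HTTPSConnection(host, port, context=build_client_context(cafile))
    conn.connect()
    problems = check_peer(conn.sock.getpeercert(), host)
    headers = {"Authorization": f"Bearer {api_key}"} if api_key else {}
    conn.request("GET", "/api/tags", headers=headers)
    body = json.loads(conn.getresponse().read())
    conn.close()
    return body, problems


# Constructed sample (not a real certificate): the dict shape getpeercert()
# returns for a cert issued with the openssl command above; dates are illustrative.
SAMPLE_CERT = {
    "subject": ((("commonName", "ai-server.internal"),), (("organizationName", "LocalAI"),)),
    "subjectAltName": (("DNS", "ai-server.internal"), ("IP Address", "10.0.1.50")),
    "notBefore": "Jan  5 09:34:43 2017 GMT",
    "notAfter": "Jan  5 09:34:43 2018 GMT",
}

if __name__ == "__main__":
    for name in ("ai-server.internal", "10.0.1.50", "localhost"):
        print(name, "->", check_peer(SAMPLE_CERT, name))
```

Against a live deployment, fetch_tags("ai-server.internal", 443, "ai-server.crt", api_key) exercises the whole path; connecting with host="localhost" raises an SSLCertVerificationError from the TLS stack before check_peer ever runs, which is the behaviour you want a client to have, not something to work around with verify=False.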