Security hardening guide for production LobeChat deployments.
LobeChat provides several security features out of the box, but proper configuration is essential for production deployments.
LobeChat supports MFA through Better Auth:
For team deployments, configure OAuth:
```bash
# GitHub OAuth
GITHUB_CLIENT_ID=your-client-id
GITHUB_CLIENT_SECRET=your-client-secret

# Google OAuth
GOOGLE_CLIENT_ID=your-client-id
GOOGLE_CLIENT_SECRET=your-client-secret

# Generic OIDC
OIDC_CLIENT_ID=your-client-id
OIDC_CLIENT_SECRET=your-client-secret
OIDC_ISSUER=https://your-idp.com
```
```bash
# Set secure session configuration
NEXT_AUTH_SECRET=your-32-character-secret-key
NEXTAUTH_URL=https://chat.example.com

# Session timeout (recommended: 24 hours)
SESSION_MAX_AGE=86400
```
Always set KEY_VAULTS_SECRET in production:
```bash
# Generate secure random key
openssl rand -hex 32

# Set in environment
KEY_VAULTS_SECRET=your-64-character-hex-key
```
Important: Once set, never change KEY_VAULTS_SECRET or encrypted data will be lost.
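A preflight check for the secrets above, added here as an example and not part of the LobeChat project: it generates KEY_VAULTS_SECRET once, confirms the value is exactly 64 hex characters, and refuses an env file whose KEY_VAULTS_SECRET or NEXT_AUTH_SECRET is malformed, so a bad value is caught before it is used to encrypt anything. The env-file layout and the helper names (gen_key_vaults_secret, check_key_vaults_secret, preflight_env) are assumptions of this example, and the two sample env files are constructed.

```shell
#!/bin/sh
# Added example, not LobeChat project code: generate KEY_VAULTS_SECRET once and
# validate secrets in an env file before deployment. A malformed secret, or one
# that changes later, makes the encrypted key vault unreadable.

# Generate a 64-character hex secret (32 random bytes); falls back to
# /dev/urandom on hosts without openssl.
gen_key_vaults_secret() {
  if command -v openssl >/dev/null 2>&1; then
    openssl rand -hex 32
  else
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
  fi
}

# Print "ok" when the value is exactly 64 lowercase hex characters, else "bad".
check_key_vaults_secret() {
  case "$1" in
    *[!0-9a-f]*|"") echo bad ;;
    *) if [ "${#1}" -eq 64 ]; then echo ok; else echo bad; fi ;;
  esac
}

# Read KEY=value from an env file (last occurrence wins, as most loaders do).
env_value() {
  grep -E "^$2=" "$1" | tail -n 1 | cut -d= -f2-
}

# Preflight an env file: print "pass" and return 0, or print each problem
# and return 1. (Assumed policy: NEXT_AUTH_SECRET must be at least 32 chars.)
preflight_env() {
  rc=0
  kvs=$(env_value "$1" KEY_VAULTS_SECRET)
  if [ "$(check_key_vaults_secret "$kvs")" != ok ]; then
    echo "KEY_VAULTS_SECRET: missing or not 64 hex characters"; rc=1
  fi
  nas=$(env_value "$1" NEXT_AUTH_SECRET)
  if [ "${#nas}" -lt 32 ]; then
    echo "NEXT_AUTH_SECRET: shorter than 32 characters"; rc=1
  fi
  [ "$rc" -eq 0 ] && echo pass
  return "$rc"
}

# Constructed sample env files for the demonstration (not real secrets).
GOOD_ENV=$(mktemp); BAD_ENV=$(mktemp)
cat > "$GOOD_ENV" <<EOF
NEXT_AUTH_SECRET=$(gen_key_vaults_secret)
KEY_VAULTS_SECRET=$(gen_key_vaults_secret)
EOF
cat > "$BAD_ENV" <<EOF
NEXT_AUTH_SECRET=short
KEY_VAULTS_SECRET=changeme
EOF

preflight_env "$GOOD_ENV"
preflight_env "$BAD_ENV" || echo "refusing to deploy with $BAD_ENV"
```

Run the preflight in the deployment pipeline against the real env file; because KEY_VAULTS_SECRET must never change once data is encrypted, store the generated value in your secret manager immediately and treat the file check as a guard against accidental regeneration.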
Configure API key rotation mode:
```bash
# Rotate through multiple keys
API_KEY_SELECT_MODE=turn

# Random selection
API_KEY_SELECT_MODE=random
```
Never commit API keys to version control. Use:
Prevent Server-Side Request Forgery:
```bash
# Block private IP addresses (recommended)
SSRF_ALLOW_PRIVATE_IP_ADDRESS=0

# Whitelist specific IPs if needed
SSRF_ALLOW_IP_ADDRESS_LIST=192.168.1.100,10.0.0.50
```
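To see what a given pair of SSRF settings actually permits before deploying it, here is a small model of the policy the two variables express, added as an example and not LobeChat's own code: private, loopback and link-local IPv4 addresses are denied unless SSRF_ALLOW_PRIVATE_IP_ADDRESS=1 or the exact address is in SSRF_ALLOW_IP_ADDRESS_LIST. The real implementation may differ in details (IPv6, how an unset variable is treated); the helper names is_private_ip and ssrf_decision, the assumed default of 0 for an unset SSRF_ALLOW_PRIVATE_IP_ADDRESS, and the target addresses are constructed for this example.

```shell
#!/bin/sh
# Added example, not LobeChat project code: a model of the SSRF policy expressed
# by SSRF_ALLOW_PRIVATE_IP_ADDRESS and SSRF_ALLOW_IP_ADDRESS_LIST, for checking
# a setting before deployment. Assumptions: IPv4 only; unset means 0 (deny).

# Return 0 when the dotted-quad IPv4 address is private, loopback or link-local.
is_private_ip() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  case "$a" in
    10|127|0) return 0 ;;
    172) [ "$b" -ge 16 ] && [ "$b" -le 31 ] && return 0 ;;
    192) [ "$b" -eq 168 ] && return 0 ;;
    169) [ "$b" -eq 254 ] && return 0 ;;
  esac
  return 1
}

# Print "allow" or "deny" for a fetch to the address in $1 under the current
# environment variables.
ssrf_decision() {
  ip=$1
  if ! is_private_ip "$ip"; then echo allow; return; fi
  if [ "${SSRF_ALLOW_PRIVATE_IP_ADDRESS:-0}" = 1 ]; then echo allow; return; fi
  # Private address with private access disabled: only an exact match in the
  # comma-separated allow list may pass.
  case ",${SSRF_ALLOW_IP_ADDRESS_LIST:-}," in
    *",$ip,"*) echo allow ;;
    *) echo deny ;;
  esac
}

# Constructed demonstration using the settings recommended above.
SSRF_ALLOW_PRIVATE_IP_ADDRESS=0
SSRF_ALLOW_IP_ADDRESS_LIST=192.168.1.100,10.0.0.50
for target in 198.51.100.20 10.0.0.50 10.0.0.51 192.168.1.100 127.0.0.1 169.254.10.10; do
  echo "$target -> $(ssrf_decision "$target")"
done
```

The useful property to confirm is that the allow list is an exact-match exception, not a range: 10.0.0.50 passes while 10.0.0.51 is still denied, and loopback stays denied unless private access is switched on globally.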
Route traffic through secure proxy:
```bash
# Use authenticated proxy
PROXY_URL=http://user:pass@proxy.example.com:8080

# Enable DNS through proxy
ENABLE_PROXY_DNS=1
```
Always use HTTPS in production:
```nginx
server {
    listen 443 ssl http2;
    server_name chat.example.com;

    ssl_certificate /etc/ssl/certs/chat.example.com.crt;
    ssl_certificate_key /etc/ssl/private/chat.example.com.key;

    # Strong SSL configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass http://localhost:3210;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# Redirect HTTP to HTTPS
server {
    listen 80;
    server_name chat.example.com;
    return 301 https://$server_name$request_uri;
}
```
```yaml
services:
  traefik:
    image: traefik:v2.10
    command:
      - "--providers.docker"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
      - "--certificatesresolvers.myresolver.acme.email=admin@example.com"
      - "--certificatesresolvers.myresolver.acme.storage=/acme/acme.json"
```
```bash
# Use strong password
DATABASE_URL=postgresql://lobechat:very-secure-password@db:5432/lobechat

# Enable SSL for database connections (production)
DATABASE_URL=postgresql://lobechat:password@db:5432/lobechat?sslmode=require
```
```sql
-- Create dedicated user with limited privileges
CREATE USER lobechat WITH PASSWORD 'secure-password';
GRANT CONNECT ON DATABASE lobechat TO lobechat;
GRANT USAGE ON SCHEMA public TO lobechat;
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO lobechat;

-- Revoke dangerous operations: the application user must not create
-- objects in the schema or truncate, reference or attach triggers to tables.
-- (Revoking ALL on the tables here would undo the grants above and break the app.)
REVOKE CREATE ON SCHEMA public FROM lobechat;
REVOKE TRUNCATE, REFERENCES, TRIGGER ON ALL TABLES IN SCHEMA public FROM lobechat;
```
```bash
# Encrypt backups
pg_dump lobechat | gpg --encrypt --recipient backup@example.com > backup.sql.gpg

# Secure backup storage
chmod 600 /backups/*.sql.gpg
```
```yaml
services:
  lobe-chat:
    image: lobehub/lobe-chat:latest
    user: "1000:1000"
    security_opt:
      - no-new-privileges:true
    read_only: true
    tmpfs:
      - /tmp
```
```yaml
services:
  lobe-chat:
    deploy:
      resources:
        limits:
          cpus: '2'
          memory: 4G
        reservations:
          cpus: '0.5'
          memory: 1G
```
```yaml
services:
  lobe-chat:
    networks:
      - lobechat-internal
  db:
    networks:
      - lobechat-internal

networks:
  lobechat-internal:
    internal: true
```
```bash
# Disable specific features
FEATURE_FLAGS="-welcome_suggest,-analytics,-telemetry"

# Use trusted plugin marketplace only
PLUGINS_INDEX_URL=https://chat-plugins.lobehub.com

# Configure plugin-specific security
PLUGIN_SETTINGS="search-engine:SECURE_MODE=true"
```

```bash
# Restrict available models
OPENAI_MODEL_LIST=+gpt-4,+gpt-4-turbo,-gpt-3.5-turbo

# Set default model
DEFAULT_AGENT_CONFIG=model=gpt-4-1106-preview
```

```bash
# Enable detailed logging
LOG_LEVEL=info

# Log authentication events
AUTH_LOG_LEVEL=debug
```
Watch for:
```yaml
services:
  lobe-chat:
    logging:
      driver: "json-file"
      options:
        max-size: "10m"
        max-file: "3"
```
```bash
# Find failed logins
docker compose logs lobe-chat | grep -i "failed login"

# Find suspicious IPs
docker compose logs lobe-chat | grep -oE "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+" | sort | uniq -c | sort -rn

# Find API errors
docker compose logs lobe-chat | grep -i "error"
```
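The one-liners above answer ad hoc questions; the following turns them into a repeatable check that counts failed logins per source address and flags sources above a threshold. It is an added example, not LobeChat code: the log line format, the helper names (sample_logs, failed_logins_by_ip, flag_bruteforce_sources, count_errors) and the sample lines are constructed, so adjust the patterns to the container's real output, which you would pipe in with `docker compose logs lobe-chat` in place of sample_logs.

```shell
#!/bin/sh
# Added example, not LobeChat project code: a small detection over log lines that
# counts failed logins per source IP and flags repeat offenders. The log format
# below is constructed for the example; match it to the real container output.

# Constructed sample log lines (TEST-NET addresses, no real hosts).
sample_logs() {
  cat <<'EOF'
2024-05-01T10:00:01Z [auth] failed login for user alice from 203.0.113.7
2024-05-01T10:00:03Z [auth] failed login for user alice from 203.0.113.7
2024-05-01T10:00:04Z [auth] login ok for user bob from 203.0.113.9
2024-05-01T10:00:05Z [auth] failed login for user admin from 203.0.113.7
2024-05-01T10:00:06Z [auth] failed login for user dave from 203.0.113.7
2024-05-01T10:00:08Z [auth] failed login for user carol from 198.51.100.3
2024-05-01T10:00:09Z [api] error: upstream request timed out
2024-05-01T10:00:10Z [auth] failed login for user alice from 203.0.113.7
EOF
}

# Read log lines on stdin; print "count ip" for failed logins, most frequent first.
# Only lines that mention a failed login are counted, so successful logins and
# API errors from the same address do not inflate the number.
failed_logins_by_ip() {
  grep -i "failed login" \
    | grep -oE "([0-9]{1,3}\.){3}[0-9]{1,3}" \
    | sort | uniq -c | sort -rn \
    | awk '{print $1, $2}'
}

# Print the IPs whose failed-login count reaches the threshold in $1 (default 5).
flag_bruteforce_sources() {
  threshold=${1:-5}
  failed_logins_by_ip | awk -v t="$threshold" '$1 >= t {print $2}'
}

# Count lines containing "error" on stdin (prints 0 rather than failing when none).
count_errors() {
  grep -ci "error" || true
}

# Demonstration on the constructed sample.
echo "failed logins by source:"
sample_logs | failed_logins_by_ip
echo "sources at or above 5 failures:"
sample_logs | flag_bruteforce_sources 5
echo "api error lines: $(sample_logs | count_errors)"
```

Run it on a schedule against the last log window and forward the flagged addresses to whatever blocks or alerts in front of the proxy; the threshold is the knob to tune against your normal failed-login rate.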