AllTalk SSL Proxy System ‐ Technical Guide
This is an advanced feature intended for users who need to expose AllTalk services to the internet with SSL/HTTPS capabilities. If you're running AllTalk locally or don't specifically need HTTPS support, you should use the standard Gradio interface (http://localhost:7852) and API port (7851).
This guide is specifically for:
- System administrators
- Users with networking/SSL certificate experience
- Those requiring HTTPS for production deployments
- Users needing secure external access to AllTalk services
Not recommended for:
- Local installations
- Testing environments
- Users unfamiliar with SSL certificates & DNS
- Those without specific HTTPS requirements
Contents:
- Important Notice
- Technical Overview
- Implementation Requirements
- SSL Certificate Options
- Technical Limitations
- Advanced Configuration
- Security Considerations
- Monitoring and Maintenance
- Additional Resources
- Prerequisites
- Initial Setup
- Certificate Setup
- Starting the Service
- Verifying Operation
- Troubleshooting
- Shutting Down
- Maintenance
The AllTalk Proxy System implements a reverse proxy using Twisted, providing SSL termination and port forwarding capabilities for both the Gradio interface and API endpoints. It sits between your AllTalk services and external networks, handling all incoming connections and routing them appropriately.
External Request → Proxy (SSL Termination) → Internal Services
- Gradio UI: External Port → 7852
- API: External Port → 7851
- Understanding of SSL certificates and key management
- Knowledge of networking and port forwarding
- Properly configured DNS if using valid SSL certificates
- Access to modify firewall rules
- Understanding of HTTP/HTTPS protocols
For production use, obtain certificates from trusted Certificate Authorities:
- Let's Encrypt (recommended for most users)
  - Free, automated certificates
  - 90-day validity with automatic renewal
  - Requires domain name and DNS configuration
- Cloudflare SSL
  - Free with Cloudflare CDN services
  - Includes proxy and DDoS protection
  - Requires domain name management through Cloudflare
- Commercial CAs
  - DigiCert, GlobalSign, etc.
  - Extended validation options
  - Wildcard certificate support
- Valid SSL certificate (.crt/.pem)
- Private key (.key)
- Must be from trusted CA for the Gradio interface to work
- Minimum 2048-bit RSA or equivalent
- Valid dates and proper CN/SAN fields
Gradio interface:
- Requires valid SSL certificates from a trusted CA
- Self-signed certificates will not work and will cause errors for Gradio
- No workaround for invalid certificates due to Gradio's security model
API endpoint:
- Supports both valid and self-signed certificates
- Can operate in HTTP mode if needed
- More flexible security options
The proxy system allows separate configuration for API and Gradio endpoints:
- Independent port selection
- Individual enable/disable controls
- SSL termination happens at proxy level
- Internal traffic remains unencrypted
- Certificate private keys must be properly secured
- Regular certificate rotation recommended
- Monitor logs for unauthorized access attempts
- Consider implementing rate limiting
- Keep system packages updated
- Basic logging available in system/proxy_module/logs/
- Debug mode available for troubleshooting
- Certificate expiration monitoring
- Connection tracking and metrics
- Health checks for both endpoints
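The certificate expiration monitoring and endpoint health checks listed above can be combined in one probe. This is an added example, not code from AllTalk; the hostname `tts.example.com` and the 30-day threshold are assumptions, and ports 1234 and 5678 are the guide's example proxy ports.

```python
import socket
import ssl
import time

WARN_DAYS = 30  # assumed renewal threshold, not an AllTalk setting


def days_left(not_after, now=None):
    """Whole days until notAfter, given in the text form getpeercert() returns."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)


def classify(not_after, now=None, warn_days=WARN_DAYS):
    remaining = days_left(not_after, now)
    if remaining < 0:
        return "EXPIRED"
    return "RENEW" if remaining < warn_days else "OK"


def check_endpoint(host, port, timeout=5.0):
    """Handshake like a browser: system trust store and hostname check enabled."""
    result = {"endpoint": f"{host}:{port}"}
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # Self-signed, expired or wrong-name certificates end up here.
        return {**result, "status": "UNTRUSTED", "detail": exc.verify_message}
    except OSError as exc:
        return {**result, "status": "DOWN", "detail": str(exc)}
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {**result, "status": classify(cert["notAfter"]),
            "detail": f"{days_left(cert['notAfter'])} days left", "san": names}


if __name__ == "__main__":
    # Hypothetical hostname; 1234 and 5678 are the guide's example proxy ports.
    for port in (1234, 5678):
        print(check_endpoint("tts.example.com", port))
```

An `UNTRUSTED` result for the Gradio port corresponds to the case the guide says Gradio cannot work with; an endpoint running in HTTP mode shows up as `DOWN` because the TLS handshake fails.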
Remember: This proxy system is a technical tool for specific use cases. If you're unsure whether you need it, you probably don't. Stick with the standard AllTalk interface for typical usage.
- Valid SSL certificates (if using HTTPS)
- Knowledge of your desired external ports
- Understanding of proxy/SSL concepts
- Navigate to the Global Settings tab in the AllTalk interface
- Configure Basic Settings:
  - Enable "Master switch/safety lockout for proxy functionality"
  - Select "Start Proxy Automatically on Startup" if desired
  - Set "External IP" (use 0.0.0.0 to bind to all interfaces)
- Configure API Endpoint:
  - Set "API (TTS Generation) Proxy" to "Enabled"
  - Set "API Port" (e.g., 1234)
  - Note: This port must be different from Gradio port
- Configure Gradio Endpoint:
  - Set "Gradio Interface Proxy" to "Enabled"
  - Set "Gradio Interface Port" (e.g., 5678)
  - Note: Must be different from API port
For HTTPS:
- Obtain valid SSL certificates from a trusted CA
- In the Certificate Management section:
  - Upload your certificate file (.crt/.pem)
  - Upload your private key file (.key)
  - Enter a descriptive name (e.g., "production_cert")
  - Click "Upload Certificate"
For HTTP only (no certificate):
- Skip certificate upload
- System will operate in HTTP mode
- Suitable for internal testing only
- Click "Save Configuration" to apply settings
- Click "Start Service"
- Check "Status" output for:
  [AllTalk PRX] Gradio HTTP Proxy : From 0.0.0.0:444 -> 127.0.0.1:7852 is now active.
  [AllTalk PRX] API HTTP Proxy : From 0.0.0.0:443 -> 127.0.0.1:7851 is now active.
- Test API Endpoint:
  - Try accessing: http(s)://your-ip:api-port
- Test Gradio Interface:
  - Try accessing: http(s)://your-ip:gradio-port
  - Note: HTTPS requires valid CA certificates
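The "Status" output can also be checked mechanically before the ports are opened to the internet. The following is an added example, not part of AllTalk: it parses the status lines shown above and flags listeners that serve plain HTTP on a non-loopback address, forward off-host, or collide on a port. It assumes that certificate mode prints "HTTPS" where the sample prints "HTTP"; the guide only shows the HTTP form.

```python
import ipaddress
import re

# Line format copied from the guide's "Status" output. "HTTPS" in the scheme
# position for certificate mode is an assumption; the guide only shows "HTTP".
LINE = re.compile(
    r"\[AllTalk PRX\]\s+(?P<name>Gradio|API)\s+(?P<scheme>HTTPS?)\s+Proxy\s*:\s*"
    r"From\s+(?P<bind>[\d.]+):(?P<port>\d+)\s*->\s*"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+is now active"
)
BACKEND_PORT = {"Gradio": 7852, "API": 7851}  # internal ports named in the guide


def audit_status(text):
    """Return (listeners, findings) for the proxy lines found in `text`."""
    listeners = [m.groupdict() for m in LINE.finditer(text)]
    findings = []
    for item in listeners:
        name, bind = item["name"], ipaddress.ip_address(item["bind"])
        if item["scheme"] == "HTTP" and not bind.is_loopback:
            findings.append(f"{name}: plain HTTP exposed on {bind}:{item['port']}")
        if not ipaddress.ip_address(item["dst"]).is_loopback:
            findings.append(f"{name}: unencrypted hop to {item['dst']} leaves the host")
        if int(item["dport"]) != BACKEND_PORT[name]:
            findings.append(f"{name}: forwards to port {item['dport']}, "
                            f"expected {BACKEND_PORT[name]}")
    ports = [item["port"] for item in listeners]
    if len(ports) != len(set(ports)):
        findings.append("API and Gradio share an external port")
    return listeners, findings


# The guide's sample output (both endpoints in HTTP mode on all interfaces).
GUIDE_STATUS = (
    "[AllTalk PRX] Gradio HTTP Proxy : From 0.0.0.0:444 -> 127.0.0.1:7852 is now active. "
    "[AllTalk PRX] API HTTP Proxy : From 0.0.0.0:443 -> 127.0.0.1:7851 is now active."
)

if __name__ == "__main__":
    for finding in audit_status(GUIDE_STATUS)[1]:
        print("WARN", finding)
```

Run against the guide's own sample, this reports both endpoints as plain HTTP on 0.0.0.0, which matches the guide's statement that HTTP mode is suitable for internal testing only.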
If status shows errors:
- Click "Check Status" for detailed information
- Enable debug_proxy in settings
- Restart AllTalk to see detailed logs
- Check Status/Result box for error messages
- Click "Stop Service"
- Wait up to 60 seconds for complete shutdown
- Status will show "Proxy Server: Stopped"
To remove certificates:
- Click "Delete All Certificates"
- System will revert to HTTP mode
- Restart proxy service
To update certificates:
- Upload new certificates
- Keep same certificate name
- Restart proxy service
Remember: For production use, always use valid SSL certificates from trusted CAs. Self-signed certificates will cause errors with the Gradio interface.