NGINX & HTTPS Setup

Set up NGINX reverse proxy with SSL/TLS for secure HTTPS access. This enables browser microphone recording from devices other than localhost.

Why HTTPS?

Modern browsers enforce strict security policies. The getUserMedia() API (used for microphone access) only works in:

localhost connections (development exception)
HTTPS connections (production requirement)

If you access OpenTranscribe over HTTP from another device or IP address, browsers will block microphone recording.

Quick Setup (Homelab/Local Network)

Step 1: Run SSL Setup

cd opentranscribe
./opentranscribe.sh setup-ssl

This interactive command will:

Prompt for hostname (e.g., opentranscribe.local)
Generate self-signed SSL certificates
Update your .env configuration
Show next steps

Step 2: Configure DNS

Option A: Router DNS (Recommended) Add a DNS entry in your router pointing your hostname to your server's IP address.

Option B: Local Hosts File On each client device, add to:

Linux/Mac: /etc/hosts
Windows: C:\Windows\System32\drivers\etc\hosts

192.168.1.100  opentranscribe.local

Step 3: Restart Services

./opentranscribe.sh restart

Step 4: Trust the Certificate

Import nginx/ssl/server.crt on each client device:

Windows

Double-click the .crt file
Click Install Certificate → Local Machine
Select Trusted Root Certification Authorities
Complete wizard and restart browser

macOS

Double-click to open in Keychain Access
Find the certificate, double-click it
Expand Trust → Set to Always Trust
Close and enter password

Linux (Chrome)

Go to chrome://settings/certificates
Click Authorities → Import
Select server.crt and trust for websites

iOS

Email or AirDrop the .crt file
Open → Install profile
Settings → General → About → Certificate Trust Settings
Enable trust for OpenTranscribe

Android

Copy server.crt to device
Settings → Security → Install certificate
Select CA certificate

Step 5: Access via HTTPS

https://opentranscribe.local

All services are available through the reverse proxy:

Frontend: https://your-hostname
API: https://your-hostname/api
Flower: https://your-hostname/flower/
MinIO Console: https://your-hostname/minio/

Production Setup (Let's Encrypt)

For production with a public domain, use Let's Encrypt for trusted certificates.

Prerequisites

Domain name pointing to your server
Ports 80 and 443 accessible from internet

Generate Certificates

# Install certbot
sudo apt install certbot  # Ubuntu/Debian

# Stop services
./opentranscribe.sh stop

# Generate certificates
sudo certbot certonly --standalone -d transcribe.example.com

# Link certificates
mkdir -p nginx/ssl
sudo ln -sf /etc/letsencrypt/live/transcribe.example.com/fullchain.pem nginx/ssl/server.crt
sudo ln -sf /etc/letsencrypt/live/transcribe.example.com/privkey.pem nginx/ssl/server.key

Configure Environment

Edit .env:

NGINX_SERVER_NAME=transcribe.example.com
NGINX_CERT_FILE=/etc/letsencrypt/live/transcribe.example.com/fullchain.pem
NGINX_CERT_KEY=/etc/letsencrypt/live/transcribe.example.com/privkey.pem

Auto-Renewal

# Test renewal
sudo certbot renew --dry-run

# Add cron job
echo "0 0 1 * * certbot renew --quiet && docker compose restart nginx" | sudo tee -a /etc/crontab

Environment Variables

Variable	Default	Description
`NGINX_SERVER_NAME`	(none)	Hostname for NGINX. Setting this enables HTTPS.
`NGINX_HTTP_PORT`	`80`	HTTP port (redirects to HTTPS)
`NGINX_HTTPS_PORT`	`443`	HTTPS port
`NGINX_CERT_FILE`	`./nginx/ssl/server.crt`	Path to SSL certificate
`NGINX_CERT_KEY`	`./nginx/ssl/server.key`	Path to SSL private key

Troubleshooting

SSL Certificates Not Found

# Generate certificates
./scripts/generate-ssl-cert.sh opentranscribe.local --auto-ip

Browser Shows Security Warning

Expected with self-signed certificates. Options:

Trust the certificate on each device (recommended for homelab)
Use Let's Encrypt for publicly trusted certificates

Connection Refused on Port 443

# Check NGINX container
docker compose ps nginx
docker compose logs nginx

Microphone Still Not Working

Verify using HTTPS (not HTTP)
Check browser console for errors
Ensure certificate is trusted
Try incognito/private window

Advanced: Custom NGINX Configuration

Edit nginx/site.conf.template for customizations:

HTTP Basic Auth for Flower/MinIO
Custom headers
Rate limiting
Larger file upload limits

Restart after changes:

docker compose restart nginx

Why HTTPS?​

Quick Setup (Homelab/Local Network)​

Step 1: Run SSL Setup​

Step 2: Configure DNS​

Step 3: Restart Services​

Step 4: Trust the Certificate​

Windows​

macOS​

Linux (Chrome)​

iOS​

Android​

Step 5: Access via HTTPS​

Production Setup (Let's Encrypt)​

Prerequisites​

Generate Certificates​

Configure Environment​

Auto-Renewal​

Environment Variables​

Troubleshooting​

SSL Certificates Not Found​

Browser Shows Security Warning​

Connection Refused on Port 443​

Microphone Still Not Working​

Advanced: Custom NGINX Configuration​