I want to host Ollama on a central server in my office so my team can use it as a backend for their local coding assistants. However, it only binds to 127.0.0.1 by default. How do I change the host settings for Ollama without leaving the port completely open to the public internet? We are worried about unauthorized access to our private models.
3 answers
The easiest way is to set the OLLAMA_HOST environment variable to 0.0.0.0:11434. This allows the service to listen on all network interfaces. However, for real security, you should put an Nginx reverse proxy in front of it. Within Nginx, you can whitelist specific IP addresses from your office subnet and block everything else. I set this up for my dev team in late 2023, and it works perfectly. We even added a basic auth layer so that even if someone gets onto our Wi-Fi, they still can't hit the Ollama endpoints without a proper set of credentials.
Have you considered using a tool like Tailscale to create a private mesh network instead of messing with firewall rules?
You also need to set OLLAMA_ORIGINS if you plan on accessing the API through a browser-based frontend like Open WebUI.
Exactly, Laura. Without setting the origins, the browser will block the requests due to CORS policies, even if the Ollama service itself is reachable on the network.
Tailscale is a great shout, Jeffrey. It allows the team to access the Ollama instance as if it were local, even if they are working from home, without ever exposing the port to the "real" public internet.