ComfyUI SSL/TLS
| Method | Difficulty | Cost | Auto Renewal | Best For |
|---|---|---|---|---|
| Nginx + Let's Encrypt | Medium | Free | Yes (certbot) | Production Server |
| Caddy | Easy | Free | Yes (Built-in) | Quick Setup |
| Self-signed | Easy | Free | Manual | Internal/Dev |
| Cloudflare Tunnel | Easy | Free | Yes | No Port Forward |
| Traefik | Medium-High | Free | Yes (ACME) | Docker/K8s |
Nginx Configuration
# === Nginx Reverse Proxy for ComfyUI ===

# Step 1: Install Nginx
# sudo apt update && sudo apt install nginx

# Step 2: Create Nginx Config
# sudo nano /etc/nginx/sites-available/comfyui
# server {
#     listen 80;
#     server_name comfyui.example.com;
#
#     location / {
#         proxy_pass http://127.0.0.1:8188;
#         proxy_http_version 1.1;
#         proxy_set_header Upgrade $http_upgrade;
#         proxy_set_header Connection "upgrade";
#         proxy_set_header Host $host;
#         proxy_set_header X-Real-IP $remote_addr;
#         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#         proxy_set_header X-Forwarded-Proto $scheme;
#         proxy_read_timeout 86400;
#         client_max_body_size 100M;
#     }
# }

# Step 3: Enable site
# sudo ln -s /etc/nginx/sites-available/comfyui /etc/nginx/sites-enabled/
# sudo nginx -t && sudo systemctl reload nginx

# Step 4: Get SSL Certificate
# sudo apt install certbot python3-certbot-nginx
# sudo certbot --nginx -d comfyui.example.com

from dataclasses import dataclass

@dataclass
class SetupStep:
    step: int
    action: str
    command: str
    verify: str

steps = [
    SetupStep(1, "Install Nginx",
        "sudo apt update && sudo apt install nginx -y",
        "sudo systemctl status nginx (Active: running)"),
    SetupStep(2, "Create Config",
        "sudo nano /etc/nginx/sites-available/comfyui",
        "sudo nginx -t (syntax is ok)"),
    SetupStep(3, "Enable Site",
        "sudo ln -s /etc/nginx/sites-available/comfyui /etc/nginx/sites-enabled/",
        "curl http://localhost → ComfyUI"),
    SetupStep(4, "Install Certbot",
        "sudo apt install certbot python3-certbot-nginx -y",
        "certbot --version"),
    SetupStep(5, "Get Certificate",
        "sudo certbot --nginx -d comfyui.example.com",
        "https://comfyui.example.com → ComfyUI"),
    SetupStep(6, "Auto Renewal",
        "sudo certbot renew --dry-run",
        "crontab -l → certbot renew ทุกวัน"),
]

print("=== Setup Steps ===")
for s in steps:
    print(f" Step {s.step}: {s.action}")
    print(f" Command: {s.command}")
    print(f" Verify: {s.verify}")
Alternative Methods
# === Caddy & Self-signed & Cloudflare ===

# Method 2: Caddy (Easiest)
# sudo apt install caddy
# sudo nano /etc/caddy/Caddyfile
#
# comfyui.example.com {
#     reverse_proxy localhost:8188
# }
#
# sudo systemctl restart caddy
# Done! Caddy auto-gets Let's Encrypt certificate

# Method 3: Self-signed Certificate
# openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
#     -keyout /etc/ssl/private/comfyui.key \
#     -out /etc/ssl/certs/comfyui.crt \
#     -subj "/CN=comfyui.local"

# Method 4: Cloudflare Tunnel
# curl -L https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64 -o cloudflared
# chmod +x cloudflared
# ./cloudflared tunnel login
# ./cloudflared tunnel create comfyui
# ./cloudflared tunnel route dns comfyui comfyui.example.com
# ./cloudflared tunnel run --url http://localhost:8188 comfyui

from dataclasses import dataclass

@dataclass
class Method:
    method: str
    pros: str
    cons: str
    setup_time: str
    use_case: str

methods = [
    Method("Caddy Reverse Proxy",
        "Auto HTTPS, Config 2 บรรทัด, Auto Renewal",
        "ไม่ Flexible เท่า Nginx, Community เล็กกว่า",
        "5 นาที",
        "Quick Setup, Small Project"),
    Method("Self-signed Certificate",
        "ไม่ต้องมี Domain, ใช้ IP ได้, Offline ได้",
        "Browser Warning, ต้อง Accept ทุกครั้ง",
        "5 นาที",
        "Internal Use, Development, LAN"),
    Method("Cloudflare Tunnel",
        "ไม่ต้องเปิด Port, ไม่ต้องมี Public IP, HTTPS อัตโนมัติ",
        "ต้องมี Cloudflare Account, Latency เพิ่มเล็กน้อย",
        "10 นาที",
        "Home Server, No Port Forward, Dynamic IP"),
    Method("Traefik (Docker)",
        "Auto HTTPS, Docker Native, Load Balancing",
        "ซับซ้อน, เรียนรู้นาน",
        "30 นาที",
        "Docker Compose, Multi-service"),
]

print("=== Alternative Methods ===")
for m in methods:
    print(f"\n [{m.method}]")
    print(f" Pros: {m.pros}")
    print(f" Cons: {m.cons}")
    print(f" Setup: {m.setup_time}")
    print(f" Use: {m.use_case}")
Security Hardening
# === Security Best Practices ===

from dataclasses import dataclass

@dataclass
class SecurityRule:
    rule: str
    config: str
    impact: str

rules = [
    SecurityRule("TLS 1.2+ Only",
        "ssl_protocols TLSv1.2 TLSv1.3; (Nginx)",
        "ปิด TLS 1.0/1.1 ที่มีช่องโหว่"),
    SecurityRule("Strong Cipher Suite",
        "ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:...;",
        "ใช้เฉพาะ Cipher ที่แข็งแรง"),
    SecurityRule("HSTS Header",
        "add_header Strict-Transport-Security 'max-age=31536000';",
        "บังคับ Browser ใช้ HTTPS เสมอ"),
    SecurityRule("Firewall",
        "sudo ufw allow 443/tcp && sudo ufw deny 8188",
        "เปิดเฉพาะ HTTPS ปิด ComfyUI Port จากภายนอก"),
    SecurityRule("Basic Auth",
        "auth_basic 'ComfyUI'; auth_basic_user_file /etc/nginx/.htpasswd;",
        "ต้อง Login ก่อนเข้า ComfyUI"),
    SecurityRule("Rate Limiting",
        "limit_req_zone $binary_remote_addr zone=comfyui:10m rate=10r/s;",
        "ป้องกัน DDoS Abuse"),
]

print("=== Security Rules ===")
for r in rules:
    print(f" [{r.rule}]")
    print(f" Config: {r.config}")
    print(f" Impact: {r.impact}")
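An added example, not code from the original page: a small Python audit that checks an Nginx config for the hardening rules listed above, run on a constructed hardened server block and on the page's Step 2 HTTP-only config. It also requires a `limit_req` line, because `limit_req_zone` on its own only declares a zone and enforces nothing. The certificate paths, `burst=20`, the `always` flag, and the names `directives`, `audit`, `HARDENED` and `PAGE_STEP2` are assumptions of this example.

```python
import re
# Constructed sample (not from the page): Step 2's proxy block served on 443 with
# the hardening rules applied; certificate paths and burst=20 are assumptions.
HARDENED = """
limit_req_zone $binary_remote_addr zone=comfyui:10m rate=10r/s;
server {
    listen 443 ssl;
    ssl_certificate     /etc/letsencrypt/live/comfyui.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/comfyui.example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security 'max-age=31536000' always;
    location / {
        auth_basic 'ComfyUI'; auth_basic_user_file /etc/nginx/.htpasswd;
        limit_req zone=comfyui burst=20;
        proxy_pass http://127.0.0.1:8188; proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade";
    }
}
"""
# The page's Step 2 config (plain HTTP, before certbot), condensed to one string.
PAGE_STEP2 = ('server { listen 80; location / { proxy_pass http://127.0.0.1:8188; '
              'proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } }')

def directives(conf):
    """Map directive name -> argument strings (naive split: no ';' inside quotes)."""
    found = {}
    for chunk in re.split(r"[;{}]", re.sub(r"#.*", "", conf)):  # comments dropped
        parts = chunk.split(None, 1)
        if len(parts) == 2:
            found.setdefault(parts[0], []).append(parts[1].strip())
    return found

def audit(conf):
    d = directives(conf)
    protos = set(" ".join(d.get("ssl_protocols", [])).split())
    hdrs = {h.split()[0].lower() for h in d.get("proxy_set_header", [])}
    return {
        "tls12_plus": bool(protos) and not protos & {"SSLv3", "TLSv1", "TLSv1.1"},
        "hsts": any(a.startswith("Strict-Transport-Security") for a in d.get("add_header", [])),
        "basic_auth": "auth_basic_user_file" in d,
        # limit_req_zone only declares the zone; limit_req is what enforces it
        "rate_limit": "limit_req_zone" in d and any(a.startswith("zone=") for a in d.get("limit_req", [])),
        "websocket": {"upgrade", "connection"} <= hdrs,
        "loopback_upstream": "proxy_pass" in d and all(
            re.match(r"https?://(127\.0\.0\.1|localhost)(:|/|$)", p) for p in d["proxy_pass"]),
    }

if __name__ == "__main__":
    print({n: audit(c) for n, c in (("hardened", HARDENED), ("page step 2", PAGE_STEP2))})
```

The audit only reads the proxy config; whether ComfyUI itself listens on loopback and whether port 8188 is blocked by the firewall still has to be checked on the host.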
Tips
- Caddy: for the simplest setup, use Caddy; the config is 2 lines.
- WebSocket: the Upgrade and Connection headers must be set in Nginx for ComfyUI.
- Firewall: close port 8188 to outside access and open only 443.
- Renewal: Let's Encrypt certificates expire after 90 days, so set up auto renewal.
- Auth: add Basic Auth or OAuth to keep strangers out.
Why use SSL/TLS with ComfyUI
HTTP is plaintext and can be eavesdropped, exposing prompts, images, and API keys. Browsers block mixed content, and the Clipboard API requires HTTPS. It is also a security best practice.
How to set it up
Nginx with proxy_pass and certbot (Let's Encrypt); Caddy with a 2-line config; a self-signed certificate with openssl; Cloudflare Tunnel with cloudflared; Traefik with Docker.
How to use Nginx
Run apt install nginx, create the config in sites-available with proxy_pass to 127.0.0.1:8188 and the WebSocket Upgrade headers, run certbot --nginx for the domain, set up auto renewal with cron, and set client_max_body_size.
What are the Security Best Practices
TLS 1.2+, strong ciphers, HSTS, a firewall that opens only 443, Basic Auth, rate limiting, CORS, access logs, certificate monitoring, and private key backup.
Summary
ComfyUI over SSL/TLS (HTTPS): Nginx with Let's Encrypt, Caddy, a self-signed certificate, or Cloudflare Tunnel as the reverse proxy, with WebSocket support, a firewall, and authentication for security.
