# Reverse Proxying SillyTavern

Is Termux confusing to setup? Are you tired of updating and installing ST on every device you have? Want organization of your chats and characters? Well you are in luck. This guide will hopefully cover how to host SillyTavern on your PC where you can connect from anywhere and chat to your bots on the same PC you use to run AI models!

# Fair Warning

You will have to buy a domain for yourself and configure a CNAME for your SillyTavern page. We suggest adding or buying the domain on Cloudflare as this guide will cover how to do this with Cloudflare itself.

# Installation

# Linux (Bare-Metal SillyTavern)

For Linux, we will reverse proxying SillyTavern through Traefik. There are other options such as NGINX or Caddy, but for this guide, we will use Traefik as it is what we use ourselves.

1. Get the private IP of your computer using ifconfig or from your router.

   Tip

   It is recommended to set your private IP to a Static IP. Refer to your router's manual or Google to configure static IPs.

2. Get your public IP of your modem by Googling what's my ip.

   About Public IPs

   Most residential/home networks use Dynamic IPs which are renewed after months of use. If you have a dynamic IP, use either DDClient or remember to check and change your public IP ever so often on the Cloudflare Dashboard.

3. Install Docker by following the Docker installation guide here.

   Note

   Do not install Docker Desktop.

4. Follow the steps in Manage Docker as a non-root user in the Docker post-installation guide here.

5. Go to your root folder in Linux and make a new folder named docker.

   cd /
   sudo mkdir docker && cd docker

6. Execute chown, replacing with your Linux username to set the permissions in the docker folder.

   sudo chown -R <USER>:<USER> .

7. Make a folder inside the docker folder, that being secrets and inside secrets being cloudflare.

   mkdir secrets && mkdir secrets/cloudflare

8. Make a folder inside the docker folder, that being appdata and inside appdata being traefik. Enter the appdata/traefik folder afterwards.

   mkdir appdata && mkdir appdata/traefik
   cd appdata/traefik

9. Create a acme.json file using touch and set the permissions of it to 600.

   touch acme.json
   chmod 600 acme.json

10. Using nano or a similar editor, create a file name traefik.yml and paste the following. Replace the template email with your own, then save the file.

    api:
        dashboard: true
        debug: true
        insecure: true
    entryPoints:
        http:
            address: ":80"
            http:
                redirections:
                    entryPoint:
                        to: https
                        scheme: https
        https:
            address: ":443"
    serversTransport:
        insecureSkipVerify: true
    providers:
        docker:
            endpoint: "unix:///var/run/docker.sock"
            exposedByDefault: false
        file:
            filename: /config.yml
            watch: true
    certificatesResolvers:
        cloudflare:
            acme:
                email: YOUR_CLOUDFLARE_EMAL@DOMAIN.com
                storage: acme.json
                dnsChallenge:
                    provider: cloudflare
                    #disablePropagationCheck: true  # uncomment this if you have issues pulling certificates through cloudflare, By setting this flag to true disables the need to wait for the propagation of the TXT record to all authoritative name servers.
                    resolvers:
                        - "1.1.1.1:53"
                        - "1.0.0.1:53"

11. Return back to the docker folder.

    cd /docker

12. Using nano or a similar editor, create a file name docker-compose.yaml and paste the following. Save the file afterwards.

    secrets:
        CF_DNS_API_KEY:
            file: ./secrets/cloudflare/CF_DNS_API_KEY
    
    services:
        traefik:
            image: traefik:latest
            container_name: traefik
            restart: unless-stopped
            secrets:
                - CF_DNS_API_KEY
            ports:
                - 80:80
                - 443:443
                - 8080:8080
            environment:
                CLOUDFLARE_DNS_API_TOKEN_FILE: /run/secrets/CF_DNS_API_KEY
                CLOUDFLARE_ZONE_API_TOKEN_FILE: /run/secrets/CF_DNS_API_KEY
            volumes:
                - /var/run/docker.sock:/var/run/docker.sock:ro
                - ./appdata/traefik/traefik.yml:/traefik.yml:ro
                - ./appdata/traefik/config.yml:/config.yml:ro
                - ./appdata/traefik/acme.json:/acme.json
                - /etc/localtime:/etc/localtime:ro
    
    networks:
        internal:
            driver: bridge

13. Login to Cloudflare and click on your Domain, followed by Get your API token.

14. Click on Create Token then Create Custom Token and make sure you give your token the following permissions.

    Token Permissions

    Zone -> DNS -> Edit

    Zone -> Zone -> Read

    Click on Continue to summary followed by Create Token.

15. Copy the Token Key given to you and store it somewhere secure.

16. cd into secrets/cloudflare and using nano or a similar editor, create a file named CF_DNS_API_KEY and paste your key inside.

17. Return to your domain page and go to DNS. Create a new record using Add record and create two A type keys like the ones below. Replace PUBLIC_IP with your own public IP, then click Save.

    Type	Name (required)	Target (required)	Proxy Status	TTL
    A	DOMAIN.com	PUBLIC_IP	Proxied	Auto
    A	www	PUBLIC_IP	Proxied	Auto

18. Create another record of the CNAME type, then click Save. Here is an example on how it should appear on the Cloudflare dashboard.

    Type	Name (required)	Target (required)	Proxy Status	TTL
    CNAME	silly	DOMAIN.com	Proxied	N/A

19. cd into appdata/traefik and using nano or a similar editor, create a file name config.yml and paste the following. Replace PRIVATE_IP with the private IP you obtained, and silly.DOMAIN.com with the name of your subdomain and domain page, then save the file.

    http:
        routers:
            sillytavern:
                entryPoints:
                    - "https"
                rule: "Host(`silly.DOMAIN.com`)"
                middlewares:
                    - https-redirectscheme
                tls: {}
                service: sillytavern
    
        services:
            sillytavern:
                loadBalancer:
                    servers:
                        - url: "http://PRIVATE_IP:8000"
                    passHostHeader: true
    
        middlewares:
            https-redirectscheme:
                redirectScheme:
                    scheme: https
                    permanent: true

20. Run Docker Compose using the following commands:

    cd /docker
    docker compose up -d

21. Go to your SillyTavern folder and edit config.yaml to enable listen mode and basic authentication, whilst disabling whitelistMode.

    listen: yes
    whitelistMode: false
    basicAuthMode: true

    Tip

    Make sure to change the default username and password to something strong that you can remember.

22. Wait a few minutes, then open your domain page you made for ST. At the end of it, you should be able to open SillyTavern from anywhere you go just with one URL and one account.

    Tip

    If nothing happens after several minutes, check the container logs for Traefik for any possible errors.

23. Enjoy! :D

# Linux (Docker SillyTavern)

1. Follow Steps 1-11 of Linux (Bare-Metal SillyTavern).

2. Login to Cloudflare and click on your Domain, followed by Get your API token.

3. Click on Create Token then Create Custom Token and make sure you give your token the following permissions.

   Token Permissions

   Zone -> DNS -> Edit

   Zone -> Zone -> Read

   Click on Continue to summary followed by Create Token.

4. Copy the Token Key given to you and store it somewhere secure.

5. cd into secrets/cloudflare and using nano or a similar editor, create a file named CF_DNS_API_KEY and paste your key inside.

6. Return to your domain page and go to DNS. Create a new record using Add record and create two A type keys like the ones below. Replace PUBLIC_IP with your own public IP and the example domain with your domain, then click Save.

   Type	Name (required)	Target (required)	Proxy Status	TTL
   A	DOMAIN.com	PUBLIC_IP	Proxied	Auto
   A	www	PUBLIC_IP	Proxied	Auto

7. Create another record of the CNAME type, then click Save. Here is an example on how it should appear on the Cloudflare dashboard.

   Type	Name (required)	Target (required)	Proxy Status	TTL
   CNAME	silly	DOMAIN.com	Proxied	N/A

8. Git clone SillyTavern into the docker folder.

   cd /docker && git clone https://github.com/SillyTavern/SillyTavern

9. Using nano or a similar editor, create a file name docker-compose.yaml and paste the following. Replace silly.DOMAIN.com with the subdomain you added above, the save the file afterwards.

   secrets:
       CF_DNS_API_KEY:
           file: ./secrets/cloudflare/CF_DNS_API_KEY
   
   services:
       traefik:
           image: traefik:latest
           container_name: traefik
           restart: unless-stopped
           secrets:
               - CF_DNS_API_KEY
           ports:
               - 80:80
               - 443:443
               - 8080:8080
           environment:
               CLOUDFLARE_DNS_API_TOKEN_FILE: /run/secrets/CF_DNS_API_KEY
               CLOUDFLARE_ZONE_API_TOKEN_FILE: /run/secrets/CF_DNS_API_KEY
           volumes:
               - /var/run/docker.sock:/var/run/docker.sock:ro
               - ./appdata/traefik/traefik.yml:/traefik.yml:ro
               - ./appdata/traefik/config.yml:/config.yml:ro
               - ./appdata/traefik/acme.json:/acme.json
               - /etc/localtime:/etc/localtime:ro
       sillytavern:
           build: ./SillyTavern
           container_name: sillytavern
           hostname: sillytavern
           image: ghcr.io/sillytavern/sillytavern:latest
           volumes:
               - "./appdata/sillytavern/config:/home/node/app/config"
               - "./appdata/sillytavern/data:/home/node/app/data"
           restart: unless-stopped
           labels:
               - "traefik.enable=true"
               - "traefik.http.routers.sillytavern.entrypoints=http"
               - "traefik.http.routers.sillytavern.rule=Host(`silly.DOMAIN.com`)"
               - "traefik.http.middlewares.sillytavern-https-redirect.redirectscheme.scheme=https"
               - "traefik.http.routers.sillytavern.middlewares=sillytavern-https-redirect"
               - "traefik.http.routers.sillytavern-secure.entrypoints=https"
               - "traefik.http.routers.sillytavern-secure.rule=Host(`silly.DOMAIN.com`)"
               - "traefik.http.routers.sillytavern-secure.tls=true"
               - "traefik.http.routers.sillytavern-secure.service=sillytavern"
               - "traefik.http.services.sillytavern.loadbalancer.server.port=8000"
   
   networks:
       internal:
           driver: bridge

10. Run Docker Compose using the following commands:

    docker compose up -d

11. Stop the SillyTavern Docker container.

    docker compose stop sillytavern

12. Go to your SillyTavern folder (appdata/sillytavern/config) and edit config.yaml to enable listen mode and basic authentication, whilst disabling whitelistMode.

    listen: yes
    whitelistMode: false
    basicAuthMode: true

    Tip

    Make sure to change the default username and password to something strong that you can remember.

13. Start the SillyTavern Docker container again.

    docker compose up -d sillytavern

14. Wait a few minutes, then open your domain page you made for ST. At the end of it, you should be able to open SillyTavern from anywhere you go just with one URL and one account.

    Tip

    If nothing happens after several minutes, check the container logs for Traefik for any possible errors.

15. Enjoy! :D

# Windows

With Windows, reverse proxying is a bit different. Currently your only options available for Windows (from what we know) is by running a VPN on your router or a Cloudflare/NGROK Tunnel. Refer to Other Options for more information.

# Optional Things

While we won't necessarily cover these things in much detail, here are some things we suggest trying to use if you want to secure your SillyTavern instance better. (Stuff will be added when it fits)

1. Use Authelia or Authentik.

   Authelia/Authentik is a open-source single sign-on (SSO) app that allows you to create users and secure many different pages using a login portal presented on sites you want to secure. One of us primarily use this over ST's basic authentication for their own domain use and while it is complex to setup, it is a good way to both learn SSO and secure your ST instance out on the internet more.

   If you plan to use Authelia over ST's basic auth, you must disable basicAuthMode and enable securityOverride in config.yaml.

2. Use DDClient.

   DDClient allows you to sync your public IP to Cloudflare in the situation that your ISP changes it, allowing you to continue accessing your ST instance as if nothing ever happened.

# Other Options

If reverse proxying is a bit much for you, there are still other ways to connect to your ST instance.

1. Use a home-made VPN.

   Several routers come with the ability to host a VPN server (primarily OpenVPN or WireGuard) in the router administration page. Refer to your router's manual to setup a VPN and add your devices to the VPN. Once connected, just go to the private IP you have set for SillyTavern and you can connect just fine. Easier for users and for Windows use.

2. Use Cloudflare Zero Trust.

   Cloudflare Zero Trust is a free organizational feature in Cloudflare that allows you to add 50 users. This will proxy your traffic through Cloudflare and by adding your ST PC as a tunnel using cloudflared, you can connect to your ST instance as if you were home.

   Do note that after making a tunnel, you will have to add a route to your router's private IP addresses and calculate IP CIDR values to have full local access on the go using Cloudflare Zero Trust.

3. Use a standalone Cloudflare/NGROK Tunnel.

   Similar to how AI backends can connect, you can also connect your ST instance via a Cloudflare Tunnel and open the Cloudflare Tunnel page. However, you will have to copy and paste each new link generated by Cloudflare/NGROK each time you want to use ST on-the-go.