Building a Secure Full-Stack LLM Platform on iarium.com
This article documents the full installation and configuration of a secure Large Language Model (LLM) platform hosted on iarium.com.
The objective is to deploy a production-grade AI stack with:
- Hardened SSH access
- Strict firewalling (UFW)
- Intrusion protection (Fail2Ban)
- Local LLM inference (Ollama)
- Web interface (OpenWebUI in Docker)
- HTTPS reverse-proxy with automatic certificates (Caddy)
All steps below were executed on a Debian-based VPS.
1. Server Hardening (SSH, UFW, Fail2Ban)
SSH Configuration
sudo nano /etc/ssh/sshd_config
The directives changed are not reproduced in the original. For the "hardened SSH access" the introduction promises, this is where password logins are turned off (PasswordAuthentication no) and root login refused (PermitRootLogin no), with an SSH key already installed for the admin user. Validate the file with `sudo sshd -t` before restarting sshd, and keep the current session open until a second login succeeds. The restriction of port 22 to specific source IPs is enforced by the UFW rule below, not by sshd.
Install Fail2Ban
sudo apt install fail2ban
sudo systemctl enable --now fail2ban
No reboot is needed. The Debian package ships with the sshd jail enabled (/etc/fail2ban/jail.d/defaults-debian.conf); confirm it is running with `sudo fail2ban-client status sshd`, which also lists currently banned addresses.
Firewall Reset & Reconfiguration
sudo apt install ufw
sudo ufw --force reset
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow from YOUR_IP to any port 22 proto tcp
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable
sudo ufw logging on
The package has to be installed before it can be reset (the original listed these two steps the other way round). The port-22 rule must exist before `ufw enable`, or the session is cut off; YOUR_IP is the static address you administer from. Ports 11434 (Ollama) and 3000 (OpenWebUI) are deliberately not opened: they are only reachable through Caddy on 443.
Monitoring
sudo ufw status numbered
sudo journalctl -u fail2ban.service -n 200 -o cat
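To turn the firewall policy above into a repeatable check, here is a small POSIX shell audit of `sudo ufw status numbered` output. It is an added example, not part of the original write-up: any ALLOW IN rule whose source is "Anywhere" on a port other than 80/tcp or 443/tcp is reported (which also catches 22/tcp accidentally left open to the world). The sample status output is constructed; on the real host pipe the ufw command into check_ufw_rules.

```shell
#!/bin/sh
# Added example (not from the original write-up): audit `ufw status numbered`
# against the policy of this section. Only 80/tcp and 443/tcp may allow
# "Anywhere"; 22/tcp must be tied to a single source address.

# Reads `sudo ufw status numbered` output on stdin and prints one line per
# rule that violates the policy; prints nothing when the rule set is clean.
check_ufw_rules() {
    while IFS= read -r line; do
        case "$line" in
            \[*\]*) ;;          # only numbered rule lines, "[ 3] 443/tcp  ALLOW IN  Anywhere"
            *) continue ;;
        esac
        rule=${line#*]}         # drop the "[ n]" prefix
        # shellcheck disable=SC2086  # word-split the rule into its columns
        set -- $rule
        to=$1
        if [ "$2" = "(v6)" ]; then shift; fi   # "80/tcp (v6)" carries an extra token
        action="$2 $3"
        shift 3
        from=$*
        [ "$action" = "ALLOW IN" ] || continue
        case "$from" in
            Anywhere*)
                case "$to" in
                    80/tcp|443/tcp) ;;
                    *) printf 'open to the world: %s (%s)\n' "$to" "$from" ;;
                esac
                ;;
        esac
    done
}

# Constructed sample: the intended rules plus two mistakes (3000/tcp published
# to everyone, and a second 22/tcp rule without a source restriction).
SAMPLE='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    203.0.113.10
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 443/tcp                    ALLOW IN    Anywhere
[ 4] 3000/tcp                   ALLOW IN    Anywhere
[ 5] 22/tcp                     ALLOW IN    Anywhere
[ 6] 80/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 7] 443/tcp (v6)               ALLOW IN    Anywhere (v6)'

audit_sample_rules() {
    printf '%s\n' "$SAMPLE" | check_ufw_rules
}

# On the real host: sudo ufw status numbered | check_ufw_rules
audit_sample_rules
```

Run against the sample it reports rules 4 and 5 and nothing else. Note that it only judges what UFW knows about; Docker-published ports never appear here, which is why the bind-address audit in section 3 is a separate check.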
2. Installing Ollama (LLM Backend)
Installation
curl -fsSL https://ollama.com/install.sh | sh
sudo systemctl enable --now ollama
Piping a remote script straight into a shell runs it unreviewed; on a server you intend to call hardened, fetch it first (curl -fsSL https://ollama.com/install.sh -o install.sh), read it, then run it. The script installs Ollama as a systemd unit, so the enable command is idempotent.
Pulling Models
ollama pull llama3.1:8b-instruct
ollama pull llama3
ollama pull phi3
Exposing the API Externally
Ollama binds to 127.0.0.1 by default. Caddy only needs that loopback address, but OpenWebUI runs in a Docker container (next section) and reaches the host through host.docker.internal, so Ollama has to listen on an interface the Docker bridge can reach. Set this with a systemd drop-in rather than by editing the unit file the installer wrote:
sudo systemctl edit ollama
[Service]
Environment=OLLAMA_HOST=0.0.0.0
Environment=OLLAMA_ORIGINS=*
Two caveats. With OLLAMA_HOST=0.0.0.0 the UFW default-deny policy is the only thing keeping port 11434 off the internet, so the firewall check matters. OLLAMA_ORIGINS=* is not needed by Caddy or OpenWebUI, which call Ollama server-side; it only relaxes the Origin check for browsers calling the API directly, so leave it out unless that is actually required.
Reload:
sudo systemctl daemon-reload
sudo systemctl restart ollama
API Test
curl http://127.0.0.1:11434/api/version
3. Running OpenWebUI (Front-End)
Docker publishes ports through its own iptables rules, which are evaluated before UFW's, so a plain -p 3000:8080 would expose OpenWebUI on every interface regardless of the firewall. Bind the published port to loopback so that only Caddy can reach it:
sudo docker run -d --name openwebui \
  -p 127.0.0.1:3000:8080 \
  --add-host=host.docker.internal:host-gateway \
  -e OLLAMA_BASE_URL=http://host.docker.internal:11434 \
  -v openwebui_data:/app/backend/data \
  --restart unless-stopped \
  ghcr.io/open-webui/open-webui:main
The first account registered in OpenWebUI becomes the administrator, so create it yourself as soon as the proxy is up.
Backend Status Check
sudo docker ps
sudo docker logs openwebui 2>&1 | grep -i ollama
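The Docker/UFW interaction above is easiest to catch by looking at bind addresses rather than firewall rules. The following POSIX shell audit is an added example, not code from the original write-up: it reads `ss -Hltn` output and lists every TCP listener bound to a wildcard address whose port is not one of the ones meant to be public. The sample socket table is constructed to show both the intended state (Ollama on all interfaces, as configured in section 2, guarded only by UFW) and the -p 3000:8080 mistake (OpenWebUI reachable from outside despite UFW).

```shell
#!/bin/sh
# Added example, not from the original write-up: list every TCP listener bound
# to a wildcard address that is not one of the ports meant to be public.
# Docker's -p publishes through its own iptables rules, ahead of UFW, so a
# wildcard bind on 3000 is reachable from the internet whatever `ufw status`
# says. Input is `ss -Hltn` output; the sample below is constructed.

# Ports allowed to listen on all interfaces: SSH (UFW limits the source) and Caddy.
ALLOWED_WILDCARD_PORTS="22 80 443"

is_allowed_port() {
    for p in $ALLOWED_WILDCARD_PORTS; do
        if [ "$1" = "$p" ]; then return 0; fi
    done
    return 1
}

# Reads `ss -Hltn` lines on stdin; prints the local address of every wildcard
# listener (0.0.0.0:, *: or [::]:) that is not in the allow-list, one per line.
audit_listeners() {
    while read -r _state _recvq _sendq laddr _peer _rest; do
        case "$laddr" in
            0.0.0.0:*|\*:*|\[::\]:*)
                port=${laddr##*:}
                if ! is_allowed_port "$port"; then
                    printf '%s\n' "$laddr"
                fi
                ;;
        esac
    done
}

# Constructed sample: sshd and Caddy where they belong, Ollama on all
# interfaces as configured in section 2 (flagged: only UFW guards it), and
# OpenWebUI published by Docker on all interfaces (flagged: UFW is bypassed).
SAMPLE='LISTEN 0 4096 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 *:11434 *:*
LISTEN 0 4096 0.0.0.0:3000 0.0.0.0:*
LISTEN 0 511 *:80 *:*
LISTEN 0 511 *:443 *:*
LISTEN 0 4096 [::]:3000 [::]:*'

audit_sample_listeners() {
    printf '%s\n' "$SAMPLE" | audit_listeners
}

# On the real host: ss -Hltn | audit_listeners
audit_sample_listeners
```

With the corrected -p 127.0.0.1:3000:8080 the two 3000 entries disappear and only *:11434 remains, which is the expected state for this design: acceptable as long as UFW stays in front of it, and a finding if the firewall is ever reset.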
4. HTTPS Reverse-Proxy Using Caddy
Install Caddy
sudo apt install caddy
Example Caddyfile (/etc/caddy/Caddyfile)
iarium.com {
reverse_proxy 127.0.0.1:11434
}
chat.iarium.com {
reverse_proxy 127.0.0.1:3000
}
Caddy obtains and renews the certificates for both names automatically, provided ports 80 and 443 are open (they are, from the UFW step) and the DNS records point at this server. Note what the first block does: Ollama has no authentication of its own, so proxying it as-is publishes the whole API, including model pull and delete endpoints, to anyone who can reach iarium.com. OpenWebUI does not need this route (it talks to Ollama directly on the host), so either drop the block or put authentication in front of it.
Reload:
sudo systemctl reload caddy
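The same Caddyfile with the Ollama API gated by HTTP basic auth, as an added example rather than the configuration from the original write-up. The username "api" is an assumption; the password hash is whatever `caddy hash-password` prints for the chosen password. The directive is spelled basicauth in the Caddy 2.6 that Debian ships and basic_auth from Caddy 2.8 (the old spelling still works there).

```caddyfile
iarium.com {
    # Ollama has no authentication of its own; gate the proxied API with
    # HTTP basic auth. Username "api" and the hash are assumptions: generate
    # the hash with `caddy hash-password` and paste its output here.
    basicauth {
        api <bcrypt hash printed by caddy hash-password>
    }
    reverse_proxy 127.0.0.1:11434
}

chat.iarium.com {
    reverse_proxy 127.0.0.1:3000
}
```

Check the file with `caddy validate --config /etc/caddy/Caddyfile --adapter caddyfile` before the reload; with the gate in place, the section 5 test `curl -I https://iarium.com/api/version` should return 401 until a -u api:PASSWORD is added.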
DNS Diagnostics
dig +short chat.iarium.com
host chat.iarium.com
5. Final End-to-End Tests
curl -I http://127.0.0.1:11434/api/version
curl -I http://127.0.0.1:3000
curl -I https://iarium.com/api/version
curl -I https://chat.iarium.com
The first two are run on the server and confirm the backends are up; the last two are run from an outside machine and confirm the public path through Caddy. Complete the test from that outside machine by also requesting the public IP on ports 11434 and 3000 directly: both must fail (connection refused or timeout). If either answers, a service is bound to a public interface without the firewall in front of it, which on this stack usually means a Docker -p mapping that was not pinned to 127.0.0.1.
6. Resulting Architecture
                +----------------------+
                |       Internet       |
                +----------+-----------+
                           | 80/443 (HTTPS); 22/tcp from YOUR_IP only
                +----------+-----------+
                |   UFW + Fail2Ban     |
                +----------+-----------+
                           |
+--------------------------+---------------------------+
|                     Caddy Proxy                      |
|  iarium.com       → 127.0.0.1:11434 (Ollama API)     |
|  chat.iarium.com  → 127.0.0.1:3000  (OpenWebUI)      |
+-------------+--------------------------+-------------+
              |                          |
    +---------+--------+       +---------+--------+
    |    Ollama LLM    | <---- |    OpenWebUI     |
    |  (local models)  |       |     (Docker)     |
    |    11434/tcp     |       | 127.0.0.1:3000   |
    +------------------+       +------------------+
The firewall sits at the edge, in front of Caddy (the original diagram placed it between Caddy and the backends, which is not where packet filtering happens). Only Caddy's ports are open to the internet; OpenWebUI reaches Ollama over the Docker host gateway, and Caddy reaches both over loopback.
7. Asking the Model
The request below, as written in the original, is sent to the server's public address on port 11434. It only works from the server itself: traffic from the host to its own address goes over the loopback interface, which UFW permits, while from any other machine port 11434 is denied and the same request has to go through Caddy at https://iarium.com/api/generate instead. The prompt is translated from the French original.
curl http://5.135.138.96:11434/api/generate -d '{ "model":"llama3", "prompt":"Explain the difference between a server and a client in 3 points." }'
Conclusion
The platform on iarium.com now runs modern LLMs locally behind a TLS-terminating proxy, with SSH limited to a known source address, a default-deny firewall, Fail2Ban on the SSH port and the web interface served over HTTPS. One gap remains before it can honestly be called production-grade: the Ollama API is published at iarium.com with no authentication, so anyone on the internet can run inference through it and pull or delete models. Either remove that site block from the Caddyfile, since OpenWebUI does not need it, or put an authentication layer in front of it before treating the stack as finished.