在Ubuntu下使用Api-key的方式安全部署ollama
我来为你提供一个完整的 Ubuntu 生产环境 Ollama API Key 部署指南。
一、安装 Ollama
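# 1. Download the installer to a temp file, read it, then run it.
#    Piping curl straight into sh executes whatever the server returned without any
#    chance to look at it; saving it first keeps that review step (the script itself
#    asks for sudo where it needs root).
installer=$(mktemp) || exit 1
curl -fsSL https://ollama.com/install.sh -o "$installer"
less "$installer"                      # inspect before executing
sh "$installer" && rm -f -- "$installer"
# 2. Verify the installation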
ollama --version
二、配置生产环境(API Key 认证)
Ollama 本身不直接支持 API Key,但我们可以通过 Nginx 反向代理 + Lua 认证 或 轻量级 API 网关 来实现生产级的 API Key 保护。
方案 A:使用 Nginx + Lua 实现 API Key(推荐)
# 1. Install OpenResty (Nginx bundled with the Lua module used for the API-key check below)
sudo apt-get update
# software-properties-common provides the add-apt-repository command used next
sudo apt-get install -y software-properties-common
sudo add-apt-repository -y ppa:openresty/ppa
sudo apt-get update
sudo apt-get install -y openresty
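# 2. Directory for the per-site configs that nginx.conf includes
sudo mkdir -p /etc/openresty/conf.d
# 3. Generate a 256-bit random API key (keep it somewhere safe!).
#    Check the result: if openssl is missing or fails, API_KEY would otherwise be empty
#    and the gateway config written later would silently contain an empty key.
if ! API_KEY=$(openssl rand -hex 32) || [ "${#API_KEY}" -ne 64 ]; then
  printf 'failed to generate API key\n' >&2
fi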
echo "Your API Key: $API_KEY"
创建 Nginx 配置文件:
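sudo tee /etc/openresty/nginx.conf << 'EOF'
worker_processes auto;
error_log /var/log/openresty/error.log;
pid /run/openresty.pid;
events {
    worker_connections 1024;
}
http {
    # do not advertise the server version in headers and error pages
    server_tokens off;
    # the Ollama gateway server block lives in conf.d
    include /etc/openresty/conf.d/*.conf;
}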
EOF
创建 Ollama 代理配置:
# 替换 YOUR_API_KEY_HERE 为上面生成的密钥
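sudo tee /etc/openresty/conf.d/ollama.conf << EOF
# Per-client rate limit (this file is included inside the http context, so the zone
# can be declared here). Tune rate/burst to the expected client load.
limit_req_zone \$binary_remote_addr zone=ollama_api:10m rate=10r/s;

server {
    listen 11435 ssl http2;
    server_name localhost;

    # TLS (HTTPS is mandatory: the API key travels in the Authorization header)
    ssl_certificate /etc/ssl/certs/ollama.crt;
    ssl_certificate_key /etc/ssl/private/ollama.key;
    ssl_protocols TLSv1.2 TLSv1.3;

    # Access log
    access_log /var/log/openresty/ollama_access.log;

    # API key check
    access_by_lua_block {
        local bit = require "bit"
        -- Substituted by the shell when this file is written; the heredoc aborts if API_KEY is unset.
        local api_key = "${API_KEY:?run the API key generation step first}"

        local function reject(msg)
            ngx.status = 401
            ngx.header["Content-Type"] = "application/json"
            ngx.header["WWW-Authenticate"] = 'Bearer realm="ollama"'
            ngx.say(msg)
            return ngx.exit(401)
        end

        -- Compare every byte regardless of where the first mismatch is, so response
        -- timing does not reveal how much of a guessed key was correct.
        local function keys_match(a, b)
            if #a ~= #b then return false end
            local diff = 0
            for i = 1, #a do
                diff = bit.bor(diff, bit.bxor(a:byte(i), b:byte(i)))
            end
            return diff == 0
        end

        -- get_headers() returns a table when a header is repeated; treat that as missing.
        local auth_header = ngx.req.get_headers()["Authorization"]
        if type(auth_header) ~= "string" then
            return reject('{"error":"Missing Authorization header"}')
        end
        -- Accept only "Bearer <token>"; match() returns nil for any other shape.
        local key = auth_header:match("^Bearer%s+(%S+)")
        if not key or not keys_match(key, api_key) then
            return reject('{"error":"Invalid API Key"}')
        end
    }

    # Reverse proxy to Ollama
    location / {
        limit_req zone=ollama_api burst=20 nodelay;
        proxy_pass http://127.0.0.1:11434;
        proxy_http_version 1.1;
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header Connection '';
        # Do not relay the gateway key to Ollama (keeps it out of upstream logs)
        proxy_set_header Authorization "";
        # Timeouts (model generation can be slow)
        proxy_connect_timeout 300s;
        proxy_send_timeout 300s;
        proxy_read_timeout 300s;
        # Streaming responses
        proxy_buffering off;
        proxy_cache off;
    }
}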
EOF
生成自签名 SSL 证书(生产环境建议用 Let's Encrypt):
sudo mkdir -p /etc/ssl/private
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
-keyout /etc/ssl/private/ollama.key \
-out /etc/ssl/certs/ollama.crt \
-subj "/CN=localhost"
方案 B:使用轻量级 Python 网关(更简单)
如果你不想用 Nginx,可以用这个 Python 方案:
# 1. Install the gateway dependencies (FastAPI app, uvicorn server, httpx upstream client, dotenv for .env)
#    NOTE(review): recent Ubuntu releases may refuse a system-wide pip install
#    ("externally-managed-environment"); if so, create a venv first — confirm on your release.
pip3 install fastapi uvicorn httpx python-dotenv
# 2. 创建网关服务
mkdir -p ~/ollama-gateway && cd ~/ollama-gateway
创建 gateway.py:
import hmac
import os

import httpx
from dotenv import load_dotenv
from fastapi import FastAPI, Header, HTTPException, Request
from fastapi.responses import StreamingResponse
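load_dotenv()
app = FastAPI(title="Ollama Secure Gateway")
# Refuse to start without a real key: a baked-in default would be a published credential
# that anyone who read this guide could use.
API_KEY = os.getenv("OLLAMA_API_KEY", "")
if not API_KEY or API_KEY == "your-secure-api-key-here":
    raise RuntimeError("OLLAMA_API_KEY must be set (e.g. in .env) before starting the gateway")
OLLAMA_HOST = os.getenv("OLLAMA_HOST", "http://localhost:11434")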
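@app.api_route("/{path:path}", methods=["GET", "POST", "PUT", "DELETE"])
async def proxy(
    request: Request,
    path: str,
    authorization: str = Header(None),
):
    """Forward an authenticated request to Ollama and stream the reply back.

    Args:
        request: the incoming request, injected by FastAPI (the original code tried
            ``Request.scope.get("request")`` on the class, which does not exist);
            its method, query string, body and headers are relayed upstream.
        path: everything after the leading slash, passed through unchanged.
        authorization: the ``Authorization`` header; must be ``Bearer <OLLAMA_API_KEY>``.

    Returns:
        A StreamingResponse relaying Ollama's status, headers and body chunk by chunk.

    Raises:
        HTTPException: 401 when the header is missing, malformed or the key is wrong;
            502 when the upstream request fails.
    """
    if not authorization or not authorization.startswith("Bearer "):
        raise HTTPException(status_code=401, detail="Missing or invalid Authorization header")
    # Slice rather than str.replace(): replace() would also strip "Bearer " inside the token.
    token = authorization[len("Bearer "):].strip()
    # compare_digest keeps the comparison time independent of where the first mismatch is.
    if not hmac.compare_digest(token.encode("utf-8"), API_KEY.encode("utf-8")):
        raise HTTPException(status_code=401, detail="Invalid API Key")

    body = await request.body()
    # Drop headers that must not be relayed: Host (httpx sets it for the upstream), the
    # gateway key, and connection-level headers that httpx recomputes for its own request.
    skip = {"host", "authorization", "connection", "keep-alive", "transfer-encoding", "content-length"}
    headers = {k: v for k, v in request.headers.items() if k.lower() not in skip}

    client = httpx.AsyncClient(base_url=OLLAMA_HOST, timeout=300.0)
    upstream = client.build_request(
        request.method,
        f"/{path}",
        params=request.query_params.multi_items(),
        content=body,
        headers=headers,
    )
    try:
        # stream=True: the reply is relayed as it arrives, which Ollama's streaming
        # endpoints rely on; request() would first read the whole body and the later
        # aiter_raw() would then fail on an already-consumed stream.
        response = await client.send(upstream, stream=True)
    except httpx.HTTPError:
        await client.aclose()
        raise HTTPException(status_code=502, detail="Upstream Ollama request failed")

    async def relay():
        # Close the upstream response and the client only after the last chunk was sent;
        # closing them before the StreamingResponse is consumed (as a plain `finally`
        # around the return did) breaks the stream.
        try:
            async for chunk in response.aiter_raw():
                yield chunk
        finally:
            await response.aclose()
            await client.aclose()

    # aiter_raw() yields the bytes as received, so Content-Encoding stays valid; the
    # connection-level headers describe the upstream hop and are dropped.
    response_headers = {
        k: v
        for k, v in response.headers.items()
        if k.lower() not in {"connection", "keep-alive", "transfer-encoding", "content-length"}
    }
    return StreamingResponse(
        relay(),
        status_code=response.status_code,
        headers=response_headers,
    )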
if __name__ == "__main__":
import uvicorn
uvicorn.run(app, host="0.0.0.0", port=11435, ssl_keyfile=None, ssl_certfile=None)
创建 .env 文件:
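# Write .env with owner-only permissions: it holds the API key.
# umask 077 inside the subshell makes the file 0600 from the moment it is created, so
# there is no window in which a default 0644 file exposes the key; the chmod afterwards
# also fixes the mode of a pre-existing .env that cat > only truncated.
( umask 077 && cat > ~/ollama-gateway/.env << EOF
OLLAMA_API_KEY=$(openssl rand -hex 32)
OLLAMA_HOST=http://localhost:11434
EOF
)
chmod 600 ~/ollama-gateway/.env
echo "API Key 已保存到 .env 文件"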
cat ~/ollama-gateway/.env
三、启动服务
启动 Ollama 服务
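# 1. Create the systemd unit
sudo tee /etc/systemd/system/ollama.service << 'EOF'
[Unit]
Description=Ollama Service
After=network.target
[Service]
Type=simple
User=ollama
# Listen on loopback only: every client must come through the authenticating gateway
# on 11435 (both gateway variants proxy to 127.0.0.1:11434). Binding 0.0.0.0 exposed the
# unauthenticated API on every interface and relied on the firewall alone.
Environment="OLLAMA_HOST=127.0.0.1:11434"
# OLLAMA_ORIGINS=* would let any web page call the API from a browser; leave it unset,
# or list the specific browser origin that needs access.
# Minimal service hardening
NoNewPrivileges=true
PrivateTmp=true
ExecStart=/usr/local/bin/ollama serve
Restart=always
RestartSec=3
[Install]
WantedBy=multi-user.target
EOF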
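# 2. Create the service account (only if it does not exist yet) and start the service.
#    Checking with `id` first keeps useradd's real errors visible instead of hiding
#    them behind `2>/dev/null || true`.
if ! id -u ollama >/dev/null 2>&1; then
  sudo useradd -r -s /bin/false -m -d /usr/share/ollama ollama
fi
sudo systemctl daemon-reload
sudo systemctl enable ollama
sudo systemctl start ollama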
# 3. 验证状态
sudo systemctl status ollama
启动 API 网关(选择你的方案)
如果使用 Python 方案:
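cd ~/ollama-gateway || exit 1
# Create the systemd unit.
# NOTE: the unit hard-codes user "ubuntu" and /home/ubuntu; adjust both if the
# ~/ollama-gateway directory created earlier belongs to a different account.
# load_dotenv() reads .env relative to WorkingDirectory, so the key comes from there.
#
# The gateway terminates TLS itself (the client examples use https:// and the key must
# not travel in clear text). This reuses the certificate/key generated in scheme A;
# copy them into the gateway directory so the unprivileged service user can read them.
sudo install -o ubuntu -g ubuntu -m 600 /etc/ssl/private/ollama.key /home/ubuntu/ollama-gateway/ollama.key
sudo install -o ubuntu -g ubuntu -m 644 /etc/ssl/certs/ollama.crt /home/ubuntu/ollama-gateway/ollama.crt
sudo tee /etc/systemd/system/ollama-gateway.service << 'EOF'
[Unit]
Description=Ollama API Gateway
After=ollama.service
Wants=ollama.service
[Service]
Type=simple
User=ubuntu
WorkingDirectory=/home/ubuntu/ollama-gateway
Environment=PATH=/home/ubuntu/.local/bin:/usr/local/bin:/usr/bin
ExecStart=/home/ubuntu/.local/bin/uvicorn gateway:app --host 0.0.0.0 --port 11435 --ssl-keyfile /home/ubuntu/ollama-gateway/ollama.key --ssl-certfile /home/ubuntu/ollama-gateway/ollama.crt
# Minimal service hardening
NoNewPrivileges=true
PrivateTmp=true
Restart=always
RestartSec=3
[Install]
WantedBy=multi-user.target
EOF
sudo systemctl daemon-reload
sudo systemctl enable ollama-gateway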
sudo systemctl start ollama-gateway
如果使用 Nginx 方案:
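# Validate the configuration first so a typo in ollama.conf cannot take the gateway down
sudo openresty -t && sudo systemctl restart openresty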
sudo systemctl enable openresty
四、下载模型并测试
# 1. Pull a model (llama3.2 as an example)
ollama pull llama3.2
# 2. List installed models
ollama list
# 3. 测试本地访问(无需认证)
curl http://localhost:11434/api/generate -d '{
"model": "llama3.2",
"prompt": "Hello, how are you?"
}'
五、客户端使用(带 API Key)
Python 示例
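import os

import requests

# Read the key from the environment instead of pasting it into source (and into git).
API_KEY = os.environ["OLLAMA_API_KEY"]
BASE_URL = "https://localhost:11435"  # or http://localhost:11435 (Python variant)
# Trust the gateway's own certificate instead of disabling verification: verify=False
# accepts any certificate, i.e. any man-in-the-middle. If verification fails because the
# self-signed certificate carries no subjectAltName, regenerate it with one rather than
# turning verification off.
CA_CERT = "/etc/ssl/certs/ollama.crt"
headers = {
    "Authorization": f"Bearer {API_KEY}",
    "Content-Type": "application/json",
}
# Streaming generation
response = requests.post(
    f"{BASE_URL}/api/generate",
    headers=headers,
    json={
        "model": "llama3.2",
        "prompt": "Explain quantum computing in simple terms",
        "stream": True,
    },
    stream=True,
    verify=CA_CERT,
)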
for line in response.iter_lines():
if line:
print(line.decode('utf-8'))
cURL 示例
curl -k -X POST https://localhost:11435/api/generate \
-H "Authorization: Bearer your-api-key-here" \
-H "Content-Type: application/json" \
-d '{
"model": "llama3.2",
"prompt": "What is the capital of France?",
"stream": false
}'
OpenAI 兼容格式
Ollama 支持 OpenAI API 格式,只需修改 base_url:
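import os

import httpx  # used for http_client below but was never imported
from openai import OpenAI

client = OpenAI(
    base_url="https://localhost:11435/v1",  # note the /v1 path
    api_key=os.environ["OLLAMA_API_KEY"],  # from the environment, not hard-coded
    # Verify against the gateway's own certificate instead of disabling verification.
    http_client=httpx.Client(verify="/etc/ssl/certs/ollama.crt"),
)
response = client.chat.completions.create(
    model="llama3.2",
    messages=[{"role": "user", "content": "Hello!"}],
)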
print(response.choices[0].message.content)
六、生产环境加固
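# 1. Firewall: default-deny inbound, keep SSH reachable, expose only the gateway port.
#    Allow OpenSSH *before* `ufw enable`: enabling the firewall over an SSH session
#    without that rule drops the session and locks you out of a remote machine.
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow OpenSSH
sudo ufw allow 11435/tcp
sudo ufw deny 11434/tcp   # block direct access to Ollama's own port
sudo ufw enable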
# 2. Let's Encrypt certificate (required in production)
#    NOTE(review): the certbot nginx plugin expects a stock nginx layout (/etc/nginx);
#    with OpenResty it may not find the configuration. If so, obtain the certificate
#    with `certbot certonly` and point ssl_certificate/ssl_certificate_key at it — confirm on your host.
sudo apt install certbot python3-certbot-nginx
sudo certbot --nginx -d your-domain.com
# 3. Resource limits (guard the host against OOM)
#    `systemctl edit` opens a drop-in override for the unit; put the lines below into it.
sudo systemctl edit ollama.service
# add:
# [Service]
# MemoryMax=16G
# CPUQuota=800%
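# 4. Log rotation.
#    The original glob /var/log/ollama/*.log matches nothing this guide creates: OpenResty
#    writes to /var/log/openresty/ (see nginx.conf and ollama.conf) and the Python gateway
#    logs to the journal, which journald rotates on its own.
sudo tee /etc/logrotate.d/ollama-gateway << 'EOF'
/var/log/openresty/*.log {
    daily
    rotate 7
    compress
    delaycompress
    missingok
    notifempty
    # the log files are (re)opened by the OpenResty master process, which runs as root
    create 0640 root adm
    sharedscripts
    postrotate
        # ask the master process to reopen its logs (pid file path from nginx.conf)
        [ -f /run/openresty.pid ] && kill -USR1 "$(cat /run/openresty.pid)"
    endscript
}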
EOF
七、监控与维护
# Service status
sudo systemctl status ollama ollama-gateway
# Live logs (journal output of each service)
sudo journalctl -u ollama -f
sudo journalctl -u ollama-gateway -f
# Model management
ollama list # list models
ollama rm modelname # remove a model
ollama ps # 查看运行中的模型
关键安全提醒:
永远不要在生产环境使用默认端口 11434 直接暴露
必须启用 HTTPS(使用 Let's Encrypt 真实证书)
API Key 要定期轮换,存储在环境变量中
考虑添加 IP 白名单和速率限制(Nginx 方案可用 limit_req)