TLS Configuration
The On-Prem Agent must be deployed with TLS/HTTPS using a valid certificate trusted by your organization's computers, due to the security requirements of browsers.
flowchart LR
    comp["Computer<br/>Browser or IDE"]
    comp -- HTTPS (HTTP over TLS) --> agent[On-Prem Agent]
    agent -- HTTPS (HTTP over TLS) --> openai[Azure OpenAI]
A proper TLS setup requires a valid certificate trusted by the computers that are going to connect to the On-Prem Agent. Such a certificate is also accompanied by a private key that is used by the server side of the connection.
There are a few common options:
- The deployment platform deploys a load balancer/proxy in front of the On-Prem Agent which automatically obtains a certificate for a valid domain.
- A certificate signed by a private enterprise certificate authority (CA) whose CA certificate was installed automatically on developer machines by the enterprise IT department.
- A publicly trusted certificate, either bought and paid for, or obtained for free from a service like Let's Encrypt (Let's Encrypt requires validation of ownership of the domain on the internet).
The On-Prem Agent supports configuring a static certificate and private key file in its configuration file, in case you don't have or don't want to use a load balancer/proxy in front of it to handle TLS:
ssl:
  https_cert_path: /etc/onprem-agent.crt
  https_key_path: /etc/onprem-agent.key
Note that the server does not reload the certificate if the file changes and will need to be restarted if the certificate is rotated.
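Because the agent keeps serving the old certificate until it is restarted, a rotation job can compare what is on disk with what is actually being presented. The script below is an added example, not part of the On-Prem Agent; the function names and the hostname argument are assumptions, and the certificate path is the one from the configuration above.

```python
import hashlib
import re
import socket
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.DOTALL)

def leaf_der_from_pem(pem_text: str) -> bytes:
    """Return the DER bytes of the first certificate in a PEM file.

    A file holding a chain lists the leaf first, so later blocks are ignored.
    """
    match = PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no PEM certificate block found")
    return ssl.PEM_cert_to_DER_cert(match.group(0))

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()

def served_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the leaf certificate the agent is presenting right now."""
    ctx = ssl.create_default_context()
    # Verification is off on purpose: the bytes are only compared with the
    # local file, so an expired or untrusted certificate must still be read.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def restart_needed(disk_pem: str, served: bytes) -> bool:
    """True when the running server presents a different cert than the file."""
    return fingerprint(leaf_der_from_pem(disk_pem)) != fingerprint(served)

if __name__ == "__main__":
    import sys
    host = sys.argv[1]  # assumption: hostname the agent is reachable on
    with open("/etc/onprem-agent.crt") as fh:  # https_cert_path from the config
        stale = restart_needed(fh.read(), served_der(host))
    print("restart required" if stale else "served certificate matches file")
    sys.exit(1 if stale else 0)
```

Run it after each rotation with the agent's hostname as the only argument; a non-zero exit status means the agent is still serving the previous certificate.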