Open Creative Studio

for ComfyUI

Securing ComfyUI with SSL

If you want to secure the connection to your ComfyUI instance with SSL, you have multiple options.

In production environments, you typically use signed SSL certificates served by a reverse proxy, such as Nginx or Traefik.

In small development environments, you might want to serve SSL certificates directly from the machine where ComfyUI is installed.

If so, you have multiple possibilities, described below.

Use a Signed SSL Certificate

Use the following flags to start your ComfyUI instance:

--tls-keyfile "path_to_your_folder_of_choice\your_certificate_key.pem" --tls-certfile "path_to_your_folder_of_choice\your_certificate_cert.pem"

Use a Self-Signed SSL Certificate

To use a self-signed SSL certificate to secure your connection to ComfyUI, you’ll have to perform a few steps on both the machine where ComfyUI is installed (the host) and on the machine you want to use to connect to ComfyUI (the client).

The steps are identical on the ComfyUI host, no matter what operating system you are using.

However, depending on the operating system installed in the ComfyUI client, the steps are quite different.

On the ComfyUI Host

  1. Download the latest mkcert binary for your operating system, save it in an appropriate folder, and rename it as mkcert (purely for convenience).
  2. Open the terminal app you prefer and go to the folder where you stored the mkcert binary.
  3. Install the mkcert certificate authority by executing the following command:

    mkcert -install
  4. Generate a new certificate for your ComfyUI machine by executing the following command:

    mkcert hostname_or_ip_address_of_your_comfyui_machine

    For example, if you want to create a certificate for comfyui.home.arpa, run:

    mkcert comfyui.home.arpa

    (Notice that you must be able to resolve the name via your hosts file or an internal DNS)

    If, instead, you want to create a certificate for 192.168.1.1 (avoiding DNS resolution), run:

    mkcert 192.168.1.1
  5. Move the two .pem files generated by mkcert to a folder where you want to store the certificate in a permanent way.

    For example: C:\Certificates\
  6. Use the following flags to start your ComfyUI instance:

    --tls-keyfile "C:\Certificates\comfyui.home.arpa_key.pem" --tls-certfile "C:\Certificates\comfyui.home.arpa.pem"
  7. Find the mkcert rootCA.pem file created at step #3.

    For example, in Windows 11, the file is located in: C:\Users\your_username\Application Data\mkcert
  8. Copy rootCA.pem on a USB key and transfer it to the machine/s that you want to use to connect to ComfyUI.

On a macOS Client

On the macOS machine that you want to use to connect to ComfyUI:

  1. Open Keychain Access
  2. Drag and drop the rootCA.pem file from the USB key into the System keychain.
  3. Enter your administrator password if prompted.
  4. Find the rootCA.pem certificate in the System keychain, double-click it, and expand the Trust section.
  5. Set When using this certificate to Always Trust.
  6. Close the certificate window and enter your administrator password again if prompted.
  7. If you had a ComfyUI tab already open in your browser, close it and connect to ComfyUI again.

On a Windows Client

On the Windows machine that you want to use to connect to ComfyUI:

  1. Open the Microsoft Management Console by pressing Win + R and typing mmc.
  2. In the Microsoft Management Console, go to File > Add/Remove Snap-in.
  3. In the Add or Remove Snap-ins window, select Certificates from the list and click Add.
  4. Choose Computer account when prompted for which type of account to manage.
  5. Select Local computer (the computer this console is running on).
  6. Click Finish, then OK to close the Add or Remove Snap-ins window.
  7. In the Microsoft Management Console, expand Certificates (Local Computer) in the left-hand pane.
  8. Expand Trusted Root Certification Authorities.
  9. Right-click on Certificates under Trusted Root Certification Authorities and select All Tasks > Import.
  10. In the Certificate Import Wizard, click Next.
  11. Click Browse and navigate to the USB key where you saved the rootCA.pem file.
  12. Change the file type to All Files (*.*) to see the rootCA.pem file.
  13. Select the rootCA.pem file and click Open, then Next.
  14. Ensure Place all certificates in the following store is selected and Trusted Root Certification Authorities is chosen as the store.
  15. Click Next, then Finish to complete the import process.
  16. To verify that the certificate is installed, go back to the Microsoft Management Console. Expand Trusted Root Certification Authorities and click on Certificates. Look for your rootCA certificate in the list. It should now be trusted by the system.
  17. Restart the Windows machine if necessary.

On a Linux Client

On the Ubuntu Linux machine that you want to use to connect to ComfyUI:

  1. Copy the rootCA.pem file from the USB key to the /usr/local/share/ca-certificates directory.
  2. Update the CA store by running the following command in a terminal window:

    sudo update-ca-certificates
  3. Verify the installation by running the following command in a terminal window:

    sudo ls /etc/ssl/certs/ | grep rootCA.pem