LibreChat on AWS User Guide
Overview
This image runs LibreChat, the open source AI chat platform - a self-hosted, ChatGPT-style web interface that connects to many model providers (OpenAI, Azure OpenAI, Anthropic, Google, AWS Bedrock, Ollama and any OpenAI-compatible endpoint) behind one UI, with conversation search, presets and multi-user accounts.
The LibreChat Node server runs behind nginx as a reverse proxy. MongoDB is the datastore and Meilisearch powers conversation search; both bind to the loopback interface only. The server listens on 127.0.0.1:3080 and is reached through nginx on port 80 (and 443 once you add TLS).
LibreChat encrypts user-saved provider keys at rest and signs sessions with secrets that are generated fresh on the first boot of every deployed instance, so no two instances share an encryption or session key. Open registration is disabled, and a single login is created on first boot and written to /root/librechat-credentials.txt with mode 0600. The image ships no model provider API keys - you add your own after signing in.
Prerequisites
Before you deploy this image you need:
- An Amazon Web Services account where you can launch EC2 instances
- IAM permissions to launch instances, create security groups, and subscribe to AWS Marketplace products
- An EC2 key pair in the target Region for SSH access to the instance
- A VPC and subnet in the target Region, with a security group allowing inbound port 22 from your management network and inbound ports 80 and 443 from the networks your users will reach LibreChat on
- The AWS CLI (version 2) installed locally if you plan to deploy from the command line
- An API key for at least one model provider (OpenAI, Anthropic, AWS Bedrock credentials, a local Ollama endpoint, etc.) to actually chat
Step 1: Launch the Instance from the AWS Marketplace
Sign in to the AWS Management Console, open the EC2 service, and select Launch instance. Under Application and OS Images choose AWS Marketplace AMIs and search for LibreChat. Select the cloudimg listing and choose Select, then Continue on the subscription summary.
Pick an instance type of m5.large or larger. Choose your EC2 key pair under Key pair (login). Under Network settings select your VPC and subnet, and either create or select a security group that allows inbound port 22 from your management network and inbound ports 80 and 443 from the networks your users use. Leave the root volume at the default size or larger.
Select Launch instance. First boot initialisation takes approximately one to two minutes after the instance state becomes Running and the status checks pass.
Step 2: Launch the Instance from the AWS CLI
The following block launches an instance from the cloudimg LibreChat Marketplace AMI into an existing subnet and security group. Replace <ami-id> with the AMI ID shown on the Marketplace listing, <key-name> with your EC2 key pair name, <subnet-id> with your subnet ID, and <security-group-id> with a security group that opens ports 22, 80, and 443 as described above.
aws ec2 run-instances \
--image-id <ami-id> \
--instance-type m5.large \
--key-name <key-name> \
--subnet-id <subnet-id> \
--security-group-ids <security-group-id> \
--block-device-mappings '[{"DeviceName":"/dev/sda1","Ebs":{"VolumeSize":30,"VolumeType":"gp3"}}]' \
--tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=librechat-01}]'
The command prints a JSON document on success. Note the instance ID, then retrieve its public address once it is running with aws ec2 describe-instances --instance-ids <instance-id> --query "Reservations[].Instances[].PublicIpAddress" --output text.
Step 3: Connect and Retrieve the Initial Login
Connect over SSH with the key pair you selected and the public IP address from step 2. The SSH login user depends on the operating system of the AMI variant you launched:
| AMI variant | SSH login user |
|---|---|
| LibreChat 0.8 on Ubuntu 24.04 | ubuntu |
The first boot service runs before the SSH daemon becomes ready, so the credentials file is always in place when you log in for the first time.
ssh <login-user>@<public-ip>
sudo cat /root/librechat-credentials.txt
You will see a plain text file containing the LibreChat URL, the login email (admin@example.com) and the password. Copy these values somewhere secure. From the same SSH session you can confirm the deployment is healthy - the health endpoint is open:
curl -fsS -o /dev/null -w 'health HTTP %{http_code}\n' http://127.0.0.1/health
A health HTTP 200 response confirms the full stack - nginx, the LibreChat server, MongoDB and Meilisearch - is serving.
Step 4: First Sign-in
Open a web browser and navigate to http://<public-ip>/. LibreChat presents its sign-in page. Enter the email and password from /root/librechat-credentials.txt and select Continue.
The LibreChat sign-in page, served on first boot with a per-instance login and registration disabled.
After signing in you reach the chat interface. The first boot service set LibreChat's domain to the instance's own address automatically, so the app works immediately on its launch address.
The LibreChat conversation interface - one UI for many model providers, with conversation search and presets.
Step 5: Connect a Model Provider
The image ships no model provider API keys, so before you can chat you must connect at least one provider. Select Select a model at the top of the chat, choose a provider (for example OpenAI, Anthropic, or a custom OpenAI-compatible endpoint), and enter your API key when prompted - keys you enter in the UI are encrypted at rest with this instance's unique key. For AWS Bedrock, supply the instance an IAM role with Bedrock access and configure the Bedrock endpoint. To use a private model server in the same VPC (for example an Ollama or vLLM instance), point a custom endpoint at its address so prompts never leave your account.
Provider defaults can also be set server-side in /opt/LibreChat/.env and /opt/LibreChat/librechat.yaml; restart the service after editing with sudo systemctl restart librechat.
Step 6: Agents and Conversation Search
LibreChat includes an Agent Marketplace for building and sharing AI agents across categories, reached from the left sidebar.
The Agent Marketplace for discovering and using AI agents.
Conversation search is provided by Meilisearch and is available from the search box in the sidebar once you have some conversations.
Step 7: Enable Registration and Add Users
By default open registration is disabled so the instance is not open to the world on launch. To let users self-register, set ALLOW_REGISTRATION=true in /opt/LibreChat/.env and restart. To add a user from the command line without enabling registration:
cd /opt/LibreChat && sudo -u librechat npm run create-user -- <your-email> "<full name>" <username> --email-verified=true
Step 8: Enable HTTPS with Let's Encrypt
For any production deployment serve LibreChat over HTTPS so session tokens and prompts cannot be intercepted. The image ships with nginx, which certbot can configure automatically.
The following assumes you have a DNS record pointing your fully qualified domain name at the instance's public IP address.
sudo apt-get update && sudo apt-get install -y certbot python3-certbot-nginx
sudo certbot --nginx -d librechat.your-domain.example \
--non-interactive --agree-tos -m you@your-domain.example \
--redirect
After certbot finishes, set the domain so LibreChat generates correct links, then restart:
sudo sed -i 's|^DOMAIN_CLIENT=.*|DOMAIN_CLIENT=https://<your-domain>|; s|^DOMAIN_SERVER=.*|DOMAIN_SERVER=https://<your-domain>|' /opt/LibreChat/.env
sudo systemctl restart librechat
Step 9: Backups and Maintenance
LibreChat keeps its state in MongoDB and uploaded files under /opt/LibreChat. Back up both together:
sudo mongodump --db LibreChat --archive=<backup-dir>/librechat-mongo-$(date +%F).archive
sudo tar -czf <backup-dir>/librechat-files-$(date +%F).tgz -C /opt/LibreChat uploads
Ship both artifacts to an Amazon S3 bucket or another object store. Because the database and application tiers are on their own EBS volumes, you can also take coordinated EBS snapshots. For kernel and package updates, Ubuntu's unattended-upgrades is enabled by default. To upgrade LibreChat itself, follow the upgrade guidance at https://www.librechat.ai/docs.
Step 10: Scaling Beyond a Single Instance
For larger deployments decouple LibreChat from the single instance pattern:
- Move MongoDB to Amazon DocumentDB or a managed MongoDB and update
MONGO_URIin/opt/LibreChat/.env - Run Meilisearch on its own instance and point
MEILI_HOSTat it - Put the web tier behind an Application Load Balancer with sticky sessions and scale horizontally
- Serve static assets through Amazon CloudFront
Each of these is documented in the official LibreChat documentation at https://www.librechat.ai/docs.
Support
cloudimg provides 24/7/365 expert technical support for this image. Guaranteed response within 24 hours, one hour average for critical issues. Contact support@cloudimg.co.uk.
For general LibreChat questions consult the documentation at https://www.librechat.ai/docs. LibreChat is a trademark of its respective owner; use here is nominative and does not imply affiliation or endorsement.