Opening to the Network
May 5, 2026
Important: Before exposing OpenC3 COSMOS to any network, even a local network, make sure you have changed all default credentials and secrets!!!
We support three different configurations for COSMOS networking:
- Only accessible from localhost - default development configuration - great for single terminal access
- Open to the network with user provided SSL certificates - recommended production configuration
- Open to the network using Let's Encrypt generated SSL certificates - requires the server being available on the public internet - generally not recommended
- Open to the network without encryption - Insecure and will expose passwords!!!
Open to the network using https/SSL and your own certificates
Note: For local testing you can use mkcert to make certificates. In general you should ask your IT department for a domain name, and associated certificates.
Using mkcert:
- Install mkcert (brew install mkcert on macOS)
- mkcert -install
- mkcert "your ip or domain name here"
- cat "$(mkcert -CAROOT)"/rootCA.pem >> cacert.pem
  - The previous step will add the local certificate authority to your cacert.pem file so that COSMOS will accept it as not self-signed.
You now have certificates to test with.
- Copy your public SSL certificate to ./openc3-traefik/cert.crt
- Copy your SSL private key to ./openc3-traefik/cert.key
- Edit compose.yaml
  - Comment out this openc3-traefik line: ./openc3-traefik/traefik.yaml:/etc/traefik/traefik.yaml:z
  - Uncomment this openc3-traefik line: ./openc3-traefik/traefik-ssl.yaml:/etc/traefik/traefik.yaml
  - Uncomment this openc3-traefik line: ./openc3-traefik/cert.key:/etc/traefik/cert.key
  - Uncomment this openc3-traefik line: ./openc3-traefik/cert.crt:/etc/traefik/cert.crt
  - Modify this openc3-traefik line to remove the IP address and modify the first port number if desired (Note: leave the last :2900): 127.0.0.1:2900:2900
  - Modify this openc3-traefik line to remove the IP address and modify the first port number if desired (Note: leave the last :2943): 127.0.0.1:2943:2943
- Edit ./openc3-traefik/traefik-ssl.yaml
  - Update line 22 to your domain: - main: "mydomain.com" # Update with your domain
- Start OpenC3
  - On Linux/Mac: ./openc3.sh run
  - On Windows: openc3.bat run
- After approximately 2 minutes, open a web browser to https://mydomain.com
  - If you run "docker ps", you can watch until the openc3-cosmos-init container completes, at which point the system should be fully configured and ready to use.
Open to the network using a global certificate from Let's Encrypt
Warning: These directions only work when exposing COSMOS to the internet. Make sure you understand the risks and have properly configured your server settings and firewall.
- Make sure that your public DNS settings are mapping your domain name to your server
- Edit compose.yaml
  - Comment out this openc3-traefik line: ./openc3-traefik/traefik.yaml:/etc/traefik/traefik.yaml:z
  - Uncomment this openc3-traefik line: ./openc3-traefik/traefik-letsencrypt.yaml:/etc/traefik/traefik.yaml
  - Comment out this openc3-traefik line: 127.0.0.1:2900:2900
  - Comment out this openc3-traefik line: 127.0.0.1:2943:2943
  - Uncomment this openc3-traefik line: 80:2900
  - Uncomment this openc3-traefik line: 443:2943
- Start OpenC3
  - On Linux/Mac: ./openc3.sh run
  - On Windows: openc3.bat run
- After approximately 2 minutes, open a web browser to https://mydomain.com
  - If you run "docker ps", you can watch until the openc3-cosmos-init container completes, at which point the system should be fully configured and ready to use.
Open to the network insecurely using http
Warning: This is not recommended except for temporary testing on a local network. This will send plain text passwords over the network!
- Edit .env
  - Uncomment OPENC3_ALLOW_HTTP=1
- Edit compose.yaml
  - Modify this openc3-traefik line to remove the IP address and optionally modify the first port number (Note: leave the last :2900): 127.0.0.1:2900:2900
- Start OpenC3
  - On Linux/Mac: ./openc3.sh run
  - On Windows: openc3.bat run
- In Chrome go to chrome://flags/#unsafely-treat-insecure-origin-as-secure, or in Edge go to edge://flags/#unsafely-treat-insecure-origin-as-secure
  - Add your http://<Your IP Address>:2900
  - Enable the Setting
  - Completely restart Chrome. On macOS, make sure the dot below the Chrome icon is gone by long-pressing the icon and choosing Quit.
- After approximately 2 minutes, open a web browser to http://<Your IP Address>:2900 (or a different port if changed above)
  - If you run "docker ps", you can watch until the openc3-cosmos-init container completes, at which point the system should be fully configured and ready to use.
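A check to run on compose.yaml before starting OpenC3, shown here as an added example that is not part of the OpenC3 documentation or repository: it lists which published ports are still bound to 127.0.0.1 and reports which of the configurations above the file currently matches. The function names are hypothetical, the sample file is constructed, and the script assumes short-form IPv4 port entries (optionally double-quoted) like the ones quoted on this page.

```shell
#!/bin/sh
# Added example, not OpenC3 code. Function names are hypothetical.

# classify_ports FILE: for each active (uncommented) short-form IPv4 mapping,
# print "LOOPBACK|EXPOSED <host_port> <container_port>".
classify_ports() {
  awk '
    /^[ \t]*#/ { next }                      # commented-out mapping: inactive
    /^[ \t]*-[ \t]*"?[0-9.]*:?[0-9]+:[0-9]+"?[ \t]*(#.*)?$/ {
      m = $0
      sub(/^[ \t]*-[ \t]*"?/, "", m)         # strip list dash, opening quote
      sub(/"?[ \t]*(#.*)?$/, "", m)          # strip closing quote, comment
      n = split(m, f, ":")
      if (n == 3) { ip = f[1]; host = f[2]; cont = f[3] }
      else        { ip = "";   host = f[1]; cont = f[2] }  # no IP: all interfaces
      scope = (ip ~ /^127\./) ? "LOOPBACK" : "EXPOSED"
      print scope, host, cont
    }
  ' "$1"
}

# exposure_mode FILE: summarise by container port, using the page's mapping of
# 2900 to http and 2943 to https. Other published ports are ignored.
exposure_mode() {
  exposed=$(classify_ports "$1" | awk '$1 == "EXPOSED" { printf "%s ", $3 }')
  case " $exposed" in
    *" 2943 "*) echo network-tls ;;
    *" 2900 "*) echo network-http-only ;;
    *)          echo localhost-only ;;
  esac
}

# Constructed sample: IP removed from the 2900 line only (the plain-http setup).
sample=$(mktemp)
cat > "$sample" <<'EOF'
    volumes:
      - "./openc3-traefik/traefik.yaml:/etc/traefik/traefik.yaml:z"
    ports:
      - "2900:2900"
      - "127.0.0.1:2943:2943"
      # - "443:2943"
EOF
classify_ports "$sample"
exposure_mode "$sample"
rm -f "$sample"
```

A result of network-http-only corresponds to the configuration this page warns will send plain text passwords over the network, so it should only appear on a temporary test setup.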