From 75b8c795561983b515f2ce1bb445bdb6fda7ff4d Mon Sep 17 00:00:00 2001
From: Nicolas Cantu <nicolas.cantu@pm.me>
Date: Mon, 23 Mar 2026 01:12:51 +0100
Subject: [PATCH] Restore ia.enso upstreams to 192.168.1.164 for Ollama and
 AnythingLLM
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

**Motivations:**
- Ollama and AnythingLLM run on 192.168.1.164, not 192.168.1.173.

**Root causes:**
- Previous commit pointed upstreams at the ia host IP by mistake.

**Correctifs:**
- Upstreams back to 192.168.1.164:11434 and :3001; docs aligned.

**Evolutions:**
- N/A.

**Pages affectées:**
- deploy/nginx/sites/ia.enso.4nkweb.com.conf
- deploy/nginx/README-ia-enso.md
- docs/features/ia-enso-nginx-proxy-ollama-anythingllm.md
- docs/infrastructure.md
- docs/services.md
---
 deploy/nginx/README-ia-enso.md                          | 8 ++++----
 deploy/nginx/sites/ia.enso.4nkweb.com.conf              | 4 ++--
 docs/features/ia-enso-nginx-proxy-ollama-anythingllm.md | 6 +++---
 docs/infrastructure.md                                  | 2 +-
 docs/services.md                                        | 2 +-
 5 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/deploy/nginx/README-ia-enso.md b/deploy/nginx/README-ia-enso.md
index 412e95e..794d583 100644
--- a/deploy/nginx/README-ia-enso.md
+++ b/deploy/nginx/README-ia-enso.md
@@ -1,13 +1,13 @@
 # ia.enso.4nkweb.com — Nginx sur le proxy (192.168.1.100)
 
-Reverse TLS vers l’hôte LAN **`192.168.1.173`** (rôle *ia* ; ajuster dans `sites/ia.enso.4nkweb.com.conf` si l’IP change) :
+Reverse TLS vers l’hôte LAN **`192.168.1.164`** (Ollama + AnythingLLM ; ajuster dans `sites/ia.enso.4nkweb.com.conf` si l’IP change) :
 
 | Chemin public | Backend | Port | Protection |
 |---------------|---------|------|------------|
 | `/ollama/` | Ollama API | `11434` | **Bearer** vérifié par nginx ; en-tête `Authorization` **retiré** avant Ollama |
 | `/anythingllm/` | AnythingLLM | `3001` | Auth **application** AnythingLLM (pas le Bearer Ollama) |
 
-**Contexte Cursor :** une URL en IP privée (ex. `http://192.168.1.173:11434`) peut être refusée par Cursor (`ssrf_blocked`). Un **nom public** HTTPS vers le proxy évite ce blocage si le DNS résolu depuis Internet n’est pas une IP RFC1918.
+**Contexte Cursor :** une URL en IP privée (ex. `http://192.168.1.164:11434`) peut être refusée par Cursor (`ssrf_blocked`). Un **nom public** HTTPS vers le proxy évite ce blocage si le DNS résolu depuis Internet n’est pas une IP RFC1918.
 
 **Fichiers dans le dépôt :** `sites/ia.enso.4nkweb.com.conf`, `http-maps/*.example`, `deploy-ia-enso-to-proxy.sh`. Détails d’architecture : [docs/features/ia-enso-nginx-proxy-ollama-anythingllm.md](../../docs/features/ia-enso-nginx-proxy-ollama-anythingllm.md).
 
@@ -123,7 +123,7 @@ Si les assets statiques échouent, vérifier la doc upstream (sous-chemin, en-t
 
 ## Pare-feu backend
 
-Sur l’hôte IA (`192.168.1.173` dans la conf actuelle), n’autoriser **11434** et **3001** TCP que depuis **192.168.1.100** (proxy) si un pare-feu hôte est actif.
+Sur **`192.168.1.164`**, n’autoriser **11434** et **3001** TCP que depuis **192.168.1.100** (proxy) si un pare-feu hôte est actif.
 
 ---
 
@@ -141,6 +141,6 @@ Sur l’hôte IA (`192.168.1.173` dans la conf actuelle), n’autoriser **11434*
 |----------|--------|
 | `nginx -t` erreur sur `connection_upgrade` | Doublon de `map $http_upgrade $connection_upgrade` : retirer l’un des blocs ou n’installer que le `map` Bearer. |
 | `401` sur `/ollama/` | Secret différent entre client et `map` ; en-tête `Authorization` absent ou mal formé (`Bearer ` + secret exact). |
-| `502` / timeout | Ollama ou AnythingLLM arrêtés sur l’hôte IA ; pare-feu ; mauvais IP/upstream dans le fichier site. |
+| `502` / timeout | Ollama ou AnythingLLM arrêtés sur `.164` ; pare-feu ; mauvais IP/upstream dans le fichier site. |
 | Erreur SSL | Certificat absent ou chemins `ssl_certificate` incorrects pour `ia.enso.4nkweb.com`. |
 | Cursor `ssrf_blocked` | L’hôte utilisé résout encore vers une IP privée côté infrastructure Cursor ; vérifier DNS public / NAT. |
diff --git a/deploy/nginx/sites/ia.enso.4nkweb.com.conf b/deploy/nginx/sites/ia.enso.4nkweb.com.conf
index 059e617..ba33b79 100644
--- a/deploy/nginx/sites/ia.enso.4nkweb.com.conf
+++ b/deploy/nginx/sites/ia.enso.4nkweb.com.conf
@@ -7,12 +7,12 @@
 # Upstream: adjust IA_ENSO_BACKEND_IP if the AI host IP changes.
 
 upstream ia_enso_ollama {
-    server 192.168.1.173:11434;
+    server 192.168.1.164:11434;
     keepalive 8;
 }
 
 upstream ia_enso_anythingllm {
-    server 192.168.1.173:3001;
+    server 192.168.1.164:3001;
     keepalive 8;
 }
 
diff --git a/docs/features/ia-enso-nginx-proxy-ollama-anythingllm.md b/docs/features/ia-enso-nginx-proxy-ollama-anythingllm.md
index 760a8a7..fe265a5 100644
--- a/docs/features/ia-enso-nginx-proxy-ollama-anythingllm.md
+++ b/docs/features/ia-enso-nginx-proxy-ollama-anythingllm.md
@@ -9,14 +9,14 @@ Expose Ollama and AnythingLLM on the public proxy hostname with HTTPS, path pref
 ## Impacts
 
 - **Proxy (nginx):** new `server_name`, TLS, locations, HTTP `map` for Bearer validation; maps deployed under `/etc/nginx/conf.d/` when using the provided script.
-- **Backend (192.168.1.173, role *ia*):** must accept connections from the proxy on `11434` and `3001`; Ollama must not rely on the client `Authorization` header (nginx clears it after validation).
+- **Backend (192.168.1.164):** must accept connections from the proxy on `11434` and `3001`; Ollama must not rely on the client `Authorization` header (nginx clears it after validation).
 - **Clients:** Cursor uses `https://ia.enso.4nkweb.com/ollama/v1` and the shared secret as API key; avoids private-IP SSRF blocks in Cursor when the hostname resolves publicly from the client infrastructure.
 
 ## Repository layout
 
 | Path | Purpose |
 |------|---------|
-| `deploy/nginx/sites/ia.enso.4nkweb.com.conf` | `server` blocks, upstreams to `192.168.1.173` (edit if IA host IP changes) |
+| `deploy/nginx/sites/ia.enso.4nkweb.com.conf` | `server` blocks, upstreams to `192.168.1.164` (edit if host IP changes) |
 | `deploy/nginx/http-maps/ia-enso-ollama-bearer.map.conf.example` | Example Bearer `map` (manual install) |
 | `deploy/nginx/http-maps/websocket-connection.map.conf.example` | Example WebSocket `map` (manual install) |
 | `deploy/nginx/deploy-ia-enso-to-proxy.sh` | SSH deploy: maps + site, `nginx -t`, reload; Bearer-only retry if websocket `map` already exists |
@@ -28,7 +28,7 @@ Expose Ollama and AnythingLLM on the public proxy hostname with HTTPS, path pref
 
 **Manual:** DNS → TLS (certbot) → install `map` directives inside `http { }` (via `conf.d` or `http-maps` includes) → install site under `sites-available` / `sites-enabled` → `nginx -t` → reload. Details: `deploy/nginx/README-ia-enso.md`.
 
-Restrict backend ports on the IA host (`192.168.1.173` in repo config) to the proxy source where a host firewall is used.
+Restrict backend ports on `192.168.1.164` to the proxy source where a host firewall is used.
 
 ## Analysis modalities
 
diff --git a/docs/infrastructure.md b/docs/infrastructure.md
index db1fd79..2cc1e5d 100644
--- a/docs/infrastructure.md
+++ b/docs/infrastructure.md
@@ -27,7 +27,7 @@ Internet access to backends uses **SSH ProxyJump** via `ncantu@4nk.myftp.biz` (s
 
 ## Reverse proxy `ia.enso.4nkweb.com` (Ollama / AnythingLLM)
 
-Hostname TLS sur le **proxy** `192.168.1.100` : préfixes `/ollama` et `/anythingllm` vers l’hôte LAN **ia** `192.168.1.173` (ports `11434` et `3001`, voir `deploy/nginx/sites/ia.enso.4nkweb.com.conf`). Gate Ollama par **Bearer** au nginx ; AnythingLLM reste derrière son auth applicative.
+Hostname TLS sur le **proxy** `192.168.1.100` : préfixes `/ollama` et `/anythingllm` vers l’hôte LAN `192.168.1.164` (ports `11434` et `3001`, voir `deploy/nginx/sites/ia.enso.4nkweb.com.conf`). Gate Ollama par **Bearer** au nginx ; AnythingLLM reste derrière son auth applicative.
 
 Documentation opérationnelle : [deploy/nginx/README-ia-enso.md](../deploy/nginx/README-ia-enso.md). Fiche évolution : [features/ia-enso-nginx-proxy-ollama-anythingllm.md](./features/ia-enso-nginx-proxy-ollama-anythingllm.md).
 
diff --git a/docs/services.md b/docs/services.md
index e80b135..08cf78b 100644
--- a/docs/services.md
+++ b/docs/services.md
@@ -99,7 +99,7 @@ The last command must succeed after `OLLAMA_HOST=0.0.0.0:11434` and `host.docker
 
 ## Public reverse proxy (ia.enso.4nkweb.com)
 
-When Ollama runs on a LAN host (e.g. **ia** `192.168.1.173` in `deploy/nginx/sites/ia.enso.4nkweb.com.conf`) and must be reached via the **proxy** with HTTPS and a **Bearer** gate (for clients such as Cursor that block private IPs), use `deploy/nginx/` and **[deploy/nginx/README-ia-enso.md](../deploy/nginx/README-ia-enso.md)** (script `deploy-ia-enso-to-proxy.sh`, checks, troubleshooting).
+When Ollama runs on a LAN host (e.g. `192.168.1.164` in `deploy/nginx/sites/ia.enso.4nkweb.com.conf`) and must be reached via the **proxy** with HTTPS and a **Bearer** gate (for clients such as Cursor that block private IPs), use `deploy/nginx/` and **[deploy/nginx/README-ia-enso.md](../deploy/nginx/README-ia-enso.md)** (script `deploy-ia-enso-to-proxy.sh`, checks, troubleshooting).
 
 - Cursor base URL: `https://ia.enso.4nkweb.com/ollama/v1`
 - Cursor API key: same value as the Bearer secret configured on the proxy