# Feature: Reverse proxy ia.enso.4nkweb.com for Ollama and AnythingLLM **Author:** 4NK team ## Objective Expose Ollama and AnythingLLM on the public proxy hostname with HTTPS, path prefixes `/ollama` and `/anythingllm`, and **gate `/ollama/`** with a **Bearer token** at nginx (compatible with OpenAI clients that send `Authorization: Bearer `). The secret is **not** forwarded to Ollama. ## Public URLs (HTTPS) - AnythingLLM UI: `https://ia.enso.4nkweb.com/anythingllm/` - Ollama native API (example): `https://ia.enso.4nkweb.com/ollama/api/tags` — Bearer required at nginx - OpenAI-compatible base (Cursor): `https://ia.enso.4nkweb.com/ollama/v1` ## Impacts - **Proxy (nginx):** `server_name`, TLS, locations; `conf.d/ia-enso-http-maps.conf` with `map_hash_bucket_size`, Bearer `map`, and WebSocket `map` (or Bearer-only if WebSocket map exists elsewhere). - **Backend (192.168.1.164):** must accept connections from the proxy on `11434` and `3001`. - **Clients:** send `Authorization: Bearer ` for `/ollama/*`; Cursor API key field = same secret as in the nginx `map`. ## Repository layout | Path | Purpose | |------|---------| | `deploy/nginx/sites/ia.enso.4nkweb.com.conf` | `server` blocks ; upstreams use `__IA_ENSO_BACKEND_IP__` | | `deploy/nginx/http-maps/ia-enso-ollama-bearer.map.conf.example` | Bearer `map` reference for manual installs | | `deploy/nginx/http-maps/websocket-connection.map.conf.example` | WebSocket `map` reference | | `deploy/nginx/deploy-ia-enso-to-proxy.sh` | SSH deploy; retry Bearer-only if duplicate WebSocket `map` | | `deploy/nginx/sites/ia.enso.4nkweb.com.http-only.conf` | TLS bootstrap HTTP-only vhost | | `deploy/nginx/README-ia-enso.md` | Operator reference (includes note on Cursor `streamFromAgentBackend`) | ## Deployment modalities Run `./deploy/nginx/deploy-ia-enso-to-proxy.sh` with optional `IA_ENSO_OLLAMA_BEARER_TOKEN`. See `README-ia-enso.md`. ## Analysis modalities - `curl` to `/ollama/v1/models` with and without Bearer (200 / 401). - Browser: `/anythingllm/`. ## Security notes - Bearer secret is equivalent to an API key; rotate in `ia-enso-http-maps.conf` and client configs together. - AnythingLLM uses its own application login on `/anythingllm/`.