# ia.enso.4nkweb.com — Nginx on the proxy (192.168.1.100)

## Automated deploy (from a machine with SSH access)

From the `smart_ide` repository root:

```bash
export IA_ENSO_OLLAMA_BEARER_TOKEN='your-long-secret'   # optional: omit to auto-generate (printed once)
export DEPLOY_SSH_PROXY_HOST='4nk.myftp.biz'            # optional: empty for direct LAN SSH to proxy
./deploy/nginx/deploy-ia-enso-to-proxy.sh
```

Uses `ia_dev/deploy/_lib/ssh.sh` (BatchMode, ProxyJump). Requires passwordless `sudo` for `nginx` on the proxy.

---

Reverse proxy to `192.168.1.164`:

- `https://ia.enso.4nkweb.com/ollama/` → Ollama `11434` (Bearer gate, then `Authorization` cleared upstream).
- `https://ia.enso.4nkweb.com/anythingllm/` → AnythingLLM `3001`.

## 1. DNS and TLS

DNS must resolve `ia.enso.4nkweb.com` to the public entry that reaches this proxy.

Issue a certificate, for example:

```bash
sudo certbot certonly --webroot -w /var/www/certbot -d ia.enso.4nkweb.com
```

Adjust `ssl_certificate` paths in `sites/ia.enso.4nkweb.com.conf` if the live directory name differs.

## 2. HTTP-level maps (required)

Copy the examples on the proxy and include them **inside** `http { }` **before** `server` blocks that use the variables:

From a checkout of this repository on the admin machine (paths relative to `deploy/nginx/http-maps/`):

```bash
sudo mkdir -p /etc/nginx/http-maps
sudo cp deploy/nginx/http-maps/ia-enso-ollama-bearer.map.conf.example /etc/nginx/http-maps/ia-enso-ollama-bearer.map.conf
sudo cp deploy/nginx/http-maps/websocket-connection.map.conf.example /etc/nginx/http-maps/websocket-connection.map.conf
sudo nano /etc/nginx/http-maps/ia-enso-ollama-bearer.map.conf   # set the Bearer secret (single line value)
```

Add the includes in `/etc/nginx/nginx.conf` (or a file already included from `http { }`). Include the websocket map **only if** `$connection_upgrade` is not already defined elsewhere (duplicate `map` names will fail `nginx -t`):

```nginx
include /etc/nginx/http-maps/websocket-connection.map.conf;
include /etc/nginx/http-maps/ia-enso-ollama-bearer.map.conf;
```

Do not commit the non-example `ia-enso-ollama-bearer.map.conf` with a real secret.

## 3. Site file

```bash
sudo cp deploy/nginx/sites/ia.enso.4nkweb.com.conf /etc/nginx/sites-available/ia.enso.4nkweb.com.conf
sudo ln -sf /etc/nginx/sites-available/ia.enso.4nkweb.com.conf /etc/nginx/sites-enabled/
sudo nginx -t && sudo systemctl reload nginx
```

## 4. Checks

```bash
curl -sS -o /dev/null -w "%{http_code}\n" -H "Authorization: Bearer CHANGE_ME_TO_LONG_RANDOM_SECRET" \
  https://ia.enso.4nkweb.com/ollama/v1/models
```

Expect `200`. Without the header or with a wrong token, expect `401`.

AnythingLLM: open `https://ia.enso.4nkweb.com/anythingllm/` and use the **application** login. If static assets fail to load, verify upstream base-path settings for AnythingLLM or adjust proxy headers per upstream docs.

## 5. Cursor (OpenAI-compatible)

- Override base URL: `https://ia.enso.4nkweb.com/ollama/v1`
- API key: **exactly** the same string as in the map after `Bearer ` (Cursor sends `Authorization: Bearer `; nginx compares the full `Authorization` value to `Bearer `).

## 6. Backend firewall

Allow from the proxy host only: TCP `11434` and `3001` on `192.168.1.164` if a host firewall is enabled.
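
One way to script the "set the Bearer secret" step of section 2 so the value cannot break out of the quoted map key or ship as a placeholder. This is an added example, not the repository's deploy script or map file; the map variable name `$ia_enso_ollama_authorized`, the 32-character minimum and the helper function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not the repository's script or map file.
# Assumptions: the map variable name, the 32-character minimum, the helper names.

# 32 random bytes as 64 hex characters. nginx matches plain map strings
# ignoring case, so a hex secret loses no entropy to that.
gen_token() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Accept only RFC 6750 b64token characters: none of them can close the
# quoted map key or start an nginx variable. Reject the page's placeholders.
valid_token() {
    case "$1" in
        CHANGE_ME_TO_LONG_RANDOM_SECRET|your-long-secret) return 1 ;;
        *[!A-Za-z0-9._~+/=-]*) return 1 ;;
    esac
    [ "${#1}" -ge 32 ]
}

# Print the map: only the exact header value "Bearer <token>" yields 1.
render_bearer_map() {
    valid_token "$1" || { echo "refusing placeholder, short or unsafe token" >&2; return 1; }
    cat <<EOF
map \$http_authorization \$ia_enso_ollama_authorized {
    default 0;
    "Bearer $1" 1;
}
EOF
}

# Write the map to DEST with mode 0600 via a temp file, so a rejected token
# never replaces a working map. usage: install_bearer_map TOKEN DEST
install_bearer_map() {
    _tmp=$(mktemp "$2.XXXXXX") || return 1
    if render_bearer_map "$1" > "$_tmp" && chmod 600 "$_tmp"; then
        mv -f "$_tmp" "$2"
    else
        rm -f "$_tmp"
        return 1
    fi
}

# Example (as root on the proxy):
#   install_bearer_map "$(gen_token)" /etc/nginx/http-maps/ia-enso-ollama-bearer.map.conf
#   nginx -t && systemctl reload nginx
```

The variable name in the rendered map must match whatever the site file tests before returning `401`.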