**Motivations:**
- Expose Ollama and AnythingLLM via HTTPS paths on the LAN proxy with Bearer auth for Ollama.

**Root causes:**
- Cursor blocks direct requests to private IPs (SSRF policy).

**Fixes:**
- N/A (new configuration artifacts).

**Evolutions:**
- Nginx site template, HTTP map for Bearer validation, websocket map example, deployment README, services doc link, feature documentation.

**Affected pages:**
- deploy/nginx/http-maps/ia-enso-ollama-bearer.map.conf.example
- deploy/nginx/http-maps/websocket-connection.map.conf.example
- deploy/nginx/sites/ia.enso.4nkweb.com.conf
- deploy/nginx/README-ia-enso.md
- docs/features/ia-enso-nginx-proxy-ollama-anythingllm.md
- docs/services.md
ia.enso.4nkweb.com — Nginx on the proxy (192.168.1.100)
Reverse proxy to 192.168.1.164:
- https://ia.enso.4nkweb.com/ollama/ → Ollama 11434 (Bearer gate, then Authorization cleared upstream).
- https://ia.enso.4nkweb.com/anythingllm/ → AnythingLLM 3001.
1. DNS and TLS
DNS must resolve ia.enso.4nkweb.com to the public entry that reaches this proxy. Issue a certificate, for example:
sudo certbot certonly --webroot -w /var/www/certbot -d ia.enso.4nkweb.com
Adjust ssl_certificate paths in sites/ia.enso.4nkweb.com.conf if the live directory name differs.
2. HTTP-level maps (required)
Copy the examples on the proxy and include them inside http { } before server blocks that use the variables:
From a checkout of this repository on the admin machine (paths relative to deploy/nginx/http-maps/):
sudo mkdir -p /etc/nginx/http-maps
sudo cp deploy/nginx/http-maps/ia-enso-ollama-bearer.map.conf.example /etc/nginx/http-maps/ia-enso-ollama-bearer.map.conf
sudo cp deploy/nginx/http-maps/websocket-connection.map.conf.example /etc/nginx/http-maps/websocket-connection.map.conf
sudo nano /etc/nginx/http-maps/ia-enso-ollama-bearer.map.conf # set the Bearer secret (single line value)
In /etc/nginx/nginx.conf (or a file already included from http { }), add the include lines below. Include the websocket map only if $connection_upgrade is not already defined elsewhere (duplicate map names will fail nginx -t):
include /etc/nginx/http-maps/websocket-connection.map.conf;
include /etc/nginx/http-maps/ia-enso-ollama-bearer.map.conf;
Do not commit the non-example ia-enso-ollama-bearer.map.conf with a real secret.
3. Site file
sudo cp deploy/nginx/sites/ia.enso.4nkweb.com.conf /etc/nginx/sites-available/ia.enso.4nkweb.com.conf
sudo ln -sf /etc/nginx/sites-available/ia.enso.4nkweb.com.conf /etc/nginx/sites-enabled/
sudo nginx -t && sudo systemctl reload nginx
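What the Bearer map from step 2 and the /ollama/ location of the site file can look like, as an added example that is not the repository's own files. The variable name $ia_enso_ollama_authorized, the proxy tuning values and the trailing-slash path rewrite are assumptions.

```nginx
# Added example, not the repository's files. The variable name
# $ia_enso_ollama_authorized is an assumption.

# --- http { } context: /etc/nginx/http-maps/ia-enso-ollama-bearer.map.conf ---
# This file holds the secret: restrict read access and keep it out of git.
map $http_authorization $ia_enso_ollama_authorized {
    default 0;
    # Whole-header comparison. Plain map strings are matched ignoring case,
    # so generate the secret from a single-case alphabet (for example hex)
    # and make it long enough that case adds nothing.
    "Bearer CHANGE_ME_TO_LONG_RANDOM_SECRET" 1;
}

# --- server { } context: inside the ia.enso.4nkweb.com site file ---
location /ollama/ {
    # Gate first: a missing or wrong Authorization header never reaches Ollama.
    if ($ia_enso_ollama_authorized = 0) {
        return 401;
    }

    # Trailing slash (assumed): /ollama/v1/models is sent upstream as /v1/models.
    proxy_pass http://192.168.1.164:11434/;

    # An empty value removes the header, so the secret is not forwarded upstream.
    proxy_set_header Authorization "";

    proxy_http_version 1.1;
    proxy_buffering off;        # pass streamed completions through as they arrive
    proxy_read_timeout 300s;    # assumed value; long generations can exceed the 60s default
}
```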
4. Checks
curl -sS -o /dev/null -w "%{http_code}\n" -H "Authorization: Bearer CHANGE_ME_TO_LONG_RANDOM_SECRET" \
https://ia.enso.4nkweb.com/ollama/v1/models
Expect 200. Without the header or with a wrong token, expect 401.
AnythingLLM: open https://ia.enso.4nkweb.com/anythingllm/ and use the application login. If static assets fail to load, verify upstream base-path settings for AnythingLLM or adjust proxy headers per upstream docs.
5. Cursor (OpenAI-compatible)
- Override base URL: https://ia.enso.4nkweb.com/ollama/v1
- API key: exactly the same string as in the map after Bearer (Cursor sends Authorization: Bearer <key>; nginx compares the full Authorization value to Bearer <secret>).
6. Backend firewall
If a host firewall is enabled on 192.168.1.164, allow TCP 11434 and 3001 from the proxy host only.