4nk/smart_ide
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
smart_ide/deploy/nginx/README-ia-enso.md
Nicolas Cantu 24077e749e Add ia.enso.4nkweb.com nginx proxy for Ollama and AnythingLLM 
**Motivations:**
- Expose Ollama and AnythingLLM via HTTPS paths on the LAN proxy with Bearer auth for Ollama.

**Root causes:**
- Cursor blocks direct requests to private IPs (SSRF policy).

**Correctifs:**
- N/A (new configuration artifacts).

**Evolutions:**
- Nginx site template, HTTP map for Bearer validation, websocket map example, deployment README, services doc link, feature documentation.

**Pages affectées:**
- deploy/nginx/http-maps/ia-enso-ollama-bearer.map.conf.example
- deploy/nginx/http-maps/websocket-connection.map.conf.example
- deploy/nginx/sites/ia.enso.4nkweb.com.conf
- deploy/nginx/README-ia-enso.md
- docs/features/ia-enso-nginx-proxy-ollama-anythingllm.md
- docs/services.md
2026-03-23 00:56:43 +01:00

67 lines
2.8 KiB
Markdown
Raw Blame History

# ia.enso.4nkweb.com — Nginx on the proxy (192.168.1.100)
Reverse proxy to `192.168.1.164`:
- `https://ia.enso.4nkweb.com/ollama/` → Ollama `11434` (Bearer gate, then `Authorization` cleared upstream).
- `https://ia.enso.4nkweb.com/anythingllm/` → AnythingLLM `3001`.
## 1. DNS and TLS
DNS must resolve `ia.enso.4nkweb.com` to the public entry that reaches this proxy. Issue a certificate, for example:
```bash
sudo certbot certonly --webroot -w /var/www/certbot -d ia.enso.4nkweb.com
```
Adjust `ssl_certificate` paths in `sites/ia.enso.4nkweb.com.conf` if the live directory name differs.
## 2. HTTP-level maps (required)
Copy the examples on the proxy and include them **inside** `http { }` **before** `server` blocks that use the variables:
From a checkout of this repository on the admin machine (paths relative to `deploy/nginx/http-maps/`):
```bash
sudo mkdir -p /etc/nginx/http-maps
sudo cp deploy/nginx/http-maps/ia-enso-ollama-bearer.map.conf.example /etc/nginx/http-maps/ia-enso-ollama-bearer.map.conf
sudo cp deploy/nginx/http-maps/websocket-connection.map.conf.example /etc/nginx/http-maps/websocket-connection.map.conf
sudo nano /etc/nginx/http-maps/ia-enso-ollama-bearer.map.conf # set the Bearer secret (single line value)
```
In `/etc/nginx/nginx.conf` (or a file already included from `http { }`). Include the websocket map **only if** `$connection_upgrade` is not already defined elsewhere (duplicate `map` names will fail `nginx -t`):
```nginx
include /etc/nginx/http-maps/websocket-connection.map.conf;
include /etc/nginx/http-maps/ia-enso-ollama-bearer.map.conf;
```
Do not commit the non-example `ia-enso-ollama-bearer.map.conf` with a real secret.
## 3. Site file
```bash
sudo cp deploy/nginx/sites/ia.enso.4nkweb.com.conf /etc/nginx/sites-available/ia.enso.4nkweb.com.conf
sudo ln -sf /etc/nginx/sites-available/ia.enso.4nkweb.com.conf /etc/nginx/sites-enabled/
sudo nginx -t && sudo systemctl reload nginx
```
## 4. Checks
```bash
curl -sS -o /dev/null -w "%{http_code}\n" -H "Authorization: Bearer CHANGE_ME_TO_LONG_RANDOM_SECRET" \
https://ia.enso.4nkweb.com/ollama/v1/models
```
Expect `200`. Without the header or with a wrong token, expect `401`.
AnythingLLM: open `https://ia.enso.4nkweb.com/anythingllm/` and use the **application** login. If static assets fail to load, verify upstream base-path settings for AnythingLLM or adjust proxy headers per upstream docs.
## 5. Cursor (OpenAI-compatible)
- Override base URL: `https://ia.enso.4nkweb.com/ollama/v1`
- API key: **exactly** the same string as in the map after `Bearer ` (Cursor sends `Authorization: Bearer <key>`; nginx compares the full `Authorization` value to `Bearer <secret>`).
## 6. Backend firewall
Allow from the proxy host only: TCP `11434` and `3001` on `192.168.1.164` if a host firewall is enabled.
Reference in New Issue View Git Blame Copy Permalink