smart_ide/deploy/nginx/README-ia-enso.md
Nicolas Cantu f39de69e55 Add SSH deploy script for ia.enso nginx on proxy
**Motivations:**
- Apply proxy configuration from a workstation without manual scp steps.

**Root causes:**
- No automation existed for pushing nginx files to 192.168.1.100.

**Fixes:**
- N/A.

**Evolutions:**
- deploy-ia-enso-to-proxy.sh with ProxyJump, optional generated Bearer token, retry without duplicate websocket map.

**Affected pages:**
- deploy/nginx/deploy-ia-enso-to-proxy.sh
- deploy/nginx/README-ia-enso.md
- docs/features/ia-enso-nginx-proxy-ollama-anythingllm.md
2026-03-23 01:03:22 +01:00

3.2 KiB

ia.enso.4nkweb.com — Nginx on the proxy (192.168.1.100)

Automated deploy (from a machine with SSH access)

From the smart_ide repository root:

export IA_ENSO_OLLAMA_BEARER_TOKEN='your-long-secret'   # optional: omit to auto-generate (printed once)
export DEPLOY_SSH_PROXY_HOST='4nk.myftp.biz'            # optional: empty for direct LAN SSH to proxy
./deploy/nginx/deploy-ia-enso-to-proxy.sh

Uses ia_dev/deploy/_lib/ssh.sh (BatchMode, ProxyJump). Requires passwordless sudo for nginx on the proxy.


Reverse proxy to 192.168.1.164:

  • https://ia.enso.4nkweb.com/ollama/ → Ollama 11434 (Bearer gate, then Authorization cleared upstream).
  • https://ia.enso.4nkweb.com/anythingllm/ → AnythingLLM 3001.

1. DNS and TLS

DNS must resolve ia.enso.4nkweb.com to the public entry that reaches this proxy. Issue a certificate, for example:

sudo certbot certonly --webroot -w /var/www/certbot -d ia.enso.4nkweb.com

Adjust ssl_certificate paths in sites/ia.enso.4nkweb.com.conf if the live directory name differs.

2. HTTP-level maps (required)

Copy the example files to the proxy and include them inside http { } before the server blocks that use the variables.

From a checkout of this repository on the admin machine (the example files are under deploy/nginx/http-maps/):

sudo mkdir -p /etc/nginx/http-maps
sudo cp deploy/nginx/http-maps/ia-enso-ollama-bearer.map.conf.example /etc/nginx/http-maps/ia-enso-ollama-bearer.map.conf
sudo cp deploy/nginx/http-maps/websocket-connection.map.conf.example /etc/nginx/http-maps/websocket-connection.map.conf
sudo nano /etc/nginx/http-maps/ia-enso-ollama-bearer.map.conf   # set the Bearer secret (single line value)

In /etc/nginx/nginx.conf (or a file already included from http { }), add the includes below. Include the websocket map only if $connection_upgrade is not already defined elsewhere (duplicate map names will fail nginx -t):

include /etc/nginx/http-maps/websocket-connection.map.conf;
include /etc/nginx/http-maps/ia-enso-ollama-bearer.map.conf;

Do not commit the non-example ia-enso-ollama-bearer.map.conf with a real secret.
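
One way to check the duplicate-map condition before editing nginx.conf, as an added example (not code from this repository or its deploy script). It reads the effective configuration that `nginx -T` prints; the function names and the two sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the repository or its deploy script.
# Reads an effective nginx configuration dump on stdin (e.g. `nginx -T`).

# Succeeds if stdin has an uncommented "map <source> $connection_upgrade".
connection_upgrade_defined() {
    grep -Eq '^[[:space:]]*map[[:space:]]+[^[:space:]#;{]+[[:space:]]+\$connection_upgrade([[:space:]]|\{|$)'
}

# Prints the include lines for http { }: the websocket map only when the
# variable is not defined yet, the Bearer map always.
ia_enso_includes() {
    if ! connection_upgrade_defined; then
        echo 'include /etc/nginx/http-maps/websocket-connection.map.conf;'
    fi
    echo 'include /etc/nginx/http-maps/ia-enso-ollama-bearer.map.conf;'
}

# Constructed sample: another file already defines $connection_upgrade.
sample_with_map() {
    cat <<'EOF'
# configuration file /etc/nginx/conf.d/upgrade.conf:
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}
EOF
}

# Constructed sample: only a commented-out definition is present.
sample_without_map() {
    cat <<'EOF'
# configuration file /etc/nginx/nginx.conf:
http {
    # map $http_upgrade $connection_upgrade {
    include /etc/nginx/sites-enabled/*;
}
EOF
}

# Demo on the constructed samples. On the proxy:
#   sudo nginx -T 2>/dev/null | ia_enso_includes
sample_with_map | ia_enso_includes
sample_without_map | ia_enso_includes
```

Because the check runs against the `nginx -T` dump rather than files on disk, a websocket map that was included by an earlier deploy also counts as already defined.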

3. Site file

sudo cp deploy/nginx/sites/ia.enso.4nkweb.com.conf /etc/nginx/sites-available/ia.enso.4nkweb.com.conf
sudo ln -sf /etc/nginx/sites-available/ia.enso.4nkweb.com.conf /etc/nginx/sites-enabled/
sudo nginx -t && sudo systemctl reload nginx

4. Checks

curl -sS -o /dev/null -w "%{http_code}\n" -H "Authorization: Bearer CHANGE_ME_TO_LONG_RANDOM_SECRET" \
  https://ia.enso.4nkweb.com/ollama/v1/models

Expect 200. Without the header or with a wrong token, expect 401.

AnythingLLM: open https://ia.enso.4nkweb.com/anythingllm/ and use the application login. If static assets fail to load, verify upstream base-path settings for AnythingLLM or adjust proxy headers per upstream docs.

5. Cursor (OpenAI-compatible)

  • Override base URL: https://ia.enso.4nkweb.com/ollama/v1
  • API key: exactly the same string as in the map after Bearer (Cursor sends Authorization: Bearer <key>; nginx compares the full Authorization value to Bearer <secret>).

6. Backend firewall

If a host firewall is enabled on 192.168.1.164, allow TCP 11434 and 3001 from the proxy host only.