4nk/smart_ide
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
smart_ide/docs/features/ia-enso-nginx-proxy-ollama-anythingllm.md
Nicolas Cantu f39de69e55 Add SSH deploy script for ia.enso nginx on proxy 
**Motivations:**
- Apply proxy configuration from a workstation without manual scp steps.

**Root causes:**
- No automation existed for pushing nginx files to 192.168.1.100.

**Correctifs:**
- N/A.

**Evolutions:**
- deploy-ia-enso-to-proxy.sh with ProxyJump, optional generated Bearer token, retry without duplicate websocket map.

**Pages affectées:**
- deploy/nginx/deploy-ia-enso-to-proxy.sh
- deploy/nginx/README-ia-enso.md
- docs/features/ia-enso-nginx-proxy-ollama-anythingllm.md
2026-03-23 01:03:22 +01:00

2.4 KiB
Raw Blame History

Feature: Reverse proxy ia.enso.4nkweb.com for Ollama and AnythingLLM

Author: 4NK team

Objective

Expose Ollama and AnythingLLM on the public proxy hostname with HTTPS, path prefixes /ollama and /anythingllm, and gate Ollama with a Bearer token checked at the proxy (compatible with Cursors OpenAI base URL + API key).

Impacts

  • Proxy (nginx): new server_name, TLS, locations, HTTP map for Bearer validation; optional new includes under /etc/nginx/http-maps/.
  • Backend (192.168.1.164): must accept connections from the proxy on 11434 and 3001; Ollama must not rely on the client Authorization header (nginx clears it after validation).
  • Clients: Cursor uses https://ia.enso.4nkweb.com/ollama/v1 and the shared secret as API key; avoids private-IP SSRF blocks in Cursor when the hostname resolves publicly.

Modifications (repository)

  • deploy/nginx/http-maps/ia-enso-ollama-bearer.map.conf.examplemap for $ia_enso_ollama_authorized.
  • deploy/nginx/http-maps/websocket-connection.map.conf.examplemap for $connection_upgrade (AnythingLLM WebSocket).
  • deploy/nginx/sites/ia.enso.4nkweb.com.confserver blocks and upstreams.
  • deploy/nginx/deploy-ia-enso-to-proxy.sh — push maps + site over SSH, nginx -t, reload (Bearer-only retry if websocket map already exists).
  • deploy/nginx/README-ia-enso.md — installation and verification on the proxy.

Deployment modalities

  1. DNS for ia.enso.4nkweb.com points to the proxy entry used for HTTPS.
  2. Obtain TLS certificates (e.g. certbot) for that name.
  3. Install map files under /etc/nginx/http-maps/, set the Bearer secret, include maps inside http { }.
  4. Install the site file under sites-available / sites-enabled, nginx -t, reload nginx.
  5. Restrict backend ports at the firewall to the proxy source where applicable.

Analysis modalities

  • curl to /ollama/v1/models with and without Authorization: Bearer <secret> (expect 200 / 401).
  • Browser access to /anythingllm/ and application login.
  • Cursor connectivity after configuration change (no ssrf_blocked if hostname resolves to a public IP from Cursors perspective).

Security notes

  • The Bearer secret is equivalent to an API key; rotate by updating the map file and client configs together.
  • AnythingLLM remains protected by its own application authentication; the /anythingllm location does not add the Ollama Bearer gate.