smart_ide/docs/features/ia-enso-nginx-proxy-ollama-anythingllm.md
Nicolas Cantu f39de69e55 Add SSH deploy script for ia.enso nginx on proxy
**Motivations:**
- Apply proxy configuration from a workstation without manual scp steps.

**Root causes:**
- No automation existed for pushing nginx files to 192.168.1.100.

**Fixes:**
- N/A.

**Evolutions:**
- deploy-ia-enso-to-proxy.sh with ProxyJump, optional generated Bearer token, retry without duplicate websocket map.

**Affected pages:**
- deploy/nginx/deploy-ia-enso-to-proxy.sh
- deploy/nginx/README-ia-enso.md
- docs/features/ia-enso-nginx-proxy-ollama-anythingllm.md
2026-03-23 01:03:22 +01:00

# Feature: Reverse proxy ia.enso.4nkweb.com for Ollama and AnythingLLM
**Author:** 4NK team
## Objective
Expose Ollama and AnythingLLM on the public proxy hostname with HTTPS, path prefixes `/ollama` and `/anythingllm`, and **gate Ollama** with a **Bearer token** checked at the proxy (compatible with Cursor's OpenAI base URL + API key).
## Impacts
- **Proxy (nginx):** new `server_name`, TLS, locations, HTTP `map` for Bearer validation; optional new includes under `/etc/nginx/http-maps/`.
- **Backend (192.168.1.164):** must accept connections from the proxy on `11434` and `3001`; Ollama must not rely on the client `Authorization` header (nginx clears it after validation).
- **Clients:** Cursor uses `https://ia.enso.4nkweb.com/ollama/v1` and the shared secret as API key; avoids private-IP SSRF blocks in Cursor when the hostname resolves publicly.
## Modifications (repository)
- `deploy/nginx/http-maps/ia-enso-ollama-bearer.map.conf.example` — `map` for `$ia_enso_ollama_authorized`.
- `deploy/nginx/http-maps/websocket-connection.map.conf.example` — `map` for `$connection_upgrade` (AnythingLLM WebSocket).
- `deploy/nginx/sites/ia.enso.4nkweb.com.conf` — `server` blocks and upstreams.
- `deploy/nginx/deploy-ia-enso-to-proxy.sh` — push maps + site over SSH, `nginx -t`, reload (Bearer-only retry if websocket `map` already exists).
- `deploy/nginx/README-ia-enso.md` — installation and verification on the proxy.
## Deployment modalities
1. DNS for `ia.enso.4nkweb.com` points to the proxy entry used for HTTPS.
2. Obtain TLS certificates (e.g. certbot) for that name.
3. Install map files under `/etc/nginx/http-maps/`, set the Bearer secret, include maps inside `http { }`.
4. Install the site file under `sites-available` / `sites-enabled`, `nginx -t`, reload nginx.
5. Restrict backend ports at the firewall to the proxy source where applicable.
## Analysis modalities
- `curl` to `/ollama/v1/models` with and without `Authorization: Bearer <secret>` (expect 200 / 401).
- Browser access to `/anythingllm/` and application login.
- Cursor connectivity after configuration change (no `ssrf_blocked` if the hostname resolves to a public IP from Cursor's perspective).
## Security notes
- The Bearer secret is equivalent to an API key; rotate by updating the map file and client configs together.
- AnythingLLM remains protected by **its own** application authentication; the `/anythingllm` location does not add the Ollama Bearer gate.
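One way the pieces described above fit together, as an added example that is not the repository's own configuration: the two `map` files and the site file, with the Bearer check and `Authorization` clearing on `/ollama` and the ungated, WebSocket-capable `/anythingllm` location. The secret placeholder, certificate paths and timeout value are assumptions.

```nginx
# Added example, not the repository's files. Backend IP/ports are from the
# feature description; the secret, cert paths and timeout are assumptions.

# /etc/nginx/http-maps/ia-enso-ollama-bearer.map.conf (included in http { })
# Exact-match the whole header value; anything else yields 0.
map $http_authorization $ia_enso_ollama_authorized {
    default 0;
    "Bearer REPLACE_WITH_SHARED_SECRET" 1;   # placeholder; rotate with clients
}

# /etc/nginx/http-maps/websocket-connection.map.conf (included in http { })
map $http_upgrade $connection_upgrade {
    default upgrade;
    ""      close;
}

# /etc/nginx/sites-available/ia.enso.4nkweb.com.conf
server {
    listen 443 ssl;
    server_name ia.enso.4nkweb.com;
    ssl_certificate     /etc/letsencrypt/live/ia.enso.4nkweb.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ia.enso.4nkweb.com/privkey.pem;

    # Ollama: 401 unless the map matched, then strip the header so the
    # backend never receives the shared secret. Trailing slash on proxy_pass
    # turns /ollama/v1/models into /v1/models upstream.
    location /ollama/ {
        if ($ia_enso_ollama_authorized = 0) { return 401; }
        proxy_set_header Authorization "";
        proxy_pass http://192.168.1.164:11434/;
        proxy_read_timeout 600s;   # long generations (assumed value)
    }

    # AnythingLLM: no Bearer gate (application login applies); WebSocket
    # upgrade via the $connection_upgrade map.
    location /anythingllm/ {
        proxy_pass http://192.168.1.164:3001/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
    }
}
```

After `nginx -t` and a reload, the two `curl` checks from the analysis section should return 401 without the header and 200 with it.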