AMI: route AI Gateway / Hub agent surface / SCIM through nginx#23
Merged
The appliance nginx only proxied the Control Plane (/api, /oauth, /authserver, /.well-known, /healthz). Every other service surface fell through to the SPA, so the AI Gateway was unreachable over 443 despite first-boot advertising publicURL https://<ip>/v1.

nginx-nexus.conf:
- AI Gateway (:3050): one regex location for /v1, /v1beta, /openai/deployments, /api/paas (OpenAI/Gemini/Azure/GLM ingress), regex so /api/paas wins over the plain /api/ prefix; proxy_buffering off + HTTP/1.1 for SSE streaming.
- Nexus Hub (:3060): /ws (WebSocket upgrade, 1h timeout) and /api/internal/things/ (enrollment + thingclient HTTP fallback) so remote agents can enroll/connect over 443. Token-gated by the Hub; /api/hub admin + /metrics stay loopback-only.
- SCIM: /scim/ -> Control Plane for Okta/Entra provisioning.
- /api/: proxy_buffering off so admin SSE (compliance export, AI Gateway Simulator forward) streams instead of buffering.
- /healthz: was proxied to CP /api/healthz which 404s; CP serves /healthz at root. proxy_pass now preserves the path. Added /ready.

No new ports or EC2 Security Group changes — everything rides on 443 (already open).

README documents the endpoint map, OpenAI verification curl, remote-agent enrollment, and the internet-exposure security note.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Summary

The appliance's `nginx-nexus.conf` only reverse-proxied the Control Plane (`/api`, `/oauth`, `/authserver`, `/.well-known`, `/healthz`). Every other service surface fell through to the SPA `try_files`, so the AI Gateway was unreachable over 443 even though first-boot advertises `publicURL https://<ip>/v1`. This wires up the missing surfaces.

Found while debugging a live deployment: `GET https://<ip>/v1/models` returned the UI's `index.html` (HTTP 200 `text/html`), and `/healthz` returned `{"message":"Not Found"}` (404).

No new ports and no EC2 Security Group change — everything rides on 443, which is already open.

Changes (`nexus-ami/artifacts/configs/nginx-nexus.conf`)

- AI Gateway (`:3050`) — one regex `location` covering `/v1`, `/v1beta`, `/openai/deployments`, `/api/paas` (OpenAI / Gemini / Azure / GLM ingress wire formats). Regex so `/api/paas` wins over the plain `/api/` prefix. `proxy_buffering off` + HTTP/1.1 so SSE streaming relays chunk-by-chunk.
- Nexus Hub (`:3060`) — `/ws` (WebSocket upgrade, 1h read timeout) and `/api/internal/things/` (agent enrollment + thingclient HTTP fallback) so remote endpoint-agents can enroll/connect over 443. Confirmed no namespace clash: CP's `/api/internal` only registers `/auth/revoke-device`. Bearer/device/enrollment-token gated by the Hub. The Hub admin API (`/api/hub/*`) and `/metrics` stay loopback-only.
- SCIM — `/scim/` → Control Plane for Okta/Entra user provisioning.
- `/api/` — added `proxy_buffering off` so admin SSE (compliance-overview export, AI Gateway Simulator forward) streams.
- `/healthz` bug fix — was `proxy_pass .../api/healthz` (CP serves `/healthz` at root → 404). Now preserves the path. Added `/ready`.

Verification

- `routes.go` (`/v1/*`, `/v1beta`, `/openai/deployments`, `/api/paas`), Hub `routes.go` (`GET /ws`, `/api/internal/things/*`), CP `routes.go` (`/scim/v2`, `/healthz`, `/ready`, `/api/internal/auth` only).
- `/api/paas` and `/api/internal/things/` cases.
- Still loopback-only: `/internal/*`, both `/metrics`, CP `/debug/runtime`, Hub `/api/hub/*`.

Security note

`/v1/*`, `/ws`, and `/api/internal/things/*` become internet-reachable. They are not anonymous: `/v1/*` requires a virtual key; the Hub agent surface is gated by per-device / enrollment / internal-service tokens. Documented in `nexus-ami/README.md` along with the endpoint map, an OpenAI-verification curl, and the remote-agent enrollment command.

🤖 Generated with Claude Code
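The routing the PR describes, written out as an added example; this is not the project's `nginx-nexus.conf` and not the PR's diff. The AI Gateway port (3050), the Hub port (3060) and the path list come from the PR; the Control Plane port (3000), the upstream names, the TLS paths and the SPA root are assumptions. The explicit `return 404` guard for the loopback-only surfaces is also an addition beyond what the PR states: those paths are simply not proxied in the PR, so the guard only makes that intent auditable and survives a later broadening of `/api/` or `/`.

```nginx
# Added illustration of the PR's endpoint map; not the project's own config.
# Assumed: Control Plane on 127.0.0.1:3000, cert paths, SPA root.
upstream control_plane { server 127.0.0.1:3000; }   # assumed port
upstream ai_gateway    { server 127.0.0.1:3050; }   # from the PR
upstream nexus_hub     { server 127.0.0.1:3060; }   # from the PR

# "Connection: upgrade" only when the client actually asked for an upgrade.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 443 ssl;
    server_name _;
    ssl_certificate     /etc/nexus/tls/server.crt;   # assumed path
    ssl_certificate_key /etc/nexus/tls/server.key;   # assumed path
    root /var/www/nexus-ui;                          # assumed SPA root

    # AI Gateway ingress (OpenAI / Gemini / Azure / GLM wire formats).
    # nginx evaluates regex locations before plain prefix locations (none
    # below use ^~), so /api/paas lands here instead of in /api/ -> CP.
    # No URI part on proxy_pass, so the request path is forwarded as-is.
    location ~ ^/(v1|v1beta|openai/deployments|api/paas)(/|$) {
        proxy_pass http://ai_gateway;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_buffering off;            # relay SSE chunks as they arrive
        proxy_read_timeout 600s;        # long completions, assumed value
    }

    # Loopback-only admin/operational surfaces: never reachable via 443.
    # Added guard (not in the PR); the regex wins over the /api/ prefix.
    location ~ ^/(metrics|api/hub|debug/runtime|internal)(/|$) {
        return 404;
    }

    # Hub agent surface: WebSocket upgrade with a 1 hour idle timeout.
    location = /ws {
        proxy_pass http://nexus_hub;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_read_timeout 3600s;
        proxy_send_timeout 3600s;
    }

    # Enrollment + thingclient HTTP fallback. Longest prefix wins, so this
    # beats /api/ and reaches the Hub, not the Control Plane.
    location /api/internal/things/ {
        proxy_pass http://nexus_hub;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # SCIM provisioning (Okta / Entra) -> Control Plane.
    location /scim/ {
        proxy_pass http://control_plane;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Control Plane API; unbuffered so admin SSE exports stream.
    location /api/ {
        proxy_pass http://control_plane;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_buffering off;
    }
    location /oauth/       { proxy_pass http://control_plane; proxy_set_header Host $host; }
    location /authserver/  { proxy_pass http://control_plane; proxy_set_header Host $host; }
    location /.well-known/ { proxy_pass http://control_plane; proxy_set_header Host $host; }

    # Health: proxy_pass WITHOUT a URI part forwards /healthz and /ready
    # unchanged. "proxy_pass http://control_plane/api/healthz;" would have
    # rewritten the path to one the CP does not serve (the 404 in the PR).
    location = /healthz { proxy_pass http://control_plane; }
    location = /ready   { proxy_pass http://control_plane; }

    # Everything else is the SPA.
    location / {
        try_files $uri $uri/ /index.html;
    }
}
```

Two nginx rules carry the whole fix and are worth re-checking after any later edit: a regex `location ~` is consulted before every prefix location that lacks `^~`, which is what lets `/api/paas` escape `/api/`; and a `proxy_pass` that carries a URI part replaces the matched prefix with it, which is how `/healthz` was turned into `/api/healthz`. After editing, `nginx -t` catches syntax only; confirm precedence with a request to `/api/paas/...` and to `/api/hub/...` on 443 and check which upstream (or the 404 guard) answered.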