
Reverse Proxy

CoreCube runs on port 7400 and expects a reverse proxy to handle TLS termination in production. Without HTTPS, API keys and session cookies are transmitted in plaintext.

:::info Required for production
CoreCube enforces Strict-Transport-Security (HSTS) and sets secure: true on session cookies when accessed over HTTPS. These controls are inactive over plain HTTP.
:::

Nginx

server {
    listen 443 ssl http2;
    server_name docs.yourdomain.com;

    ssl_certificate /etc/ssl/certs/yourdomain.crt;
    ssl_certificate_key /etc/ssl/private/yourdomain.key;
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://localhost:7400;
        proxy_http_version 1.1;

        # Required for SSE streaming
        proxy_buffering off;
        proxy_cache off;

        # WebSocket / streaming support
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Forward client info
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Timeout for long-running LLM streams
        proxy_read_timeout 300s;
    }
}

server {
    listen 80;
    server_name docs.yourdomain.com;
    return 301 https://$host$request_uri;
}

:::warning Streaming requires proxy_buffering off
CoreCube's chat completions endpoint uses Server-Sent Events (SSE) for streaming. Without proxy_buffering off, the client will not receive tokens as they are generated; the entire response will be buffered and delivered at once.
:::
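To confirm that the HSTS and secure-cookie controls and the port 80 redirect described above are actually in effect behind the proxy, the response heads can be checked as in the following added example (not part of the CoreCube documentation or code). The sample responses and the cookie name `session` are constructed; in practice, feed in the output of `curl -sI` against your own host.

```python
import re

# Constructed sample response heads (not real CoreCube output); the cookie name is made up.
GOOD_HTTPS = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax
"""
BAD_HTTPS = """HTTP/1.1 200 OK
Set-Cookie: session=abc123; Path=/; HttpOnly; SameSite=Lax
"""
GOOD_REDIRECT = """HTTP/1.1 301 Moved Permanently
Location: https://docs.yourdomain.com/
"""
BAD_REDIRECT = """HTTP/1.1 200 OK
Content-Type: text/html
"""

def parse_head(raw):
    """Split a raw response head into (status_code, [(lowercased name, value), ...])."""
    lines = [ln for ln in raw.strip().splitlines() if ln.strip()]
    status = int(lines[0].split()[1])
    pairs = [ln.partition(":") for ln in lines[1:]]
    return status, [(n.strip().lower(), v.strip()) for n, _, v in pairs]

def audit_https(raw):
    """Findings for a response fetched over https:// through the proxy."""
    _, headers = parse_head(raw)
    findings = []
    hsts = [v for n, v in headers if n == "strict-transport-security"]
    m = re.search(r"max-age=\"?(\d+)", hsts[0], re.I) if hsts else None
    if not hsts:
        findings.append("missing Strict-Transport-Security")
    elif not m or int(m.group(1)) == 0:
        findings.append("HSTS max-age missing or 0 (policy not in effect)")
    for n, v in headers:
        if n == "set-cookie":
            attrs = [a.strip().lower() for a in v.split(";")[1:]]
            if "secure" not in attrs:
                findings.append("cookie without Secure: " + v.split("=", 1)[0])
    return findings

def audit_redirect(raw, host):
    """Findings for the plain-HTTP response: expect a 301 to https://<host>/..."""
    status, headers = parse_head(raw)
    location = dict(headers).get("location", "")
    if status != 301 or not location.startswith("https://" + host + "/"):
        return ["port 80 does not 301 to https://" + host]
    return []

if __name__ == "__main__":
    print(audit_https(BAD_HTTPS), audit_redirect(BAD_REDIRECT, "docs.yourdomain.com"))
```

An empty list from both functions means the checked controls are present; any finding on the HTTPS response means session cookies or the HSTS policy are not being applied to that deployment.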

Caddy

Caddy handles TLS automatically via Let's Encrypt:

corecube.yourdomain.com {
    reverse_proxy localhost:7400 {
        flush_interval -1
    }
}

flush_interval -1 disables response buffering, which is required for SSE streaming.

Traefik

Add labels to your CoreCube service in Docker Compose:

services:
  corecube:
    image: registry.arantic.cloud/corecube/corecube:latest
    labels:
      - 'traefik.enable=true'
      - 'traefik.http.routers.corecube.rule=Host(`corecube.yourdomain.com`)'
      - 'traefik.http.routers.corecube.entrypoints=websecure'
      - 'traefik.http.routers.corecube.tls.certresolver=letsencrypt'
      - 'traefik.http.services.corecube.loadbalancer.server.port=7400'
      # Disable buffering for SSE streaming
      - 'traefik.http.middlewares.corecube-buffering.buffering.maxResponseBodyBytes=0'

Access restriction

To restrict admin console access to specific IP addresses, add an allowlist at the reverse proxy level:

Nginx:

location /admin {
    allow 192.168.1.0/24;
    allow 10.0.0.0/8;
    deny all;
    proxy_pass http://localhost:7400;
}

Caddy:

corecube.yourdomain.com {
    # Match /admin itself as well as everything below it
    @admin path /admin /admin/*
    handle @admin {
        @allowed remote_ip 192.168.1.0/24 10.0.0.0/8
        handle @allowed {
            reverse_proxy localhost:7400 {
                flush_interval -1
            }
        }
        respond 403
    }
    reverse_proxy localhost:7400 {
        flush_interval -1
    }
}

The /v1 API and /mcp endpoints should remain accessible from anywhere (they are authenticated via API keys). Admin console access can be restricted by IP without affecting connected AI clients.
