
Reverse Proxy

CoreCube runs on port 7400 and expects a reverse proxy to handle TLS termination in production. Without HTTPS, API keys and session cookies are transmitted in plaintext.

Required for production

CoreCube does not emit a Strict-Transport-Security (HSTS) header itself — terminate TLS and set HSTS at the reverse proxy (see the examples below). CoreCube marks session cookies Secure only when CORECUBE_PUBLIC_URL is set to an https:// URL, so configure that variable to match your public HTTPS address.

Nginx

server {
    listen 443 ssl http2;
    server_name docs.yourdomain.com;

    ssl_certificate /etc/ssl/certs/yourdomain.crt;
    ssl_certificate_key /etc/ssl/private/yourdomain.key;
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://localhost:7400;
        proxy_http_version 1.1;

        # Required for SSE streaming
        proxy_buffering off;
        proxy_cache off;

        # Forward client info
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Timeout for long-running LLM streams
        proxy_read_timeout 300s;
    }
}

server {
    listen 80;
    server_name docs.yourdomain.com;
    return 301 https://$host$request_uri;
}

Streaming requires proxy_buffering off

CoreCube's chat completions endpoint uses Server-Sent Events (SSE) for streaming. Without proxy_buffering off, the client will not receive tokens as they are generated — the entire response will be buffered and delivered at once.

Caddy

Caddy handles TLS automatically via Let's Encrypt:

corecube.yourdomain.com {
    reverse_proxy localhost:7400 {
        flush_interval -1
    }
}

flush_interval -1 disables response buffering, which is required for SSE streaming.

Traefik

Add labels to your CoreCube service in Docker Compose:

services:
  corecube:
    image: registry.arantic.cloud/corecube/corecube:latest
    labels:
      - 'traefik.enable=true'
      - 'traefik.http.routers.corecube.rule=Host(`corecube.yourdomain.com`)'
      - 'traefik.http.routers.corecube.entrypoints=websecure'
      - 'traefik.http.routers.corecube.tls.certresolver=letsencrypt'
      - 'traefik.http.services.corecube.loadbalancer.server.port=7400'
      # Disable buffering for SSE streaming
      - 'traefik.http.middlewares.corecube-buffering.buffering.maxResponseBodyBytes=0'

Access restriction

To restrict admin console access to specific IP addresses, add an allowlist at the reverse proxy level:

Nginx:

location /admin {
    allow 192.168.1.0/24;
    allow 10.0.0.0/8;
    deny all;
    proxy_pass http://localhost:7400;
}

Caddy:

corecube.yourdomain.com {
    # Match /admin itself as well as everything under it
    @admin path /admin /admin/*
    handle @admin {
        @allowed remote_ip 192.168.1.0/24 10.0.0.0/8
        handle @allowed {
            reverse_proxy localhost:7400 {
                flush_interval -1
            }
        }
        # Any other source address is refused
        respond 403
    }
    reverse_proxy localhost:7400 {
        flush_interval -1
    }
}

The /v1 API should remain accessible from anywhere (it is authenticated via API keys). Admin console access can be restricted by IP without affecting connected AI clients.
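
For Nginx, the HSTS header and the /admin allowlist can live in one server block. The following is an added example, not CoreCube's own configuration: it merges the two Nginx snippets from this page and sets HSTS at the proxy. The max-age value is an assumption, and the port 80 redirect block stays as shown earlier.

```nginx
# Added example. Hostname, certificate paths and CIDR ranges are the
# placeholders used elsewhere on this page.
server {
    listen 443 ssl http2;
    server_name docs.yourdomain.com;

    ssl_certificate     /etc/ssl/certs/yourdomain.crt;
    ssl_certificate_key /etc/ssl/private/yourdomain.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # CoreCube does not send HSTS, so the proxy adds it. "always" also covers
    # error responses such as the 403 produced by "deny all" below.
    # One year is an assumed max-age; includeSubDomains is left out on
    # purpose so other hosts under the domain are not affected.
    add_header Strict-Transport-Security "max-age=31536000" always;

    # proxy_* settings at server level are inherited by both locations, as
    # long as a location declares no proxy_set_header of its own.
    proxy_http_version 1.1;
    proxy_buffering    off;    # required for SSE streaming
    proxy_cache        off;
    proxy_read_timeout 300s;   # long-running LLM streams
    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Admin console: allowlisted networks only.
    # Keep add_header out of these locations: a location that declares any
    # add_header stops inheriting the server-level HSTS header.
    location /admin {
        allow 192.168.1.0/24;
        allow 10.0.0.0/8;
        deny  all;
        proxy_pass http://localhost:7400;
    }

    # Everything else, including the API-key-authenticated /v1 API.
    location / {
        proxy_pass http://localhost:7400;
    }
}
```

Validate the merged file with nginx -t before reloading.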
