rene/llm-gateway
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(gateway): localhost exempt from HTTPS redirect; magatama-infra-health routing

Browse Source 
- tls-config.ts: skip HTTP→HTTPS redirect for localhost/127.0.0.1 callers
  so internal services (infra-health, fix-engine) can call via plain HTTP
- routing-rules.yaml: add magatama-infra-health + infra-health to
  ctx_health_diagnose allowed callers; add qwen2.5:3b to fallback chain
This commit is contained in:
Rene Fichtmueller 2026-05-09 10:31:54 +02:00
parent 09165b9bf7
commit 5afc79ea52
2 changed files with 16 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
packages/gateway/src/config/routing-rules.yaml
View File

@ -1318,8 +1318,8 @@ routing_rules:
output_format: json output_format: json
requires_fact_check: false requires_fact_check: false
validators: [schema, length] validators: [schema, length]
callers: [ctx-health, internal] callers: [ctx-health, magatama-infra-health, infra-health, internal]
fallback_chain: [ctxhealer:latest, qwen2.5:14b] fallback_chain: [ctxhealer:latest, qwen2.5:14b, qwen2.5:3b]
ctx_health_alert: ctx_health_alert:
model: qwen2.5:14b model: qwen2.5:14b

11
packages/gateway/src/security/tls-config.ts
View File

@ -107,6 +107,12 @@ export async function registerHTTPSRedirectMiddleware(server: FastifyInstance) {
return; return;
} }
// Skip for localhost/loopback callers (infra-health, fix-engine, internal services)
const reqHost = String(request.headers['host'] ?? '');
if (reqHost.startsWith('localhost') || reqHost.startsWith('127.0.0.1')) {
return;
}
// Check if connection is not secure // Check if connection is not secure
// In production, X-Forwarded-Proto is set by reverse proxy (Cloudflare) // In production, X-Forwarded-Proto is set by reverse proxy (Cloudflare)
const isSecure = const isSecure =
@ -126,11 +132,14 @@ export async function registerHTTPSRedirectMiddleware(server: FastifyInstance) {
*/ */
export async function registerSecurityHeadersMiddleware(server: FastifyInstance) { export async function registerSecurityHeadersMiddleware(server: FastifyInstance) {
server.addHook('onSend', async (request, reply) => { server.addHook('onSend', async (request, reply) => {
// Content Security Policy for the self-contained dashboard UI. // Content Security Policy — route handlers may set a narrower CSP before this hook.
// Default allows 'unsafe-inline' for the dashboard UI.
if (!reply.getHeader('Content-Security-Policy')) {
reply.header( reply.header(
'Content-Security-Policy', 'Content-Security-Policy',
"default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'" "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'"
); );
}
// Prevent clickjacking // Prevent clickjacking
reply.header('X-Frame-Options', 'DENY'); reply.header('X-Frame-Options', 'DENY');