Reverse Proxy and Networking
A reverse proxy is a server that forwards requests from clients to one or more upstream servers. It receives requests from clients, processes them, and then forwards the requests to the appropriate upstream server. The upstream server returns the response to the reverse proxy, which then sends the response back to the client.
In AI Workbench, we utilize a reverse proxy to direct your web browser’s requests to project containers and the applications within them. This design choice simplifies connecting to remote locations by requiring only a single SSH tunnel for accessing all projects and apps running in a particular location.
Overview
AI Workbench uses Traefik as its reverse proxy, which automatically runs in a container when the AI Workbench server starts. All project containers operate within a custom bridge network named workbench. Due to this network setup and the way AI Workbench initiates project containers, direct connections to the applications within these containers aren’t possible. However, the proxy operates on this bridge network and is mapped to port 10000 on the host. This configuration allows your host to communicate with the proxy, which then routes requests to the applications in the isolated project containers as needed.
By default, the proxy is accessible only on localhost without SSL/TLS encryption. In remote scenarios, an SSH tunnel is automatically established to securely access the proxy.
For corporate environments that do deep packet inspection and use custom private Certificate Authorities (CAs), SSL/TLS certificates—including custom CAs—can be configured.
Custom CA Support
AI Workbench automatically detects and configures custom SSL/TLS certificates already installed on the host machine, including custom CAs. This seamless integration ensures that your development environment aligns with your organization’s security protocols without manual intervention.
Supported Operating Systems:
Windows: AI Workbench accesses the Windows certificate store to retrieve and apply necessary certificates.
macOS: The system keychain is utilized to source SSL/TLS certificates.
Linux: AI Workbench interfaces with the system’s certificate authorities directory to obtain required certificates.
Limitations:
User Interface Controls: Currently, there are no UI controls for managing certificates within AI Workbench. All configurations are handled automatically in the background.
Certificate Store Updates: If you update your host’s certificate store while AI Workbench is running, please restart the AI Workbench server to apply the changes.
Dynamic Configuration
Note: Only webapp class apps use the Reverse Proxy.
AI Workbench manages the Traefik proxy configuration dynamically. This means that you, as a user, do not have to configure Traefik manually. Each “webapp” class app gets routed through the proxy based on its configuration in the project specification file, ensuring that your applications are properly routed and accessible.
When you start a webapp class app, AI Workbench writes a configuration file for Traefik in the directory $HOME/.nvwb/traefik-configs. This file contains the necessary configuration details for Traefik to properly route your application. Traefik detects any changes in the configuration files and automatically reloads and adjusts routing.
Configuring Apps to Work Behind a Proxy
Depending on your app, you may need additional configuration to make it work behind a proxy.
The environment variable PROXY_PREFIX is available for use. It contains the route that the app runs on. This follows the format /projects/<name of project>/applications/<name of application>.
Apps have the “trim prefix” option. If enabled, the proxy strips off the PROXY_PREFIX before routing to the app. This is very useful for things like APIs that don’t expect a prefix.
If your webapp needs to “know” the route at which it runs to function properly, the environment variable PROXY_PREFIX is always injected into the app process when it is started. This environment variable follows the format /projects/PROJECT_NAME/applications/APP_NAME.
Additionally, you can enable the “trim prefix” option for your app. This option instructs the proxy to strip off the PROXY_PREFIX value before routing to the app, which is useful for things like APIs that don’t expect a prefix.
For example, if your app is named “myapp” and it’s in a project named “myproject”, the app would be available at http://localhost:10000/projects/myproject/applications/myapp. If the “trim prefix” option is enabled, the proxy removes projects/myproject/applications/myapp before routing the request to your app.
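One way an app can consume PROXY_PREFIX so that it behaves the same with “trim prefix” on or off, shown as an added example that is not AI Workbench code. The names load_prefix, ProxyPrefixMiddleware, demo_app and request are hypothetical, and the example assumes that with “trim prefix” disabled the app receives the full prefixed path.

```python
import os
import re
from wsgiref.util import setup_testing_defaults

# Format stated on the page: /projects/<project>/applications/<app>
PREFIX_RE = re.compile(r"^/projects/[^/]+/applications/[^/]+$")

def load_prefix(environ=os.environ):
    """Return PROXY_PREFIX if it matches the documented format, else ''."""
    prefix = environ.get("PROXY_PREFIX", "").rstrip("/")
    return prefix if PREFIX_RE.match(prefix) else ""

class ProxyPrefixMiddleware:
    """Make a WSGI app work whether or not "trim prefix" is enabled."""
    def __init__(self, app, prefix):
        self.app, self.prefix = app, prefix

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")
        p = self.prefix
        # Trim disabled (assumed): the path arrives with the prefix. Match on
        # a segment boundary so /.../myapp2 is never treated as /.../myapp.
        if p and (path == p or path.startswith(p + "/")):
            environ["PATH_INFO"] = path[len(p):] or "/"
        # In both modes the browser sees the prefixed URL, so links need it.
        environ["SCRIPT_NAME"] = p
        return self.app(environ, start_response)

def demo_app(environ, start_response):
    # Hypothetical app: routes on PATH_INFO, builds links from SCRIPT_NAME.
    body = f"route={environ['PATH_INFO']} link={environ['SCRIPT_NAME']}/static/app.js"
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [body.encode()]

def request(app, path):
    """Drive the app with a constructed request and return the body text."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    return b"".join(app(environ, lambda status, headers: None)).decode()

if __name__ == "__main__":
    prefix = load_prefix({"PROXY_PREFIX": "/projects/myproject/applications/myapp"})
    app = ProxyPrefixMiddleware(demo_app, prefix)
    print(request(app, prefix + "/api/status"))  # trim prefix disabled
    print(request(app, "/api/status"))           # trim prefix enabled
```

Validating the variable against the documented format before using it keeps an unexpected value from being reflected into generated links.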