
feat(caddy): expose LiteLLM at /llm/* for tailnet API clients #62

Merged: AlienWalker1995 merged 1 commit into main from feat/caddy-llm-route on Jun 28, 2026

@AlienWalker1995 (Owner)

Why

Programmatic OpenAI-compatible clients on the tailnet (Cline, Cursor, scripts) had no way to reach the model gateway — it's 127.0.0.1-only and Caddy had no route for it (the compose comment claiming "tailnet peers reach this via Caddy" was aspirational). SSO can't gate a non-interactive API client anyway.

What

  • auth/caddy/Caddyfile: /llm/* bypass handle_path (no forward_auth) → model-gateway:11435, prefix stripped so LiteLLM sees /v1/.... Auth is LiteLLM's own Bearer master key (gateway returns 401 without it). Safe over the tailnet (the only interface Caddy binds).
  • docker-compose.yml — add model-gateway to proxy-net (Caddy couldn't resolve it otherwise); correct the stale ports comment.

Client config

  • Provider: OpenAI Compatible
  • Base URL: https://<tailnet-host>/llm/v1
  • API Key: LITELLM_MASTER_KEY
  • Model: local-chat

Validation (live)

  • GET /llm/v1/models with the key → local-chat, local-embed.
  • without the key → HTTP 401 (LiteLLM), not a 302 SSO redirect.

🤖 Generated with Claude Code

…Cursor)

Programmatic OpenAI-compatible clients on the tailnet (Cline, Cursor, scripts)
had no way to reach the model gateway: it's bound 127.0.0.1-only and Caddy had no
route for it (the compose comment claiming "tailnet peers reach this via Caddy"
was aspirational — no such route existed, and SSO can't gate a non-interactive
API client anyway).

- auth/caddy/Caddyfile: add a `/llm/*` bypass handle (no forward_auth) that strips
  the prefix and reverse-proxies to model-gateway:11435. Auth is LiteLLM's own
  Bearer master key, which the gateway enforces (401 without it) — safe over the
  tailnet, which is the only interface Caddy binds.
- docker-compose.yml: add model-gateway to proxy-net so Caddy can reach it; correct
  the previously-stale ports comment to describe the real /llm/* path.

Clients use: base URL https://<tailnet-host>/llm/v1 , key = LITELLM_MASTER_KEY,
model = local-chat. No new host port, no 0.0.0.0 exposure.

Validated live: GET /llm/v1/models with the key returns local-chat/local-embed;
without the key returns 401 (LiteLLM), not a 302 SSO redirect.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
AlienWalker1995 merged commit 624aa9f into main on Jun 28, 2026
5 checks passed
AlienWalker1995 deleted the feat/caddy-llm-route branch June 28, 2026 11:18
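
The live validation described in this PR (401 without the key, the model list with it, never a 302 to SSO) can be kept as a repeatable check, since the bearer key is the only gate on a route that skips forward_auth. This is an added example, not code from the PR; the names `fetch`, `judge` and `check_route` are hypothetical, and it assumes the OpenAI-style `/v1/models` body `{"data": [{"id": ...}]}`.

```python
import json
import urllib.error
import urllib.request

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface the 3xx instead of following it to the SSO page

def fetch(url, key=None, timeout=5):
    """Return (status, body) for a GET, without following redirects."""
    req = urllib.request.Request(url)
    if key:
        req.add_header("Authorization", f"Bearer {key}")
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx arrive here
        return err.code, err.read().decode("utf-8", "replace")

def judge(anon, authed, expected_models):
    """anon/authed are (status, body) pairs; returns a list of findings."""
    findings = []
    if 200 <= anon[0] < 300:
        findings.append("CRITICAL: keyless request succeeded, nothing gates the route")
    elif 300 <= anon[0] < 400:
        findings.append("keyless request got an SSO-style redirect, bypass not in effect")
    elif anon[0] != 401:
        findings.append(f"unexpected keyless status {anon[0]}")
    status, body = authed
    if status != 200:
        return findings + [f"keyed request failed with {status}"]
    try:
        ids = {m["id"] for m in json.loads(body)["data"]}
    except (ValueError, KeyError, TypeError):
        ids = set()
    missing = sorted(set(expected_models) - ids)
    if missing:
        findings.append(f"models missing from listing: {missing}")
    return findings

def check_route(base_url, key, expected_models=("local-chat", "local-embed")):
    """base_url is the client base URL from the PR, ending in /llm/v1."""
    url = base_url.rstrip("/") + "/models"
    return judge(fetch(url), fetch(url, key), expected_models)

# Constructed sample responses (not captured from the real gateway).
SAMPLE_OK = (200, json.dumps({"data": [{"id": "local-chat"}, {"id": "local-embed"}]}))
SAMPLE_401 = (401, '{"error": "constructed sample"}')
```

An empty list from `check_route` means the route behaves as the PR validated it; run it from a tailnet peer with the key supplied from the environment rather than hard-coded.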