Spaces:
Sleeping
API gateway
The monitor Go binary (port 3001) is also a reverse-proxy gateway. HF exposes only one public
port, so all three backend APIs are reached under one base URL by path prefix.
Routing (monitor/main.go)
| Public prefix | β forwards to | Prefix stripped |
|---|---|---|
/gpt/β¦ |
127.0.0.1:9225 |
/gpt/api/chat β /api/chat |
/gemini/β¦ |
127.0.0.1:8000 |
/gemini/chat β /chat |
/flow/β¦ |
127.0.0.1:8101 |
/flow/generate/video β /generate/video |
gatewayHandler(prefix, target) builds one httputil.ReverseProxy whose Director rewrites the
host and strips the prefix. The monitor's own routes (/, /api/*, /chrome.log) are untouched.
Auth β API_KEY (fail-closed)
authOK() gates the three prefixes:
- Reads
API_KEYfrom env once at startup. - Requires
Authorization: Bearer <API_KEY>(also accepts?key=). - Unset
API_KEYβ every gateway call returns503(so accounts are never accidentally open). - Wrong/missing key β
401. - The monitor UI stays open (no key) so the live view keeps working.
Set it: HF secret API_KEY (Settings) or Docker .env API_KEY=β¦. Use a long random string,
e.g. openssl rand -hex 24.
Why not a separate Space for the servers?
The extensions dial ws://127.0.0.1:9225/9226/9227 β hardcoded localhost
(*/background.js). A second Space is a different machine with a different 127.0.0.1, so its
servers could never receive the extension connections. Hence: one container, gateway out front.
Adding a new route
- Server listens on a new localhost port inside the container.
- Launch it in
start_hf.sh(step 6a). - Add
http.HandleFunc("/x/", gatewayHandler("/x", "http://127.0.0.1:PORT"))inmonitor/main.go.