Cloudflare And Railway Access Contract

Status: Active — backend-only integration surface
Last updated: 2026-06-02

Fedora local-AI is reachable from hosted backend runtimes through a dedicated Cloudflare Tunnel. This is for Railway/RapidDraft backend calls only, not browser-side JavaScript.

Endpoint Contract

| Purpose | Public URL | Fedora upstream | Auth |
|---|---|---|---|
| Knowledge/RAG API | https://knowledge.rapiddraft.ai | http://127.0.0.1:4100 | Authorization: Bearer <LOCALAI_RAG_API_KEY> for protected routes |
| Local model API | https://localai.rapiddraft.ai | http://127.0.0.1:4000 | Authorization: Bearer <LITELLM_API_KEY> |

The raw llama.cpp model servers and PostgreSQL database remain loopback-only.

Railway Environment Shape

Recommended backend-only Railway variables:

RAPIDDRAFT_KNOWLEDGE_BASE_URL=https://knowledge.rapiddraft.ai
RAPIDDRAFT_KNOWLEDGE_API_KEY=<LOCALAI_RAG_API_KEY>
RAPIDDRAFT_LOCALAI_BASE_URL=https://localai.rapiddraft.ai/v1
RAPIDDRAFT_LOCALAI_API_KEY=<LITELLM_API_KEY>

The exact variable names may change to match the RapidDraft backend, but the boundary should not: RapidDraft browser code calls the RapidDraft backend; the backend calls Fedora.

Fedora Service

cloudflared-rapiddraft-localai.service

Config:

/etc/cloudflared/config.yml
/etc/cloudflared/<tunnel-id>.json

Ingress:

ingress:
  - hostname: knowledge.rapiddraft.ai
    service: http://127.0.0.1:4100
  - hostname: localai.rapiddraft.ai
    service: http://127.0.0.1:4000
  - service: http_status:404

Validation

On Fedora:

sudo /srv/localai/bin/validate-cloudflare-localai.sh

Expected result:

knowledge health public -> 200
knowledge inventory no auth -> 401
knowledge inventory auth -> 200
localai health no auth -> 401
localai health auth -> 200
localai models auth -> 200
Cloudflare local-AI endpoint smoke passed.

Validated model aliases:

local/qwen-coder
local/qwen-vision-fast
local/embed-engineering

Guardrails

  • Keep all keys backend-only.
  • Do not expose Fedora keys through Vite/frontend environment variables.
  • Do not call knowledge.rapiddraft.ai or localai.rapiddraft.ai directly from the browser.
  • Keep raw backend ports 8010, 8011, and 8012 private.
  • Add deploy smoke checks before RapidDraft Agent or Knowledge features depend on these endpoints.
  • Consider Cloudflare Access service-token protection on top of bearer auth before broader demo use.
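
A build-time check for the first three guardrails, added here as an example and not part of the RapidDraft or Fedora tooling. It assumes Vite's default `VITE_` client prefix and the variable names from the Railway section; the function name and the sample values are constructed for illustration.

```javascript
// Added example: flag Fedora keys or tunnel hosts that reach Vite's client env.
// Assumes Vite's default envPrefix "VITE_"; such variables are inlined into the bundle.
const CLIENT_PREFIX = "VITE_";
// Backend-only key variables from the Railway section of this page.
const BACKEND_SECRETS = ["RAPIDDRAFT_KNOWLEDGE_API_KEY", "RAPIDDRAFT_LOCALAI_API_KEY"];
// Tunnel hostnames that browser code must never call directly.
const FEDORA_HOSTS = ["knowledge.rapiddraft.ai", "localai.rapiddraft.ai"];

function findFrontendLeaks(env) {
  const findings = [];
  // Ignore unset or very short values so an empty key cannot match every string.
  const secrets = BACKEND_SECRETS.map((name) => [name, env[name]])
    .filter(([, value]) => typeof value === "string" && value.length >= 8);
  for (const [name, value] of Object.entries(env)) {
    if (!name.startsWith(CLIENT_PREFIX) || typeof value !== "string") continue;
    // 1. A backend key value copied into a client variable under any name.
    for (const [secretName, secret] of secrets) {
      if (value.includes(secret)) findings.push(`${name}: contains value of ${secretName}`);
    }
    // 2. A backend-only variable re-exported with the client prefix.
    if (BACKEND_SECRETS.includes(name.slice(CLIENT_PREFIX.length))) {
      findings.push(`${name}: client-prefixed copy of a backend-only key`);
    }
    // 3. A tunnel hostname handed to browser code.
    for (const host of FEDORA_HOSTS) {
      if (value.toLowerCase().includes(host)) findings.push(`${name}: references ${host}`);
    }
  }
  return findings;
}

// Constructed sample environment; the key values are placeholders, not real keys.
const SAMPLE_ENV = {
  RAPIDDRAFT_KNOWLEDGE_API_KEY: "constructed-rag-key-0001",
  RAPIDDRAFT_LOCALAI_API_KEY: "constructed-llm-key-0002",
  RAPIDDRAFT_LOCALAI_BASE_URL: "https://localai.rapiddraft.ai/v1",
  VITE_API_BASE: "https://app.example.test/api",
  VITE_AUTH_HEADER: "Bearer constructed-llm-key-0002",
  VITE_RAPIDDRAFT_KNOWLEDGE_API_KEY: "constructed-rag-key-0001",
  VITE_KNOWLEDGE_URL: "https://Knowledge.RapidDraft.ai",
};
console.log(findFrontendLeaks(SAMPLE_ENV).join("\n"));

// In a build step, check the real environment and fail the job on any finding.
const leaks = findFrontendLeaks(process.env);
for (const leak of leaks) console.error(`frontend env leak: ${leak}`);
if (leaks.length > 0) process.exitCode = 1;
```

The check covers only what is in the environment at build time; keys hard-coded in frontend source need a separate secret scan.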