API Proxy Architecture
How Arcturus-Prime SSR routes proxy requests to backend services with credential injection, caching, and dev/prod URL switching
Arcturus-Prime runs on Cloudflare Pages (Workers) with no direct access to the homelab network. To reach backend services, the site uses API proxy routes that forward requests from the browser through Cloudflare’s edge to internal services exposed via Cloudflare Tunnels or Tailscale.
Why Proxies?
The browser cannot directly call 10.42.0.199:8093 or 192.168.20.50:8888 — those are private LAN addresses. Instead:
- The browser calls Arcturus-Prime.com/api/services/health
- The Cloudflare Worker validates admin auth
- The Worker fetches https://status.Arcturus-Prime.com/health (a tunnel hostname)
- The Worker injects server-side credentials the browser never sees
- The response is returned to the browser
This keeps all backend credentials server-side and provides a single origin for CORS.
Routing: Dev vs. Production
Each proxy reads its backend URL from an environment variable with a fallback default:
| Env Var | Production Default | Dev Default |
|---|---|---|
| GATEWAY_API_URL | https://gateway.Arcturus-Prime.com | http://10.42.0.194:8100 |
| COMMAND_CENTER_URL | https://status.Arcturus-Prime.com | http://10.42.0.199:8093 |
| SWARM_API_URL | https://swarm.Arcturus-Prime.com | http://10.42.0.100:8100 |
| SWARM_ADMIN_URL | https://swarm-admin.Arcturus-Prime.com | http://10.42.0.100:8093 |
| MM_ARGOBOX_URL | https://mm-admin.Arcturus-Prime.com | http://192.168.20.50:8888 |
| TITAN_ADMINBOX_URL | https://Tarn-Host-admin.Arcturus-Prime.com | Tailscale only |
| JOBS_API_URL | https://jobs-api.Arcturus-Prime.com | http://10.42.0.100:8585 |
| LAB_ENGINE_URL | https://labs.Arcturus-Prime.com | Direct |
| PLAYGROUND_SWITCH_URL | https://playground-switch.Arcturus-Prime.com | Direct |
| OPENCLAW_API_URL | https://oc.Arcturus-Prime.com | Direct |
| OLLAMA_API_URL | http://localhost:11434 | http://localhost:11434 |
In production, all backends are reached via Cloudflare Tunnel hostnames. In dev mode (npm run dev), direct LAN IPs are used.
Complete Proxy Route Table
Build Swarm Proxies
| Route | Backend | Auth | Purpose |
|---|---|---|---|
| /api/gateway/[...path] | gateway.Arcturus-Prime.com | Read: public, Write: admin | v4 gateway. Status, binhost, build submission. KV-cached reads. |
| /api/command/[...path] | gateway.Arcturus-Prime.com | Read: public, Write: admin | Control plane (v4 combines gateway + orchestrator). |
| /api/orchestrator/[...path] | Auto-discovery | Read: public, Write: admin | Resilient orchestrator discovery with 60s cache. |
| /api/swarm/[...path] | swarm.Arcturus-Prime.com | Read: public, Write: admin | v3 control plane. Mutations inject SWARM_CONTROL_KEY. |
| /api/swarm-admin/[...path] | swarm-admin.Arcturus-Prime.com | Admin | Direct orchestrator admin. Injects SWARM_ADMIN_KEY. |
Infrastructure Proxies
| Route | Backend | Auth | Purpose |
|---|---|---|---|
| /api/services/[...path] | status.Arcturus-Prime.com | Admin | Full unsanitized services data. |
| /api/proxy/[...path] | status.Arcturus-Prime.com | Public | Public API with KV caching. Legacy shorthand paths. |
| /api/mm-Arcturus-Prime/[...path] | mm-admin.Arcturus-Prime.com | Admin | Meridian-Host Unraid admin. Injects MM_ARGOBOX_TOKEN. |
| /api/Tarn-Host-adminbox/[...path] | Tarn-Host-admin.Arcturus-Prime.com | Admin | Proxmox Tarn-Host admin. Injects TITAN_ADMINBOX_TOKEN. |
| /api/uptime-kuma/[...path] | status.Arcturus-Prime.com | Public | Uptime Kuma status. Restricted to status-page paths. |
Lab & Playground Proxies
| Route | Backend | Auth | Purpose |
|---|---|---|---|
| /api/labs/health | labs.Arcturus-Prime.com | Public | Lab engine health check (Izar-Host CT 130). |
| /api/playground/health | playground-switch.Arcturus-Prime.com | Secret/Admin | Dual-node playground health. |
| /api/playground/status | labs.Arcturus-Prime.com | Secret/Admin | Lab engine admin status. |
| /api/playground/switch | playground-switch.Arcturus-Prime.com | Secret/Admin | Node switching (50s timeout). |
| /api/playground/node-control | labs.Arcturus-Prime.com | Secret/Admin | Node enable/disable control. |
Specialized Proxies
| Route | Backend | Auth | Purpose |
|---|---|---|---|
| /api/jobs/[...path] | jobs-api.Arcturus-Prime.com | Admin | Auto-Apply job engine. SSE on status/stream. |
| /api/admin/pentest/[...path] | Config-driven | Admin | Multi-node pentest (Izar-Host/Tarn-Host via ?node=). |
| /api/admin/rt-control/[...path] | mm-admin.Arcturus-Prime.com | Admin | rt-controller on Meridian-Host. |
| /api/admin/openclaw | oc.Arcturus-Prime.com | Admin | OpenClaw AI gateway health + chat. |
| /api/admin/openclaw-manage | oc.Arcturus-Prime.com | Admin | OpenClaw skill/config/cron management. |
| /api/status/ai-services | OLLAMA_API_URL | Public | Ollama status check (30s cache). |
Credential Injection
Backend services expect authentication but the browser should never see those credentials. Each proxy injects credentials server-side:
| Proxy | Credential Env Var | Injection Method |
|---|---|---|
| mm-Arcturus-Prime | MM_ARGOBOX_TOKEN | Authorization: Bearer {token} |
| Tarn-Host-adminbox | TITAN_ADMINBOX_TOKEN | Authorization: Bearer {token} |
| swarm-admin | SWARM_ADMIN_KEY | X-Admin-Key: {key} |
| swarm (mutations) | SWARM_CONTROL_KEY | X-Control-Key: {key} |
| jobs | AUTOAPPLY_API_KEY | X-API-Key: {key} |
| openclaw | OPENCLAW_API_TOKEN | Authorization: Bearer {token} |
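One way to implement the injection step from the table above, as an added example rather than Arcturus-Prime's own code. The names INJECTORS, STRIP and buildUpstreamHeaders are hypothetical, and two behaviours are assumptions the page does not state: client-supplied credential headers and cookies are dropped before injection, and a missing secret is treated as an error.

```javascript
// Added example. Env var and header names come from the table above;
// everything else (function and constant names) is hypothetical.
const INJECTORS = {
  "mm-Arcturus-Prime":  { env: "MM_ARGOBOX_TOKEN",     header: "authorization", fmt: (v) => `Bearer ${v}` },
  "Tarn-Host-adminbox": { env: "TITAN_ADMINBOX_TOKEN", header: "authorization", fmt: (v) => `Bearer ${v}` },
  "swarm-admin":        { env: "SWARM_ADMIN_KEY",      header: "x-admin-key",   fmt: (v) => v },
  "swarm":              { env: "SWARM_CONTROL_KEY",    header: "x-control-key", fmt: (v) => v, mutationsOnly: true },
  "jobs":               { env: "AUTOAPPLY_API_KEY",    header: "x-api-key",     fmt: (v) => v },
  "openclaw":           { env: "OPENCLAW_API_TOKEN",   header: "authorization", fmt: (v) => `Bearer ${v}` },
};

// Assumption: the browser must not be able to set any credential header on
// the upstream request, and the site's session cookie stays at the edge.
const STRIP = new Set(["authorization", "cookie", "x-admin-key", "x-control-key", "x-api-key"]);

function buildUpstreamHeaders(proxy, method, clientHeaders, env) {
  const rule = INJECTORS[proxy];
  if (!rule) throw new Error(`no injection rule for proxy "${proxy}"`);

  // 1. Copy client headers, dropping credential-like ones (case-insensitive).
  const out = {};
  for (const [name, value] of Object.entries(clientHeaders)) {
    const key = name.toLowerCase();
    if (!STRIP.has(key)) out[key] = value;
  }

  // 2. The swarm proxy attaches its key to mutations only; GET/HEAD are
  //    treated as reads here and go out without it.
  const isRead = method === "GET" || method === "HEAD";
  if (rule.mutationsOnly && isRead) return out;

  // 3. Fail closed: a missing secret is a deployment error, not a reason to
  //    forward the request without credentials.
  const secret = env[rule.env];
  if (!secret) throw new Error(`${rule.env} is not configured`);
  out[rule.header] = rule.fmt(secret);
  return out;
}
```

The returned object is what the Worker would pass as headers to its upstream fetch, after the admin auth check has already succeeded.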
Caching Strategy
Read-only proxy routes use KV-backed stale-while-revalidate caching in production:
- /api/gateway and /api/proxy cache GET responses in Cloudflare KV
- Cache keys include the full request path
- Fresh TTL: 5 minutes for most endpoints
- Stale responses served while revalidating in the background
- ?force=true query parameter bypasses cache (admin use)
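The cache decision described in the list above, written as an added example and not taken from the site's code. The names cacheKey and planRequest are hypothetical, and three behaviours are assumptions: the query string is part of the key, force is stripped from the key, and force=true is honoured only for an authenticated admin.

```javascript
// Added example; function names and the "proxy:" key prefix are hypothetical.
const FRESH_MS = 5 * 60 * 1000;   // "Fresh TTL: 5 minutes" from the list above
// Only the two public read routes are cached; admin routes such as
// /api/services must never land in a shared cache.
const CACHED_PREFIXES = ["/api/gateway/", "/api/proxy/"];

// Key on the full request path plus query, minus the force flag, so a forced
// refresh overwrites the entry that ordinary readers hit next.
function cacheKey(rawUrl) {
  const url = new URL(rawUrl);
  url.searchParams.delete("force");
  url.searchParams.sort();        // ?a=1&b=2 and ?b=2&a=1 share one entry
  const qs = url.searchParams.toString();
  return "proxy:" + url.pathname + (qs ? "?" + qs : "");
}

// Decide how to answer one request.
// entry is { body, storedAt } as read from KV, or null when absent.
function planRequest({ method, rawUrl, isAdmin, entry, now }) {
  const url = new URL(rawUrl);
  const cacheable = method === "GET" &&
    CACHED_PREFIXES.some((p) => url.pathname.startsWith(p));
  if (!cacheable) return { action: "pass" };   // writes and other routes skip KV

  const key = cacheKey(rawUrl);
  // Assumption: without the admin check, any visitor could add ?force=true
  // and send every request straight to the backend.
  if (url.searchParams.get("force") === "true" && isAdmin) {
    return { action: "fetch-and-store", key };
  }
  if (!entry) return { action: "fetch-and-store", key };

  const age = now - entry.storedAt;
  if (age <= FRESH_MS) return { action: "serve-cached", key, revalidate: false };
  // Stale: answer from KV now and refresh in the background
  // (in a Worker, by handing the refresh promise to waitUntil()).
  return { action: "serve-cached", key, revalidate: true };
}
```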
Timeouts
| Proxy | Timeout | Reason |
|---|---|---|
| Most proxies | 10s | Standard API response time |
| Playground switch | 50s | Node switching involves VM operations |
| Playground health | 4s | Fast-poll for status |
| OpenClaw health | 15s | LLM inference may be slow |