Remote Access¶
Running codex-lb on a server and connecting from other machines involves three pieces: the one-time dashboard bootstrap token, API keys for clients, and (usually) a reverse proxy.
First login¶
Setting the initial dashboard password remotely requires a one-time bootstrap token printed to the server logs — see Getting Started.
Client access¶
Remote clients hit the protected proxy routes, which reject non-local requests until proxy authentication is configured. Enable API key auth and give each client a key from the dashboard.
Reverse proxy¶
When codex-lb sits behind a reverse proxy (nginx, Traefik, Caddy, Authelia, ...):
- Forward WebSocket upgrades. Codex streaming uses WebSockets on
/backend-api/codex/responses; a proxy that only forwards plain HTTP silently degrades to POST fallback. See verify WebSocket transport. - Declare the proxy as trusted so codex-lb sees real client IPs from
X-Forwarded-For:
CODEX_LB_FIREWALL_TRUST_PROXY_HEADERS=true
CODEX_LB_FIREWALL_TRUSTED_PROXY_CIDRS=172.18.0.0/16
Only sources inside the trusted CIDRs may set forwarded headers; everything else is treated as the direct peer address.
- Optionally delegate dashboard auth to the proxy with
trusted_headermode — see Authentication.
Specs: deployment-networking · api-firewall