Production & VPS Security

Expose and secure your Elemm Gateway on a public cloud server.

Production & VPS Network Security

By default, launching the Elemm Gateway CLI via --transport sse starts a web server listening on all interfaces (0.0.0.0) without built-in authentication. When hosting the gateway on a public Virtual Private Server (VPS), you must secure the network perimeter to prevent unauthorized execution of your tools.

Reverse Proxy with Bearer Token Auth (Nginx / Caddy)

Do not expose the elemm-gateway port directly to the internet. Instead, bind it only to localhost:

bash
elemm-gateway --transport sse --host 127.0.0.1 --port 8000

Deploy Nginx or Caddy in front of it to handle HTTPS encryption. You can configure Nginx to verify incoming Authorization headers before proxying requests to the gateway:

nginx
server {
    listen 443 ssl;
    server_name api.my-elemm-gateway.com;

    ssl_certificate /etc/letsencrypt/live/api.my-elemm-gateway.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/api.my-elemm-gateway.com/privkey.pem;

    location / {
        # Check authorization header
        if ($http_authorization != "Bearer YOUR_SECRET_GATEWAY_TOKEN") {
            return 401 '{"status": "error", "message": "Unauthorized"}';
        }

        # SSE-specific settings to prevent connection drops and buffering
        proxy_http_version 1.1;
        proxy_set_header Connection '';
        proxy_buffering off;
        proxy_cache off;
        chunked_transfer_encoding off;

        proxy_pass http://127.0.0.1:8000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

When connecting your AI client, configure it to include the HTTP header:

Authorization: Bearer YOUR_SECRET_GATEWAY_TOKEN

Private Mesh Networks (Tailscale / WireGuard)

For private developer/operator environments, bind the gateway only to your private network interface IP (e.g. your Tailscale IP):

bash
elemm-gateway --transport sse --host 100.110.120.130 --port 8000

Only devices authenticated inside your private network (such as your local laptop running Claude Desktop) will be able to access the gateway. No public ports need to be opened in your firewall.

Cloudflare Tunnels (Zero-Trust)

Run the gateway on localhost and run cloudflared to expose the /sse route. You can configure Cloudflare Access policies in your Cloudflare Dashboard to require Service Tokens or validate client certificates before any traffic is routed to your VPS.
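
The binding advice above (loopback for the reverse-proxy and Cloudflare setups, a private interface IP for the mesh setup) can be checked on the VPS by inspecting the listening sockets. The script below is an added example, not part of the Elemm project: the function name `exposed_listeners` and the sample `ss -ltn` lines are constructed for illustration, and it assumes the Linux `ss` utility from iproute2.

```shell
#!/usr/bin/env bash
# Added example (not Elemm code): print every address on which PORT is
# listening that is neither loopback nor in an explicit allow-list.
# Input on stdin: output of `ss -ltn`.
# Usage: exposed_listeners PORT [ALLOWED_IP ...]
exposed_listeners() {
    port="$1"; shift
    awk -v port="$port" -v allowed="$*" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "LISTEN" {
            p = $4; sub(/.*:/, "", p)               # port = text after the last colon
            if (p != port) next
            addr = $4; sub(/:[^:]*$/, "", addr)     # address = text before it
            gsub(/^\[|\]$/, "", addr)               # drop IPv6 brackets
            sub(/%.*$/, "", addr)                   # drop interface scope such as %lo
            if (addr ~ /^127\./ || addr == "::1") next   # loopback only
            if (addr in ok) next                          # approved private address
            print addr                                    # wildcard or public bind
        }'
}

# Constructed `ss -ltn` samples (not captured from a real host).
# 1) Gateway started with its default bind on all interfaces.
DEFAULT_BIND='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      4096         0.0.0.0:8000      0.0.0.0:*
LISTEN 0      128             [::]:22           [::]:*'

# 2) Gateway on loopback, Nginx terminating TLS on 443.
BEHIND_PROXY='LISTEN 0      4096       127.0.0.1:8000      0.0.0.0:*
LISTEN 0      511          0.0.0.0:443       0.0.0.0:*'

# 3) Gateway bound to the mesh IP used in the example above.
MESH_BIND='LISTEN 0      4096 100.110.120.130:8000      0.0.0.0:*'

echo "default bind : $(printf '%s\n' "$DEFAULT_BIND" | exposed_listeners 8000)"
echo "behind proxy : $(printf '%s\n' "$BEHIND_PROXY" | exposed_listeners 8000)"
echo "mesh, allowed: $(printf '%s\n' "$MESH_BIND" | exposed_listeners 8000 100.110.120.130)"
```

On a live host, pipe real output in, for example `ss -ltn | exposed_listeners 8000 100.110.120.130`. Empty output means the port is reachable only through loopback or an address you approved.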

License: GPLv3. © 2026 Marc Stöcker