Routes & Proxy
Requests are routed to an upstream by path prefix; anything unmatched falls through to the API.
| Route | Upstream | Purpose |
|---|---|---|
/health | — | Liveness (?detailed=true for config + cache stats) |
/install-client.sh | — | Client installer with ${GATEWAY_SERVER} substitution |
/rfdm/* | repo | RFDM package downloads |
/models/* | repo | Model weights |
/scripts/* | repo | Setup scripts |
/v2/* | repo | Docker registry API (image pulls) |
/proxy?url=… | allowlist | URL-based proxy with SSRF protection |
/_cache/* | — | Cache management API |
/_logs/status | — | Log-export sink status |
/* | api | Catch-all API proxy |
The /proxy route & SSRF protection
/proxy?url=… fetches an arbitrary URL on the client's behalf — used to reach dedicated inference deployments. It is guarded: only HTTPS targets are allowed, the host must be on the allowlist, and any address that resolves to loopback or a private range is rejected. Redirect hops are re-validated so an upstream can't bounce you off the allowlist.
The built-in allowlist is api.roboflow.com, repo.roboflow.com, detect.roboflow.com, detection.roboflow.com, storage.googleapis.com, and any *.roboflow.cloud host. Add more with EXTRA_PROXY_HOSTS (exact hostnames, comma-separated):
# Reach a dedicated deployment through the gateway
curl "https://gateway/proxy?url=https://acme.roboflow.cloud/infer/workflows/..."
# Allow an extra storage host
-e EXTRA_PROXY_HOSTS=cdn.example.com,assets.example.com