Forem: HorusGod The latest articles on Forem by HorusGod (@horusgod007). https://forem.com/horusgod007 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3809576%2F28291694-f4ba-49fe-8e33-4b398946aeec.png Forem: HorusGod https://forem.com/horusgod007 en How I bridged codex-tui's WebSocket /v1/responses through Cloudflare, nginx, and FastAPI HorusGod Sat, 02 May 2026 20:59:19 +0000 https://forem.com/horusgod007/how-i-bridged-codex-tuis-websocket-v1responses-through-cloudflare-nginx-and-fastapi-49a3 https://forem.com/horusgod007/how-i-bridged-codex-tuis-websocket-v1responses-through-cloudflare-nginx-and-fastapi-49a3 <p>OpenAI's Codex CLI (<code>codex-tui</code>) shipped a new feature in version 0.128 that broke every third-party AI gateway I tested with it: streaming responses now go over <strong>WebSocket on <code>/v1/responses</code></strong> instead of HTTP+SSE. If your gateway only registers a <code>POST /v1/responses</code> handler, every Codex session fails with a confusing storm of <code>405 Method Not Allowed</code> errors interleaved with the occasional successful POST.</p> <p>I run a hosted AI gateway at <a href="https://g0i.ai" rel="noopener noreferrer">g0i.ai</a> — the same problem hit me. This post is the writeup of the four-layer diagnosis I did to make it work, with the exact config and code at each layer. If you're running your own gateway (LiteLLM, Helicone, Portkey, your own Go/Python proxy, whatever) and Codex CLI users are hitting your endpoint, this is the path I'd hand you.</p> <h2> The symptom </h2> <p>Every codex-tui session emitted a flood of failed requests:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>POST /v1/responses HTTP/1.1 200 254552 bytes opencode/1.14.32 ✓ GET /v1/responses HTTP/1.1 405 31 bytes codex-tui/0.128.0 ✗ GET /v1/responses HTTP/1.1 405 31 bytes codex-tui/0.128.0 ✗ GET /v1/responses HTTP/1.1 405 31 bytes codex-tui/0.128.0 ✗ </code></pre> </div> <p>Four hundred-and-five with <code>Allow: POST</code> is the smoking gun: the client is sending GET, the server has only POST registered, hence rejection. But why GET? Codex 0.128's user-agent is sending a <strong>WebSocket upgrade handshake</strong>, which on the wire is <code>GET /v1/responses HTTP/1.1</code> with <code>Upgrade: websocket</code> and <code>Connection: Upgrade</code>.</p> <p>The fix sounds easy: register a WebSocket route at the same path. But the actual request has to traverse four layers, three of which strip the upgrade headers by default.</p> <h2> The path the upgrade has to survive </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>client (codex-tui) ↓ wss://api.your-gateway.com/v1/responses [1] Cloudflare Worker (or whatever edge you're using) ↓ [2] Cloudflare Tunnel / your VPN to origin ↓ [3] nginx reverse proxy (terminating TLS, multiplexing services) ↓ [4] FastAPI / Express / your application backend </code></pre> </div> <p>Three of these strip the upgrade by default. Let me walk through each.</p> <h2> Layer 1 — Cloudflare Worker </h2> <p>If you're using a CF Worker for HTTP filtering, smart routing, prompt rewriting, or whatever, you're almost certainly maintaining a header sanitizer. Mine looks like this — copied from a hundred Worker examples online:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">HOP_BY_HOP</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Set</span><span class="p">([</span> <span class="dl">'</span><span class="s1">connection</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">keep-alive</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">proxy-authenticate</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">proxy-authorization</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">te</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">trailer</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">transfer-encoding</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">upgrade</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// ... CF-specific headers</span> <span class="p">]);</span> <span class="kd">function</span> <span class="nf">cleanHeaders</span><span class="p">(</span><span class="nx">input</span><span class="p">:</span> <span class="nx">Headers</span><span class="p">):</span> <span class="nx">Headers</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">out</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Headers</span><span class="p">();</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="p">[</span><span class="nx">k</span><span class="p">,</span> <span class="nx">v</span><span class="p">]</span> <span class="k">of</span> <span class="nx">input</span><span class="p">.</span><span class="nf">entries</span><span class="p">())</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">HOP_BY_HOP</span><span class="p">.</span><span class="nf">has</span><span class="p">(</span><span class="nx">k</span><span class="p">.</span><span class="nf">toLowerCase</span><span class="p">()))</span> <span class="k">continue</span><span class="p">;</span> <span class="nx">out</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="nx">k</span><span class="p">,</span> <span class="nx">v</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">out</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>This is technically correct per RFC 7230 — <code>Upgrade</code> and <code>Connection</code> are hop-by-hop headers and shouldn't be forwarded by a true proxy. But CF Workers implementing fetch passthrough need to <em>preserve</em> them when the goal is letting the WebSocket upgrade reach origin.</p> <p>The fix is a one-liner at the top of the fetch handler:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">export</span> <span class="k">default</span> <span class="p">{</span> <span class="k">async</span> <span class="nf">fetch</span><span class="p">(</span><span class="na">request</span><span class="p">:</span> <span class="nx">Request</span><span class="p">,</span> <span class="na">env</span><span class="p">:</span> <span class="nx">Env</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">Response</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">url</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">URL</span><span class="p">(</span><span class="nx">request</span><span class="p">.</span><span class="nx">url</span><span class="p">);</span> <span class="c1">// WS passthrough — skip the regular HTTP pipeline. Cloudflare Workers</span> <span class="c1">// forward WebSocket upgrades natively when we don't strip the headers.</span> <span class="k">if </span><span class="p">(</span><span class="nx">request</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">Upgrade</span><span class="dl">'</span><span class="p">)?.</span><span class="nf">toLowerCase</span><span class="p">()</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">websocket</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">originUrl</span> <span class="o">=</span> <span class="nf">buildOriginRequest</span><span class="p">(</span><span class="nx">url</span><span class="p">,</span> <span class="nx">env</span><span class="p">);</span> <span class="k">return</span> <span class="nf">fetch</span><span class="p">(</span><span class="nx">originUrl</span><span class="p">.</span><span class="nf">toString</span><span class="p">(),</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="nx">request</span><span class="p">.</span><span class="nx">method</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="nx">request</span><span class="p">.</span><span class="nx">headers</span><span class="p">,</span> <span class="c1">// pass original — don't sanitize</span> <span class="na">body</span><span class="p">:</span> <span class="nx">request</span><span class="p">.</span><span class="nx">body</span><span class="p">,</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// ... existing HTTP flow with cleanHeaders, JSON parsing, etc.</span> <span class="p">},</span> <span class="p">};</span> </code></pre> </div> <p>That's it. CF Workers' <code>fetch()</code> knows how to forward WebSocket upgrades to origin as long as the headers are intact. The <code>Upgrade: websocket</code> and <code>Connection: Upgrade</code> headers reach origin verbatim.</p> <h2> Layer 2 — Cloudflare Tunnel (or your VPN) </h2> <p>If you're using <code>cloudflared</code>, the tunnel itself supports WebSocket out of the box for HTTP services. The config in <code>~/.cloudflared/config.yml</code> doesn't need any special directive — <code>service: http://localhost:8085</code> forwards both HTTP/1.1 traffic and WS upgrades correctly. Same for <code>wireguard</code>, <code>tailscale</code>, etc.</p> <p>If you're using something more aggressive (a custom nginx-stream forwarder, a Lambda@Edge function), check that your transport handles upgrades.</p> <h2> Layer 3 — nginx </h2> <p>The standard reverse-proxy block in every nginx-on-rails tutorial is <strong>broken for WebSockets</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight nginx"><code><span class="k">location</span> <span class="n">/v1/</span> <span class="p">{</span> <span class="kn">proxy_pass</span> <span class="s">http://my_backend</span><span class="p">;</span> <span class="kn">proxy_http_version</span> <span class="mf">1.1</span><span class="p">;</span> <span class="kn">proxy_set_header</span> <span class="s">Connection</span> <span class="s">""</span><span class="p">;</span> <span class="c1"># ← strips Upgrade</span> <span class="kn">proxy_set_header</span> <span class="s">Host</span> <span class="nv">$host</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p><code>proxy_set_header Connection ""</code> is the conventional way to enable upstream keepalive pooling, because nginx's <code>Connection: keep-alive</code> from the client should NOT be forwarded to upstream. But it also wipes out <code>Connection: Upgrade</code> in WebSocket handshakes.</p> <p>The fix uses the standard nginx <code>map</code> directive to set <code>Connection</code> based on whether the client requested an upgrade. Add this once at the <code>http {}</code> level:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight nginx"><code><span class="k">map</span> <span class="nv">$http_upgrade</span> <span class="nv">$connection_upgrade</span> <span class="p">{</span> <span class="kn">default</span> <span class="s">upgrade</span><span class="p">;</span> <span class="kn">''</span> <span class="s">close</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>Then for the specific endpoint that handles WebSockets, add a dedicated <code>location</code> block ABOVE your generic <code>/v1/</code> block:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight nginx"><code><span class="k">location</span> <span class="p">=</span> <span class="n">/v1/responses</span> <span class="p">{</span> <span class="kn">proxy_pass</span> <span class="s">http://my_backend</span><span class="p">;</span> <span class="kn">proxy_http_version</span> <span class="mf">1.1</span><span class="p">;</span> <span class="kn">proxy_set_header</span> <span class="s">Upgrade</span> <span class="nv">$http_upgrade</span><span class="p">;</span> <span class="kn">proxy_set_header</span> <span class="s">Connection</span> <span class="nv">$connection_upgrade</span><span class="p">;</span> <span class="kn">proxy_set_header</span> <span class="s">Host</span> <span class="nv">$host</span><span class="p">;</span> <span class="kn">proxy_set_header</span> <span class="s">X-Real-IP</span> <span class="nv">$remote_addr</span><span class="p">;</span> <span class="kn">proxy_set_header</span> <span class="s">X-Forwarded-For</span> <span class="nv">$proxy_add_x_forwarded_for</span><span class="p">;</span> <span class="kn">proxy_set_header</span> <span class="s">X-Forwarded-Proto</span> <span class="nv">$scheme</span><span class="p">;</span> <span class="kn">proxy_read_timeout</span> <span class="s">3600s</span><span class="p">;</span> <span class="kn">proxy_send_timeout</span> <span class="s">3600s</span><span class="p">;</span> <span class="kn">proxy_buffering</span> <span class="no">off</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>The <code>=</code> makes it an exact-match block — POST and GET to <code>/v1/responses</code> both go here, and the upgrade headers get forwarded properly only when the client sends them. Other <code>/v1/*</code> paths fall through to the keepalive-friendly block.</p> <p><code>proxy_buffering off</code> is critical for any streaming endpoint — buffered nginx hangs on to the response body until it has the whole thing, which defeats the entire point of streaming.</p> <h2> Layer 4 — FastAPI (or your backend) </h2> <p>The actual WebSocket handler. FastAPI makes this nicely concise:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">asyncio</span> <span class="kn">import</span> <span class="n">json</span> <span class="kn">import</span> <span class="n">httpx</span> <span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">APIRouter</span><span class="p">,</span> <span class="n">WebSocket</span><span class="p">,</span> <span class="n">WebSocketDisconnect</span> <span class="n">router</span> <span class="o">=</span> <span class="nc">APIRouter</span><span class="p">()</span> <span class="nd">@router.websocket</span><span class="p">(</span><span class="sh">"</span><span class="s">/v1/responses</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">responses_ws</span><span class="p">(</span><span class="n">ws</span><span class="p">:</span> <span class="n">WebSocket</span><span class="p">):</span> <span class="c1"># Auth via Bearer header on the WS upgrade request </span> <span class="n">auth</span> <span class="o">=</span> <span class="n">ws</span><span class="p">.</span><span class="n">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">authorization</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">auth</span><span class="p">.</span><span class="nf">lower</span><span class="p">().</span><span class="nf">startswith</span><span class="p">(</span><span class="sh">"</span><span class="s">bearer </span><span class="sh">"</span><span class="p">):</span> <span class="k">await</span> <span class="n">ws</span><span class="p">.</span><span class="nf">close</span><span class="p">(</span><span class="n">code</span><span class="o">=</span><span class="mi">4401</span><span class="p">,</span> <span class="n">reason</span><span class="o">=</span><span class="sh">"</span><span class="s">Unauthorized</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="n">token</span> <span class="o">=</span> <span class="n">auth</span><span class="p">[</span><span class="mi">7</span><span class="p">:].</span><span class="nf">strip</span><span class="p">()</span> <span class="n">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">validate_token</span><span class="p">(</span><span class="n">token</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">user</span><span class="p">:</span> <span class="k">await</span> <span class="n">ws</span><span class="p">.</span><span class="nf">close</span><span class="p">(</span><span class="n">code</span><span class="o">=</span><span class="mi">4401</span><span class="p">,</span> <span class="n">reason</span><span class="o">=</span><span class="sh">"</span><span class="s">Invalid token</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="k">await</span> <span class="n">ws</span><span class="p">.</span><span class="nf">accept</span><span class="p">()</span> <span class="c1"># First frame: the request body as a single JSON message </span> <span class="k">try</span><span class="p">:</span> <span class="n">first</span> <span class="o">=</span> <span class="k">await</span> <span class="n">asyncio</span><span class="p">.</span><span class="nf">wait_for</span><span class="p">(</span><span class="n">ws</span><span class="p">.</span><span class="nf">receive_text</span><span class="p">(),</span> <span class="n">timeout</span><span class="o">=</span><span class="mi">60</span><span class="p">)</span> <span class="k">except</span> <span class="n">asyncio</span><span class="p">.</span><span class="nb">TimeoutError</span><span class="p">:</span> <span class="k">await</span> <span class="n">ws</span><span class="p">.</span><span class="nf">close</span><span class="p">(</span><span class="n">code</span><span class="o">=</span><span class="mi">4408</span><span class="p">,</span> <span class="n">reason</span><span class="o">=</span><span class="sh">"</span><span class="s">No request received</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="n">body</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">loads</span><span class="p">(</span><span class="n">first</span><span class="p">)</span> <span class="n">body</span><span class="p">[</span><span class="sh">"</span><span class="s">stream</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="bp">True</span> <span class="c1"># always stream over the bridge </span> <span class="n">upstream_url</span> <span class="o">=</span> <span class="nf">resolve_upstream</span><span class="p">(</span><span class="n">body</span><span class="p">[</span><span class="sh">"</span><span class="s">model</span><span class="sh">"</span><span class="p">])</span> <span class="o">+</span> <span class="sh">"</span><span class="s">/v1/responses</span><span class="sh">"</span> <span class="k">async</span> <span class="k">with</span> <span class="n">httpx</span><span class="p">.</span><span class="nc">AsyncClient</span><span class="p">(</span><span class="n">timeout</span><span class="o">=</span><span class="n">httpx</span><span class="p">.</span><span class="nc">Timeout</span><span class="p">(</span><span class="n">read</span><span class="o">=</span><span class="mf">600.0</span><span class="p">))</span> <span class="k">as</span> <span class="n">client</span><span class="p">:</span> <span class="k">async</span> <span class="k">with</span> <span class="n">client</span><span class="p">.</span><span class="nf">stream</span><span class="p">(</span><span class="sh">"</span><span class="s">POST</span><span class="sh">"</span><span class="p">,</span> <span class="n">upstream_url</span><span class="p">,</span> <span class="n">json</span><span class="o">=</span><span class="n">body</span><span class="p">)</span> <span class="k">as</span> <span class="n">r</span><span class="p">:</span> <span class="k">if</span> <span class="n">r</span><span class="p">.</span><span class="n">status_code</span> <span class="o">!=</span> <span class="mi">200</span><span class="p">:</span> <span class="n">err</span> <span class="o">=</span> <span class="k">await</span> <span class="n">r</span><span class="p">.</span><span class="nf">aread</span><span class="p">()</span> <span class="k">await</span> <span class="n">ws</span><span class="p">.</span><span class="nf">send_text</span><span class="p">(</span><span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span> <span class="sh">"</span><span class="s">type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="n">err</span><span class="p">.</span><span class="nf">decode</span><span class="p">(</span><span class="n">errors</span><span class="o">=</span><span class="sh">"</span><span class="s">ignore</span><span class="sh">"</span><span class="p">)[:</span><span class="mi">500</span><span class="p">]}</span> <span class="p">}))</span> <span class="k">await</span> <span class="n">ws</span><span class="p">.</span><span class="nf">close</span><span class="p">(</span><span class="n">code</span><span class="o">=</span><span class="mi">4502</span><span class="p">)</span> <span class="k">return</span> <span class="c1"># Forward each SSE event as a WS text frame </span> <span class="k">async</span> <span class="k">for</span> <span class="n">line</span> <span class="ow">in</span> <span class="n">r</span><span class="p">.</span><span class="nf">aiter_lines</span><span class="p">():</span> <span class="k">if</span> <span class="n">line</span><span class="p">.</span><span class="nf">startswith</span><span class="p">(</span><span class="sh">"</span><span class="s">data: </span><span class="sh">"</span><span class="p">):</span> <span class="n">payload</span> <span class="o">=</span> <span class="n">line</span><span class="p">[</span><span class="mi">6</span><span class="p">:]</span> <span class="k">if</span> <span class="n">payload</span><span class="p">.</span><span class="nf">strip</span><span class="p">()</span> <span class="o">==</span> <span class="sh">"</span><span class="s">[DONE]</span><span class="sh">"</span><span class="p">:</span> <span class="k">break</span> <span class="k">try</span><span class="p">:</span> <span class="k">await</span> <span class="n">ws</span><span class="p">.</span><span class="nf">send_text</span><span class="p">(</span><span class="n">payload</span><span class="p">)</span> <span class="k">except</span> <span class="n">WebSocketDisconnect</span><span class="p">:</span> <span class="k">return</span> <span class="c1"># client gone </span> <span class="k">await</span> <span class="n">ws</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> </code></pre> </div> <p>A few non-obvious things in here:</p> <p><strong>1. Auth is on the upgrade request itself.</strong> The client sends <code>Authorization: Bearer sk-...</code> as a regular HTTP header during the <code>GET /v1/responses</code> upgrade. FastAPI's <code>WebSocket.headers</code> exposes them. You authenticate BEFORE calling <code>await ws.accept()</code> — if auth fails, <code>ws.close(code=4401)</code> rejects the upgrade cleanly with a custom close code.</p> <p><strong>2. Don't reuse a request-scoped DB session inside the WebSocket handler.</strong> I learned this the hard way — passing the route's <code>db: AsyncSession</code> into an asyncio task that outlives the route return causes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>asyncpg.exceptions._base.InterfaceError: cannot perform operation: another operation is in progress </code></pre> </div> <p>The framework cleans up the request-scoped session as soon as the route returns, but the WS handler keeps running. Use a fresh session via <code>async_session_factory()</code> inside the WS handler.</p> <p><strong>3. The <code>stream=True</code> upstream call uses <code>httpx.stream()</code>, not <code>httpx.AsyncClient.post()</code>.</strong> This is the difference between "wait for the entire response, then forward" (broken — defeats streaming) and "iterate over the SSE lines as they arrive" (correct).</p> <p><strong>4. Upstream's SSE has <code>data:</code> prefix lines and possibly <code>event:</code> prefix lines.</strong> The OpenAI Responses API embeds the event type INSIDE the JSON payload (the <code>"type": "response.output_text.delta"</code> field), so we forward only the <code>data:</code> content. If your upstream uses <code>event:</code>-typed SSE, you may need to multiplex differently.</p> <h2> Verification </h2> <p>Once all four layers are wired, test with <code>wscat</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>wscat <span class="nt">-c</span> <span class="s2">"wss://api.your-gateway.com/v1/responses"</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Authorization: Bearer sk-..."</span> Connected <span class="o">(</span>press CTRL+C to quit<span class="o">)</span> <span class="o">&gt;</span> <span class="o">{</span><span class="s2">"model"</span>:<span class="s2">"gpt-5.5"</span>,<span class="s2">"input"</span>:<span class="s2">"reply with the word BANANA"</span>,<span class="s2">"stream"</span>:true<span class="o">}</span> &lt; <span class="o">{</span><span class="s2">"type"</span>:<span class="s2">"response.created"</span>,<span class="s2">"response"</span>:<span class="o">{</span><span class="s2">"id"</span>:<span class="s2">"resp_..."</span>...<span class="o">}}</span> &lt; <span class="o">{</span><span class="s2">"type"</span>:<span class="s2">"response.in_progress"</span>,<span class="s2">"response"</span>:<span class="o">{</span>...<span class="o">}}</span> &lt; <span class="o">{</span><span class="s2">"type"</span>:<span class="s2">"response.output_item.added"</span>,<span class="s2">"item"</span>:<span class="o">{</span>...<span class="o">}}</span> &lt; <span class="o">{</span><span class="s2">"type"</span>:<span class="s2">"response.output_text.delta"</span>,<span class="s2">"delta"</span>:<span class="s2">"BAN"</span>,<span class="s2">"item_id"</span>:<span class="s2">"..."</span><span class="o">}</span> &lt; <span class="o">{</span><span class="s2">"type"</span>:<span class="s2">"response.output_text.delta"</span>,<span class="s2">"delta"</span>:<span class="s2">"ANA"</span>,<span class="s2">"item_id"</span>:<span class="s2">"..."</span><span class="o">}</span> &lt; <span class="o">{</span><span class="s2">"type"</span>:<span class="s2">"response.output_text.done"</span>,<span class="s2">"text"</span>:<span class="s2">"BANANA"</span>,...<span class="o">}</span> &lt; <span class="o">{</span><span class="s2">"type"</span>:<span class="s2">"response.completed"</span>,<span class="s2">"response"</span>:<span class="o">{</span><span class="s2">"status"</span>:<span class="s2">"completed"</span>,...<span class="o">}}</span> Disconnected <span class="o">(</span>code: 1000, reason: <span class="s2">""</span><span class="o">)</span> </code></pre> </div> <p>That's the protocol codex-tui expects. With this in place, point your codex-tui config at your gateway:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">export </span><span class="nv">OPENAI_BASE_URL</span><span class="o">=</span>https://api.your-gateway.com/v1 <span class="nb">export </span><span class="nv">OPENAI_API_KEY</span><span class="o">=</span>sk-... codex </code></pre> </div> <p>And the WebSocket handshake succeeds, the stream flows, and Codex's UI updates token-by-token like it should.</p> <h2> CDN-specific notes </h2> <p>A few CDNs I tested:</p> <ul> <li> <strong>Cloudflare</strong> — supports WS through Workers (with the passthrough above) and through plain proxied zones. No extra config needed if you're not using a Worker.</li> <li> <strong>Bunny.net</strong> — supports WS upgrade verbatim. The <code>CDN-RequestPullCode: 101</code> response header confirms the edge pulled "101 Switching Protocols" from origin and forwarded it. No special configuration needed beyond pointing the pull zone at your origin.</li> <li> <strong>Fastly</strong> — needs explicit WS service config; their default HTTP service doesn't pass upgrades.</li> <li> <strong>AWS CloudFront</strong> — supports WebSockets but only on certain origin types; check their docs.</li> </ul> <p>If you're on a CDN that doesn't pass WS upgrades AT ALL, the fallback is to bypass the CDN entirely for the <code>/v1/responses</code> path — DNS-only point a <code>wsapi.your-domain.com</code> directly at origin, and have clients hit that for WebSocket sessions. Less elegant but works.</p> <h2> What I'd watch for next </h2> <p>OpenAI's Responses API is still in flux — they've been adding fields, changing how reasoning blocks are encoded, and the WebSocket variant of /v1/responses is undocumented as of this writing (Jan 2026). If you're shipping a gateway that supports Codex, expect to chase a moving target.</p> <p>The other two integration points worth watching are MCP servers (codex 0.128 added native MCP support, also over WebSocket in some configurations) and the realtime audio API (<code>/v1/realtime</code>, fully WebSocket, has been stable longer).</p> <p>If this saved you some time, drop a comment — happy to compare notes on what other agents (Cline, Cursor, Aider, Continue) actually need on the wire. I run <a href="https://g0i.ai" rel="noopener noreferrer">g0i</a> which has integration guides for each of those, and the lessons from this codex-tui chase generalized to all of them.</p> <p><em>If you're a gateway operator and want to compare notes on edge-case clients, my DMs are open.</em></p> ai webdev programming productivity I Built CloudDesktop — Turn Any Linux VPS Into a Browser-Based Desktop (Free & Open Source) HorusGod Fri, 06 Mar 2026 09:46:58 +0000 https://forem.com/horusgod007/i-built-clouddesktop-turn-any-linux-vps-into-a-browser-based-desktop-free-open-source-2o3n https://forem.com/horusgod007/i-built-clouddesktop-turn-any-linux-vps-into-a-browser-based-desktop-free-open-source-2o3n <p>Ever wanted a full Linux desktop in your browser?</p> <p>No SSH. No PuTTY. No setup headaches.<br> Just open a tab — and you're in. 👇</p> <h2> 🧠 The Problem </h2> <p>I wanted a persistent Linux environment I could reach from anywhere — my phone on the go, a tablet, even a friend's laptop.</p> <p>Every solution I found was either:</p> <ul> <li>💸 Expensive (cloud desktops cost $$$)</li> <li>🔧 Painful to set up (VNC configs, firewalls, SSL hell)</li> <li>📵 Desktop-only (forget using it on mobile)</li> </ul> <p>So I spent weeks and built CloudDesktop from scratch.</p> <h2> 🖥️ What it looks like </h2> <p>Here's the login screen:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyspo78c0bdhy1pt6s94h.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyspo78c0bdhy1pt6s94h.png" alt="Login Screen" width="800" height="500"></a></p> <p>And once you're in — a full XFCE desktop, in your browser:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1spbctrcrm7mj95nywbb.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1spbctrcrm7mj95nywbb.png" alt="Desktop" width="800" height="500"></a></p> <h2> ⚡ One command to rule them all </h2> <p>sudo bash install.sh</p> <p>That's it. The installer auto-configures:</p> <p>✅ XFCE desktop + TigerVNC<br> ✅ WebSocket bridge (noVNC)<br> ✅ Node.js + Express backend<br> ✅ Nginx reverse proxy + SSL<br> ✅ Firewall (UFW) + Fail2ban<br> ✅ Systemd services (auto-start on boot)</p> <h2> 📱 Works on EVERY device </h2> <p>This was the hardest part to get right.</p> <p>CloudDesktop is mobile-first:</p> <ul> <li>Virtual trackpad cursor (like Microsoft RD Client)</li> <li>Pinch to zoom + scroll</li> <li>On-screen keyboard</li> <li>Auto-resolution on orientation change</li> <li>Fullscreen PWA mode — no browser chrome</li> </ul> <p>Install it as a native app on iOS, Android, Windows, macOS — all from your browser.</p> <h2> 🔄 One live session, all devices </h2> <p>All your devices connect to the same live desktop.</p> <p>Start coding on your PC → pick up exactly where you left off on your phone.<br> No sync. No cloud storage. Just your desktop, everywhere.</p> <h2> ⚙️ Settings &amp; customization </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fejusrc5raqh4wr0igy73.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fejusrc5raqh4wr0igy73.png" alt="Settings Panel" width="800" height="500"></a></p> <p>Adjust resolution, manage sessions, toggle features — all from a clean settings panel inside the browser.</p> <h2> 🤖 Claude Code built right in </h2> <p>This is my favorite part.</p> <p>CloudDesktop has first-class Claude Code support with dedicated dock icons:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvajrvjek9ao053j19bbp.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvajrvjek9ao053j19bbp.png" alt="Claude Code in Dock" width="800" height="500"></a></p> <ul> <li>Claude Code — launch CLI in a terminal from the dock</li> <li>Claude Fast — one-click sandbox mode for quick tasks</li> <li>Directory Picker — choose your working folder before launching</li> </ul> <h2> 🔒 Security? Covered. </h2> <p>This runs on the open internet, so security was non-negotiable:</p> <ul> <li>🔐 Bcrypt password hashing</li> <li>🎟️ JWT session tokens (httpOnly cookies)</li> <li>📲 TOTP two-factor authentication</li> <li>🚫 Rate limiting on auth endpoints</li> <li>🛡️ Fail2ban + UFW firewall</li> <li>🔒 HTTPS enforced (Let's Encrypt or self-signed)</li> </ul> <h2> 🏗️ How it works under the hood </h2> <p>Browser ──HTTPS──▸ Nginx ──▸ Express API (auth, files, resolution)<br> └──▸ WebSocket ──▸ websockify ──▸ VNC (TigerVNC/XFCE)</p> <p>Simple, battle-tested stack. No magic, no vendor lock-in.</p> <h2> 💚 100% Free &amp; Open Source </h2> <p>No hidden fees.<br> No premium tiers.<br> No telemetry.<br> No nonsense.</p> <p>Fork it. Break it. Make it yours.</p> <p>👉 GitHub — <a href="https://github.com/HorusGod007/CloudDesktop" rel="noopener noreferrer">https://github.com/HorusGod007/CloudDesktop</a></p> <p>If this helped you or looks useful — a ⭐ on GitHub means the world and helps others discover it. Drop your questions below, I read every comment! 🙏</p> opensource linux selfhosted webdev