From c20b5381175af0a715b9b30e6674579f3b32006d Mon Sep 17 00:00:00 2001
From: waleed
Date: Mon, 15 Jun 2026 17:13:57 -0700
Subject: [PATCH] fix(providers): allow HTTP for self-hosted vLLM endpoints

Pass allowHttp to validateUrlWithDNS so plain-HTTP self-hosted vLLM endpoints are permitted. This only relaxes the protocol check; the private/reserved-IP blocklist and blocked-port checks still apply, so SSRF protection is unchanged.
---
 apps/sim/providers/vllm/index.test.ts | 3 ++-
 apps/sim/providers/vllm/index.ts | 8 +++++++-
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/apps/sim/providers/vllm/index.test.ts b/apps/sim/providers/vllm/index.test.ts
index d81e696dae..c95f5297f1 100644
--- a/apps/sim/providers/vllm/index.test.ts
+++ b/apps/sim/providers/vllm/index.test.ts
@@ -155,7 +155,8 @@ describe('vllmProvider', () => {
 expect(mockValidateUrlWithDNS).toHaveBeenCalledWith(
 'https://my-vllm.example.com',
- 'vLLM endpoint'
+ 'vLLM endpoint',
+ { allowHttp: true }
 )
 expect(mockCreatePinnedFetch).toHaveBeenCalledWith('203.0.113.10')
 expect(openAIArgs[0].baseURL).toBe('https://my-vllm.example.com/v1')
diff --git a/apps/sim/providers/vllm/index.ts b/apps/sim/providers/vllm/index.ts
index 90f6c7c0a3..572b5df51c 100644
--- a/apps/sim/providers/vllm/index.ts
+++ b/apps/sim/providers/vllm/index.ts
@@ -108,10 +108,16 @@ export const vllmProvider: ProviderConfig = {
 * central SSRF guard and pin the connection to the resolved IP to defeat DNS
 * rebinding. The operator-configured `VLLM_BASE_URL` is trusted and left
 * unvalidated, mirroring the Azure providers.
+ *
+ * `allowHttp` is enabled because self-hosted vLLM is frequently served over
+ * plain HTTP; this only relaxes the protocol requirement — the private/reserved
+ * IP blocklist and blocked-port checks still apply, so SSRF protection is intact.
 */
 let pinnedFetch: typeof fetch | undefined
 if (userProvidedEndpoint) {
- const validation = await validateUrlWithDNS(userProvidedEndpoint, 'vLLM endpoint')
+ const validation = await validateUrlWithDNS(userProvidedEndpoint, 'vLLM endpoint', {
+ allowHttp: true,
+ })
 if (!validation.isValid) {
 logger.warn('Blocked SSRF attempt via vLLM endpoint', {
 endpoint: userProvidedEndpoint,
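Review bot: The new comment on the `validateUrlWithDNS` call covers SSRF but not what `allowHttp: true` gives up: traffic to a user-supplied `http://` endpoint is unencrypted, and since private/reserved addresses remain blocked, every endpoint this newly admits is a publicly routable one. Any API key sent with the request (not visible in this hunk) and all prompt/response content would then be readable and modifiable in transit. I would state that in the comment, e.g. `* Note: over http:// the API key and prompts travel in cleartext; prefer https:// where the endpoint supports it.`, and consider a `logger.warn` when the validated URL's scheme is `http:`. The test hunk in index.test.ts still passes only an `https://` URL, so nothing exercises an `http://` endpoint or confirms that an `http://` URL resolving to a private address is still rejected. The enclosing function starts and ends outside this hunk.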