🪨 feat: Add PROXY support for AWS Bedrock endpoints (#8871)

* feat: added PROXY support for AWS Bedrock endpoint * chore: explicit install of new packages required for bedrock proxy --------- Co-authored-by: Danny Avila <danny@librechat.ai>
2025-12-16 16:30:15 +01:00 · 2025-12-01 12:23:46 -05:00 · 2025-12-01 12:23:46 -05:00 · 69200623c2
commit 69200623c2
parent 9df4d272e1
3 changed files with 2015 additions and 28 deletions
--- a/api/package.json
+++ b/api/package.json
@ -34,6 +34,7 @@
  },
  "homepage": "https://librechat.ai",
  "dependencies": {
+    "@aws-sdk/client-bedrock-runtime": "^3.941.0",
    "@aws-sdk/client-s3": "^3.758.0",
    "@aws-sdk/s3-request-presigner": "^3.758.0",
    "@azure/identity": "^4.7.0",
@ -48,6 +49,7 @@
    "@microsoft/microsoft-graph-client": "^3.0.7",
    "@modelcontextprotocol/sdk": "^1.21.0",
    "@node-saml/passport-saml": "^5.1.0",
+    "@smithy/node-http-handler": "^4.4.5",
    "axios": "^1.12.1",
    "bcryptjs": "^2.4.3",
    "compression": "^1.8.1",
--- a/api/server/services/Endpoints/bedrock/options.js
+++ b/api/server/services/Endpoints/bedrock/options.js
@ -1,4 +1,35 @@
+/**
+ * Bedrock endpoint options configuration
+ *
+ * This module handles configuration for AWS Bedrock endpoints, including support for
+ * HTTP/HTTPS proxies and reverse proxies.
+ *
+ * Proxy Support:
+ * - When the PROXY environment variable is set, creates a custom BedrockRuntimeClient
+ *   with an HttpsProxyAgent to route all Bedrock API calls through the specified proxy
+ * - The custom client is fully configured with credentials, region, and endpoint,
+ *   and is passed directly to ChatBedrockConverse via the 'client' parameter
+ *
+ * Reverse Proxy Support:
+ * - When BEDROCK_REVERSE_PROXY is set, routes Bedrock API calls through a custom endpoint
+ * - Works with or without the PROXY setting
+ *
+ * Without Proxy:
+ * - Credentials and endpoint configuration are passed separately to ChatBedrockConverse,
+ *   which creates its own BedrockRuntimeClient internally
+ *
+ * Environment Variables:
+ * - PROXY: HTTP/HTTPS proxy URL (e.g., http://proxy.example.com:8080)
+ * - BEDROCK_REVERSE_PROXY: Custom Bedrock API endpoint host
+ * - BEDROCK_AWS_DEFAULT_REGION: AWS region for Bedrock service
+ * - BEDROCK_AWS_ACCESS_KEY_ID: AWS access key (or set to 'user_provided')
+ * - BEDROCK_AWS_SECRET_ACCESS_KEY: AWS secret key (or set to 'user_provided')
+ * - BEDROCK_AWS_SESSION_TOKEN: Optional AWS session token
+ */
+
 const { HttpsProxyAgent } = require('https-proxy-agent');
+const { NodeHttpHandler } = require('@smithy/node-http-handler');
+const { BedrockRuntimeClient } = require('@aws-sdk/client-bedrock-runtime');
 const {
  AuthType,
  EModelEndpoint,
@ -69,10 +100,6 @@ const getOptions = async ({ req, overrideModel, endpointOption }) => {
  };

  const configOptions = {};
-  if (PROXY) {
-    /** NOTE: NOT SUPPORTED BY BEDROCK */
-    configOptions.httpAgent = new HttpsProxyAgent(PROXY);
-  }

  const llmConfig = bedrockOutputParser(
    bedrockInputParser.parse(
@ -80,12 +107,37 @@ const getOptions = async ({ req, overrideModel, endpointOption }) => {
    ),
  );

-  if (credentials) {
-    llmConfig.credentials = credentials;
-  }
+  if (PROXY) {
+    const proxyAgent = new HttpsProxyAgent(PROXY);

-  if (BEDROCK_REVERSE_PROXY) {
-    llmConfig.endpointHost = BEDROCK_REVERSE_PROXY;
+    // Create a custom BedrockRuntimeClient with proxy-enabled request handler.
+    // ChatBedrockConverse will use this pre-configured client directly instead of
+    // creating its own. Credentials are only set if explicitly provided; otherwise
+    // the AWS SDK's default credential provider chain is used (instance profiles,
+    // AWS profiles, environment variables, etc.)
+    const customClient = new BedrockRuntimeClient({
+      region: llmConfig.region ?? BEDROCK_AWS_DEFAULT_REGION,
+      ...(credentials && { credentials }),
+      requestHandler: new NodeHttpHandler({
+        httpAgent: proxyAgent,
+        httpsAgent: proxyAgent,
+      }),
+      ...(BEDROCK_REVERSE_PROXY && {
+        endpoint: `https://${BEDROCK_REVERSE_PROXY}`,
+      }),
+    });
+
+    llmConfig.client = customClient;
+  } else {
+    // When not using a proxy, let ChatBedrockConverse create its own client
+    // by providing credentials and endpoint separately
+    if (credentials) {
+      llmConfig.credentials = credentials;
+    }
+
+    if (BEDROCK_REVERSE_PROXY) {
+      llmConfig.endpointHost = BEDROCK_REVERSE_PROXY;
+    }
  }

  return {
--- a/package-lock.json
+++ b/package-lock.json