fix(providers): allow HTTP for self-hosted vLLM endpoints (#5078)

Pass allowHttp to validateUrlWithDNS so plain-HTTP self-hosted vLLM
endpoints are permitted. This only relaxes the protocol check; the
private/reserved-IP blocklist and blocked-port checks still apply, so
SSRF protection is unchanged.

Author: waleedlatif1

apps/sim/providers/vllm/index.test.ts

@@ -155,7 +155,8 @@ describe('vllmProvider', () => {
 
       expect(mockValidateUrlWithDNS).toHaveBeenCalledWith(
         'https://my-vllm.example.com',
-        'vLLM endpoint'
+        'vLLM endpoint',
+        { allowHttp: true }
       )
       expect(mockCreatePinnedFetch).toHaveBeenCalledWith('203.0.113.10')
       expect(openAIArgs[0].baseURL).toBe('https://my-vllm.example.com/v1')

apps/sim/providers/vllm/index.ts

@@ -108,10 +108,16 @@ export const vllmProvider: ProviderConfig = {
      * central SSRF guard and pin the connection to the resolved IP to defeat DNS
      * rebinding. The operator-configured `VLLM_BASE_URL` is trusted and left
      * unvalidated, mirroring the Azure providers.
+     *
+     * `allowHttp` is enabled because self-hosted vLLM is frequently served over
+     * plain HTTP; this only relaxes the protocol requirement — the private/reserved
+     * IP blocklist and blocked-port checks still apply, so SSRF protection is intact.
      */
     let pinnedFetch: typeof fetch | undefined
     if (userProvidedEndpoint) {
-      const validation = await validateUrlWithDNS(userProvidedEndpoint, 'vLLM endpoint')
+      const validation = await validateUrlWithDNS(userProvidedEndpoint, 'vLLM endpoint', {
+        allowHttp: true,
+      })
       if (!validation.isValid) {
         logger.warn('Blocked SSRF attempt via vLLM endpoint', {
           endpoint: userProvidedEndpoint,