Skip to content

Local Ollama provider blocks HTTP to LAN/Tailscale IPs (ATS policy) #24

Description

@jparrill

Problem

When configuring the Local Ollama provider with a remote Ollama instance on the local network (e.g. http://192.168.1.x:11434 or a Tailscale IP http://100.x.x.x:11434), Agent! fails with:

Failed to fetch local models: The resource could not be loaded because the App Transport Security policy requires the use of a secure connection.

This happens because the app's Info.plist does not include an NSAppTransportSecurity exception. macOS ATS only allows plain HTTP to localhost/127.0.0.1 by default — any other IP (including RFC 1918 private ranges and Tailscale mesh IPs) is blocked.

Expected behavior

The Local Ollama, vLLM, and LM Studio providers should work with remote instances on the local network, not just localhost. This is a common setup: a beefy server running Ollama on the LAN, accessed from a Mac laptop.

Workaround

Manually patching the Info.plist after each install:

sudo plutil -replace NSAppTransportSecurity -json '{"NSAllowsLocalNetworking": true}' "/Applications/Agent!.app/Contents/Info.plist"

This needs to be re-applied after every app update.

Suggested fix

Add NSAllowsLocalNetworking: true to the NSAppTransportSecurity dictionary in Info.plist:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsLocalNetworking</key>
    <true/>
</dict>

This is the minimal, scoped fix — it only allows HTTP on local network, not arbitrary internet hosts.

Environment

  • macOS 26.5.1
  • Agent! installed from GitHub Releases
  • Ollama running on a remote Fedora server, accessed via LAN IP and Tailscale

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions