initial commit
This commit is contained in:
@@ -0,0 +1,58 @@
|
||||
# Nginx Config Construction with API Keys (Secrets Filter Safety)
|
||||
|
||||
## Problem
|
||||
|
||||
When reading an existing nginx config that contains API keys, the Hermes secrets filter
|
||||
truncates the key in the displayed output. If you then `tee` or `cp` that truncated
|
||||
output into a new config file, the API key becomes corrupted — resulting in
|
||||
`Authentication Fails, Your api key is invalid` on all proxied API calls.
|
||||
|
||||
## Safe Pattern
|
||||
|
||||
Build the nginx config inline using environment variable values instead of copying
|
||||
from a truncated config file:
|
||||
|
||||
```python
|
||||
# Safe: construct config with env var key, write directly
|
||||
import os
|
||||
key = os.environ.get('AUXILIARY_APPROVAL_API_KEY', '')
|
||||
config = f'''
|
||||
location /deepseek/ {{
|
||||
proxy_pass https://api.deepseek.com/;
|
||||
proxy_ssl_server_name on;
|
||||
proxy_ssl_name api.deepseek.com;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Host api.deepseek.com;
|
||||
proxy_set_header Authorization "Bearer {key}";
|
||||
proxy_set_header Content-Type "application/json";
|
||||
proxy_buffering off;
|
||||
proxy_read_timeout 120s;
|
||||
proxy_connect_timeout 10s;
|
||||
}}
|
||||
'''
|
||||
with open('/tmp/nginx-spq.conf', 'w') as f:
|
||||
f.write(config)
|
||||
```
|
||||
|
||||
Then deploy: `sudo cp /tmp/nginx-spq.conf /etc/nginx/sites-enabled/shopproquote`
|
||||
|
||||
## Verifying the Key
|
||||
|
||||
After deploying, test the endpoint. A working key returns a chat completion.
|
||||
An invalid/corrupted key returns `{"error":{"message":"Authentication Fails..."}}`.
|
||||
|
||||
```bash
|
||||
curl -s -X POST https://site/deepseek/v1/chat/completions \
|
||||
-H 'Content-Type: application/json' \
|
||||
-d '{"model":"deepseek-v4-flash","messages":[{"role":"user","content":"hi"}],"temperature":0,"max_tokens":20}'
|
||||
```
|
||||
|
||||
## Env Var Locations
|
||||
|
||||
DeepSeek API keys are typically set as:
|
||||
- `DEEPSEEK_API_KEY` — used by Hermes config via `${DEEPSEEK_API_KEY}`
|
||||
- `AUXILIARY_APPROVAL_API_KEY` — set by Hermes secret store
|
||||
- `AUXILIARY_VISION_API_KEY` — set by Hermes secret store
|
||||
- `AUXILIARY_WEB_EXTRACT_API_KEY` — set by Hermes secret store
|
||||
|
||||
Check with: `python3 -c "import os; print(len(os.environ.get('AUXILIARY_APPROVAL_API_KEY','')))"`
|
||||
Reference in New Issue
Block a user