# Nginx Config Construction with API Keys (Secrets Filter Safety) ## Problem When reading an existing nginx config that contains API keys, the Hermes secrets filter truncates the key in the displayed output. If you then `tee` or `cp` that truncated output into a new config file, the API key becomes corrupted — resulting in `Authentication Fails, Your api key is invalid` on all proxied API calls. ## Safe Pattern Build the nginx config inline using environment variable values instead of copying from a truncated config file: ```python # Safe: construct config with env var key, write directly import os key = os.environ.get('AUXILIARY_APPROVAL_API_KEY', '') config = f''' location /deepseek/ {{ proxy_pass https://api.deepseek.com/; proxy_ssl_server_name on; proxy_ssl_name api.deepseek.com; proxy_http_version 1.1; proxy_set_header Host api.deepseek.com; proxy_set_header Authorization "Bearer {key}"; proxy_set_header Content-Type "application/json"; proxy_buffering off; proxy_read_timeout 120s; proxy_connect_timeout 10s; }} ''' with open('/tmp/nginx-spq.conf', 'w') as f: f.write(config) ``` Then deploy: `sudo cp /tmp/nginx-spq.conf /etc/nginx/sites-enabled/shopproquote` ## Verifying the Key After deploying, test the endpoint. A working key returns a chat completion. An invalid/corrupted key returns `{"error":{"message":"Authentication Fails..."}}`. ```bash curl -s -X POST https://site/deepseek/v1/chat/completions \ -H 'Content-Type: application/json' \ -d '{"model":"deepseek-v4-flash","messages":[{"role":"user","content":"hi"}],"temperature":0,"max_tokens":20}' ``` ## Env Var Locations DeepSeek API keys are typically set as: - `DEEPSEEK_API_KEY` — used by Hermes config via `${DEEPSEEK_API_KEY}` - `AUXILIARY_APPROVAL_API_KEY` — set by Hermes secret store - `AUXILIARY_VISION_API_KEY` — set by Hermes secret store - `AUXILIARY_WEB_EXTRACT_API_KEY` — set by Hermes secret store Check with: `python3 -c "import os; print(len(os.environ.get('AUXILIARY_APPROVAL_API_KEY','')))"`