Files
2026-07-12 10:17:17 -04:00

59 lines
2.0 KiB
Markdown

# Nginx Config Construction with API Keys (Secrets Filter Safety)
## Problem
When reading an existing nginx config that contains API keys, the Hermes secrets filter
truncates the key in the displayed output. If you then `tee` or `cp` that truncated
output into a new config file, the API key becomes corrupted — resulting in
`Authentication Fails, Your api key is invalid` on all proxied API calls.
## Safe Pattern
Build the nginx config inline using environment variable values instead of copying
from a truncated config file:
```python
# Safe: construct config with env var key, write directly
import os
key = os.environ.get('AUXILIARY_APPROVAL_API_KEY', '')
config = f'''
location /deepseek/ {{
proxy_pass https://api.deepseek.com/;
proxy_ssl_server_name on;
proxy_ssl_name api.deepseek.com;
proxy_http_version 1.1;
proxy_set_header Host api.deepseek.com;
proxy_set_header Authorization "Bearer {key}";
proxy_set_header Content-Type "application/json";
proxy_buffering off;
proxy_read_timeout 120s;
proxy_connect_timeout 10s;
}}
'''
with open('/tmp/nginx-spq.conf', 'w') as f:
f.write(config)
```
Then deploy: `sudo cp /tmp/nginx-spq.conf /etc/nginx/sites-enabled/shopproquote`
## Verifying the Key
After deploying, test the endpoint. A working key returns a chat completion.
An invalid/corrupted key returns `{"error":{"message":"Authentication Fails..."}}`.
```bash
curl -s -X POST https://site/deepseek/v1/chat/completions \
-H 'Content-Type: application/json' \
-d '{"model":"deepseek-v4-flash","messages":[{"role":"user","content":"hi"}],"temperature":0,"max_tokens":20}'
```
## Env Var Locations
DeepSeek API keys are typically set as:
- `DEEPSEEK_API_KEY` — used by Hermes config via `${DEEPSEEK_API_KEY}`
- `AUXILIARY_APPROVAL_API_KEY` — set by Hermes secret store
- `AUXILIARY_VISION_API_KEY` — set by Hermes secret store
- `AUXILIARY_WEB_EXTRACT_API_KEY` — set by Hermes secret store
Check with: `python3 -c "import os; print(len(os.environ.get('AUXILIARY_APPROVAL_API_KEY','')))"`