initial commit

This commit is contained in:
ray
2026-07-12 10:15:51 -04:00
commit 29aad9079e
46 changed files with 1369 additions and 0 deletions
+1
View File
@@ -0,0 +1 @@
set $deepseek_key "sk-4e7a3351dd7e4929b34988877a4336d8";
+13
View File
@@ -0,0 +1,13 @@
# regex to split $uri to $fastcgi_script_name and $fastcgi_path
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
# Check that the PHP script exists before passing it
try_files $fastcgi_script_name =404;
# Bypass the fact that try_files resets $fastcgi_path_info
# see: http://trac.nginx.org/nginx/ticket/321
set $path_info $fastcgi_path_info;
fastcgi_param PATH_INFO $path_info;
fastcgi_index index.php;
include fastcgi.conf;
+5
View File
@@ -0,0 +1,5 @@
# Self signed certificates generated by the ssl-cert package
# Don't use them in a production server!
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
+32
View File
@@ -0,0 +1,32 @@
location /deepseek/ {
limit_req zone=spq_ai burst=5 nodelay;
# 1) Validate the PB token. 401 → block; 200 → continue.
auth_request /_spq_validate;
auth_request_set $spq_auth_status $upstream_status;
# 2) Strip the client's Authorization header.
proxy_set_header Authorization "";
# 3) Inject the DeepSeek key.
include /etc/nginx/snippets/deepseek-key.conf;
proxy_set_header Authorization "Bearer $deepseek_key";
# 4) Rewrite path: /deepseek/v1/chat/completions → /v1/chat/completions
rewrite ^/deepseek/(.*)$ /$1 break;
proxy_pass https://api.deepseek.com;
proxy_ssl_server_name on;
proxy_set_header Host api.deepseek.com;
proxy_set_header X-Real-IP $remote_addr;
proxy_buffering off; # streaming responses
}
location = /_spq_validate {
internal;
proxy_pass http://127.0.0.1:8092/;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
proxy_set_header Authorization $http_authorization;
}
+6
View File
@@ -0,0 +1,6 @@
# SPQ frontend security headers. Include inside the server { } block.
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self'; connect-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self';" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "DENY" always;
add_header Referrer-Policy "no-referrer" always;
add_header Permissions-Policy "microphone=(), geolocation=(), interest-cohort=()" always;