From 0637f9e76b856656b40174da5d65164e8f6f7169 Mon Sep 17 00:00:00 2001
From: Nicolas Cantu
Date: Mon, 23 Mar 2026 01:23:15 +0100
Subject: [PATCH] Nginx ia.enso: map_hash_bucket_size, legacy http2 listen
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
**Motivations:**
- Deploy failed on proxy: long Bearer token map_hash; unknown http2 directive.
**Root causes:**
- openssl rand -hex 32 exceeds default map_hash_bucket_size.
- Proxy nginx older than http2 on; listen 443 ssl http2 is portable.
**Correctifs:**
- Prepend map_hash_bucket_size 256 to generated maps and bearer example.
- Replace http2 on with listen 443 ssl http2.
- README troubleshooting for map_hash.
**Evolutions:**
- N/A.
**Pages affectées:**
- deploy/nginx/deploy-ia-enso-to-proxy.sh
- deploy/nginx/http-maps/ia-enso-ollama-bearer.map.conf.example
- deploy/nginx/sites/ia.enso.4nkweb.com.conf
- deploy/nginx/README-ia-enso.md
---
 deploy/nginx/README-ia-enso.md | 1 +
 deploy/nginx/deploy-ia-enso-to-proxy.sh | 4 ++++
 deploy/nginx/http-maps/ia-enso-ollama-bearer.map.conf.example | 4 ++++
 deploy/nginx/sites/ia.enso.4nkweb.com.conf | 3 +--
 4 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/deploy/nginx/README-ia-enso.md b/deploy/nginx/README-ia-enso.md
index 5574707..eea7f0c 100644
--- a/deploy/nginx/README-ia-enso.md
+++ b/deploy/nginx/README-ia-enso.md
@@ -140,6 +140,7 @@ Sur **`192.168.1.164`**, n’autoriser **11434** et **3001** TCP que depuis **19
 | Symptôme | Piste |
 |----------|--------|
 | `nginx -t` erreur sur `connection_upgrade` | Doublon de `map $http_upgrade $connection_upgrade` : retirer l’un des blocs ou n’installer que le `map` Bearer. |
+| `could not build map_hash` / `map_hash_bucket_size` | Secret Bearer trop long pour la valeur par défaut ; le fichier `ia-enso-http-maps.conf` du script inclut `map_hash_bucket_size 256;` — mettre à jour le déploiement ou ajouter cette directive dans `http { }`. |
 | `401` sur `/ollama/` | Secret différent entre client et `map` ; en-tête `Authorization` absent ou mal formé (`Bearer ` + secret exact). |
 | `502` / timeout | Ollama ou AnythingLLM arrêtés sur `.164` ; pare-feu ; mauvais IP/upstream dans le fichier site. |
 | Erreur SSL | Certificat absent ou chemins `ssl_certificate` incorrects pour `ia.enso.4nkweb.com`. |
diff --git a/deploy/nginx/deploy-ia-enso-to-proxy.sh b/deploy/nginx/deploy-ia-enso-to-proxy.sh
index fcfaf92..cd4ebf1 100755
--- a/deploy/nginx/deploy-ia-enso-to-proxy.sh
+++ b/deploy/nginx/deploy-ia-enso-to-proxy.sh
@@ -54,6 +54,10 @@ write_maps_file() {
 local path="$1"
 local with_websocket="$2"
 {
+ cat <<'HASHOF'
+# Long Bearer keys (e.g. openssl rand -hex 32) exceed default map_hash buckets.
+map_hash_bucket_size 256;
+HASHOF
 if [[ "$with_websocket" == "1" ]]; then
 cat <<'MAPEOF'
 map $http_upgrade $connection_upgrade {
diff --git a/deploy/nginx/http-maps/ia-enso-ollama-bearer.map.conf.example b/deploy/nginx/http-maps/ia-enso-ollama-bearer.map.conf.example
index ab3f034..44c5c0a 100644
--- a/deploy/nginx/http-maps/ia-enso-ollama-bearer.map.conf.example
+++ b/deploy/nginx/http-maps/ia-enso-ollama-bearer.map.conf.example
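Review bot: In `write_maps_file` of deploy-ia-enso-to-proxy.sh the new heredoc emits `map_hash_bucket_size 256;` unconditionally, which can itself make `nginx -t` fail on a proxy whose `http {}` already sets that directive, or that loads another file containing a `map` block before this one; as far as I know nginx reports the directive as a duplicate in both cases. The example file `ia-enso-ollama-bearer.map.conf.example` gets the same line and does tell the operator to omit it when nginx sets it elsewhere, but the script offers no equivalent opt-out. I would wrap the heredoc in a guard such as `if [[ "${SKIP_MAP_HASH_BUCKET:-0}" != "1" ]]; then … fi` (the variable name is illustrative, not an existing one), or check the proxy's `nginx -T` output for an existing `map_hash_bucket_size` before writing the file. The function body continues outside the hunk, so whether a failed config test leaves the previous maps file in place cannot be judged from here.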
@@ -3,6 +3,10 @@
 #
 # Copy this file without the .example suffix, set a long random Bearer secret (ASCII, no double quotes).
 # Cursor / OpenAI-compatible clients: Base URL .../ollama/v1 and API Key = same secret (no "Bearer " prefix).
+#
+# Required for long Bearer strings (e.g. hex tokens); omit only if nginx already sets this in http {}.
+
+map_hash_bucket_size 256;
 map $http_authorization $ia_enso_ollama_authorized {
 default 0;
diff --git a/deploy/nginx/sites/ia.enso.4nkweb.com.conf b/deploy/nginx/sites/ia.enso.4nkweb.com.conf
index ba33b79..e0c06fa 100644
--- a/deploy/nginx/sites/ia.enso.4nkweb.com.conf
+++ b/deploy/nginx/sites/ia.enso.4nkweb.com.conf
@@ -30,8 +30,7 @@ server {
 }
 server {
- listen 443 ssl;
- http2 on;
+ listen 443 ssl http2;
 server_name ia.enso.4nkweb.com;
 ssl_certificate /etc/letsencrypt/live/ia.enso.4nkweb.com/fullchain.pem;
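Review bot: The new `listen 443 ssl http2;` line in ia.enso.4nkweb.com.conf carries no comment saying it is a compatibility workaround, so a later cleanup is likely to restore `http2 on;` and break the deploy again. The standalone `http2` directive exists only from nginx 1.25.1, where the `listen … http2` parameter was deprecated and started logging a warning, so this change also implies that the proxy enforcing the Bearer check runs an older release. I would add above the line `# Proxy nginx predates the "http2" directive (1.25.1); switch back to "listen 443 ssl;" + "http2 on;" once the proxy is upgraded.` and note the proxy's nginx version in the README so its patch level can be tracked. The server block continues past the end of the hunk.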