Nginx ia.enso: map_hash_bucket_size, legacy http2 listen

**Motivations:**
- Deploy failed on proxy: long Bearer token map_hash; unknown http2 directive.

**Root causes:**
- openssl rand -hex 32 exceeds default map_hash_bucket_size.
- Proxy nginx older than http2 on; listen 443 ssl http2 is portable.

**Fixes:**
- Prepend map_hash_bucket_size 256 to generated maps and bearer example.
- Replace http2 on with listen 443 ssl http2.
- README troubleshooting for map_hash.

**Evolutions:**
- N/A.

**Affected pages:**
- deploy/nginx/deploy-ia-enso-to-proxy.sh
- deploy/nginx/http-maps/ia-enso-ollama-bearer.map.conf.example
- deploy/nginx/sites/ia.enso.4nkweb.com.conf
- deploy/nginx/README-ia-enso.md
This commit is contained in:
Nicolas Cantu 2026-03-23 01:23:15 +01:00
parent b5d5d74bbd
commit 0637f9e76b
4 changed files with 10 additions and 2 deletions
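The "Root causes" above say a 64-hex-character secret overflows the default `map_hash_bucket_size`. The check below is an added example, not part of this commit or of the deploy script: it scans a map file for its longest key and computes the smallest bucket nginx would accept, so the failure is caught before `nginx -t` runs on the proxy. The sizing rule is taken from nginx's hash builder (`ngx_hash_init`) and assumes a 64-bit build (8-byte pointers); the sample map file is constructed here.

```shell
#!/bin/sh
# Pre-deploy lint for nginx map files (added example): find the longest map key and
# the smallest map_hash_bucket_size that holds it, so "could not build map_hash" is
# caught before nginx -t on the proxy. Sizing follows nginx's hash builder
# (ngx_hash_init): one element costs sizeof(void*) + align(keylen + 2, sizeof(void*)),
# plus one trailing pointer per bucket. Assumes a 64-bit build (8-byte pointers); the
# default bucket is the CPU cache line size, commonly 64.
set -eu

min_bucket_for_len() {              # $1 = key length in bytes -> minimum bucket size
  len=$1; ptr=8
  aligned=$(( ((len + 2 + ptr - 1) / ptr) * ptr ))
  echo $(( ptr + aligned + ptr ))
}

longest_map_key_len() {             # $1 = file containing map { } blocks
  awk '
    { sub(/#.*/, "") }                          # strip comments
    NF == 0 { next }
    $1 == "map" || $1 == "}" || $1 == "default" || $1 == "include" ||
    $1 == "hostnames;" || $1 == "volatile;" || $1 ~ /^map_hash_/ { next }
    /^[ \t]*"/ { k = $0; sub(/^[ \t]*"/, "", k); sub(/".*/, "", k) }   # quoted key
    !/^[ \t]*"/ { k = $1 }                                             # bare key
    length(k) > max { max = length(k) }
    END { print max + 0 }
  ' "$1"
}

check_map_file() {                  # $1 = map file, $2 = configured bucket size
  len=$(longest_map_key_len "$1")
  need=$(min_bucket_for_len "$len")
  if [ "$need" -gt "$2" ]; then
    echo "longest key is $len bytes: needs map_hash_bucket_size >= $need, have $2" >&2
    return 1
  fi
  echo "ok: longest key $len bytes fits map_hash_bucket_size $2 (needs $need)"
}

# Demo on a constructed file shaped like ia-enso-ollama-bearer.map.conf:
# "Bearer " + openssl rand -hex 32 is 71 bytes, which needs a 96-byte bucket.
demo=$(mktemp)
printf '%s\n' 'map $http_authorization $ia_enso_ollama_authorized {' '    default 0;' \
  '    "Bearer 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef" 1;' '}' > "$demo"
check_map_file "$demo" 64 || true   # default-sized bucket: rejected
check_map_file "$demo" 256          # value the commit prepends: fits
rm -f "$demo"
```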

View File

@ -140,6 +140,7 @@ Sur **`192.168.1.164`**, nautoriser **11434** et **3001** TCP que depuis **19
| Symptôme | Piste | | Symptôme | Piste |
|----------|--------| |----------|--------|
| `nginx -t` erreur sur `connection_upgrade` | Doublon de `map $http_upgrade $connection_upgrade` : retirer lun des blocs ou ninstaller que le `map` Bearer. | | `nginx -t` erreur sur `connection_upgrade` | Doublon de `map $http_upgrade $connection_upgrade` : retirer lun des blocs ou ninstaller que le `map` Bearer. |
| `could not build map_hash` / `map_hash_bucket_size` | Secret Bearer trop long pour la valeur par défaut ; le fichier `ia-enso-http-maps.conf` du script inclut `map_hash_bucket_size 256;` — mettre à jour le déploiement ou ajouter cette directive dans `http { }`. |
| `401` sur `/ollama/` | Secret différent entre client et `map` ; en-tête `Authorization` absent ou mal formé (`Bearer ` + secret exact). | | `401` sur `/ollama/` | Secret différent entre client et `map` ; en-tête `Authorization` absent ou mal formé (`Bearer ` + secret exact). |
| `502` / timeout | Ollama ou AnythingLLM arrêtés sur `.164` ; pare-feu ; mauvais IP/upstream dans le fichier site. | | `502` / timeout | Ollama ou AnythingLLM arrêtés sur `.164` ; pare-feu ; mauvais IP/upstream dans le fichier site. |
| Erreur SSL | Certificat absent ou chemins `ssl_certificate` incorrects pour `ia.enso.4nkweb.com`. | | Erreur SSL | Certificat absent ou chemins `ssl_certificate` incorrects pour `ia.enso.4nkweb.com`. |
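Review bot: the new `map_hash_bucket_size` row presents its two remedies as if they could be combined, but they cannot: the generated `ia-enso-http-maps.conf` already emits `map_hash_bucket_size 256;`, so also adding the directive to `http { }` as the row suggests makes nginx reject the second occurrence as a duplicate directive and `nginx -t` still fails. Suggest wording it as "update the deployment, or, if `nginx.conf` already sets the directive, remove it from the generated file", and adding that the directive has to appear before the first `map` block it should apply to, since nginx fixes the bucket size when that block is parsed.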

View File

@ -54,6 +54,10 @@ write_maps_file() {
local path="$1" local path="$1"
local with_websocket="$2" local with_websocket="$2"
{ {
cat <<'HASHOF'
# Long Bearer keys (e.g. openssl rand -hex 32) exceed default map_hash buckets.
map_hash_bucket_size 256;
HASHOF
if [[ "$with_websocket" == "1" ]]; then if [[ "$with_websocket" == "1" ]]; then
cat <<'MAPEOF' cat <<'MAPEOF'
map $http_upgrade $connection_upgrade { map $http_upgrade $connection_upgrade {
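Review bot: the heredoc writes `map_hash_bucket_size 256;` unconditionally, which collides with the example map file updated in this same commit (it declares the same directive) and with any `nginx.conf` that already sets it in `http { }`; nginx treats the second `map_hash_bucket_size` as a duplicate directive and refuses the configuration. Suggest a third parameter next to `with_websocket` (for example `local with_hash_size="$3"`) or a pre-check such as `nginx -T 2>/dev/null | grep -q map_hash_bucket_size` before emitting the line, and a comment that the generated file must be included ahead of any other `map` block, because the bucket size is frozen when the first `map` is parsed.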

View File

@ -3,6 +3,10 @@
# #
# Copy this file without the .example suffix, set a long random Bearer secret (ASCII, no double quotes). # Copy this file without the .example suffix, set a long random Bearer secret (ASCII, no double quotes).
# Cursor / OpenAI-compatible clients: Base URL .../ollama/v1 and API Key = same secret (no "Bearer " prefix). # Cursor / OpenAI-compatible clients: Base URL .../ollama/v1 and API Key = same secret (no "Bearer " prefix).
#
# Required for long Bearer strings (e.g. hex tokens); omit only if nginx already sets this in http {}.
map_hash_bucket_size 256;
map $http_authorization $ia_enso_ollama_authorized { map $http_authorization $ia_enso_ollama_authorized {
default 0; default 0;
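Review bot: the comment "omit only if nginx already sets this in http {}" should also name the generated `ia-enso-http-maps.conf` from `deploy-ia-enso-to-proxy.sh`, which now emits the same directive, so installing both files yields a duplicate-directive error; the README row in this commit already warns about a duplicated `map $http_upgrade $connection_upgrade`, and this is the same trap. It should also state that the line must stay above the `map` block (as placed here) and ahead of any earlier `map` in the http context, since nginx settles the bucket size when the first `map` block is parsed. Minor: "Bearer " plus a 64-character hex token is a 71-byte key, for which 128 already suffices; 256 is fine, but stating the actual requirement keeps readers from raising it further than needed.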

View File

@ -30,8 +30,7 @@ server {
} }
server { server {
listen 443 ssl; listen 443 ssl http2;
http2 on;
server_name ia.enso.4nkweb.com; server_name ia.enso.4nkweb.com;
ssl_certificate /etc/letsencrypt/live/ia.enso.4nkweb.com/fullchain.pem; ssl_certificate /etc/letsencrypt/live/ia.enso.4nkweb.com/fullchain.pem;
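Review bot: `listen 443 ssl http2;` is accepted by every nginx build with HTTP/2 support, so the portability claim holds, but from 1.25.1 (the release that introduced `http2 on;`) the listen parameter is deprecated and `nginx -t` logs a deprecation warning pointing at the `http2` directive; the README should mention that warning so it is not mistaken for a new error on a newer proxy. Also, the listen-parameter form enables HTTP/2 for every `server` sharing the 443 socket, whereas `http2 on;` was scoped to this one server block; worth a sentence if other vhosts on the proxy were not expected to negotiate HTTP/2.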