ia.enso nginx: templated backend IP for deploy (default .164)

**Motivations:**
- Proxy still targeted wrong host; explicit backend IP at deploy time.

**Root causes:**
- Stale or manually edited site on proxy; repo had literal IP only.

**Correctifs:**
- Upstreams use __IA_ENSO_BACKEND_IP__; deploy script substitutes IA_ENSO_BACKEND_IP (default 192.168.1.164).

**Evolutions:**
- README manual sed path; troubleshooting 502; feature doc table.

**Pages affectées:**
- deploy/nginx/sites/ia.enso.4nkweb.com.conf
- deploy/nginx/deploy-ia-enso-to-proxy.sh
- deploy/nginx/README-ia-enso.md
- docs/features/ia-enso-nginx-proxy-ollama-anythingllm.md

deploy/nginx/README-ia-enso.md

@@ -52,6 +52,7 @@ Si `nginx -t` échoue à cause d’un **doublon** `map $http_upgrade $connection
 | `IA_ENSO_PROXY_HOST` | `192.168.1.100` | Cible SSH (IP ou hostname LAN) |
 | `DEPLOY_SSH_PROXY_HOST` | `4nk.myftp.biz` | Bastion ProxyJump ; vide = SSH direct |
 | `DEPLOY_SSH_PROXY_USER` | idem proxy | Utilisateur sur le bastion |
+| `IA_ENSO_BACKEND_IP` | `192.168.1.164` | Hôte Ollama + AnythingLLM (IPv4) |
 
 Bibliothèque utilisée : `ia_dev/deploy/_lib/ssh.sh` (`BatchMode=yes`).
 
@@ -89,8 +90,15 @@ Ne pas commiter un fichier contenant le secret réel.
 
 ### 3. Fichier `server`
 
+Le fichier dans le dépôt contient le marqueur `__IA_ENSO_BACKEND_IP__`. Remplacer par l’IPv4 du backend (ex. `192.168.1.164`) avant copie, ou utiliser :
+
+```bash
+sed "s/__IA_ENSO_BACKEND_IP__/192.168.1.164/g" deploy/nginx/sites/ia.enso.4nkweb.com.conf | sudo tee /etc/nginx/sites-available/ia.enso.4nkweb.com.conf >/dev/null
+```
+
+Sans `sed` : éditer le fichier sur le proxy pour remplacer `__IA_ENSO_BACKEND_IP__` par l’IPv4 réelle, puis :
+
 ```bash
-sudo cp deploy/nginx/sites/ia.enso.4nkweb.com.conf /etc/nginx/sites-available/ia.enso.4nkweb.com.conf
 sudo ln -sf /etc/nginx/sites-available/ia.enso.4nkweb.com.conf /etc/nginx/sites-enabled/
 sudo nginx -t && sudo systemctl reload nginx
 ```
@@ -142,6 +150,6 @@ Sur **`192.168.1.164`**, n’autoriser **11434** et **3001** TCP que depuis **19
 | `nginx -t` erreur sur `connection_upgrade` | Doublon de `map $http_upgrade $connection_upgrade` : retirer l’un des blocs ou n’installer que le `map` Bearer. |
 | `could not build map_hash` / `map_hash_bucket_size` | Secret Bearer trop long pour la valeur par défaut ; le fichier `ia-enso-http-maps.conf` du script inclut `map_hash_bucket_size 256;` — mettre à jour le déploiement ou ajouter cette directive dans `http { }`. |
 | `401` sur `/ollama/` | Secret différent entre client et `map` ; en-tête `Authorization` absent ou mal formé (`Bearer ` + secret exact). |
-| `502` / timeout | Ollama ou AnythingLLM arrêtés sur `.164` ; pare-feu ; mauvais IP/upstream dans le fichier site. |
+| `502` / timeout | Ollama ou AnythingLLM arrêtés sur le backend ; pare-feu ; mauvaise IP dans `upstream` (vérifier `grep server /etc/nginx/sites-available/ia.enso.4nkweb.com.conf` sur le proxy ; redéployer avec `IA_ENSO_BACKEND_IP=192.168.1.164`). |
 | Erreur SSL / `cannot load certificate` | Certificat absent : exécuter certbot sur le proxy pour `ia.enso.4nkweb.com`, ou adapter les chemins `ssl_certificate` dans le fichier site. |
 | Cursor `ssrf_blocked` | L’hôte utilisé résout encore vers une IP privée côté infrastructure Cursor ; vérifier DNS public / NAT. |

deploy/nginx/deploy-ia-enso-to-proxy.sh

@@ -8,6 +8,7 @@
 #   IA_ENSO_SSH_KEY               SSH private key (default: ~/.ssh/id_ed25519).
 #   IA_ENSO_PROXY_USER            SSH user on proxy (default: ncantu).
 #   IA_ENSO_PROXY_HOST            Proxy IP or hostname (default: 192.168.1.100).
+#   IA_ENSO_BACKEND_IP            Ollama + AnythingLLM host IPv4 (default: 192.168.1.164).
 #   DEPLOY_SSH_PROXY_HOST         Jump host (default: 4nk.myftp.biz); empty = direct SSH to proxy.
 #   DEPLOY_SSH_PROXY_USER         Jump user (default: same as IA_ENSO_PROXY_USER).
 #
@@ -28,6 +29,7 @@ source "$SSH_LIB"
 IA_ENSO_SSH_KEY="${IA_ENSO_SSH_KEY:-${HOME}/.ssh/id_ed25519}"
 IA_ENSO_PROXY_USER="${IA_ENSO_PROXY_USER:-ncantu}"
 IA_ENSO_PROXY_HOST="${IA_ENSO_PROXY_HOST:-192.168.1.100}"
+IA_ENSO_BACKEND_IP="${IA_ENSO_BACKEND_IP:-192.168.1.164}"
 DEPLOY_SSH_PROXY_USER="${DEPLOY_SSH_PROXY_USER:-$IA_ENSO_PROXY_USER}"
 # ${VAR:-default} treats empty VAR as unset, so DEPLOY_SSH_PROXY_HOST= would wrongly become the bastion.
 if [[ ! -v DEPLOY_SSH_PROXY_HOST ]]; then
@@ -50,6 +52,11 @@ if [[ "$TOKEN" == *'"'* ]] || [[ "$TOKEN" == *'\'* ]]; then
 	exit 1
 fi
 
+if [[ ! "$IA_ENSO_BACKEND_IP" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+	echo "IA_ENSO_BACKEND_IP must be an IPv4 address (got: ${IA_ENSO_BACKEND_IP})" >&2
+	exit 1
+fi
+
 write_maps_file() {
 	local path="$1"
 	local with_websocket="$2"
@@ -84,8 +91,9 @@ trap cleanup EXIT
 try_install() {
 	local with_ws="$1"
 	write_maps_file "${TMP_DIR}/ia-enso-http-maps.conf" "$with_ws"
+	sed "s/__IA_ENSO_BACKEND_IP__/${IA_ENSO_BACKEND_IP}/g" "${SCRIPT_DIR}/sites/ia.enso.4nkweb.com.conf" >"${TMP_DIR}/ia.enso.4nkweb.com.conf"
 	scp_copy "$IA_ENSO_SSH_KEY" "${TMP_DIR}/ia-enso-http-maps.conf" "$IA_ENSO_PROXY_USER" "$IA_ENSO_PROXY_HOST" "/tmp/ia-enso-http-maps.conf"
-	scp_copy "$IA_ENSO_SSH_KEY" "${SCRIPT_DIR}/sites/ia.enso.4nkweb.com.conf" "$IA_ENSO_PROXY_USER" "$IA_ENSO_PROXY_HOST" "/tmp/ia.enso.4nkweb.com.conf"
+	scp_copy "$IA_ENSO_SSH_KEY" "${TMP_DIR}/ia.enso.4nkweb.com.conf" "$IA_ENSO_PROXY_USER" "$IA_ENSO_PROXY_HOST" "/tmp/ia.enso.4nkweb.com.conf"
 	ssh_run "$IA_ENSO_SSH_KEY" "$IA_ENSO_PROXY_USER" "$IA_ENSO_PROXY_HOST" bash <<'REMOTE'
 set -euo pipefail
 sudo install -d -m 0755 /etc/nginx/conf.d
@@ -104,6 +112,8 @@ echo "nginx reload OK"
 REMOTE
 }
 
+echo "Deploying ia.enso upstreams to ${IA_ENSO_BACKEND_IP} (Ollama :11434, AnythingLLM :3001)."
+
 if ! try_install 1; then
 	echo "Retrying with Bearer map only (websocket map likely already defined on proxy)..."
 	if ! try_install 0; then

deploy/nginx/sites/ia.enso.4nkweb.com.conf

@@ -4,15 +4,15 @@
 # - TLS certificate for ia.enso.4nkweb.com (e.g. certbot).
 # - In the main nginx `http { }` block, include the Bearer map (see http-maps/ia-enso-ollama-bearer.map.conf.example).
 #
-# Upstream: adjust IA_ENSO_BACKEND_IP if the AI host IP changes.
+# Upstream backend: replaced at deploy time (default 192.168.1.164). Manual install: replace __IA_ENSO_BACKEND_IP__.
 
 upstream ia_enso_ollama {
-    server 192.168.1.164:11434;
+    server __IA_ENSO_BACKEND_IP__:11434;
     keepalive 8;
 }
 
 upstream ia_enso_anythingllm {
-    server 192.168.1.164:3001;
+    server __IA_ENSO_BACKEND_IP__:3001;
     keepalive 8;
 }
 

docs/features/ia-enso-nginx-proxy-ollama-anythingllm.md

@@ -16,7 +16,7 @@ Expose Ollama and AnythingLLM on the public proxy hostname with HTTPS, path pref
 
 | Path | Purpose |
 |------|---------|
-| `deploy/nginx/sites/ia.enso.4nkweb.com.conf` | `server` blocks, upstreams to `192.168.1.164` (edit if host IP changes) |
+| `deploy/nginx/sites/ia.enso.4nkweb.com.conf` | `server` blocks ; upstreams use `__IA_ENSO_BACKEND_IP__` (default `192.168.1.164` substituted by `deploy-ia-enso-to-proxy.sh` or manual `sed`) |
 | `deploy/nginx/http-maps/ia-enso-ollama-bearer.map.conf.example` | Example Bearer `map` (manual install) |
 | `deploy/nginx/http-maps/websocket-connection.map.conf.example` | Example WebSocket `map` (manual install) |
 | `deploy/nginx/deploy-ia-enso-to-proxy.sh` | SSH deploy: maps + site, `nginx -t`, reload; Bearer-only retry if websocket `map` already exists |