nginx reverse proxy folder 403 error - nginx

I am running nginx as reverse proxy directly installed on the server. To access different webapps I am using sub folders. Two webapps are running in docker containers (pydio and cops).
For pydio this location commands are working; same one for cops is not working.
location ^~ /pydio {
client_max_body_size 20G;
proxy_connect_timeout 300;
proxy_send_timeout 300;
proxy_read_timeout 300;
send_timeout 300;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass http://127.0.0.1:82;
proxy_redirect off;
}
I tried different settings found by searching - none worked.
This is the latest version which results in a 403 error:
location ^~ /ebooks(.*)$ {
client_max_body_size 1G;
proxy_connect_timeout 300;
proxy_send_timeout 300;
proxy_read_timeout 300;
send_timeout 300;
rewrite ^/ebooks(/.*)$ $1 break;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host;
proxy_pass http://192.168.100.67:83$1/;
proxy_redirect off;
autoindex on;
}
And this entry in my error.log:
[error] 29235#29235: *1 directory index of "/var/www/ebooks/" is forbidden, client: 87.174.111.111, server: myadress.de, request: "GET /ebooks/ HTTP/1.1", host: "myadress.de"
When I hit 192.168.100.67:83 directly in my browser everything is working fine.
The folder /var/www/ebooks has www-data:www-data and 750 rights and it is linked with the container by the running command:
docker run ... -v /var/www/ebooks:/config ... according to this https://hub.docker.com/r/lsioarmhf/cops/
Hope I made my problem clear and you will help me. Thanks
good an bad news.
After testing a little more I found setting passing the command to docker correctly.
location ^~ /ebooks {
proxy_connect_timeout 300;
proxy_send_timeout 300;
proxy_read_timeout 300;
send_timeout 300;
rewrite ^/ebooks(/.*)$ $1 break;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:83$1;
proxy_redirect off;
}
But cops page is only displayed in a basic way (background color changes but matrix not shown)
This is error log entry:
an upstream response is buffered to a temporary file /var/lib/nginx/proxy/1/00/0000000001 while reading upstream, client: 11.114.211.38, server: myadress.de, request:: "GET /ebooks/resources/jQuery/jquery-1.11.1..js?v=1.0.1 HTTP/1.1", upstream: "http://127.0.0.1:83/resources/jQuery/jquery-1.11.1.min.js", host: "myadress.de", referrer: "https://myadress/ebooks/"
To give you a complete picture. This is nginx config of cops container.
server {
listen 80 default_server;
# listen 443 ssl;
server_name _;
# ssl_certificate /config/keys/cert.crt;
# ssl_certificate_key /config/keys/cert.key;
access_log /config/log/nginx/access_cops.log;
error_log /config/log/nginx/error_cops.log;
root /var/www/localhost/cops;
index index.php;
#Useful only for Kobo reader
location /cops/ {
rewrite ^/download/(\d+)/(\d+)/.*\.(.*)$ /fetch.php?data=$1&db=$2&type=$3 last;
rewrite ^/download/(\d+)/.*\.(.*)$ /fetch.php?data=$1&type=$2 last;
break;
}
#Can break loading the images - if you don't see anything, comment
location ~ ^/images.*\.(gif|png|ico|jpg)$ {
expires 31d;
}
#Can also break loading the images, comment if it happens
location ~ .(js|css|eot|svg|woff|ttf)$ {
expires 31d;
}
#Not necessarily correct, it depends on distro.
location ~ \.php$ {
include /etc/nginx/fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass 127.0.0.1:9000;
}
location /books {
root /;
internal;
}
}
Any ideas if I am missing something?

Related

uwsgi uwsgi flask app and nginx gives 404 not found

I got stuck. I want to deploy python dash app on my vps. I started with flask app following this tutorial:
https://www.digitalocean.com/community/tutorials/how-to-serve-flask-applications-with-uswgi-and-nginx-on-ubuntu-18-04
So I created service myproject. Checking status seems to be ok:
My nginx configuration:
server {
listen 443 ssl http2;
#listen [::]:443 ssl http2;
server_name www.mysite.com mysite.com;
root /var/www/wordpress;
index index.php;
access_log /var/log/nginx/wordpress.log;
error_log /var/log/nginx/wordpress_error.log error;
ssl_certificate_key /etc/nginx/ssl/www.XXX.key;
ssl_certificate /etc/nginx/ssl/www.XXX.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security max-age=31536000;
location / {
try_files $uri $uri/ =404;
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
}
location /shiny/ {
rewrite ^/shiny/(.*)$ /$1 break;
proxy_pass http://127.0.0.1:3838;
proxy_redirect http://127.0.0.1:3838 $scheme://$host/shiny/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_temp_file_write_size 64k;
proxy_connect_timeout 10080s;
proxy_send_timeout 10080;
proxy_read_timeout 10080;
proxy_buffer_size 64k;
proxy_buffers 16 32k;
proxy_busy_buffers_size 64k;
proxy_redirect off;
proxy_request_buffering off;
proxy_buffering off;
}
location /rstudio/ {
rewrite ^/rstudio/(.*)$ /$1 break;
proxy_pass http://127.0.0.1:8787;
proxy_redirect http://127.0.0.1:8787 $scheme://$host/rstudio/;
#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#proxy_set_header X-Real-IP $remote_addr;
#proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_http_version 1.1;
#proxy_redirect off;
proxy_buffering off;
#proxy_set_header Upgrade $http_upgrade;
#proxy_set_header Connection "upgrade";
proxy_read_timeout 86400;
}
location /myproject/ {
uwsgi_pass unix:/home/XXX/XXX/python_dash/myproject/myproject.sock;
include uwsgi_params;
}
}
But when i go to mysite.com/myproject/ I get:
However it's diffrent than regular nginx (appearing in response to misspelling):
So something is going on. Its also visible on myproject service status. Every time when I try to access it it shows a line at the bottom:
[pid: 1696|app: 0|req: 1/1] 213.134.X.XX () {58 vars in 1334 bytes} [Fri Dec 3 13:22:08 2021] GET /myproject/ => generated 232 bytes in 40 msecs (HTTP/2.0 404) 2 headers in 87 bytes (2 switches on core 0)
my myproject.ini:
[uwsgi]
module = wsgi:app
master = true
processes = 5
socket = myproject.sock
chmod-socket = 666
vacuum = true
die-on-term = true
Can you give me a hint? I got stuck on that and cant solve it...
Best regards
Tomasz
Finally found it!
#app.route must match with location in nginx config
so in my case when:
location /myproject/
app route must be:
#app.route("/myproject/")
Remember about trailing "/" because if you don't add it it will return not found if you type trailing "/" in address bar (like https://website.com/myproject/ will not work, only https://website.com/myproject)
Similar thing is with python dash, but this time #app.route (or #server.route) doesn't work. You need to add routes_pathname_prefix="/myproject/" in dash.Dash(...).
I don't understand why it works that way, but it works.

Rewrite nginx url

I am facing problem with rewriting url in nginx.
The issue is if the url contains domain/.well-known/acme-challenge/ it should be replaced by domain/folder/.well-known/acme-challenge.
How can I rewrite nginx for this so that it points to proper location.
The request for the nginx configuration works with this url:
domain/folder/.well-known/acme-challenge
but I want it to redirect when it finds something like
domain/.well-known/acme-challenge/
Here is my nginx conf:-
#upstream jboss {
# server domain:8080;
#}
server {
listen ip:80;
server_name domain;
access_log /var/log/nginx/domian_access.log;
error_log /var/log/nginx/domain_error.log warn;
# location ~* .(jpg|jpeg|png|gif|ico|css|js)$ {
# expires 365d;
#}
location /folder/ {
# ModSecurityEnabled on;
# ModSecurityConfig modsecurity.conf;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# proxy_set_header X-Forwarded-Host $host;
# proxy_set_header X-Forwarded-Server $host;
proxy_pass http://ip:8080/folder/;
proxy_connect_timeout 6000;
proxy_send_timeout 6000;
proxy_read_timeout 6000;
send_timeout 6000;
index Main.jsp index.html;
}
#index index.html ;
# try_files $uri $uri/ =404;
#error_page 500 502 503 504 /50x.html;
#location = /50x.html {
# root html;
#}
I don't think you need to rewrite the url, but to send the url to the correct folder.
.well-known/acme-challenge is known to be a challenge for ssl certificates that are made automatically (lets'encrypt), so simply set the alias to the folder where your bot writes the "challenge" and you are good to go.
location /.well-known/acme-challenge {
auth_basic off;
alias /directory/to/challenge;
default_type text/plain;
}
That way it will "accept" and respond the challenge correctly
Even if you keep wanting to rewrite it, set a redirec to to domain/folder/$request_uri line:
location /.well-known/acme-challenge {
return 301 http://$host/folder/$request_uri;
}

nginx serve static files and run server on same host

Almost have this working how I want - basically I'm trying to serve static files on host/static (including directory listings), and serve to another backend for any non-file request (including the default site). The config below seems to do this, but the ONE problem remaining is that I can't get to the root static dir with host/static - a trailing slash is required! Any ideas?
My config:
location / {
try_files /static/$uri /static/$uri/ #myserver;
}
location /static/ {
alias /var/www/static_files/;
autoindex on;
disable_symlinks off;
}
location #myserver {
proxy_pass http://localhost:8081;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_connect_timeout 150;
proxy_send_timeout 100;
proxy_read_timeout 100;
proxy_buffers 4 32k;
client_max_body_size 8m;
client_body_buffer_size 128k;
}
As #RichardSmith said - to get this behavior, just remove the trailing slash from the location and alias statements.

How to use Nginx proxy with multi sites and two servers?

I've installed nginx proxy in a VPS (Ubuntu 12.04 + Nginx 1.1.19) in order to send requests:
A- from (site1.com, site2.com and site3.com) to SERVER_A
B- from (site4.com, site5.com and site6.com) to SERVER_B
I used /etc/nginx/proxy.confg file with content:
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
client_max_body_size 10m;
client_body_buffer_size 128k;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffers 32 4k;
also in /etc/nginx/sites-enabled I created first file configuration with:
server {
listen 80;
server_name site1.com site2.com site3.com;
access_log /var/log/nginx/access.log;
location / {
proxy_pass http://IP_of_SERVER_A/;
include /etc/nginx/proxy.conf;
}
}
It works fine till here. The problem comes when I try to add second file configuration with:
server {
listen 80;
server_name site4.com site5.com site6.com;
access_log /var/log/nginx/access.log;
location / {
proxy_pass http://IP_of_SERVER_B/;
include /etc/nginx/proxy.conf;
}
}
Now:
sites in second file doesn't works and all requests from (site4.com, site5.com site6.com) goes to server_A too.
Any help to add missing parts?

Setting Up Uberjar with Nginx on Digital Ocean VPS

I used the instructions on the following link:
"Hosting Clojure Web Apps in 7 Easy Steps"
I know the uberjar works because i tested it both on my dev machine and the VPS.
It's just that Nginx doesn't seem to be able to find it.
I suspect that it has something to do with this site code:
# Web sockets
location /chsk {
proxy_pass http://backend/chsk;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
...but I don't know how to correct it...thanks for the help!
One other thing: on the "upstream backend" in the site file i tried both 127.0.0.1:3000 AND 0.0.0.0:3000 with no success.
Here's the default site config:
server {
# Replace this port with the right one for your requirements
listen [::]:80 ipv6only=off;
# Multiple hostnames separated by spaces. Replace these as well.
server_name clmitchell.net www.clmitchell.net main.clmitchell.net
books.clmitchell.net dna.clmitchell.net help.clmitchell.net
history.clmitchell.net svcs.clmitchell.net;
server_name_in_redirect off;
root /data/nginx/www/$host;
error_page 401 /error/401.shtml;
error_page 402 /error/402.shtml;
error_page 403 /error/403.shtml;
error_page 404 /error/404.shtml;
error_page 500 501 502 503 504 /error/500.shtml;
location ^~ /error/ {
internal;
root /data/nginx/www/www.clmitchell.net;
}
access_log /var/log/nginx/$host-access.log;
error_log /var/log/nginx/error.log;
index index.php index.html index.htm default.html default.htm;
# Support Clean (aka Search Engine Friendly) URLs
location / {
try_files $uri $uri/ /index.php?$args;
}
# serve static files directly
location ~* \.(jpg|jpeg|gif|css|png|js|ico)$ {
access_log off;
expires max;
}
location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
include fastcgi_params;
}
location ~ \.scm$ {
include fastcgi_params;
fastcgi_intercept_errors on;
# By all means use a different server for the fcgi processes if you need to
fastcgi_pass 127.0.0.1:9981;
}
location ~ /\.ht {
deny all;
}
}
I removed history.clmitchell.net from the list of server names.
Here's the current history site config:
upstream backend {
server 104.131.29.212:3000 fail_timeout=0;
}
server{
listen [::]:80 ipv6only=off;
server_name localhost history.clmitchell.net;
access_log /var/log/hist_access.log;
error_log /var/log/hist_error.log;
root /var//resources/public;
# Web sockets
location /chsk {
proxy_pass http://backend/chsk;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
# Static assets
location / {
try_files $uri #backend;
}
# The backend server
location #backend {
proxy_pass http://backend;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_redirect off;
}
}
there was a duplicate "listen" directive on the history site config, which i removed...but for some reason I'm still getting the error: '
sudo nginx -t
nginx: [emerg] duplicate listen options for [::]:80 in /etc/nginx/sites-enabled/hist:6
nginx: configuration file /etc/nginx/nginx.conf test failed
Please try
proxy_pass http://backend;
And make sure you can access http://127.0.0.1:3000/chsk if your upstream is defined as below
upstream backend {
server 127.0.0.1:3000;
}
Or if we has only one backend server we can just use proxy_pass without upstream backend defined. e.g.
proxy_pass http://127.0.0.1:3000;
I learned a new lesson today: no two sites on a Nginx web server can have the same listen port!
I moved the new site to a new port and updated all the links...PROBLEM SOLVED!

Resources