Problem/issue

NGINX is throwing a 403 Forbidden error when I try navigating to /app. I am trying to run a static website (under /app) along with my containerized applications. All are under the same domain in this environment. I have NGINX redirecting traffic from /app to /root/gotti/volumes/html/tcgsniper-app, which contains my static site files. I am doing this with an NGINX config on my domain (tcgsniper.com - see below). Right now, it's a basic hello world in an index.html file.

Permissions of /root/gotti/volumes/html/tcgsniper-app

total 12
drwxr-xr-x  3 root root 4096 Dec 17 17:21 .
drwxr-xr-x 10 root root 4096 Jan 27  2023 ..
drwxr-xr-x  2 root root 4096 Dec 17 17:30 tcgsniper-app

Permissions of /root/gotti/volumes/html/tcgsniper-app

total 12
drwxr-xr-x 2 root root 4096 Dec 17 17:30 .
drwxr-xr-x 3 root root 4096 Dec 17 17:21 ..
-rwxr-xr-x 1 root root   13 Dec 17 17:30 index.html
nginx-proxy-compose.yaml

Compose file responsible for the NGINX proxy and the SSL companion container

version: "2"
services:
  nginx-proxy:
    restart: always
    image: jwilder/nginx-proxy
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "~/gotti/volumes/nginx-configs:/etc/nginx/vhost.d"
      - "~/gotti/volumes/html:/usr/share/nginx/html"
      - "/var/run/docker.sock:/tmp/docker.sock:ro"
      - "~/gotti/volumes/certs:/etc/nginx/certs"
  letsencrypt-nginx-proxy-companion:
    restart: always
    image: jrcs/letsencrypt-nginx-proxy-companion
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "~/gotti/volumes/acme:/etc/acme.sh"
    volumes_from:
      - "nginx-proxy"
    environment:
      - DEFAULT_EMAIL=help@tcgsniper.com

tcgsniper-web-compose.yaml

My containerized application compose file.

#com.tcgsniper.web:latest will be provided by the pipeline via SSH
#go-web-app is simple GO app that should run if everything is healthy
version: "2"
services:
  com.tcgsniper.web:
    restart: always
    image: com.tcgsniper.web:latest
    environment:
      - VIRTUAL_HOST=tcgsniper.com
      - LETSENCRYPT_HOST=tcgsniper.com
  go-web-app:
    restart: always
    build:
      dockerfile: Dockerfile
      context: .
    environment:
      - VIRTUAL_HOST=go.tcgsniper.com
      - LETSENCRYPT_HOST=go.tcgsniper.com

nginx config for tcgsniper.com

## Start of configuration add by letsencrypt container
location ^~ /.well-known/acme-challenge/ {
    auth_basic off;
    auth_request off;
    allow all;
    root /usr/share/nginx/html;
    try_files $uri =404;
    break;
}
## End of configuration add by letsencrypt container
# reverse proxy for ghost
location /help {
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $http_host;
    proxy_pass http://ghost:2368;
    proxy_redirect off;
}
# reverse proxy for app
location /app {
    alias /root/gotti/volumes/html/tcgsniper-app;
    autoindex on;
}
NGINX -T

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
events {
    worker_connections 10240;
}
http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    sendfile on;
    #tcp_nopush on;
    keepalive_timeout 65;
    #gzip on;
    include /etc/nginx/conf.d/*.conf;
}
daemon off;
# configuration file /etc/nginx/mime.types:
types {
    text/html html htm shtml;
    text/css css;
    text/xml xml;
    image/gif gif;
    image/jpeg jpeg jpg;
    application/javascript js;
    application/atom+xml atom;
    application/rss+xml rss;
    text/mathml mml;
    text/plain txt;
    text/vnd.sun.j2me.app-descriptor jad;
    text/vnd.wap.wml wml;
    text/x-component htc;
    image/png png;
    image/svg+xml svg svgz;
    image/tiff tif tiff;
    image/vnd.wap.wbmp wbmp;
    image/webp webp;
    image/x-icon ico;
    image/x-jng jng;
    image/x-ms-bmp bmp;
    font/woff woff;
    font/woff2 woff2;
    application/java-archive jar war ear;
    application/json json;
    application/mac-binhex40 hqx;
    application/msword doc;
    application/pdf pdf;
    application/postscript ps eps ai;
    application/rtf rtf;
    application/vnd.apple.mpegurl m3u8;
    application/vnd.google-earth.kml+xml kml;
    application/vnd.google-earth.kmz kmz;
    application/vnd.ms-excel xls;
    application/vnd.ms-fontobject eot;
    application/vnd.ms-powerpoint ppt;
    application/vnd.oasis.opendocument.graphics odg;
    application/vnd.oasis.opendocument.presentation odp;
    application/vnd.oasis.opendocument.spreadsheet ods;
    application/vnd.oasis.opendocument.text odt;
    application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
    application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
    application/vnd.wap.wmlc wmlc;
    application/wasm wasm;
    application/x-7z-compressed 7z;
    application/x-cocoa cco;
    application/x-java-archive-diff jardiff;
    application/x-java-jnlp-file jnlp;
    application/x-makeself run;
    application/x-perl pl pm;
    application/x-pilot prc pdb;
    application/x-rar-compressed rar;
    application/x-redhat-package-manager rpm;
    application/x-sea sea;
    application/x-shockwave-flash swf;
    application/x-stuffit sit;
    application/x-tcl tcl tk;
    application/x-x509-ca-cert der pem crt;
    application/x-xpinstall xpi;
    application/xhtml+xml xhtml;
    application/xspf+xml xspf;
    application/zip zip;
    application/octet-stream bin exe dll;
    application/octet-stream deb;
    application/octet-stream dmg;
    application/octet-stream iso img;
    application/octet-stream msi msp msm;
    audio/midi mid midi kar;
    audio/mpeg mp3;
    audio/ogg ogg;
    audio/x-m4a m4a;
    audio/x-realaudio ra;
    video/3gpp 3gpp 3gp;
    video/mp2t ts;
    video/mp4 mp4;
    video/mpeg mpeg mpg;
    video/quicktime mov;
    video/webm webm;
    video/x-flv flv;
    video/x-m4v m4v;
    video/x-mng mng;
    video/x-ms-asf asx asf;
    video/x-ms-wmv wmv;
    video/x-msvideo avi;
}
# configuration file /etc/nginx/conf.d/default.conf:
# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
# scheme used to connect to this server
map $http_x_forwarded_proto $proxy_x_forwarded_proto {
    default $http_x_forwarded_proto;
    '' $scheme;
}
# If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
# server port the client connected to
map $http_x_forwarded_port $proxy_x_forwarded_port {
    default $http_x_forwarded_port;
    '' $server_port;
}
# If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any
# Connection header that may have been passed to this server
map $http_upgrade $proxy_connection {
    default upgrade;
    '' close;
}
# Apply fix for very long server names
server_names_hash_bucket_size 128;
# Default dhparam
ssl_dhparam /etc/nginx/dhparam/dhparam.pem;
# Set appropriate X-Forwarded-Ssl header based on $proxy_x_forwarded_proto
map $proxy_x_forwarded_proto $proxy_x_forwarded_ssl {
    default off;
    https on;
}
gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
log_format vhost '$host $remote_addr - $remote_user [$time_local] '
                 '"$request" $status $body_bytes_sent '
                 '"$http_referer" "$http_user_agent" '
                 '"$upstream_addr"';
access_log off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers off;
resolver 127.0.0.11;
# HTTP 1.1 support
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $proxy_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
# Mitigate httpoxy attack (see README for details)
proxy_set_header Proxy "";
server {
    server_name _; # This is just an invalid value which will never trigger on a real hostname.
    server_tokens off;
    listen 80;
    access_log /var/log/nginx/access.log vhost;
    return 503;
}
server {
    server_name _; # This is just an invalid value which will never trigger on a real hostname.
    server_tokens off;
    listen 443 ssl http2;
    access_log /var/log/nginx/access.log vhost;
    return 503;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ssl_certificate /etc/nginx/certs/default.crt;
    ssl_certificate_key /etc/nginx/certs/default.key;
}
# go.tcgsniper.com
upstream go.tcgsniper.com-upstream {
    ## Can be connected with "gotti_default" network
    # gotti_go-web-app_1
    server 172.18.0.2:80;
}
server {
    server_name go.tcgsniper.com;
    listen 80 ;
    access_log /var/log/nginx/access.log vhost;
    # Do not HTTPS redirect Let'sEncrypt ACME challenge
    location ^~ /.well-known/acme-challenge/ {
        auth_basic off;
        auth_request off;
        allow all;
        root /usr/share/nginx/html;
        try_files $uri =404;
        break;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}
server {
    server_name go.tcgsniper.com;
    listen 443 ssl http2 ;
    access_log /var/log/nginx/access.log vhost;
    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ssl_certificate /etc/nginx/certs/go.tcgsniper.com.crt;
    ssl_certificate_key /etc/nginx/certs/go.tcgsniper.com.key;
    ssl_dhparam /etc/nginx/certs/go.tcgsniper.com.dhparam.pem;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/certs/go.tcgsniper.com.chain.pem;
    add_header Strict-Transport-Security "max-age=31536000" always;
    include /etc/nginx/vhost.d/default;
    location / {
        proxy_pass http://go.tcgsniper.com-upstream;
    }
}
# tcgsniper.com
upstream tcgsniper.com-upstream {
    ## Can be connected with "gotti_default" network
    # gotti_com.tcgsniper.web_1
    server 172.18.0.6:80;
}
server {
    server_name tcgsniper.com;
    listen 80 ;
    access_log /var/log/nginx/access.log vhost;
    # Do not HTTPS redirect Let'sEncrypt ACME challenge
    location ^~ /.well-known/acme-challenge/ {
        auth_basic off;
        auth_request off;
        allow all;
        root /usr/share/nginx/html;
        try_files $uri =404;
        break;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}
server {
    server_name tcgsniper.com;
    listen 443 ssl http2 ;
    access_log /var/log/nginx/access.log vhost;
    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ssl_certificate /etc/nginx/certs/tcgsniper.com.crt;
    ssl_certificate_key /etc/nginx/certs/tcgsniper.com.key;
    ssl_dhparam /etc/nginx/certs/tcgsniper.com.dhparam.pem;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/certs/tcgsniper.com.chain.pem;
    add_header Strict-Transport-Security "max-age=31536000" always;
    include /etc/nginx/vhost.d/tcgsniper.com;
    location / {
        proxy_pass http://tcgsniper.com-upstream;
    }
}
# configuration file /etc/nginx/vhost.d/default:
## Start of configuration add by letsencrypt container
location ^~ /.well-known/acme-challenge/ {
    auth_basic off;
    auth_request off;
    allow all;
    root /usr/share/nginx/html;
    try_files $uri =404;
    break;
}
## End of configuration add by letsencrypt container
# configuration file /etc/nginx/vhost.d/tcgsniper.com:
## Start of configuration add by letsencrypt container
location ^~ /.well-known/acme-challenge/ {
    auth_basic off;
    auth_request off;
    allow all;
    root /usr/share/nginx/html;
    try_files $uri =404;
    break;
}
## End of configuration add by letsencrypt container
# reverse proxy for ghost
location /help {
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $http_host;
    proxy_pass http://ghost:2368;
    proxy_redirect off;
}
# reverse proxy for app
location /app {
    alias /root/gotti/volumes/html/tcgsniper-app;
    autoindex on;
}
NGINX proxy version

Not sure... but docker ps says it was created 10 months ago... Happy to provide with a little more guidance.
Replies: 2 comments
Hi. Serving static site from the Docker host's filesystem is not an advertised feature of nginx-proxy, so I'm converting this to a discussion.
I found a fix. I needed to change the alias path for /app from the volume folder on the host to the path the volume is mapped to inside the NGINX container.

nginx config for tcgsniper.com

From

/root/gotti/volumes/html/tcgsniper-app;

To

/usr/share/nginx/html/tcgsniper-app;

Obviously, Docker Volumes placed the file in the Docker container, I just had to specify its path.

Because I was getting an HTTP 403 error, I gave chmod 777 permissions to this folder for debugging purposes. Now, I need to figure out what permissions are appropriate. It looks like NGINX/Docker needs 755 to read static HTML files.

chmod -R 755 html/
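The two points in this answer (the alias must name the path as seen inside the container, and the debugging chmod 777 should be replaced by something tighter) can be checked mechanically. The POSIX shell helper below is an added example, not code from this discussion or from the nginx-proxy project. It assumes the compose mapping ~/gotti/volumes/html:/usr/share/nginx/html with ~ expanding to /root (the host listings in the question are under /root/gotti), that nginx workers run as the nginx user (user nginx; in the nginx -T output) while the files are owned by root, so only the "other" permission class matters to nginx, and that the vhost file lives at ~/gotti/volumes/nginx-configs/tcgsniper.com on the host. The function names container_path, mode_status, least_privilege_mode and app_location are mine.

```shell
#!/bin/sh
# Added example (not from the discussion or from nginx-proxy): translate the
# host-side alias path into the container-side path, as the fix above does, and
# classify file modes so chmod 777 can be replaced by least privilege.
# Assumptions: bind mount /root/gotti/volumes/html -> /usr/share/nginx/html;
# nginx workers run as `nginx` (user nginx;) and the files are root-owned, so
# the "other" permission bits are the ones nginx is subject to.

# container_path HOST_DIR CONTAINER_DIR HOST_PATH
# Prints the path nginx sees inside the container for HOST_PATH, which must lie
# under the HOST_DIR side of the bind mount; anything outside it is invisible
# to nginx, so that is reported as an error instead of guessed.
container_path() {
  host_dir=${1%/}; container_dir=${2%/}; host_path=$3
  case "$host_path" in
    "$host_dir"|"$host_dir"/*) ;;
    *) echo "error: $host_path is not under the mount $host_dir" >&2; return 1 ;;
  esac
  printf '%s%s\n' "$container_dir" "${host_path#"$host_dir"}"
}

# mode_status OCTAL KIND   (three octal digits; KIND is "file" or "dir")
# Prints one of: ok, too-permissive, unreadable-by-nginx, invalid.
mode_status() {
  mode=$1; kind=$2
  case "$mode" in [0-7][0-7][0-7]) ;; *) echo invalid; return 0 ;; esac
  group=${mode%?}; group=${group#?}   # middle digit
  other=${mode#??}                    # last digit
  # A write bit for group or other lets any other account that can reach the
  # volume change the served pages; 777 was only ever a debugging setting.
  if [ $(( group & 2 )) -ne 0 ] || [ $(( other & 2 )) -ne 0 ]; then
    echo too-permissive; return 0
  fi
  # nginx needs read (r) on files and read+search (r-x) on directories.
  need=4
  [ "$kind" = dir ] && need=5
  if [ $(( other & need )) -ne "$need" ]; then
    echo unreadable-by-nginx; return 0
  fi
  echo ok
}

# least_privilege_mode KIND: what to use instead of 777 (and instead of a
# blanket -R 755, which leaves every HTML file executable for no reason).
least_privilege_mode() {
  [ "$1" = dir ] && echo 755 || echo 644
}

# app_location CONTAINER_PATH
# Prints the replacement /app location: container-side alias, trailing slash
# on both the prefix and the alias so the mapping is exact, directory listing
# off, and an explicit redirect for the bare /app (a prefix location ending in
# "/" does not match /app on its own, which would otherwise fall to location /).
app_location() {
  printf 'location = /app {\n    return 301 /app/;\n}\n'
  printf 'location /app/ {\n    alias %s/;\n    index index.html;\n    autoindex off;\n}\n' "${1%/}"
}

# Demo with the values from the discussion.
app=$(container_path /root/gotti/volumes/html /usr/share/nginx/html \
                     /root/gotti/volumes/html/tcgsniper-app)
app_location "$app"
for m in "777 dir" "755 dir" "644 file" "700 dir"; do
  set -- $m
  printf '%s %s -> %s (use %s)\n' "$1" "$2" "$(mode_status "$1" "$2")" "$(least_privilege_mode "$2")"
done
# After writing the block into ~/gotti/volumes/nginx-configs/tcgsniper.com
# (assumed location), validate and reload inside the proxy container:
#   docker compose -f nginx-proxy-compose.yaml exec nginx-proxy nginx -t
#   docker compose -f nginx-proxy-compose.yaml exec nginx-proxy nginx -s reload
```

The apply step on the host, with the same assumptions, is find html/ -type d -exec chmod 755 {} + and find html/ -type f -exec chmod 644 {} +, which gives nginx exactly the read and search bits it needs and nothing more; any later 403 is then a path problem, not a permission one, and the container_path check above is the first thing to run.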