NGINX 403 Forbidden - CentOS - Certbot

Hello,

I have been trying to figure this out for hours on end now, and can’t figure out what is happening.

I followed this tutorial: https://linuxize.com/post/secure-nginx-with-let-s-encrypt-on-centos-7/

My server is running CentOS7 of course with NGINX. After following the entire thing and debugging what is going on for hours I am stuck!

I am now getting a 403 Forbidden when visiting the subdomain we installed the Cert on. Below are my nginx.conf file and my sites conf file from /etc/nginx/conf.d

Any help would be much appreciated! I can’t access my site because we force redirection to HTTPS of course and getting the 403. /var/www/pterodactyl/public is the root of my website.

NGINX.CONF:

```nginx
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;

    server {
        listen       80 default_server;
        listen       [::]:80 default_server;
        server_name  _;
        root         /var/www/pterodactyl/public;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
        }

        error_page 404 /404.html;
            location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }

    # Settings for a TLS enabled server.

    server {
        listen       443 ssl http2 default_server;
        listen       [::]:443 ssl http2 default_server;
        server_name  _;
        root         /var/www/pterodactyl/public;

        ssl_certificate "/etc/pki/nginx/server.crt";
        ssl_certificate_key "/etc/pki/nginx/private/server.key";
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout  10m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
        }

        error_page 404 /404.html;
            location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }
}
```

And then my sites config:

```nginx
server {
    listen 80;
    server_name www.panel.example.com panel.example.com;

    include snippets/letsencrypt.conf;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name www.panel.example.com;

    ssl_certificate /etc/letsencrypt/live/panel.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/panel.example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/panel.example.com/fullchainchain.pem;
    include snippets/ssl.conf;
    include snippets/letsencrypt.conf;

    return 301 https://panel.example.com$request_uri;
}

server {
    listen 443 ssl http2;
    server_name panel.example.com;

    ssl_certificate /etc/letsencrypt/live/panel.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/panel.example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/panel.example.com/chain.pem;
    include snippets/ssl.conf;
    include snippets/letsencrypt.conf;

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    access_log off;
    error_log  /var/log/nginx/pterodactyl.app-error.log error;

    # allow larger file uploads and longer script runtimes
    client_max_body_size 100m;
    client_body_timeout 120s;

    sendfile off;

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php-fpm/pterodactyl.sock;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param PHP_VALUE "upload_max_filesize = 100M \n post_max_size=100M";
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param HTTP_PROXY "";
        fastcgi_intercept_errors off;
        fastcgi_buffer_size 16k;
        fastcgi_buffers 4 16k;
        fastcgi_connect_timeout 300;
        fastcgi_send_timeout 300;
        fastcgi_read_timeout 300;
    }

    location ~ /\.ht {
        deny all;
    }
}
```

My letsencrypt file and ssl file match that tutorial. Of course example.com is replaced with my domain!

Thank you for any help!!

Maybe the error logs have more info about the forbidden error?

/var/log/nginx/error.log
/var/log/nginx/pterodactyl.app-error.log

I don’t see where you define the root for panel.example.com.
Nor even a location /
Perhaps it is included in some other file…
Maybe a review of the full config dump would show more: nginx -T

Tried that not really seeing much!

in the pterodactyl.app-error.log just getting:

```
2020/01/24 23:13:56 [error] 8133#0: *193 directory index of "/usr/share/nginx/html/" is forbidden, client: xx.x.xx.xxx, server: panel.example.com, request: "GET / HTTP/2.0", host: "panel.example.com"
```
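
The reply above points out that the panel.example.com block defines no root, and the error log shows nginx looking in /usr/share/nginx/html/ rather than /var/www/pterodactyl/public. As an added example (not code from the thread or from nginx), this Python sketch scans configuration text such as the output of `nginx -T` for server blocks that serve content without a server-level `root`. The sample config is constructed, and the check assumes no `root` is inherited from the http level and no quoted value contains braces, semicolons or `#`.

```python
import re

# Constructed sample, trimmed from the vhost layout posted in the thread.
SAMPLE = r'''
server {
    server_name www.panel.example.com panel.example.com;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl http2;
    server_name panel.example.com;
    location ~ \.php$ { fastcgi_pass unix:/var/run/php-fpm/pterodactyl.sock; }
}
server {
    server_name _;
    root /var/www/pterodactyl/public;
}
'''

def server_blocks(conf):
    """Yield the body of each `server { ... }` block via brace matching."""
    conf = re.sub(r'#[^\n]*', '', conf)  # drop comments (assumes no '#' in values)
    for m in re.finditer(r'(?<![\w$])server\s*\{', conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {'{': 1, '}': -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def top_level(body):
    """Map directive name -> arguments for directives at depth 0 of a block."""
    found, depth, buf = {}, 0, ''
    for ch in body:
        if ch in '{}':
            # entering or leaving a nested block; its header text is not a directive
            depth, buf = depth + (1 if ch == '{' else -1), ''
        elif depth == 0 and ch == ';':
            parts = buf.split(None, 1)
            if parts:
                found[parts[0]] = parts[1].strip() if len(parts) > 1 else ''
            buf = ''
        elif depth == 0:
            buf += ch
    return found

def servers_without_root(conf):
    """server_name of each block that serves content but sets no server-level root."""
    blocks = map(top_level, server_blocks(conf))
    return [d.get('server_name', '(unnamed)') for d in blocks
            if 'root' not in d and 'return' not in d]
```

Blocks that only redirect with `return` are skipped; a block that only proxies requests would still be flagged and needs a manual look.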

Those really should get fixed before proceeding.

Does nginx -T still show any errors?

@rg305 I think it’s better to continue this thread in the second thread about the same thing @nickev has started today

Sounds good :slight_smile: