Dtikoli
November 4, 2023, 10:43am
1
My domain is: https://clinicbase.tech/home
I ran this command: https://clinicbase.tech/static/images/Logo.png
It produced this output: 403 Forbidden
My web server is (include version):nginx/1.18.0 (Ubuntu)
The operating system my web server runs on is (include version): Ubuntu 22.04 (LTS) x64
My hosting provider, if applicable, is: Dot Tech
I can login to a root shell on my machine (yes or no, or I don't know): No, it's disabled
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.21.0
Dtikoli
November 4, 2023, 10:46am
2
Nginx is denied permission to serve the static content to browers, though I can access the locally using curl.
Below are the static file permissions:dtikoli@ubuntu-89:~/ClinicBase/dashboards/static$ lsimages scripts stylesdtikoli@ubuntu-89:~/ClinicBase/dashboards/static$ ls -l *
images:
total 100
-rw-r--r-- 1 www-data www-data 0 Nov 3 13:51 doctor.jpg
-rw-r--r-- 1 www-data www-data 98428 Nov 3 01:41 Logo.png
scripts:
total 8
-rw-r--r-- 1 www-data www-data 603 Nov 3 20:50 admin.js
-rw-r--r-- 1 www-data www-data 892 Nov 4 06:17 main.js
styles:
total 16
-rw-r--r-- 1 www-data www-data 1179 Nov 3 01:41 base.css
-rw-r--r-- 1 www-data www-data 1165 Nov 3 01:41 login.css
-rw-r--r-- 1 www-data www-data 1092 Nov 3 10:35 main.css
-rw-r--r-- 1 www-data www-data 800 Nov 3 10:36 tab-links.css
Dtikoli
November 4, 2023, 10:47am
3
Below is the nginx cofiguration file for my application:
# Nginx configuration
server {
root /home/dtikoli/ClinicBase/dashboards;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
server_name www.clinicbase.tech clinicbase.tech; # managed by Certbot
location / {
include proxy_params;
proxy_pass http://127.0.0.1:8000;
}
location /static/ {
alias /home/dtikoli/ClinicBase/dashboards/static/;
}
error_page 404 /custom_404.html;
location = /custom_404.html {
root /usr/share/nginx/html;
internal;
}
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/clinicbase.tech/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/clinicbase.tech/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = www.clinicbase.tech) {
return 301 https://$host$request_uri;
} # managed by Certbot
if ($host = clinicbase.tech) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80 ;
listen [::]:80 ;
server_name www.clinicbase.tech clinicbase.tech;
return 404; # managed by Certbot
}
rg305
November 4, 2023, 10:55am
4
Hi @Dtikoli , and welcome to the LE community forum
Please show the complete nginx config:
nginx -TAlso, this file is empty:
2 Likes
Dtikoli
November 4, 2023, 11:16am
5
Thanks for the feedback. I am not using that particlar image, but thanks for pointing it out. The, images, CSS and javascripts are not being served by nginx to browsers. For instance, "https://clinicbase.tech/static/images/Logo.png " produces 403 forbidden error in the browser, though the exact same content is served locally with curl.
The nginx -T command ran successfully. It didnt' output any errors. I don't know if there's something you think I should do with the output.
1 Like
rg305
November 4, 2023, 11:31am
6
Please ensure it is a capital "T" not a lower case "t"nging -tnginx -T
2 Likes
Dtikoli
November 4, 2023, 11:51am
7
Please I did use the capital there. It displayed the contents of all related configuration files on the terminal: See below.
dtikoli@ubuntu-89:~/ClinicBase/dashboards/templates$ sudo nginx -T
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}
# configuration file /etc/nginx/modules-enabled/50-mod-http-geoip2.conf:
load_module modules/ngx_http_geoip2_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-http-image-filter.conf:
load_module modules/ngx_http_image_filter_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf:
load_module modules/ngx_http_xslt_filter_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-mail.conf:
load_module modules/ngx_mail_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-stream.conf:
load_module modules/ngx_stream_module.so;
# configuration file /etc/nginx/modules-enabled/70-mod-stream-geoip2.conf:
load_module modules/ngx_stream_geoip2_module.so;
# configuration file /etc/nginx/mime.types:
types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;
text/mathml mml;
text/plain txt;
text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml;
text/x-component htc;
image/png png;
image/tiff tif tiff;
image/vnd.wap.wbmp wbmp;
image/x-icon ico;
image/x-jng jng;
image/x-ms-bmp bmp;
image/svg+xml svg svgz;
image/webp webp;
application/font-woff woff;
application/java-archive jar war ear;
application/json json;
application/mac-binhex40 hqx;
application/msword doc;
application/pdf pdf;
application/postscript ps eps ai;
application/rtf rtf;
application/vnd.apple.mpegurl m3u8;
application/vnd.ms-excel xls;
application/vnd.ms-fontobject eot;
application/vnd.ms-powerpoint ppt;
application/vnd.wap.wmlc wmlc;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/x-7z-compressed 7z;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-perl pl pm;
application/x-pilot prc pdb;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert der pem crt;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xspf+xml xspf;
application/zip zip;
application/octet-stream bin exe dll;
application/octet-stream deb;
application/octet-stream dmg;
application/octet-stream iso img;
application/octet-stream msi msp msm;
application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;
audio/midi mid midi kar;
audio/mpeg mp3;
audio/ogg ogg;
audio/x-m4a m4a;
audio/x-realaudio ra;
video/3gpp 3gpp 3gp;
video/mp2t ts;
video/mp4 mp4;
video/mpeg mpeg mpg;
video/quicktime mov;
video/webm webm;
video/x-flv flv;
video/x-m4v m4v;
video/x-mng mng;
video/x-ms-asf asx asf;
video/x-ms-wmv wmv;
video/x-msvideo avi;
}
# configuration file /etc/nginx/sites-enabled/default:
# Nginx configuration
server {
root /home/dtikoli/ClinicBase/dashboards;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
server_name www.clinicbase.tech clinicbase.tech; # managed by Certbot
location / {
include proxy_params;
proxy_pass http://127.0.0.1:8000;
}
location /static {
alias /home/dtikoli/ClinicBase/dashboards/static;
}
error_page 404 /custom_404.html;
location = /custom_404.html {
root /usr/share/nginx/html;
internal;
}
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/clinicbase.tech/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/clinicbase.tech/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = www.clinicbase.tech) {
return 301 https://$host$request_uri;
} # managed by Certbot
if ($host = clinicbase.tech) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80 ;
listen [::]:80 ;
server_name www.clinicbase.tech clinicbase.tech;
return 404; # managed by Certbot
}
# configuration file /etc/nginx/proxy_params:
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# configuration file /etc/letsencrypt/options-ssl-nginx.conf:
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.
ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
The static contents of the application are served to browsers after I removed the below from the server block within the nginx configuration file. I however wished I could let nginx serve static content directly without involving gunicon.
location /static/ {
Your certificate is not affecting that. You might want to visit a gunicorn or nginx forum for help on that.
Or, try just using root instead of alias like the nginx docs suggest for that specific situation.
http://nginx.org/en/docs/http/ngx_http_core_module.html#alias
3 Likes
Osiris
November 4, 2023, 5:09pm
11
I don't know if anything has changed with the nginx configuration, but I can receive Logo.png without any issue currently.
1 Like
Dtikoli
November 4, 2023, 6:38pm
12
Sure. I will try the nginx or gunicorn forum.
Sing the root didn't help either.
Dtikoli
November 4, 2023, 6:39pm
13
Yeah, something has changed. I took away the below from the server block, so gunicorn is doing all the work.
location /static/ {
MikeMcQ
November 4, 2023, 6:52pm
14
That isn't exactly the same as you showed in the nginx -T (shown below). Did you change the right place?
3 Likes
Dtikoli
November 4, 2023, 6:54pm
15
Sure. I tried both at a point, but they're the same. I took that part of completely
1 Like
Osiris
November 4, 2023, 7:12pm
16
Hm, but that location directive would NOT have been affected by adding/removing the certificate.
I'm not really that familiar with nginx, but Apache would provide an actual reason for the 403. Maybe you should look in the nginx logs what nginx provides as the reason for the 403. And if there isn't anything present about that. maybe nginx logging needs to be set to more verbose logging (temporarily).
2 Likes
Dtikoli
November 4, 2023, 7:17pm
17
It might not be due to the certificate as you rightly said. But I used sudo certbot --nginx to reconfigure the nginx server block after installing the cerbot, so I thought, maybe, it could be a possible reason.
The nginx error logs doesn't say much. It's say nginx doesn't have permission to the static content. It appears everything has to be routed through gunicorn.
Osiris
November 4, 2023, 7:19pm
18
Dtikoli:
It might not be due to the certificate as you rightly said. But I used sudo certbot --nginx to reconfigure the nginx server block after installing the cerbot, so I thought, maybe, it could be a possible reason.
It could certainly be. It wouldn't be the first time the Certbot nginx (or Apache) configuration logic somehow messes up the HTTP to HTTPS migration of the directives. But I'm doubting very much such a simple location directive would be among those and looking at the directive in your current situation, it doesn't look incorrect.
Does nginx also use things like the <Directory> directive of Apache?
rg305
November 5, 2023, 7:24am
20
I would try using:
location /static {
# to avoid being proxied
# do nothing (special) at all
}
2 Likes
