403 Forbidden (NGINX): several apps affected

What type of hardware are you using: Old laptop or computer
What YunoHost version are you running: 11.1.4 testing
How are you able to access your server: SSH

Describe your issue

Hi there wizards ;)
I can't access several apps and I don't know when that started. All I get is a white page with 403 Forbidden (nginx).
There are a few topics like this on the forum but none of these solutions worked for me.
Is that a problem with the beta version or is there another reason?

Thanks for any help!!

greetings

Share relevant logs or error messages

nginx log: hastebin
app log (FitTrackee): hastebin

What are the other apps? Could you provide logs of those? What steps have you already taken (I need an account from you, not a maybe forum thread. / knowing which solutions didn’t work is pretty important.)?

It looks like the error FitTrackee is giving means that a different application is already using the port that FitTrackee is trying to use. Because FitTrackee cannot use that port, it’s throwing its hands in the air and giving up.

Possible solutions:

  • Have you tried restarting your machine?
  • What apps have you installed since last seeing FitTrackee work? Try uninstalling them?
  • Bind FitTrackee to a different port than 5000 (not sure how exactly you would do that)

Hi Guy4092,
thanks for replying!

  • I tried that: [quote=“metyun, post:7, topic:30741”]
    Check that your key is still valid with apt-key list, and update it if it is not with apt install debsuryorg-archive-keyring
    [/quote]

  • also to uninstall/reinstall e.g. Kanboard (also affected)

  • restore from app backups

  • restarting the machine (like a good IT noob that was the first attempt :slightly_smiling_face: )

all not fixing the problem.

As I said, I don't know when it started because I try many apps sometimes. I just started the server and tested some applications to see if they fit my needs.

Logs from not working apps (a selection):

Apps that work (maybe that helps?!):

The Log from nginx: hastebin

And I just saw that nftables is failing. In my understanding, which is not deep, that has nothing to do with the frontend of the apps?! But here is the log: hastebin
It also says “failing for more than 55 years”

The diagnosis for the ports looks fine, and I couldn't find a port conflict.

Sorry for the pile of logs, but YunoHost says I should not reinstall. It's better to research the coming problems^^ so here we are <3

thanks again for investigating!!!

Thank you for the information!

Sorry for taking so long to reply, and sorry in advance for being unhelpful. If anyone else knows the answer, please take this over. I’m not sure I’m going to be qualified enough to help.

Can I first ask if these apps have worked for you in the past?

Secondly, are the apps that give you a 403 all hosted on the same m00s.domain.tld?
I have no idea why you’re getting 403s, but the above domain is the only place I could see them in your nginx log. 403 is a permissions error. Do you remember ever sudo chmod -R 700-ing a folder?

There could be a few causes of this issue, but I’m far too barbaric to think of a proper & safe way to fix it. My solution: don’t use that domain, and continue using subdomains like pool.m00s.domain.tld

That’s the important stuff, everything below is on an app-to-app basis, and doesn’t matter if the above advice was good enough.

Scrutiny looks fine in that log? P.S. the maintainer (ewilly) is an absolute god.

Geoquest says that you need to use --host to expose it to the network. Otherwise it should only be accessible from the host machine itself. Did it come configured like that? That’s really strange. Is NGINX supposed to be a workaround for that? Personally, I’ve never been able to get around exposing those. Literally adding --host to a line somewhere would fix this, but I have never used geoquest. I see that this app is on its first ever yunohost package with no revisions; has it ever worked? Let me spin up a VM to test my hypothesis.

Glances is also having issues with ports, or it’s having issues with the ports plugin. Again, not a lot of info provided.
sudo journalctl -xeu glances.service

The opencloud log looks perfectly fine, what it’s reporting isn’t a problem as long as you don’t notice a problem. EOF is End Of File, which just means it’s done reading the data.

NGINX logs: I see a lot of OCSP errors, which is expected since OCSP is dead.
Not sure if this could cause an issue. If your SSL certificates aren’t renewing, this could be a cause.
I’m looking at my NGINX logs to compare to yours, and I have no OCSP warnings (I do have a guy trying to brute force me 154.83.103.115).
Is your issue connecting ever something like “This server uses HSTS, you can not connect”?

NFTables: unlikely the issue; it is a firewall, but it shouldn’t be filling the ports, just blocking them. Failing for more than 55 years is fine. That brings us to 1970, the unix epoch. Forgive me if you know this, but 1970 is when the unix clock starts, so this just means the date is corrupted/missing so it was reset to 0. The logs here also did not give me a lot to work with. sudo journalctl -xeu nftables.service

Honestly, all of these logs seemed to include journalctl anyway, so I’m grasping at straws. Hoping that the -x changes the output really. Since the SSH commands are not censored like yunopastes are, if the outputs look largely the same, just let me know instead of sending them.

And I 100% agree that solving these issues is better than reinstalling. We get experience, knowledge, and satisfaction from working on these ourselves. Even if it’s a ‘little’ contrarian to yunohost’s goal of becoming user-friendly. Maybe the real solutions are the friends you make along the way?
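
The permissions hypothesis raised in the reply above (a directory on the path having been set to mode 700) can be checked directly. The following is an added example, not part of the original thread and not YunoHost code: it walks every component of a path and reports those the nginx worker could not traverse or read, using the classic owner/group/other rules. The worker account name www-data and the path passed on the command line are assumptions.

```python
import os
import stat


def allowed(st, uid, gids, want_read):
    """Classic Unix owner/group/other check (POSIX ACLs are not considered)."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        r, x = stat.S_IRUSR, stat.S_IXUSR
    elif st.st_gid in gids:
        r, x = stat.S_IRGRP, stat.S_IXGRP
    else:
        r, x = stat.S_IROTH, stat.S_IXOTH
    return bool(st.st_mode & (r if want_read else x))


def blocked_components(target, uid, gids):
    """Return [(path, mode)] for each path component that denies uid access."""
    target = os.path.abspath(target)
    parts, p = [], target
    while True:  # collect target, its parent, ... up to /
        parts.append(p)
        parent = os.path.dirname(p)
        if parent == p:
            break
        p = parent
    blocked = []
    for p in reversed(parts):
        st = os.stat(p)
        # Directories need search (x); a final regular file needs read (r).
        want_read = p == target and not stat.S_ISDIR(st.st_mode)
        if not allowed(st, uid, gids, want_read):
            blocked.append((p, oct(stat.S_IMODE(st.st_mode))))
    return blocked


if __name__ == "__main__":
    import pwd
    import sys

    # Assumption: nginx workers run as www-data (the Debian default).
    user = pwd.getpwnam("www-data")
    gids = set(os.getgrouplist(user.pw_name, user.pw_gid))
    # Run as root so every component can be stat()ed; pass the path to check.
    for path, mode in blocked_components(sys.argv[1], user.pw_uid, gids):
        print(f"{path} (mode {mode}) is not accessible to {user.pw_name}")
```

An empty result means plain file permissions are not what produces the 403 for that path; apps served through proxy_pass are not covered by this check.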

Hi,
It’s quite hard to find meaningful info.
Let’s try for geoquest app:
Is there any non-running service in webadmin → Tools → Services?
Could you paste systemctl status geoquest, sudo lsof -i :4173, nginx geoquest conf file and error log for play.m00s.nohost.me

Does this subdomain not have an SSL certificate?

Hi guy4092 and otm33

Sorry for taking some time to answer, my 2nd child was born :slight_smile: I had other priorities.

  1. All apps had worked in the past
  2. Yes, all my apps are on a subdomain of the m00s.nohost domain. I already bought a domain but I'm running into some trouble setting that up properly (but that is another story for another day^^). My router (Fritzbox) and YunoHost combination somehow killed the Bonjour protocol for app.local domains, but I suggest that this is also another topic.
  3. I’m sure that i never used sudo chmod -R 700

Avoiding the m00s.nohost domain would maybe save me for some time, but maybe the problem strikes again for another domain?! I really don’t want to buy two domains a year to use yunohost :smiley:

  • Scrutiny doesn’t work either.
  • Geoquest worked fine initially and I didn’t manipulate anything, so I would say it came like it is.

I am really too much of a noob in Linux things, so I just use the admin web panel as long as nothing is broken. I looked for solutions and tried them in the CLI, but on my own I do not tinker with that system.

→ The result of sudo journalctl -xeu glances.service:

  • [quote=“guy4092, post:4, topic:36431”]
    Is your issue connecting ever something like “This server uses HSTS, you can not connect”?
    [/quote]
    I never saw that.

→ The result of sudo journalctl -xeu nftables.service

Now to the suggestion of otm33

  • After the restart of nftables everything is running. Diagnostic says all good.
    → result of systemctl status geoquest

→ result of sudo lsof -i :4173

→ Log of the conf



The domain has a Let's Encrypt certificate. After your question I renewed it to check if it helps. It doesn't.


I hope that helps :wink:
It's by the way really just the frontend; the app part of Paperless works fine.

Greetings and thanks for looking into it <3

Hi barep,
First of all, congratulations on the birth of your child.

By “nginx geoquest conf file” I meant geoquest.conf in folder etc/nginx/conf.d/play
d/geoquest.conf with the proxy_pass params.


thanks for the congrats :slight_smile:

I see that conf file is a lot shorter^^

Everything seems normal afaik

I’m having trouble understanding why accessing your YunoHost main domain doesn’t show the SSO login page as expected — instead, I get a 403 Forbidden error. Did you modify SSO settings?

Could you share the output of the following command : sudo yunohost tools regen-conf nginx --dry-run --with-diff ?

It took a minute but no output and nothing changes.

But with dry-run it should change anything^^ Should I try without?
I have backups and that system is like it is not usable anyways


Any change ever made in /etc/ssowat/conf.json ? You could run yunohost app ssowatconf to regenerate the SSOwat configuration.

Exactly that command? Or with regen-conf? Without, it doesn’t solve the 403 problem.
I’ve never changed anything in the cli.

Congratulations! (you responded plenty quickly)

I really thought I was onto something there. It seems that this is beyond my know-how, so I’ll have to bow out and let otm33 take over.

Thank you for providing me with the output of those commands, even though they were just about exactly what you had already provided.

Well, I wish you the best of luck!


exactly this command, without regen-conf.
What issues are reported by the webadmin’s diagnostic tool?

nice profile pic^^ and exactly what it was yesterday for me :smiley:

Diagnostics:

  • Base system: warning because beta branch

  • internet connectivity: all good

  • DNS records: warnings because my bought domain is not properly set up. And a problem with “.local” (Domain go.local is based on a special-use top-level domain (TLD) such as .local or .test and is therefore not expected to have actual DNS records.)

  • ports exposure: some ports are not reachable from outside (ports: 22, 25, 587, 993). That's been the case since the beginning and has not changed

  • Web: all good

  • Email: Nothing is set up, so a lot of red X's

  • Services status check: After every restart nftables stopped working

  • System resources: all good

  • Sys conf: all good

  • Apps: all good

I have another problem (guess it has nothing to do with 403): I can't update crystal (installed 1.15.0-1+1.2, pending update is 1.16.0-1+1.1).
Paperless also refuses to update.

I'm now trying to build a YunoHost instance in KVM on my OpenMediaVault server to have at least a running one^^ so I don't need to reinstall the defective machine. Maybe someone finds a fix :wink: