当前位置: 文江博客 话题详情

NGINX代理服务器到数字海洋应用程序平台应用程序正在获得403访问权限-CloudFlare错误

发布于 2025-02-12 14:34:30 字数 1603 浏览 1 评论 0 原文

我正在遇到一个问题,试图将服务器从我的Digital Ocean App Platform应用程序中委托请求。

我有一个.NET 6应用程序在Digital Ocean App Platform上的Docker容器中运行。这很好。我可以使用App Platform给我的应用程序给出的域,成功地从REST客户端点击我的API。

我现在要做的是将运行NGINX的服务器添加到从我的域上的代理请求到App Platform上的应用程序。

这是我的初始nginx配置。

server {
    listen              443 ssl;
    server_name         ~^(?<subdomain>[\w-]+)\.mydomain\.com$ mydomain.com;

    ssl_certificate      /etc/letsencrypt/live/mydomain.com/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/mydomain.com/privkey.pem;

    location /api {
        proxy_pass              https://my-app-platform-app.ondigitalocean.app;
        proxy_http_version      1.1;
    }
}

此初始配置工作正常,我的API收到了请求,但是我的Docker容器中该请求的主机标头是Digital Ocean App Platform分配的域(my-app-platform-app.ondigitalocean.app),但希望我的域中的域服务器(mydomain.com)作为主机标头。因此,我所做的是在我的nginx配置中使用 host 标题, proxy_set_header 如下所示。

server {
    listen              443 ssl;
    server_name         ~^(?<subdomain>[\w-]+)\.mydomain\.com$ mydomain.com;

    ssl_certificate      /etc/letsencrypt/live/mydomain.com/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/mydomain.com/privkey.pem;

    location /api {
        proxy_set_header        Host $host;
        proxy_pass              https://my-app-platform-app.ondigitalocean.app;
        proxy_http_version      1.1;
    }
}

现在,当我尝试从 mydomain.com/api 访问我的API时,我会拒绝403权限 - CloudFlare错误。我相信这来自数字海洋应用程序平台,而不是我的代理服务器,但不确定如何找到根本原因。

有没有人使用数字海洋应用程序平台遇到这个问题,或者知道我在做什么错?

谢谢。

原文

I’m having an issue trying to proxy request from my server to my Digital Ocean App Platform application.

I have a .NET 6 app running in a Docker container on Digital Ocean App Platform. This is running fine. I can successfully hit my API from my REST client using the domain given to my app by App Platform.

What I’m trying to do now is add an entry to my server running Nginx to proxy requests from my domain to the application on App Platform.

This is my initial Nginx configuration.

server {
    listen              443 ssl;
    server_name         ~^(?<subdomain>[\w-]+)\.mydomain\.com$ mydomain.com;

    ssl_certificate      /etc/letsencrypt/live/mydomain.com/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/mydomain.com/privkey.pem;

    location /api {
        proxy_pass              https://my-app-platform-app.ondigitalocean.app;
        proxy_http_version      1.1;
    }
}

This initial config works fine, my api receives the request but the Host header of the request in my docker container is the Digital Ocean App Platform assigned domain (my-app-platform-app.ondigitalocean.app) but want my domain from my proxy server (mydomain.com) as the Host header. So what I did was set the Host header with proxy_set_header in my Nginx config like below.

server {
    listen              443 ssl;
    server_name         ~^(?<subdomain>[\w-]+)\.mydomain\.com$ mydomain.com;

    ssl_certificate      /etc/letsencrypt/live/mydomain.com/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/mydomain.com/privkey.pem;

    location /api {
        proxy_set_header        Host $host;
        proxy_pass              https://my-app-platform-app.ondigitalocean.app;
        proxy_http_version      1.1;
    }
}

Now when I try to access my API from mydomain.com/api I get a 403 Permission Denied - Cloudflare error. I believe this is coming from the Digital Ocean App Platform and not my proxy server but not sure how to find the root cause.

Has anyone encountered this issue with Digital Ocean App Platform, or know what I’m doing wrong?

Thank you.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(3

痴情换悲伤 2025-02-19 14:34:30

更新

我无法找到原始错误的解决方案,而403权限拒绝了Cloudflare错误。我在数字海洋社区委员会上发布了,但那里也没有任何运气。关于CloudFlare为什么要返回403的详细信息(返回一个空白的白页,带有403错误,没有详细信息),我在数字海洋中也无法找到任何东西。我确实在数字海洋社区董事会上找到了一个问题,但也没有任何解决方案。

我认为我会发布一个临时解决方案,该解决方案将作为解决方法,直到可以进一步解决此问题为止。而不是设置 host 标题我只是添加了一个新的自定义标题 x-host ,然后将其设置为 $ $ host 。这将正确传递给我在Docker容器中运行的API。

在我的.NET 6应用中,我首先检查 X-host 标题,以查看是否设置并使用 host 标题作为后备,如果不是。

我的Nginx配置现在看起来像这样...

server {
    listen              443 ssl;
    server_name         ~^(?<subdomain>[\w-]+)\.mydomain\.com$ mydomain.com;

    ssl_certificate      /etc/letsencrypt/live/mydomain.com/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/mydomain.com/privkey.pem;

    location /api {
        proxy_set_header        X-Host $host;
        proxy_pass              https://my-app-platform-app.ondigitalocean.app;
        proxy_http_version      1.1;
    }
}

如果这是CORS请求,则可能必须在数字海洋中设置CORS策略。您可以按照下面的指南进行设置。

数字海洋社区问题

https://www.digitalocean.com/community/questions/nginx-proxy-server-server-to-plat--platform-pplot-is-is-petting-a-getting-a-403-access-access-denied-cloudflare-error

Update

I was unable to find a solutions to the original error with the 403 Permission Denied Cloudflare error. I posted on the Digital Ocean Community board but didn't have any luck there either. There isn't much details as to why Cloudflare is returning the 403 (returns a blank white page with 403 error, no details) nor could I find anything in Digital Ocean. I did find one questions on the Digital Ocean Community board with the same error but there wasn't any solution for it either.

I figured I'd post a temporary solution that I'm using as a workaround until I can troubleshoot this further. Instead of setting the Host header I simply just added a new custom header X-Host and set it to $host. This gets passed properly to my API running in a docker container.

In my .NET 6 app I check for the X-Host header first to see if it's set and use the Host header as a fallback if it isn't.

My Nginx config looks like this now...

server {
    listen              443 ssl;
    server_name         ~^(?<subdomain>[\w-]+)\.mydomain\.com$ mydomain.com;

    ssl_certificate      /etc/letsencrypt/live/mydomain.com/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/mydomain.com/privkey.pem;

    location /api {
        proxy_set_header        X-Host $host;
        proxy_pass              https://my-app-platform-app.ondigitalocean.app;
        proxy_http_version      1.1;
    }
}

If this is a CORS request you might have to setup a CORS policy in Digital Ocean. You can follow their guide below for setting that up.

https://docs.digitalocean.com/products/app-platform/how-to/configure-cors-policies/

Digital Ocean Community Question

https://www.digitalocean.com/community/questions/nginx-proxy-server-to-app-platform-app-is-getting-a-403-access-denied-cloudflare-error

回复 原文
原谅我要高飞 2025-02-19 14:34:30

我不是使用Nginx,而是使用Haproxy,而是看到了同样的行为。我完成的工作方式是首先将 x-forwarded-for 标题设置为主机标题值。然后,我将主机标题值设置为数字海洋应用平台主机。

这使我的申请按预期做出了回应。

I wasn’t using nginx but rather haproxy, but saw this same behavior. The way I got it working was to first set the X-Forwarded-For header to the Host header value. I then set the Host header value to the digital ocean app platform host.

This got my application to respond as expected.

回复 原文
仅此而已 2025-02-19 14:34:30

最近,我们通过调整App Platform Path代理的NGINX配置来解决NGINX反向代理(在数字海洋液滴上运行)上的类似问题(错误503)。具体来说,我们必须在位置块中添加 proxy_ssl_server_name 才能解决错误。

location /conference {
    proxy_ssl_server_name on;
    proxy_pass https://icf-conference-2024-99rlp.ondigitalocean.app;
    proxy_set_header Host icf-conference-2024-99rlp.ondigitalocean.app;
}

We recently resolved a similar issue (error 503) on our nginx reverse proxy (running on a Digital Ocean Droplet) by tweaking the nginx config for the App Platform path proxying. Specifically, we had to add proxy_ssl_server_name in the location block to resolved the error.

location /conference {
    proxy_ssl_server_name on;
    proxy_pass https://icf-conference-2024-99rlp.ondigitalocean.app;
    proxy_set_header Host icf-conference-2024-99rlp.ondigitalocean.app;
}
回复 原文
~没有更多了~

关于作者

眼趣

暂无简介

文章
评论
28 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

alipaysp_snBf0MSZIv

文章 0 评论 0

梦断已成空

文章 0 评论 0

瞎闹

文章 0 评论 0

凯凯我们等你回来

文章 0 评论 0

寄意

文章 0 评论 0

似梦非梦

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文