Home > Enterprise >  Nginx proxy server to Digital Ocean App Platform app is getting a 403 Access Denied - Cloudflare err
Nginx proxy server to Digital Ocean App Platform app is getting a 403 Access Denied - Cloudflare err

Time:07-07

I’m having an issue trying to proxy request from my server to my Digital Ocean App Platform application.

I have a .NET 6 app running in a Docker container on Digital Ocean App Platform. This is running fine. I can successfully hit my API from my REST client using the domain given to my app by App Platform.

What I’m trying to do now is add an entry to my server running Nginx to proxy requests from my domain to the application on App Platform.

This is my initial Nginx configuration.

server {
    listen              443 ssl;
    server_name         ~^(?<subdomain>[\w-] )\.mydomain\.com$ mydomain.com;

    ssl_certificate      /etc/letsencrypt/live/mydomain.com/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/mydomain.com/privkey.pem;

    location /api {
        proxy_pass              https://my-app-platform-app.ondigitalocean.app;
        proxy_http_version      1.1;
    }
}

This initial config works fine, my api receives the request but the Host header of the request in my docker container is the Digital Ocean App Platform assigned domain (my-app-platform-app.ondigitalocean.app) but want my domain from my proxy server (mydomain.com) as the Host header. So what I did was set the Host header with proxy_set_header in my Nginx config like below.

server {
    listen              443 ssl;
    server_name         ~^(?<subdomain>[\w-] )\.mydomain\.com$ mydomain.com;

    ssl_certificate      /etc/letsencrypt/live/mydomain.com/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/mydomain.com/privkey.pem;

    location /api {
        proxy_set_header        Host $host;
        proxy_pass              https://my-app-platform-app.ondigitalocean.app;
        proxy_http_version      1.1;
    }
}

Now when I try to access my API from mydomain.com/api I get a 403 Permission Denied - Cloudflare error. I believe this is coming from the Digital Ocean App Platform and not my proxy server but not sure how to find the root cause.

Has anyone encountered this issue with Digital Ocean App Platform, or know what I’m doing wrong?

Thank you.

CodePudding user response:

Update

I was unable to find a solutions to the original error with the 403 Permission Denied Cloudflare error. I posted on the Digital Ocean Community board but didn't have any luck there either. There isn't much details as to why Cloudflare is returning the 403 (returns a blank white page with 403 error, no details) nor could I find anything in Digital Ocean. I did find one questions on the Digital Ocean Community board with the same error but there wasn't any solution for it either.

I figured I'd post a temporary solution that I'm using as a workaround until I can troubleshoot this further. Instead of setting the Host header I simply just added a new custom header X-Host and set it to $host. This gets passed properly to my API running in a docker container.

In my .NET 6 app I check for the X-Host header first to see if it's set and use the Host header as a fallback if it isn't.

My Nginx config looks like this now...

server {
    listen              443 ssl;
    server_name         ~^(?<subdomain>[\w-] )\.mydomain\.com$ mydomain.com;

    ssl_certificate      /etc/letsencrypt/live/mydomain.com/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/mydomain.com/privkey.pem;

    location /api {
        proxy_set_header        X-Host $host;
        proxy_pass              https://my-app-platform-app.ondigitalocean.app;
        proxy_http_version      1.1;
    }
}

If this is a CORS request you might have to setup a CORS policy in Digital Ocean. You can follow their guide below for setting that up.

https://docs.digitalocean.com/products/app-platform/how-to/configure-cors-policies/

Digital Ocean Community Question

https://www.digitalocean.com/community/questions/nginx-proxy-server-to-app-platform-app-is-getting-a-403-access-denied-cloudflare-error

  • Related