RESOLVED: redis wasn't running: Existing reverse proxy, Mastodon tries to get the directory listing of /home/mastodon/live/public



Like another topic created last year, “Nginx reverse proxy on another server”, I have an existing reverse proxy that I use to multiplex multiple web apps running on multiple VMs behind my firewall. Here’s the stanza in that existing reverse proxy to send all traffic for http://mymastodoninstance.tld to the VM running the Mastodon app:

# Border reverse proxy: terminates public TLS for mymastodoninstance.tld and
# forwards every request to the Mastodon VM at 192.168.9.91.
server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  server_name mymastodoninstance.tld;

  # Only TLS 1.2 is enabled; TLS 1.3 is not offered by this block.
  ssl_protocols TLSv1.2;
  # HIGH-strength suites only; anonymous (aNULL), unencrypted (NULL) and
  # SHA-1-MAC (SHA) suites are excluded.
  ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA;
  ssl_prefer_server_ciphers on;
  ssl_session_cache shared:SSL:10m;
    ssl_certificate /etc/letsencrypt/live/mymastodoninstance.tld/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mymastodoninstance.tld/privkey.pem; # managed by Certbot

  keepalive_timeout    70;
  sendfile             on;
  # Upload limit at the edge. The backend's own client_max_body_size still
  # applies to whatever is forwarded, so the smaller of the two wins.
  client_max_body_size 30m;

  # NOTE(review): gzip_proxied any compresses proxied responses over TLS.
  # If compressed responses echo request data next to secrets, this is the
  # precondition for BREACH-style length side channels - confirm it is acceptable.
  gzip on;
  gzip_disable "msie6";
  gzip_vary on;
  gzip_proxied any;
  gzip_comp_level 6;
  gzip_buffers 16 8k;
  gzip_http_version 1.1;
  gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

  # HSTS for one year. Without the "always" parameter nginx attaches this
  # header only to 2xx/3xx responses, so error responses go out without it.
  add_header Strict-Transport-Security "max-age=31536000";

  location / {
      # Forwards over cleartext http to port 80 of the Mastodon VM. In the VM
      # config shown in this post, the port-80 server block only sets root, so
      # these requests never reach the @proxy location of its 443 block.
      # NOTE(review): switching to https:// encrypts the hop, but nginx does not
      # verify the upstream certificate unless proxy_ssl_verify and
      # proxy_ssl_trusted_certificate are set, so a self-signed backend cert is
      # accepted without authenticating the backend.
      proxy_pass http://192.168.9.91;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      # $proxy_add_x_forwarded_for appends the client address to whatever
      # X-Forwarded-For the client sent; earlier entries are client-controlled
      # and must not be trusted by the backend.
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      # NOTE(review): Connection is forced to "Upgrade" on every request and no
      # proxy_http_version is set here (nginx proxies with HTTP/1.0 by default);
      # the VM config instead derives Connection from a map on $http_upgrade.
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "Upgrade";
  }
}

Here’s the nginx config on the Mastodon VM:

# Derives the Connection header value sent to the upstream from the client's
# Upgrade header: "upgrade" when one is present, "close" when it is empty.
map $http_upgrade $connection_upgrade {
  default upgrade;
  ''      close;
}

# Plain-HTTP listener on the Mastodon VM. It defines a document root only:
# no location proxies to the application and nothing redirects to https.
# NOTE(review): a request for / arriving here is resolved against root alone,
# which matches the 403 directory-index error described in the post when the
# border proxy forwards over http - confirm against the nginx error log.
server {
  listen 80;
  listen [::]:80;
  server_name mymastodoninstance.tld;
  root /home/mastodon/live/public;
}

# TLS listener on the Mastodon VM: serves files from the public directory when
# they exist and otherwise proxies to the local application (127.0.0.1:3000)
# or the streaming service (127.0.0.1:4000).
server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  server_name mymastodoninstance.tld;

  # Only TLS 1.2 is enabled; TLS 1.3 is not offered by this block.
  ssl_protocols TLSv1.2;
  ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA;
  ssl_prefer_server_ciphers on;
  ssl_session_cache shared:SSL:10m;

  # NOTE(review): "snakeoil" looks like the distribution's self-signed
  # placeholder certificate. A peer can only authenticate this server if it is
  # configured to trust that exact certificate; otherwise the hop is encrypted
  # but unauthenticated.
  ssl_certificate     /etc/ssl/certs/ssl-cert-snakeoil.pem;
  ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;

  keepalive_timeout    70;
  sendfile             on;
  # The border proxy in this post allows 30m, so this 8m value is the
  # effective upload limit for requests that pass through this block.
  client_max_body_size 8m;

  root /home/mastodon/live/public;

  gzip on;
  gzip_disable "msie6";
  gzip_vary on;
  gzip_proxied any;
  gzip_comp_level 6;
  gzip_buffers 16 8k;
  gzip_http_version 1.1;
  gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

  # Server-level HSTS. nginx inherits add_header into a location only when that
  # location declares no add_header of its own, and without "always" the header
  # is attached to 2xx/3xx responses only.
  add_header Strict-Transport-Security "max-age=31536000";

  # Serve the file if it exists under root, otherwise hand off to @proxy.
  location / {
    try_files $uri @proxy;
  }

  # Long-lived caching for static assets and uploaded media.
  # This location has its own add_header, so files served directly from it do
  # not carry the server-level Strict-Transport-Security header.
  location ~ ^/(emoji|packs|system/accounts/avatars|system/media_attachments/files) {
    add_header Cache-Control "public, max-age=31536000, immutable";
    try_files $uri @proxy;
  }
  
  # sw.js is served with max-age=0 so it is revalidated on every use; same
  # add_header inheritance caveat as the asset location above.
  location /sw.js {
    add_header Cache-Control "public, max-age=0";
    try_files $uri @proxy;
  }

  # Fallback to the application listening on loopback port 3000.
  location @proxy {
    proxy_set_header Host $host;
    # $remote_addr is the connecting peer. For traffic arriving through the
    # border proxy that is presumably the proxy's address, replacing the
    # X-Real-IP it sent - unless set_real_ip_from / real_ip_header are
    # configured elsewhere. TODO confirm.
    proxy_set_header X-Real-IP $remote_addr;
    # Appends the peer address to the incoming X-Forwarded-For chain; the app
    # should trust only entries added by known proxies (for Mastodon,
    # presumably via its TRUSTED_PROXY_IP setting - verify).
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # Hard-coded: the app is always told the original request was https.
    proxy_set_header X-Forwarded-Proto https;
    # Blanks any client-supplied Proxy request header before it reaches the
    # application (the "httpoxy" class of issue).
    proxy_set_header Proxy "";
    # Passes the upstream's Server response header through to clients, which
    # nginx withholds by default; this exposes the app server's identity.
    proxy_pass_header Server;

    proxy_pass http://127.0.0.1:3000;
    proxy_buffering off;
    proxy_redirect off;
    # HTTP/1.1 plus the Upgrade/Connection pair lets WebSocket upgrades pass.
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;

    tcp_nodelay on;
  }

  # Streaming endpoint, proxied to the service on loopback port 4000 with the
  # same forwarded headers as @proxy (but without proxy_pass_header Server).
  location /api/v1/streaming {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header Proxy "";

    proxy_pass http://127.0.0.1:4000;
    proxy_buffering off;
    proxy_redirect off;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;

    tcp_nodelay on;
  }

  # 5xx responses are answered with /500.html, resolved against root. The
  # underlying failure has to be found in the nginx error log or the
  # application's own logs.
  error_page 500 501 502 503 504 /500.html;
}

This does not work, and I can’t figure out why. If I make proxy_pass http in the “border proxy” stanza, I get a 403 Forbidden error, and if you look in the nginx log for the Mastodon instance, it says it’s forbidden from doing directory listing in /home/mastodon/live/public. It’s true that there’s no index.html in that directory, but the location / directive goes to the @proxy directive, which is supposed to GET / from Puma, not just from files located in the /home/mastodon/live/public directory. So it’s behaving as if it doesn’t know about its @proxy directive, I guess. If I make proxy_pass https in the “border proxy” stanza, I just get a 500 error with the elephant banging the keyboard, and if there is an error log that explains what those 500 errors are from, I cannot find it.

Help?