Description
I'm trying to set up Friendica from scratch as a Docker container behind Nginx Proxy Manager as my reverse proxy, and I'm having a bit of trouble.
Right now, attempting to go to motley.club (my Friendica URL) gives me an error 404. I'll post my configuration below.
Configuration
Docker-Compose File
services:
  db:
    container_name: friendica_db
    image: mariadb
    restart: always
    volumes:
      - ./db:/var/lib/mysql
    environment:
      - MYSQL_USER=friendica
      - MYSQL_PASSWORD=<SENSITIVE VALUE OMITTED>
      - MYSQL_DATABASE=friendica
      - MYSQL_RANDOM_ROOT_PASSWORD=yes

  app:
    container_name: friendica
    image: friendica:fpm
    restart: always
    volumes:
      - ./friendica:/var/www/html
    environment:
      - MYSQL_HOST=db
      - MYSQL_USER=friendica
      - MYSQL_PASSWORD=<SENSITIVE VALUE OMITTED>
      - MYSQL_DATABASE=friendica
      - FRIENDICA_ADMIN_MAIL=<SENSITIVE VALUE OMITTED>
      - FRIENDICA_URL=https://motley.club/
      - FRIENDICA_SITENAME=Motley
    networks:
      - proxy-tier
      - default

  web:
    container_name: friendica_nginx
    image: nginx
    #ports: # disabled because I don't want to expose them on the host machine directly but proxy through NPM
    #  - 8080:80
    links:
      - app
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf:ro
    restart: always
    networks:
      - npm-nw
      - proxy-tier

networks:
  npm-nw: # this is the network that my existing Nginx Proxy Manager, in another container, uses
    external: true
  proxy-tier:
nginx.conf file
This is placed in the same directory as the Motley.yml Docker Compose file.
##
# Friendica Nginx configuration
# by Olaf Conradi, modified by Philipp Holzer
#
worker_processes 4;

events {
    worker_connections 1024;
}

error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

http {
    charset utf-8;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;

    # If behind reverse proxy, forwards the correct IP
    set_real_ip_from 10.0.0.0/8;
    set_real_ip_from 172.16.0.0/12;
    set_real_ip_from 192.168.0.0/16;
    set_real_ip_from fc00::/7;
    real_ip_header X-Real-IP;

    upstream php-handler {
        server app:9000;
    }

    server {
        listen 80;
        server_name motley.club; # I changed this from friendica.local; does it need to be changed back?

        index index.php;
        root /var/www/html;

        # Uncomment the following line to include a standard configuration file
        # Note that the most specific rule wins and your standard configuration
        # will therefore *add* to this file, but not override it.
        #include standard.conf

        # allow uploads up to 20MB in size
        client_max_body_size 20m;
        client_body_buffer_size 128k;

        # rewrite to front controller as default rule
        location / {
            if (!-e $request_filename) {
                rewrite ^(.*)$ /index.php?pagename=$1;
            }
        }

        # make sure webfinger and other well known services aren't blocked
        # by denying dot files and rewrite request to the front controller
        location ^~ /.well-known/ {
            allow all;
            if (!-e $request_filename) {
                rewrite ^(.*)$ /index.php?pagename=$1;
            }
        }

        # statically serve these file types when possible
        # otherwise fall back to front controller
        # allow browser to cache them
        # added .htm for advanced source code editor library
        #location ~* \.(jpg|jpeg|gif|png|ico|css|js|htm|html|ttf|woff|svg)$ {
        #    expires 30d;
        #    try_files $uri /index.php?pagename=$uri&$args;
        #}

        include mime.types;

        # block these file types
        location ~* \.(tpl|md|tgz|log|out)$ {
            deny all;
        }

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        # or a unix socket
        location ~* \.php$ {
            # Zero-day exploit defense.
            # http://forum.nginx.org/read.php?2,88845,page=3
            # Won't work properly (404 error) if the file is not stored on this
            # server, which is entirely possible with php-fpm/php-fcgi.
            # Comment the 'try_files' line out if you set up php-fpm/php-fcgi on
            # another machine. And then cross your fingers that you won't get hacked.
            try_files $uri =404;

            # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_pass php-handler;
            include fastcgi_params;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        }

        # deny access to all dot files
        location ~ /\. {
            deny all;
        }
    }
}
Friendica's local.config.php
<?php

// Local configuration

/* If automatic system installation fails:
 *
 * Copy this file to local.config.php
 *
 * Why local.config.php? Because it contains sensitive information which could
 * give somebody complete control of your database. Apache's default
 * configuration will interpret any .php file as a script and won't show the values
 *
 * Then set the following for your MySQL installation
 *
 * If you're unsure about what any of the config keys below do, please check the static/defaults.config.php file for
 * detailed documentation of their data type and behavior.
 */

return [
    'database' => [
        'hostname' => 'localhost',
        'username' => 'friendica',
        'password' => <SENSITIVE VALUE OMITTED>,
        'database' => 'friendica',
        'charset' => 'utf8mb4',
    ],

    // ****************************************************************
    // The configuration below will be overruled by the admin panel.
    // Changes made below will only have an effect if the database does
    // not contain any configuration for the friendica system.
    // ****************************************************************

    'config' => [
        'admin_email' => 'southwest23@gmail.com',
        'sitename' => 'Motley',
        'register_policy' => \Friendica\Module\Register::OPEN,
        'register_text' => '',
    ],
    'system' => [
        'default_timezone' => 'America/Los_angeles',
        'language' => 'en',
        'url' => 'https://motley.club/',
    ],
];
Nginx conf file for Friendica
This was generated by Nginx Proxy Manager:
# ------------------------------------------------------------
# motley.club
# ------------------------------------------------------------

map $scheme $hsts_header {
    https "max-age=63072000; preload";
}

server {
    set $forward_scheme http;
    set $server "friendica_nginx";
    set $port 80;

    listen 80;
    #listen [::]:80;

    listen 443 ssl;
    #listen [::]:443;

    server_name motley.club;
    http2 off;

    # Let's Encrypt SSL
    include conf.d/include/letsencrypt-acme-challenge.conf;
    include conf.d/include/ssl-cache.conf;
    include conf.d/include/ssl-ciphers.conf;
    ssl_certificate /etc/letsencrypt/live/npm-10/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/npm-10/privkey.pem;

    # Block Exploits
    include conf.d/include/block-exploits.conf;

    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
    proxy_http_version 1.1;

    access_log /data/logs/proxy-host-7_access.log proxy;
    error_log /data/logs/proxy-host-7_error.log warn;

    location / {
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_http_version 1.1;

        # Proxy!
        include conf.d/include/proxy.conf;
    }

    # Custom
    include /data/nginx/custom/server_proxy[.]conf;
}
Encountered behavior
When navigating to https://motley.club, I am given an error 404.
Further explanation
I have already set up Nginx Proxy Manager on my server, listening on ports 443 and 80. It is successfully proxying other services on the host machine. I want to use that same reverse proxy for Friendica, because why duplicate work?
I was unclear from the guide here whether the web container defined in the example file was supposed to be used in addition to a public-facing reverse proxy, or if it was supposed to itself be the public-facing reverse proxy.
In Nginx Proxy Manager, I'm preferring to direct traffic to services using their container names, which is why you see set $server "friendica_nginx";. As the comment in my Friendica Docker-Compose file indicates, I am trying to avoid exposing ports on my host server unnecessarily, which is why I commented out the ports: line.
Questions
- If I already have a container running Nginx Reverse Proxy, is the web container in the Docker Compose file superfluous?
- What changes do I need to make to my configuration so I can access my Friendica installation at motley.club?
Thanks in advance for the help. I'm hoping to get this properly stood up so I can restore my database backup from a previous installation and get reconnected!
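Added example (editor's, not the author's file and not the project's reference compose file). The posted nginx.conf itself states that `try_files $uri =404` returns 404 when the PHP file is not stored on the nginx server, and the posted compose file bind-mounts `./friendica` into `app` only, so `friendica_nginx` serves an empty `/var/www/html` and every request, including `/index.php`, ends at that `=404`. The compose file below keeps the posted layout and adds the same bind mount to `web`, read-only, so nginx can see the files that php-fpm executes; the web container stays, because `friendica:fpm` only speaks FastCGI on port 9000 (the posted `upstream php-handler { server app:9000; }`) and Nginx Proxy Manager proxies HTTP, and its ports stay unpublished on the host. The `<SENSITIVE VALUE OMITTED>` placeholders, paths and network names are carried over from the post.

```yaml
# Corrected compose file for the posted setup (editor's example, not the
# author's file). Only the `web` service changes: it gains a read-only
# bind mount of the same directory that `app` uses as its web root.
services:
  db:
    container_name: friendica_db
    image: mariadb
    restart: always
    volumes:
      - ./db:/var/lib/mysql
    environment:
      - MYSQL_USER=friendica
      - MYSQL_PASSWORD=<SENSITIVE VALUE OMITTED>
      - MYSQL_DATABASE=friendica
      - MYSQL_RANDOM_ROOT_PASSWORD=yes

  app:
    container_name: friendica
    image: friendica:fpm
    restart: always
    volumes:
      - ./friendica:/var/www/html   # php-fpm needs write access (install, uploads)
    environment:
      - MYSQL_HOST=db               # the app reaches MariaDB by service name, not localhost
      - MYSQL_USER=friendica
      - MYSQL_PASSWORD=<SENSITIVE VALUE OMITTED>
      - MYSQL_DATABASE=friendica
      - FRIENDICA_ADMIN_MAIL=<SENSITIVE VALUE OMITTED>
      - FRIENDICA_URL=https://motley.club/
      - FRIENDICA_SITENAME=Motley
    networks:
      - proxy-tier
      - default

  web:
    container_name: friendica_nginx
    image: nginx
    # no `ports:` on purpose: only Nginx Proxy Manager, on npm-nw, can reach this container
    links:
      - app
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf:ro
      # Added: nginx must see the same document root so that
      # `try_files $uri =404` finds index.php and the static assets.
      # Read-only: nginx only serves files, it never writes them.
      - ./friendica:/var/www/html:ro
    restart: always
    networks:
      - npm-nw      # reachable by Nginx Proxy Manager as "friendica_nginx"
      - proxy-tier  # reaches php-fpm as "app:9000"

networks:
  npm-nw:
    external: true
  proxy-tier:
```

After `docker compose up -d`, `docker compose exec web ls /var/www/html/index.php` should list the file; while it is missing, the 404 comes from `friendica_nginx`, not from Nginx Proxy Manager, which is why its proxy-host log shows the upstream answering rather than a connection error. Keeping the `=404` rule in place is worthwhile once the mount exists: it stops nginx from forwarding requests for non-existent `.php` paths to php-fpm, which is the zero-day defense the config comment refers to. Separately, the posted local.config.php sets the database hostname to `localhost`, which inside the `app` container is the container itself; the database service is reachable as `db`, matching the `MYSQL_HOST=db` environment variable.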