PrivateBin / docker-nginx-fpm-alpine

PrivateBin docker image based on Nginx, php-fpm & Alpine Linux stack
https://hub.docker.com/r/privatebin/nginx-fpm-alpine/

Could not create paste - permissions error? #155

Closed bgigurtsis closed 1 year ago

bgigurtsis commented 1 year ago

Hi there,

I've read through all the other relevant issues and have been trying to troubleshoot this for the past few hours. The error I'm getting on the web app is Could not create paste: server error or not responding.

I'm on a fresh installation of Ubuntu 22.04 on an EC2 instance being served via CloudFront. I'm using the latest docker image. My docker/linux skills are not that great.

`docker run -d --restart="always" --read-only -p 80:8080 -v $PWD/conf.php:/srv/cfg/conf.php:ro -v $PWD/privatebin-data:/srv/data privatebin/nginx-fpm-alpine` is the command I run, with only the expiry time being changed in the config.

Originally I was receiving mkdir(): Permission denied in /srv/lib/Data/Filesystem.php in the docker logs. My privatebin-data folder did not have any files in it after I sent the POST requests.

I then ran `sudo chown 65534:82 privatebin-data` (not sure if this was correct). After doing so I stopped receiving the error above and my POST request returned 200, with my privatebin-data folder now receiving files.

This is before and after I ran the chown:

Screenshot 2023-06-27 at 21 33 23

And a copy of all of the relevant permissions:

Screenshot 2023-06-27 at 21 45 37 Screenshot 2023-06-27 at 21 45 06

Any help would be much appreciated - thank you.
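Added example (not part of the original post or the PrivateBin project): a preflight check for the `mkdir(): Permission denied` case above, testing whether the 65534:82 owner used in the chown can create files in the bind-mounted directory before the container starts. The function names are hypothetical, and only owner, group and mode bits are considered.

```sh
#!/bin/sh
# Added example, not PrivateBin project code. Checks owner, group and mode
# bits only; ACLs, supplementary groups and userns remapping are ignored.

# can_write UID GID DIR: status 0 if UID:GID may create files in DIR,
# 1 if not, 2 if DIR is not a directory.
can_write() {
    cw_uid=$1 cw_gid=$2 cw_dir=$3
    [ -d "$cw_dir" ] || return 2
    # numeric owner, numeric group, octal mode (GNU and busybox stat)
    cw_stat=$(stat -c '%u %g %a' "$cw_dir") || return 2
    set -- $cw_stat
    cw_mode=$((0$3))                      # leading 0 => parse as octal
    if [ "$cw_uid" -eq 0 ]; then
        return 0                          # root normally bypasses mode bits
    elif [ "$cw_uid" -eq "$1" ]; then
        cw_bits=$(( (cw_mode >> 6) & 7 )) # owner triplet
    elif [ "$cw_gid" -eq "$2" ]; then
        cw_bits=$(( (cw_mode >> 3) & 7 )) # group triplet
    else
        cw_bits=$(( cw_mode & 7 ))        # "other" triplet
    fi
    # creating entries in a directory needs write (2) plus search (1)
    [ $(( cw_bits & 3 )) -eq 3 ]
}

# preflight DIR [UID] [GID]: prints a verdict; the defaults are the
# 65534:82 owner taken from the chown in the post above.
preflight() {
    pf_dir=$1 pf_uid=${2:-65534} pf_gid=${3:-82}
    if can_write "$pf_uid" "$pf_gid" "$pf_dir"; then
        echo "ok: $pf_uid:$pf_gid can write to $pf_dir"
    else
        echo "fail: $pf_uid:$pf_gid cannot write to $pf_dir"
        echo "fix:  sudo chown $pf_uid:$pf_gid $pf_dir"
        return 1
    fi
}

# e.g. sh preflight.sh "$PWD/privatebin-data" before `docker run`
if [ "$#" -ge 1 ]; then
    preflight "$@"
fi
```

A freshly created host directory is typically owned by the login user with mode 755, so a container process running as 65534:82 falls into the "other" triplet and is denied write access.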

elrido commented 1 year ago

As your logs and screenshots show, you have resolved the permission problems and got 4 pastes (POST requests in your log) successfully created without errors. If you still see errors in your browser, it may have cached something - the logs also mention AWS CloudFront, so you may have to look into the logs of that reverse proxy service - maybe it caches some error response? From the container image side of things, you seem to have successfully resolved your permission issue.

bgigurtsis commented 1 year ago

Thanks for your quick reply. My guess would be that it is a CloudFront problem but I'm at a loss as to how to diagnose it further, apart from trying to set up something on the EC2 instance to connect directly and isolate it that way. It's weird because I'm seeing 200 in the CloudFront logs as well as docker logs, although the MIME type seems to be html, and maybe PrivateBin is expecting json as per the error.

CloudFront Log

2023-06-28  09:07:36    LHR50-P2    5632    123.12.123.123  POST    abcdefabc.cloudfront.net    /   200 -   Mozilla/5.0%20(Macintosh;%20Intel%20Mac%20OS%20X%2010_15_7)%20AppleWebKit/537.36%20(KHTML,%20like%20Gecko)%20Chrome/114.0.0.0%20Safari/537.36   -   -   Miss    abcdefgaghawt== abcdefabc.cloudfront.net    https   231 0.008   -   TLSv1.3 TLS_AES_128_GCM_SHA256  Miss    HTTP/2.0    -   -   54851   0.008   Miss    text/html;%20charset=UTF-8  -   -   -

Error with the developer tools console showing

Screenshot 2023-06-28 at 11 57 39

I've tried making a completely new CloudFront distribution and still getting the same issue. Caching is/should be disabled, as is compression of any objects. Below is my cloudfront behaviour:

Screenshot 2023-06-28 at 11 55 31

bgigurtsis commented 1 year ago

Some slight progress: after enabling legacy cache, the root URL works for sending the paste to the server and provides me with the URL of the paste, e.g. paste.example.com/?abcdefge123456. However, trying to access the paste gives me Could not get paste data: server error or not responding.

New CloudFront settings

Screenshot 2023-06-28 at 17 14 21

CloudFront log for the GET request on the paste data:

2023-06-28  16:19:54    LHR50-P2    623 123.12.123.12   GET 123abc.cloudfront.net   /   200 -   Mozilla/5.0%20(Macintosh;%20Intel%20Mac%20OS%20X%2010_15_7)%20AppleWebKit/537.36%20(KHTML,%20like%20Gecko)%20Chrome/114.0.0.0%20Safari/537.36   pasteid=e7777ae25c35ef36    -   Miss    -p9ZkWP0sc-abc123-a-abc123==    paste.example.com   https   452 0.004   -   TLSv1.3 TLS_AES_128_GCM_SHA256  Miss    HTTP/3.0    -   -   42786   0.004   Miss    application/json;%20charset=utf-8   -   -   -

Developer console with the parsing error:

image

Totally appreciate this is a CloudFront issue and not a PrivateBin issue, feel free to close this if you like. I'm mostly just familiar with CloudFront but looks like I'll have to try something else to host PrivateBin.

bgigurtsis commented 1 year ago

I've managed to set up a PrivateBin instance using an application load balancer instead (target group port 80, listener port 443). For anyone reading this, that's definitely the easier way vs. CloudFront!