dokku / dokku-http-auth

dokku plugin that gives the ability to manage HTTP basic auth for an application
MIT License

Permission errors when activating http auth on app #15

Open javierav opened 2 years ago

javierav commented 2 years ago

Steps to Reproduce

$ dokku http-auth:enable APP_NAME user password

Actual Results

Error 500 when trying to access the app. Inspecting the nginx error logs, I get the following message:

... *15 open() "/home/dokku/APP_NAME/htpasswd" failed (13: Permission denied)

Expected Results

HTTP Auth enabled on site.

How to resolve

After investigating the issue, I found that the folder /home/dokku has rwxr-x--- permissions instead of rwxr-x--x. If I change the permissions and then enable or create the http auth, it works as expected.

Environment Information

dokku report APP_NAME output

-----> uname: Linux XXXXX 5.15.0-40-generic #43-Ubuntu SMP Wed Jun 15 12:54:21 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
-----> memory: 
                      total        used        free      shared  buff/cache   available
       Mem:            7761        2888        1519           4        3353        4567
       Swap:              0           0           0
-----> docker version: 
       Client: Docker Engine - Community
        Version:           20.10.17
        API version:       1.41
        Go version:        go1.17.11
        Git commit:        100c701
        Built:             Mon Jun  6 23:02:46 2022
        OS/Arch:           linux/amd64
        Context:           default
        Experimental:      true

       Server: Docker Engine - Community
        Engine:
         Version:          20.10.17
         API version:      1.41 (minimum version 1.12)
         Go version:       go1.17.11
         Git commit:       a89b842
         Built:            Mon Jun  6 23:00:51 2022
         OS/Arch:          linux/amd64
         Experimental:     false
        containerd:
         Version:          1.6.6
         GitCommit:        10c12954828e7c7c9b6e0ea9b0c02b01407d3ae1
        runc:
         Version:          1.1.2
         GitCommit:        v1.1.2-0-ga916309
        docker-init:
         Version:          0.19.0
         GitCommit:        de40ad0
-----> docker daemon info: 
       Client:
        Context:    default
        Debug Mode: true
        Plugins:
         app: Docker App (Docker Inc., v0.9.1-beta3)
         buildx: Docker Buildx (Docker Inc., v0.8.2-docker)
         compose: Docker Compose (Docker Inc., v2.6.0)
         scan: Docker Scan (Docker Inc., v0.17.0)

       Server:
        Containers: 8
         Running: 8
         Paused: 0
         Stopped: 0
        Images: 68
        Server Version: 20.10.17
        Storage Driver: overlay2
         Backing Filesystem: extfs
         Supports d_type: true
         Native Overlay Diff: true
         userxattr: false
        Logging Driver: json-file
        Cgroup Driver: systemd
        Cgroup Version: 2
        Plugins:
         Volume: local
         Network: bridge host ipvlan macvlan null overlay
         Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
        Swarm: inactive
        Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
        Default Runtime: runc
        Init Binary: docker-init
        containerd version: 10c12954828e7c7c9b6e0ea9b0c02b01407d3ae1
        runc version: v1.1.2-0-ga916309
        init version: de40ad0
        Security Options:
         apparmor
         seccomp
          Profile: default
         cgroupns
        Kernel Version: 5.15.0-40-generic
        Operating System: Ubuntu 22.04 LTS
        OSType: linux
        Architecture: x86_64
        CPUs: 4
        Total Memory: 7.579GiB
        Name: XXXX
        ID: P6NH:MIYE:3JV6:YTYK:MLVG:UCP2:ID6B:6PW2:IMUK:EBPX:7URP:BAIC
        Docker Root Dir: /var/lib/docker
        Debug Mode: false
        Registry: https://index.docker.io/v1/
        Labels:
        Experimental: false
        Insecure Registries:
         127.0.0.0/8
        Live Restore Enabled: false

-----> git version: git version 2.34.1
-----> sigil version: 0.9.0build+bc921b7
-----> herokuish version: 
       herokuish: 0.5.36
       buildpacks:
         heroku-buildpack-multi     v1.2.0
         heroku-buildpack-ruby      v240
         heroku-buildpack-nodejs    v196
         heroku-buildpack-clojure   v87
         heroku-buildpack-python    v211
         heroku-buildpack-java      v70
         heroku-buildpack-gradle    v36
         heroku-buildpack-scala     v92
         heroku-buildpack-play      v26
         heroku-buildpack-php       v218
         heroku-buildpack-go        v162
         heroku-buildpack-nginx     v16
         buildpack-null             v3
-----> dokku version: dokku version 0.27.6
-----> plugn version: plugn: 0.12.0build+3a27594
-----> dokku plugins: 
         00_dokku-standard    0.27.6 enabled    dokku core standard plugin
         20_events            0.27.6 enabled    dokku core events logging plugin
         app-json             0.27.6 enabled    dokku core app-json plugin
         apps                 0.27.6 enabled    dokku core apps plugin
         builder              0.27.6 enabled    dokku core builder plugin
         builder-dockerfile   0.27.6 enabled    dokku core builder-dockerfile plugin
         builder-herokuish    0.27.6 enabled    dokku core builder-herokuish plugin
         builder-null         0.27.6 enabled    dokku core builder-null plugin
         builder-pack         0.27.6 enabled    dokku core builder-pack plugin
         buildpacks           0.27.6 enabled    dokku core buildpacks plugin
         certs                0.27.6 enabled    dokku core certificate management plugin
         checks               0.27.6 enabled    dokku core checks plugin
         common               0.27.6 enabled    dokku core common plugin
         config               0.27.6 enabled    dokku core config plugin
         cron                 0.27.6 enabled    dokku core cron plugin
         docker-options       0.27.6 enabled    dokku core docker-options plugin
         domains              0.27.6 enabled    dokku core domains plugin
         elasticsearch        1.20.3 enabled    dokku elasticsearch service plugin
         enter                0.27.6 enabled    dokku core enter plugin
         git                  0.27.6 enabled    dokku core git plugin
         http-auth            0.10.0 enabled    HTTP authentication for apps
         letsencrypt          0.16.3 enabled    Automated installation of let's encrypt TLS certificates
         logs                 0.27.6 enabled    dokku core logs plugin
         mysql                1.19.5 enabled    dokku mysql service plugin
         network              0.27.6 enabled    dokku core network plugin
         nginx-vhosts         0.27.6 enabled    dokku core nginx-vhosts plugin
         plugin               0.27.6 enabled    dokku core plugin plugin
         proxy                0.27.6 enabled    dokku core proxy plugin
         ps                   0.27.6 enabled    dokku core ps plugin
         redis                1.20.0 enabled    dokku redis service plugin
         registry             0.27.6 enabled    dokku core registry plugin
         repo                 0.27.6 enabled    dokku core repo plugin
         resource             0.27.6 enabled    dokku core resource plugin
         run                  0.27.6 enabled    dokku core run plugin
         scheduler            0.27.6 enabled    dokku core scheduler plugin
         scheduler-docker-local 0.27.6 enabled    dokku core scheduler-docker-local plugin
         scheduler-null       0.27.6 enabled    dokku core scheduler-null plugin
         shell                0.27.6 enabled    dokku core shell plugin
         ssh-keys             0.27.6 enabled    dokku core ssh-keys plugin
         storage              0.27.6 enabled    dokku core storage plugin
         trace                0.27.6 enabled    dokku core trace plugin
=====> sidekiq app-json information
       App json computed selected:    app.json
       App json global selected:      app.json
       App json selected:             
=====> sidekiq app information
       App created at:                1656499876
       App deploy source:             sidekiq
       App deploy source metadata:    sidekiq
       App dir:                       /home/dokku/sidekiq
       App locked:                    false
=====> sidekiq builder information
       Builder build dir:             
       Builder computed build dir:    
       Builder computed selected:     
       Builder global build dir:      
       Builder global selected:       
       Builder selected:              
=====> sidekiq builder-dockerfile information
       Builder dockerfile computed dockerfile path: Dockerfile               
       Builder dockerfile global dockerfile path: Dockerfile               
       Builder dockerfile dockerfile path:                          
=====> sidekiq builder-pack information
       Builder pack computed projecttoml path: project.toml             
       Builder pack global projecttoml path: project.toml             
       Builder pack projecttoml path:                          
=====> sidekiq buildpacks information
       Buildpacks computed stack:     gliderlabs/herokuish:latest-20
       Buildpacks global stack:       
       Buildpacks list:               
       Buildpacks stack:              
=====> sidekiq ssl information
       Ssl dir:                       /home/dokku/sidekiq/tls  
       Ssl enabled:                   true                     
       Ssl hostnames:                 XXXXXX       
       Ssl expires at:                Sep 27 07:46:45 2022 GMT 
       Ssl issuer:                    C = US, O = Let's Encrypt, CN = R3
       Ssl starts at:                 Jun 29 07:46:46 2022 GMT 
       Ssl subject:                   subject=CN = XXXXXX
       Ssl verified:                  self signed              
=====> sidekiq checks information
       Checks disabled list:          none                     
       Checks skipped list:           none                     
=====> sidekiq cron information
       Cron task count:               0
=====> sidekiq docker options information
       Docker options build:          --link dokku.redis.redis:dokku-redis-redis 
       Docker options deploy:         --link dokku.redis.redis:dokku-redis-redis --restart=on-failure:10 
       Docker options run:            --link dokku.redis.redis:dokku-redis-redis 
=====> sidekiq domains information
       Domains app enabled:           true                     
       Domains app vhosts:            XXXXXXX       
       Domains global enabled:        true                     
       Domains global vhosts:         XXXXXX               
=====> sidekiq git information
       Git deploy branch:             master                   
       Git global deploy branch:      master                   
       Git keep git dir:              false                    
       Git rev env var:               GIT_REV                  
       Git sha:                       6cc14d9                  
       Git last updated at:           1656492376               
=====> sidekiq http-auth information
       Http auth enabled:             true                     
       Http auth allowed ips:                                  
       Http auth users:               sidekiq                  
=====> sidekiq letsencrypt information
       Letsencrypt active:            true                     
       Letsencrypt autorenew:         false                    
       Letsencrypt email:             XXXXXXXX            
       Letsencrypt expiration:        1664264805               
=====> sidekiq logs information
       Logs computed max size:        10m
       Logs global max size:          10m
       Logs global vector sink:       
       Logs max size:                 
       Logs vector sink:              
=====> sidekiq network information
       Network attach post create:           
       Network attach post deploy:           
       Network bind all interfaces:          false
       Network computed attach post create:  
       Network computed attach post deploy:  
       Network computed bind all interfaces: false
       Network computed initial network:     
       Network computed tld:                 
       Network global attach post create:    
       Network global attach post deploy:    
       Network global bind all interfaces:   false
       Network global initial network:       
       Network global tld:                   
       Network initial network:              
       Network static web listener:          
       Network tld:                          
       Network web listeners:                172.17.0.5:5000
=====> sidekiq nginx information
       Nginx access log format:                                
       Nginx access log path:         /var/log/nginx/sidekiq-access.log
       Nginx bind address ipv4:                                
       Nginx bind address ipv6:       ::                       
       Nginx client max body size:                             
       Nginx disable custom config:   false                    
       Nginx error log path:          /var/log/nginx/sidekiq-error.log
       Nginx global hsts:             true                     
       Nginx computed hsts:           true                     
       Nginx hsts:                                             
       Nginx hsts include subdomains: true                     
       Nginx hsts max age:            15724800                 
       Nginx hsts preload:            false                    
       Nginx proxy buffer size:       4096                     
       Nginx proxy buffering:         on                       
       Nginx proxy buffers:           8 4096                   
       Nginx proxy busy buffers size: 8192                     
       Nginx proxy read timeout:      60s                      
       Nginx last visited at:         1656624315               
       Nginx x forwarded for value:   $remote_addr             
       Nginx x forwarded port value:  $server_port             
       Nginx x forwarded proto value: $scheme                  
       Nginx x forwarded ssl:                                  
=====> sidekiq proxy information
       Proxy enabled:                 true
       Proxy port map:                http:80:5000 https:443:5000
       Proxy type:                    nginx
=====> sidekiq ps information
       Deployed:                      true
       Processes:                     1
       Ps can scale:                  true
       Ps computed procfile path:     Procfile
       Ps global procfile path:       Procfile
       Ps procfile path:              
       Ps restart policy:             on-failure:10
       Restore:                       true
       Running:                       true
       Status web 1:                  running (CID: c9bf6b0d84f)
=====> sidekiq registry information
       Registry computed image repo:      dokku/sidekiq
       Registry computed push on release: false
       Registry computed server:          
       Registry global push on release:   
       Registry global server:            
       Registry image repo:               
       Registry push on release:          
       Registry server:                   
       Registry tag version:              
=====> sidekiq resource information
=====> sidekiq scheduler information
       Scheduler computed selected:   docker-local
       Scheduler global selected:     docker-local
       Scheduler selected:            
=====> sidekiq scheduler-docker-local information
       Scheduler docker local disable chown:                          
       Scheduler docker local parallel schedule count:                          
=====> sidekiq storage information
       Storage build mounts:                                   
       Storage deploy mounts:                                  
       Storage run mounts:

How (deb/make/rpm) and where (AWS, VirtualBox, physical, etc.) was Dokku installed?:

Dokku version 0.27.6 installed using bootstrap.sh on a fresh installation of Ubuntu 22.04 LTS on physical server.

Additional information

The nginx configuration (if applicable) via dokku nginx:show-config APP_NAME

server {
  listen      [::]:80;
  listen      80;
  server_name XXXXX; 
  access_log  /var/log/nginx/sidekiq-access.log;
  error_log   /var/log/nginx/sidekiq-error.log;

  include /home/dokku/sidekiq/nginx.conf.d/*.conf;
  location / {
    return 301 https://$host:443$request_uri;
  }

}

server {
  listen      [::]:443 ssl http2;
  listen      443 ssl http2;

  server_name XXXXX; 
  access_log  /var/log/nginx/sidekiq-access.log;
  error_log   /var/log/nginx/sidekiq-error.log;

  ssl_certificate           /home/dokku/sidekiq/tls/server.crt;
  ssl_certificate_key       /home/dokku/sidekiq/tls/server.key;
  ssl_protocols             TLSv1.2 TLSv1.3;
  ssl_prefer_server_ciphers off;

  keepalive_timeout   70;

  location    / {

    gzip on;
    gzip_min_length  1100;
    gzip_buffers  4 32k;
    gzip_types    text/css text/javascript text/xml text/plain text/x-component application/javascript application/x-javascript application/json application/xml  application/rss+xml font/truetype application/x-font-ttf font/opentype application/vnd.ms-fontobject image/svg+xml;
    gzip_vary on;
    gzip_comp_level  6;

    proxy_pass  http://sidekiq-5000;
    http2_push_preload on; 
    proxy_http_version 1.1;
    proxy_read_timeout 60s;
    proxy_buffer_size 4096;
    proxy_buffering on;
    proxy_buffers 8 4096;
    proxy_busy_buffers_size 8192;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Port $server_port;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Request-Start $msec;

  }

  include /home/dokku/sidekiq/nginx.conf.d/*.conf;

  error_page 400 401 402 403 405 406 407 408 409 410 411 412 413 414 415 416 417 418 420 422 423 424 426 428 429 431 444 449 450 451 /400-error.html;
  location /400-error.html {
    root /var/lib/dokku/data/nginx-vhosts/dokku-errors;
    internal;
  }

  error_page 404 /404-error.html;
  location /404-error.html {
    root /var/lib/dokku/data/nginx-vhosts/dokku-errors;
    internal;
  }

  error_page 500 501 503 504 505 506 507 508 509 510 511 /500-error.html;
  location /500-error.html {
    root /var/lib/dokku/data/nginx-vhosts/dokku-errors;
    internal;
  }

  error_page 502 /502-error.html;
  location /502-error.html {
    root /var/lib/dokku/data/nginx-vhosts/dokku-errors;
    internal;
  }
}

upstream sidekiq-5000 {

  server 172.17.0.5:5000;
}

Content of /home/dokku/sidekiq/nginx.conf.d/http-auth.conf

auth_basic           "Restricted";
auth_basic_user_file /home/dokku/sidekiq/htpasswd;

josegonzalez commented 2 years ago

Do you have SELinux or similar enabled?

javierav commented 2 years ago

Not that I know!

For example, in DigitalOcean droplet with Ubuntu 22.04 LTS

$ apt update
$ apt upgrade
$ wget https://raw.githubusercontent.com/dokku/dokku/v0.27.6/bootstrap.sh
$ DOKKU_TAG=v0.27.6 bash bootstrap.sh
$ ls -la /home/
total 12
drwxr-xr-x  3 root  root  4096 Jul  1 13:54 .
drwxr-xr-x 19 root  root  4096 Jul  1 13:46 ..
drwxr-x---  5 dokku dokku 4096 Jul  1 13:55 dokku

As you can see, the dokku directory has rwxr-x--- permissions instead of rwxr-x--x.

For debugging, some printed data generated during the dokku install process:

Setting up dokku user
Adding user `dokku' ...
Adding new group `dokku' (1000) ...
Adding new user `dokku' (1000) with group `dokku' ...
Creating home directory `/home/dokku' ...
Copying files from `/etc/skel' ...
docker:x:999:

However, the same procedure in Ubuntu 20.04.4 LTS:

ls -la /home/
total 12
drwxr-xr-x  3 root  root  4096 Jul  1 14:13 .
drwxr-xr-x 19 root  root  4096 Jul  1 14:06 ..
drwxr-xr-x  4 dokku dokku 4096 Jul  1 14:13 dokku

trival commented 2 years ago

Had the same issue on Ubuntu 22.04 LTS. Some chmod +x dokku in the home directory made this plugin work again. Thanks @javierav for investigating and pointing in the right direction.

javierav commented 2 years ago

Since Ubuntu 21.04, the home folder for newly created users has 750 as default permissions: https://ubuntu.com/blog/private-home-directories-for-ubuntu-21-04

I think this is something that should be checked by dokku during installation and user creation @josegonzalez

josegonzalez commented 2 years ago

Ugh this makes me think we need to actively migrate all the nginx config over to /etc/nginx somewhere instead of keeping it in the app repo. I'll start working on that, but it's definitely a BC break and a large one for Dokku. Blah.

stevo-knievo commented 2 years ago

I ran into the same issue on Ubuntu 22.04.1 LTS.

chmod +x dokku worked for me as well.

Thanks!

bayukp commented 1 year ago

I ran into the same problem, and chmod +x dokku on the home folder does the trick.

patoroco commented 1 year ago

Same issue, and solved by doing cd /home/; chmod +x dokku as you mentioned above.

Thanks for sharing, and hopefully it will be solved soon :)
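
The cause identified in this thread, checked mechanically, as an added example that is not part of the original issue or the plugin's code: it walks each component of the htpasswd path and reports the first one whose "other" permission bits stop a process such as the nginx worker, which is assumed here to be neither the owner nor a member of the dokku group. The function name and the temporary directory tree are constructed for illustration, and GNU stat is assumed.

```bash
#!/bin/sh
# Added example. Only the classic "other" mode bits are inspected; ACLs,
# group membership and MAC policies (SELinux/AppArmor) are out of scope.

# first_blocked_component TARGET [START]
# Walks TARGET below START (default /). Prints the first component that a
# process with only "other" rights cannot pass and returns 1; returns 0 if
# every directory has o+x and the final file has o+r.
first_blocked_component() {
  local target="$1" current="${2:-/}" rest part mode other
  current="${current%/}"
  rest="${target#"$current"/}"
  while [ -n "$rest" ]; do
    part="${rest%%/*}"
    case "$rest" in
      */*) rest="${rest#*/}" ;;
      *)   rest="" ;;
    esac
    [ -n "$part" ] || continue
    current="$current/$part"
    mode=$(stat -c '%a' "$current" 2>/dev/null) || {
      echo "$current (missing)"; return 1; }
    other=$(( 0$mode & 7 ))          # last octal digit = "other" bits
    if [ -d "$current" ]; then
      # A directory needs the execute (search) bit to be traversed.
      if [ $(( other & 1 )) -eq 0 ]; then echo "$current"; return 1; fi
    else
      # The file itself needs the read bit to be opened.
      if [ $(( other & 4 )) -eq 0 ]; then echo "$current"; return 1; fi
    fi
  done
  return 0
}

# Constructed layout mirroring the thread: the dokku home at 750, then 751.
demo() {
  local root file
  root=$(mktemp -d)
  file="$root/home/dokku/sidekiq/htpasswd"
  mkdir -p "$root/home/dokku/sidekiq"
  : > "$file"
  chmod 755 "$root/home" "$root/home/dokku/sidekiq"
  chmod 644 "$file"
  chmod 750 "$root/home/dokku"   # rwxr-x---, as reported on Ubuntu 22.04
  echo "750 -> blocked at: $(first_blocked_component "$file" "$root" || true)"
  chmod o+x "$root/home/dokku"   # rwxr-x--x: traversal only, no listing
  if first_blocked_component "$file" "$root"; then
    echo "751 -> every component is passable"
  fi
  rm -rf "$root"
}
demo
```

On a real host the call would be `first_blocked_component /home/dokku/APP_NAME/htpasswd`; `namei -l` on the same path lists the same per-component modes for manual inspection.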