dokku / dokku-maintenance

dokku plugin that gives the ability to manage application maintenance mode

403 on maintenance page #19

Open boazpoolman opened 4 months ago

boazpoolman commented 4 months ago

Description of problem

When I enable the maintenance mode for an app I get a 403 page.

Screenshot 2024-05-02 at 19 14 48

How reproducible

I'm unsure if this is intended behavior, or whether it's an issue with my implementation.

I can confirm that all different apps on my Dokku host have the same problem.

Setting a custom page does change the behavior.

Steps to Reproduce

  1. Enable maintenance: dokku maintenance:enable myapp
  2. Visit the app's domain in the browser
  3. See the 403

Actual Results

A 403 nginx page

Expected Results

The maintenance page.

Environment Information

dokku report APP_NAME output

-----> uname: Linux vps-447207c9 5.15.0-101-generic #111-Ubuntu SMP Tue Mar 5 20:16:58 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
-----> memory:
                      total        used        free      shared  buff/cache   available
       Mem:            1916         463          90          21        1361        1238
       Swap:              0           0           0
-----> disk utilization:
       Filesystem      Size  Used Avail Use% Mounted on
       /dev/sda1        20G   12G  8.2G  58% /
       /dev/sda15      105M  6.1M   99M   6% /boot/efi
-----> disk inode utilization:
       Filesystem     Inodes IUsed IFree IUse% Mounted on
       /dev/sda1        2.5M  298K  2.2M   12% /
       /dev/sda15          0     0     0     - /boot/efi
-----> docker version:
       Client: Docker Engine - Community
        Version:           26.1.1
        API version:       1.45
        Go version:        go1.21.9
        Git commit:        4cf5afa
        Built:             Tue Apr 30 11:47:53 2024
        OS/Arch:           linux/amd64
        Context:           default

       Server: Docker Engine - Community
        Engine:
         Version:          26.1.1
         API version:      1.45 (minimum version 1.24)
         Go version:       go1.21.9
         Git commit:       ac2de55
         Built:            Tue Apr 30 11:47:53 2024
         OS/Arch:          linux/amd64
         Experimental:     false
        containerd:
         Version:          1.6.31
         GitCommit:        e377cd56a71523140ca6ae87e30244719194a521
        runc:
         Version:          1.1.12
         GitCommit:        v1.1.12-0-g51d5e94
        docker-init:
         Version:          0.19.0
         GitCommit:        de40ad0
-----> docker daemon info:
       Client: Docker Engine - Community
        Version:    26.1.1
        Context:    default
        Debug Mode: true
        Plugins:
         buildx: Docker Buildx (Docker Inc.)
           Version:  v0.14.0
           Path:     /usr/libexec/docker/cli-plugins/docker-buildx
         compose: Docker Compose (Docker Inc.)
           Version:  v2.27.0
           Path:     /usr/libexec/docker/cli-plugins/docker-compose

       Server:
        Containers: 4
         Running: 4
         Paused: 0
         Stopped: 0
        Images: 5
        Server Version: 26.1.1
        Storage Driver: overlay2
         Backing Filesystem: extfs
         Supports d_type: true
         Using metacopy: false
         Native Overlay Diff: true
         userxattr: false
        Logging Driver: json-file
        Cgroup Driver: systemd
        Cgroup Version: 2
        Plugins:
         Volume: local
         Network: bridge host ipvlan macvlan null overlay
         Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
        Swarm: inactive
        Runtimes: io.containerd.runc.v2 runc
        Default Runtime: runc
        Init Binary: docker-init
        containerd version: e377cd56a71523140ca6ae87e30244719194a521
        runc version: v1.1.12-0-g51d5e94
        init version: de40ad0
        Security Options:
         apparmor
         seccomp
          Profile: builtin
         cgroupns
        Kernel Version: 5.15.0-101-generic
        Operating System: Ubuntu 22.04.4 LTS
        OSType: linux
        Architecture: x86_64
        CPUs: 1
        Total Memory: 1.871GiB
        Name: vps-447207c9
        ID: 4763accc-1c09-4650-9a9b-ad89a7ab7879
        Docker Root Dir: /var/lib/docker
        Debug Mode: false
         File Descriptors: 48
         Goroutines: 60
         System Time: 2024-05-02T17:20:30.053328604Z
         EventsListeners: 0
        Experimental: false
        Insecure Registries:
         127.0.0.0/8
        Live Restore Enabled: false

-----> herokuish version:
 !     Herokuish image gliderlabs/herokuish:latest-22 is not available
-----> dokku version: dokku version 0.34.4
-----> dokku-event-listener version: 0.15.0build+5268732
-----> dokku-update version: dokku-update 0.8.0
-----> docker-container-healthchecker version: 0.9.0
-----> docker-image-labeler version: 0.6.1build+c6e15a9
-----> git version: git version 2.34.1
-----> lambda-builder version:        0.6.0
-----> netrc version: 0.8.0build+0751c1b
 !     pack binary is not available
-----> plugn version: plugn: 0.13.0build+fd5297a
-----> sigil version: 0.10.1build+e443be0
-----> sshcommand version: sshcommand 0.17.1
-----> dokku plugins:
         00_dokku-standard    0.34.4 enabled    dokku core standard plugin
         20_events            0.34.4 enabled    dokku core events logging plugin
         app-json             0.34.4 enabled    dokku core app-json plugin
         apps                 0.34.4 enabled    dokku core apps plugin
         builder              0.34.4 enabled    dokku core builder plugin
         builder-dockerfile   0.34.4 enabled    dokku core builder-dockerfile plugin
         builder-herokuish    0.34.4 enabled    dokku core builder-herokuish plugin
         builder-lambda       0.34.4 enabled    dokku core builder-lambda plugin
         builder-nixpacks     0.34.4 enabled    dokku core builder-nixpacks plugin
         builder-null         0.34.4 enabled    dokku core builder-null plugin
         builder-pack         0.34.4 enabled    dokku core builder-pack plugin
         buildpacks           0.34.4 enabled    dokku core buildpacks plugin
         caddy-vhosts         0.34.4 enabled    dokku core caddy-vhosts plugin
         certs                0.34.4 enabled    dokku core certificate management plugin
         checks               0.34.4 enabled    dokku core checks plugin
         common               0.34.4 enabled    dokku core common plugin
         config               0.34.4 enabled    dokku core config plugin
         cron                 0.34.4 enabled    dokku core cron plugin
         docker-options       0.34.4 enabled    dokku core docker-options plugin
         domains              0.34.4 enabled    dokku core domains plugin
         enter                0.34.4 enabled    dokku core enter plugin
         git                  0.34.4 enabled    dokku core git plugin
         haproxy-vhosts       0.34.4 enabled    dokku core haproxy-vhosts plugin
         letsencrypt          0.20.4 enabled    Automated installation of let's encrypt TLS certificates
         logs                 0.34.4 enabled    dokku core logs plugin
         maintenance          0.8.0 enabled    Maintenance mode for apps
         network              0.34.4 enabled    dokku core network plugin
         nginx-vhosts         0.34.4 enabled    dokku core nginx-vhosts plugin
         openresty-vhosts     0.34.4 enabled    dokku core openresty-vhosts plugin
         plugin               0.34.4 enabled    dokku core plugin plugin
         ports                0.34.4 enabled    dokku core ports plugin
         postgres             1.36.4 enabled    dokku postgres service plugin
         proxy                0.34.4 enabled    dokku core proxy plugin
         ps                   0.34.4 enabled    dokku core ps plugin
         registry             0.34.4 enabled    dokku core registry plugin
         repo                 0.34.4 enabled    dokku core repo plugin
         resource             0.34.4 enabled    dokku core resource plugin
         run                  0.34.4 enabled    dokku core run plugin
         scheduler            0.34.4 enabled    dokku core scheduler plugin
         scheduler-docker-local 0.34.4 enabled    dokku core scheduler-docker-local plugin
         scheduler-k3s        0.34.4 enabled    dokku core scheduler-k3s plugin
         scheduler-null       0.34.4 enabled    dokku core scheduler-null plugin
         shell                0.34.4 enabled    dokku core shell plugin
         ssh-keys             0.34.4 enabled    dokku core ssh-keys plugin
         storage              0.34.4 enabled    dokku core storage plugin
         trace                0.34.4 enabled    dokku core trace plugin
         traefik-vhosts       0.34.4 enabled    dokku core traefik-vhosts plugin
=====> nextjs app-json information
       App json computed selected:    app.json
       App json global selected:      app.json
       App json selected:
=====> nextjs app information
       App created at:                1714666680
       App deploy source:             git-sync
       App deploy source metadata:    https://github.com/heroku/node-js-getting-started.git#bf257f0c228dabe5c3ea340d4553a767a540e615
       App dir:                       /home/dokku/nextjs
       App locked:                    false
=====> nextjs builder information
       Builder build dir:
       Builder computed build dir:
       Builder computed selected:
       Builder global build dir:
       Builder global selected:
       Builder selected:
=====> nextjs builder-dockerfile information
       Builder dockerfile computed dockerfile path: Dockerfile
       Builder dockerfile global dockerfile path: Dockerfile
       Builder dockerfile dockerfile path:
=====> nextjs builder-herokuish information
       Builder herokuish computed allowed: true
       Builder herokuish global allowed: true
       Builder herokuish allowed:
=====> nextjs builder-lambda information
       Builder lambda computed lambdayml path: lambda.yml
       Builder lambda global lambdayml path: lambda.yml
       Builder lambda lambdayml path:
=====> nextjs builder-nixpacks information
       Builder nixpacks computed nixpackstoml path: nixpacks.toml
       Builder nixpacks global nixpackstoml path: nixpacks.toml
       Builder nixpacks nixpackstoml path:
       Builder nixpacks computed no cache: false
       Builder nixpacks global no cache: false
       Builder nixpacks no cache:
=====> nextjs builder-pack information
       Builder pack computed projecttoml path: project.toml
       Builder pack global projecttoml path: project.toml
       Builder pack projecttoml path:
=====> nextjs buildpacks information
       Buildpacks computed stack:     gliderlabs/herokuish:latest-22
       Buildpacks global stack:
       Buildpacks list:
       Buildpacks stack:
=====> nextjs caddy information
       Caddy image:                   lucaslorentz/caddy-docker-proxy:2.8
       Caddy letsencrypt email:
       Caddy letsencrypt server:      https://acme-v02.api.letsencrypt.org/directory
       Caddy log level:               ERROR
       Caddy polling interval:        5s
       Caddy tls internal:            false
=====> nextjs ssl information
       Ssl dir:                       /home/dokku/nextjs/tls
       Ssl enabled:                   true
       Ssl hostnames:                 database-of-life.com
       Ssl expires at:                Jul 31 16:09:59 2024 GMT
       Ssl issuer:                    C = US, O = Let's Encrypt, CN = R3
       Ssl starts at:                 May  2 16:10:00 2024 GMT
       Ssl subject:                   subject=CN = database-of-life.com
       Ssl verified:                  verified by a certificate authority
=====> nextjs checks information
       Checks disabled list:          none
       Checks skipped list:           none
       Checks computed wait to retire: 60
       Checks global wait to retire:  60
       Checks wait to retire:
=====> nextjs docker options information
       Docker options build:
       Docker options deploy:         --restart=on-failure:10
       Docker options run:
=====> nextjs domains information
       Domains app enabled:           true
       Domains app vhosts:            database-of-life.com
       Domains global enabled:        false
       Domains global vhosts:
=====> nextjs git information
       Git deploy branch:             main
       Git global deploy branch:      master
       Git keep git dir:              false
       Git rev env var:               GIT_REV
       Git sha:                       bf257f0c228dabe5c3ea340d4553a767a540e615
       Git source image:
       Git last updated at:           1714666745
=====> nextjs haproxy information
       Haproxy image:                 byjg/easy-haproxy:4.4.0
       Haproxy letsencrypt email:
       Haproxy letsencrypt server:    https://acme-v02.api.letsencrypt.org/directory
       Haproxy log level:             ERROR
=====> nextjs letsencrypt information
       Letsencrypt active:            true
       Letsencrypt autorenew:         false
       Letsencrypt computed dns provider:
       Letsencrypt global dns provider:
       Letsencrypt dns provider:
       Letsencrypt computed email:    contact@it-everywhere.nl
       Letsencrypt global email:
       Letsencrypt email:             contact@it-everywhere.nl
       Letsencrypt expiration:        1722442199
       Letsencrypt computed graceperiod: 2592000
       Letsencrypt global graceperiod:
       Letsencrypt graceperiod:
       Letsencrypt computed lego docker args:
       Letsencrypt global lego docker args:
       Letsencrypt lego docker args:
       Letsencrypt computed server:   https://acme-v02.api.letsencrypt.org/directory
       Letsencrypt global server:
       Letsencrypt server:
=====> nextjs logs information
       Logs computed max size:        10m
       Logs global max size:          10m
       Logs global vector sink:
       Logs max size:
       Logs vector global image:      timberio/vector:0.36.1-debian
       Logs vector sink:
=====> nextjs maintenance information
       Maintenance enabled:           true
=====> nextjs network information
       Network attach post create:
       Network attach post deploy:
       Network bind all interfaces:          false
       Network computed attach post create:
       Network computed attach post deploy:
       Network computed bind all interfaces: false
       Network computed initial network:
       Network computed tld:
       Network global attach post create:
       Network global attach post deploy:
       Network global bind all interfaces:   false
       Network global initial network:
       Network global tld:
       Network initial network:
       Network static web listener:
       Network tld:
       Network web listeners:                172.17.0.5:5001
=====> nextjs nginx information
       Nginx access log format:
       Nginx computed access log format:
       Nginx global access log format:
       Nginx access log path:
       Nginx computed access log path: /var/log/nginx/nextjs-access.log
       Nginx global access log path:  /var/log/nginx/nextjs-access.log
       Nginx bind address ipv4:
       Nginx computed bind address ipv4:
       Nginx global bind address ipv4:
       Nginx bind address ipv6:
       Nginx computed bind address ipv6: ::
       Nginx global bind address ipv6: ::
       Nginx client max body size:
       Nginx computed client max body size: 1m
       Nginx global client max body size: 1m
       Nginx disable custom config:
       Nginx computed disable custom config: false
       Nginx global disable custom config: false
       Nginx error log path:
       Nginx computed error log path: /var/log/nginx/nextjs-error.log
       Nginx global error log path:   /var/log/nginx/nextjs-error.log
       Nginx hsts include subdomains:
       Nginx computed hsts include subdomains: true
       Nginx global hsts include subdomains: true
       Nginx hsts max age:
       Nginx computed hsts max age:   15724800
       Nginx global hsts max age:     15724800
       Nginx hsts preload:
       Nginx computed hsts preload:   false
       Nginx global hsts preload:     false
       Nginx hsts:
       Nginx computed hsts:           true
       Nginx global hsts:             true
       Nginx last visited at:
       Nginx nginx conf sigil path:
       Nginx computed nginx conf sigil path: nginx.conf.sigil
       Nginx global nginx conf sigil path: nginx.conf.sigil
       Nginx proxy buffer size:
       Nginx computed proxy buffer size: 4k
       Nginx global proxy buffer size: 4k
       Nginx proxy buffering:
       Nginx computed proxy buffering: on
       Nginx global proxy buffering:  on
       Nginx proxy buffers:
       Nginx computed proxy buffers:  8 4k
       Nginx global proxy buffers:    8 4k
       Nginx proxy busy buffers size:
       Nginx computed proxy busy buffers size: 8k
       Nginx global proxy busy buffers size: 8k
       Nginx proxy read timeout:
       Nginx computed proxy read timeout: 60s
       Nginx global proxy read timeout: 60s
       Nginx underscore in headers:
       Nginx computed underscore in headers: off
       Nginx global underscore in headers: off
       Nginx x forwarded for value:
       Nginx computed x forwarded for value: $remote_addr
       Nginx global x forwarded for value: $remote_addr
       Nginx x forwarded port value:
       Nginx computed x forwarded port value: $server_port
       Nginx global x forwarded port value: $server_port
       Nginx x forwarded proto value:
       Nginx computed x forwarded proto value: $scheme
       Nginx global x forwarded proto value: $scheme
       Nginx x forwarded ssl:
       Nginx computed x forwarded ssl:
       Nginx global x forwarded ssl:
=====> nextjs openresty information
       Openresty access log format:
       Openresty access log path:     /var/log/nginx/nextjs-access.log
       Openresty allowed letsencrypt domains func base64: cmV0dXJuIHRydWUK
       Openresty bind address ipv4:
       Openresty bind address ipv6:   ::
       Openresty client max body size:
       Openresty error log path:      /var/log/nginx/nextjs-error.log
       Openresty global hsts:         true
       Openresty computed hsts:       true
       Openresty hsts:
       Openresty hsts include subdomains: true
       Openresty hsts max age:        15724800
       Openresty hsts preload:        false
       Openresty image:               dokku/openresty-docker-proxy:0.7.0
       Openresty letsencrypt email:
       Openresty letsencrypt server:  https://acme-v02.api.letsencrypt.org/directory
       Openresty proxy buffer size:   4k
       Openresty proxy buffering:     on
       Openresty proxy buffers:       8 4k
       Openresty proxy busy buffers size: 8k
       Openresty proxy read timeout:  60s
       Openresty underscore in headers: off
       Openresty x forwarded for value: $remote_addr
       Openresty x forwarded port value: $server_port
       Openresty x forwarded proto value: $scheme
       Openresty x forwarded ssl:
=====> nextjs ports information
       Ports map:                     http:5000:5000 http:80:5000 https:443:5000
       Ports map detected:            http:80:5000 https:443:5000
=====> nextjs proxy information
       Proxy computed type:           nginx
       Proxy enabled:                 true
       Proxy global type:             nginx
       Proxy type:
=====> nextjs ps information
       Deployed:                      true
       Processes:                     1
       Ps can scale:                  true
       Ps computed procfile path:     Procfile
       Ps global procfile path:       Procfile
       Ps procfile path:
       Ps restart policy:             on-failure:10
       Restore:                       true
       Running:                       true
       Status web 1:                  running (CID: 869c3e2863c)
=====> nextjs registry information
       Registry computed image repo:        dokku/nextjs
       Registry computed push on release:   false
       Registry computed server:
       Registry global image repo template:
       Registry global push on release:
       Registry global server:
       Registry image repo:
       Registry push extra tags:
       Registry push on release:
       Registry server:
       Registry tag version:
=====> nextjs resource information
=====> nextjs scheduler information
       Scheduler computed selected:   docker-local
       Scheduler global selected:     docker-local
       Scheduler selected:
=====> nextjs scheduler-docker-local information
       Scheduler docker local init process: true
       Scheduler docker local parallel schedule count:
=====> nextjs scheduler-k3s information
       Scheduler k3s computed deploy timeout:       300s
       Scheduler k3s computed image pull secrets:
       Scheduler k3s computed letsencrypt server:   prod
       Scheduler k3s computed namespace:            default
       Scheduler k3s computed rollback on failure:  false
       Scheduler k3s deploy timeout:
       Scheduler k3s global deploy timeout:         300s
       Scheduler k3s global image pull secrets:
       Scheduler k3s global ingress class:          nginx
       Scheduler k3s global kube context:
       Scheduler k3s global kubeconfig path:        /etc/rancher/k3s/k3s.yaml
       Scheduler k3s global letsencrypt email prod:
       Scheduler k3s global letsencrypt email stag:
       Scheduler k3s global letsencrypt server:     prod
       Scheduler k3s global namespace:              default
       Scheduler k3s global network interface:      eth0
       Scheduler k3s global rollback on failure:    false
       Scheduler k3s image pull secrets:
       Scheduler k3s letsencrypt server:
       Scheduler k3s namespace:
       Scheduler k3s rollback on failure:
=====> nextjs storage information
       Storage build mounts:
       Storage deploy mounts:
       Storage run mounts:
=====> nextjs traefik information
       Traefik api enabled:           false
       Traefik api vhost:             traefik.dokku.me
       Traefik basic auth password:
       Traefik basic auth username:
       Traefik dashboard enabled:     false
       Traefik image:                 traefik:2.11.0
       Traefik letsencrypt email:
       Traefik letsencrypt server:    https://acme-v02.api.letsencrypt.org/directory
       Traefik log level:             ERROR

How (deb/make) and where (AWS, VirtualBox, physical, etc.) was Dokku installed?:

Dokku was installed on an OVH VPS with Ubuntu 22.04. The official installation docs were used to install Dokku.

Additional information

}

server {
  listen [::]:80;
  listen 80;
  server_name database-of-life.com;
  access_log /var/log/nginx/nextjs-access.log;
  error_log /var/log/nginx/nextjs-error.log;
  underscores_in_headers off;

  include /home/dokku/nextjs/nginx.conf.d/*.conf;
  location / {
    return 301 https://$host:443$request_uri;
  }
}

server {
  listen [::]:443 ssl http2;
  listen 443 ssl http2;

  server_name database-of-life.com;
  access_log /var/log/nginx/nextjs-access.log;
  error_log /var/log/nginx/nextjs-error.log;
  underscores_in_headers off;

  ssl_certificate /home/dokku/nextjs/tls/server.crt;
  ssl_certificate_key /home/dokku/nextjs/tls/server.key;
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_prefer_server_ciphers off;

  keepalive_timeout 70;

  location / {
    gzip on;
    gzip_min_length  1100;
    gzip_buffers  4 32k;
    gzip_types    text/css text/javascript text/xml text/plain text/x-component application/javascript application/x-javascript application/json application/xml  application/rss+xml font/truetype application/x-font-ttf font/opentype application/vnd.ms-fontobject image/svg+xml;
    gzip_vary on;
    gzip_comp_level  6;

    proxy_pass  http://nextjs-5000;
    http2_push_preload on;
    proxy_http_version 1.1;
    proxy_read_timeout 60s;
    proxy_buffer_size 4k;
    proxy_buffering on;
    proxy_buffers 8 4k;
    proxy_busy_buffers_size 8k;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Port $server_port;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Request-Start $msec;
  }

  client_max_body_size 1m;

  error_page 400 401 402 403 405 406 407 408 409 410 411 412 413 414 415 416 417 418 420 422 423 424 426 428 429 431 444 449 450 451 /400-error.html;
  location /400-error.html {
    root /var/lib/dokku/data/nginx-vhosts/dokku-errors;
    internal;
  }

  error_page 404 /404-error.html;
  location /404-error.html {
    root /var/lib/dokku/data/nginx-vhosts/dokku-errors;
    internal;
  }

  error_page 500 501 503 504 505 506 507 508 509 510 511 /500-error.html;
  location /500-error.html {
    root /var/lib/dokku/data/nginx-vhosts/dokku-errors;
    internal;
  }

  error_page 502 /502-error.html;
  location /502-error.html {
    root /var/lib/dokku/data/nginx-vhosts/dokku-errors;
    internal;
  }
  include /home/dokku/nextjs/nginx.conf.d/*.conf;
}

upstream nextjs-5000 {
  server 172.17.0.5:5000;
}

adamgyulavari commented 4 months ago

fyi @boazpoolman I've managed to solve the issue by adding www-data user to the dokku group on the machine I'm hosting dokku:

ssh root@yourdokku
gpasswd -a www-data dokku

For more context: nginx is being run by the www-data user and that user cannot access the dokku apps' files and directories owned by user and group dokku. Not sure when this changed, but it seemed to be working before my last update which was dokku version 0.32.x.

boazpoolman commented 4 months ago

Is this something that needs to be added to the readme?

Or can we solve the issue from within the source code of the plugin?

adamgyulavari commented 4 months ago

I think it should be solved within the source, so the proper word for my solution is a workaround 😀

boazpoolman commented 4 months ago

Check!

josegonzalez commented 4 months ago

Are y'all running SELinux or something? What version of Ubuntu are you running?

josegonzalez commented 4 months ago

For reference, I've been seeing issues with more "hardened" dokku installs where the nginx config isn't reloaded or similar - this is due to the issue @adamgyulavari brought up.

There is an issue upstream in Dokku to move these configs into the /etc/nginx folder and let nginx handle it, but I haven't gone through the motions of making the change, mostly cause it will be obnoxious to do and likely to cause issues in migration if not done right...

evenreven commented 2 months ago

I'm getting this issue on my first ever test-run of dokku, on a new VPS with Ubuntu 22.04 LTS on Google Cloud. Apart from bootstrapping dokku the way the docs say, I haven't installed a single package, so no extra security shenanigans (unless it's part of Jammy out of the box).

Can confirm the workaround in https://github.com/dokku/dokku-maintenance/issues/19#issuecomment-2100753293 works.

conscribtor commented 1 month ago

I'm running into this issue as well with nginx 1.27.0, Dokku 0.34.7 on Debian 12.
AFAIK we have not diverged from a default installation.

However, it works fine on a Debian 11 installation.
Unfortunately, the workaround in https://github.com/dokku/dokku-maintenance/issues/19#issuecomment-2100753293 does not seem to work on Debian 12.

conscribtor commented 4 weeks ago

I've in the meanwhile noticed that in Debian 12 the Dokku user home (/home/dokku) is created with permissions 0700 instead of 0755, which prevents Nginx from accessing it. I've used the Ansible role to install Dokku.

The workaround described above did not work for me, because:

So for me chmod 0755 /home/dokku solved the issue.
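
Both workarounds in this thread come down to whether the nginx user can search every directory between / and the app's files under /home/dokku. The script below is an added example, not part of the thread or of the plugin: it walks that chain and prints the first component that blocks a given user. The function names are made up here; it assumes GNU stat and models classic mode bits only.

```shell
#!/bin/sh
# Added example. Evaluates owner/group/other mode bits only; ACLs,
# SELinux/AppArmor and root's permission bypass are not modelled.
# Requires GNU stat (stat -c), as shipped on Ubuntu and Debian.

# applicable_bits MODE OWNER_UID OWNER_GID UID "GID GID ..."
# Prints the single rwx digit (0-7) that applies to that identity.
applicable_bits() (
    mode=$(printf '%04o' "0$1")   # normalise "0", "755", "1777" to 4 digits
    perms=${mode#?}               # drop the setuid/setgid/sticky digit
    if [ "$4" = "$2" ]; then
        echo "${perms%??}"        # owner class
        exit 0
    fi
    for gid in $5; do
        if [ "$gid" = "$3" ]; then
            mid=${perms#?}
            echo "${mid%?}"       # group class
            exit 0
        fi
    done
    echo "${perms#??}"            # other class
)

# first_blocker UID "GIDS" TARGET [ROOT]
# Walks ROOT (default /) down to TARGET and prints the first path the
# identity cannot pass: directories need search (x), a final file needs
# read (r). Prints nothing and returns 0 when the chain is accessible.
first_blocker() (
    uid=$1 gids=$2 target=$3 root=${4:-/}
    chain=$target
    p=$target
    while [ "$p" != "$root" ] && [ "$p" != "/" ] && [ "$p" != "." ]; do
        p=$(dirname "$p")
        chain="$p
$chain"
    done
    while IFS= read -r p; do
        st=$(stat -L -c '%a %u %g' "$p") || exit 2
        set -- $st
        bits=$(applicable_bits "$1" "$2" "$3" "$uid" "$gids")
        if [ -d "$p" ]; then need=1; else need=4; fi
        if [ $((bits & need)) -eq 0 ]; then
            echo "$p"
            exit 1
        fi
    done <<EOF
$chain
EOF
)

# Usage on a Dokku host, with the user and path named in this thread:
#   sh check-access.sh www-data /home/dokku/nextjs/nginx.conf.d
if [ $# -eq 2 ]; then
    first_blocker "$(id -u "$1")" "$(id -G "$1")" "$2"
fi
```

id -G reads the group database, so it reflects a gpasswd -a change immediately, while nginx workers that are already running keep their old supplementary groups until nginx is restarted. In terms of exposure, the group membership opens /home/dokku to one additional account, whereas chmod 0755 opens it to every local user.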