matbrgz / Cachet-Sandstorm

BSD 3-Clause "New" or "Revised" License

403 Forbidden nginx #3

Open matbrgz opened 7 years ago

matbrgz commented 7 years ago

Sandstorm debug:

...** SANDSTORM SUPERVISOR: Starting up grain. Sandbox type: userns
touch: cannot touch '/opt/app/database/database.sqlite': Read-only file system
chmod: changing permissions of '/opt/app/database/database.sqlite': Read-only file system
chmod: changing permissions of '/opt/app/bootstrap/': Read-only file system
chmod: changing permissions of '/opt/app/bootstrap/app.php': Read-only file system
chmod: changing permissions of '/opt/app/bootstrap/autoload.php': Read-only file system
chmod: changing permissions of '/opt/app/bootstrap/cache': Read-only file system
chmod: changing permissions of '/opt/app/bootstrap/cache/.gitignore': Read-only file system
chmod: changing permissions of '/opt/app/bootstrap/cache/compiled.php': Read-only file system
chmod: changing permissions of '/opt/app/bootstrap/cache/config.php': Read-only file system
chmod: changing permissions of '/opt/app/bootstrap/cache/routes.php': Read-only file system
chmod: changing permissions of '/opt/app/bootstrap/cache/services.php': Read-only file system
chmod: changing permissions of '/opt/app/bootstrap/cachet': Read-only file system
chmod: changing permissions of '/opt/app/bootstrap/cachet/.gitignore': Read-only file system
chmod: changing permissions of '/opt/app/bootstrap/cachet/production.php': Read-only file system
chmod: changing permissions of '/opt/app/storage': Read-only file system
chmod: changing permissions of '/opt/app/storage/.gitignore': Read-only file system
chmod: changing permissions of '/opt/app/storage/app': Read-only file system
chmod: changing permissions of '/opt/app/storage/app/.gitignore': Read-only file system
chmod: changing permissions of '/opt/app/storage/app/public': Read-only file system
chmod: changing permissions of '/opt/app/storage/framework': Read-only file system
chmod: changing permissions of '/opt/app/storage/framework/.gitignore': Read-only file system
chmod: changing permissions of '/opt/app/storage/framework/cache': Read-only file system
chmod: changing permissions of '/opt/app/storage/framework/cache/.gitignore': Read-only file system
chmod: changing permissions of '/opt/app/storage/framework/sessions': Read-only file system
chmod: changing permissions of '/opt/app/storage/framework/sessions/.gitignore': Read-only file system
chmod: changing permissions of '/opt/app/storage/framework/views': Read-only file system
chmod: changing permissions of '/opt/app/storage/framework/views/.gitignore': Read-only file system
chmod: changing permissions of '/opt/app/storage/logs': Read-only file system
chmod: changing permissions of '/opt/app/storage/logs/.gitignore': Read-only file system
chmod: changing permissions of '/opt/app/storage/logs/laravel-2017-06-12.log': Read-only file system
chmod: changing permissions of '/opt/app/storage/logs/laravel-2017-06-13.log': Read-only file system
chmod: changing permissions of '/opt/app/storage/logs/laravel-2017-06-14.log': Read-only file system
2017/06/14 22:18:17 [error] 17#0: *2 directory index of "/opt/app/" is forbidden, client:

Maybe because Cachet needs some special nginx configuration to run that I have no idea how to implement.

/etc/nginx/sites-enabled/cachet.conf:

# Upstream to abstract backend connection(s) for php
upstream php {
    server unix:/tmp/php-cgi.socket;
    server 127.0.0.1:9000;
}

server {
    server_name  cachet.mycompany.com; # Or whatever you want to use
    listen 80 default;
    rewrite ^(.*) https://cachet.mycompany.com$1 permanent;
}

# HTTPS server

server {
    listen 443;
    server_name cachet.mycompany.com;

    root /var/vhost/cachet.mycompany.com/public;
    index index.php;

    ssl on;
    ssl_certificate /etc/ssl/crt/cachet.mycompany.com.crt; # Or wherever your crt is
    ssl_certificate_key /etc/ssl/key/cachet.mycompany.com.key; # Or wherever your key is
    ssl_session_timeout 5m;

    # Best practice as at March 2014
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA";
    ssl_buffer_size 1400; # 1400 bytes, within MTU - because we generally have small responses. Could increase to 4k, but default 16k is too big

    location / {
        add_header Strict-Transport-Security max-age=15768000;
        try_files $uri /index.php$is_args$args;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_index index.php;
        fastcgi_keep_conn on;
        add_header Strict-Transport-Security max-age=15768000;
    }
}

matbrgz commented 7 years ago

I'm changing /.sandstorm/service-config/nginx.conf; I hope it works.

JamborJan commented 7 years ago

Hey @MatheusRV,

Some important things:

If you allow me to re-organize your code base I would create a fork and send you a pull request. But I will only do that if you allow me to, I don't want to force you to use my style of porting apps to Sandstorm :-)

Just let me know and I'll start.

matbrgz commented 7 years ago

Yes, I need help, I want to port many apps to Sandstorm and I'm learning about it.

JamborJan commented 7 years ago

Okay, these 3 folders must be re-located into the /var folder as they need to be writable:

I have done the same thing here for one folder called storage: https://github.com/JamborJan/paperwork/blob/master/.sandstorm/build.sh#L27-L30

If there is a default content in those folders you can put it there during the first spin up of the grain. Like I did here: https://github.com/JamborJan/paperwork/blob/master/.sandstorm/build.sh#L27-L30

This plus removing the ssl in the grain should help with the issue. I will try to fork the repo as soon as I have some time, cannot yet promise when this will be but I will answer any question you have as quick as possible.
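
The relocation described in the comment above, as an added example (not code from this thread or from the linked paperwork repository). `relocate_writable` and `seed_writable` are hypothetical helper names, the directory names are supplied by the caller, and the sketch assumes the build step runs while the app tree is still writable and the launcher runs at grain start, when only the writable root can be modified.

```shell
#!/bin/sh
# Added example: split a read-only app tree from writable grain storage.
# relocate_writable and seed_writable are hypothetical helper names.

# Build time (app tree still writable): keep each directory's shipped
# content as <dir>.default and leave a symlink pointing into VAR_ROOT.
relocate_writable() {
    app_root=$1; var_root=$2; shift 2
    for dir in "$@"; do
        [ -L "$app_root/$dir" ] && continue      # already relocated
        [ -d "$app_root/$dir" ] || return 1      # refuse unknown paths
        mv "$app_root/$dir" "$app_root/$dir.default"
        ln -s "$var_root/$dir" "$app_root/$dir"
    done
}

# Grain start (app tree read-only): create each directory under VAR_ROOT
# on first launch only, so later launches keep the grain's own data.
seed_writable() {
    app_root=$1; var_root=$2; shift 2
    for dir in "$@"; do
        [ -e "$var_root/$dir" ] && continue      # existing data wins
        mkdir -p "$var_root/$dir"
        cp -R "$app_root/$dir.default/." "$var_root/$dir/"
        # Writable by the owning user only; nothing is changed under app_root.
        chmod -R u+rwX,go-w "$var_root/$dir"
    done
}
```

A relocated directory physically lives under the writable root, so code inside it that resolves `..` from its real path no longer reaches the app root; relocate only directories that hold data.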

JamborJan commented 7 years ago

Have you been able to apply the suggested changes? Please give me a short update and I'll fork your project to help you port this cool app to Sandstorm.

matbrgz commented 6 years ago

Hey, @JamborJan could u help me?

JamborJan commented 6 years ago

Hey @MatheusRV,

I’ll work on that as soon as possible. I have some other stuff on my shortlist and I’m on vacation right now. I’ll let you know as soon as I’m working on it.

JamborJan commented 6 years ago

Hey @MatheusRV, I was able to start working on this issue, see: https://github.com/JamborJan/Cachet-Sandstorm

I still have an issue starting up the grain but I guess it's only too late now and I don't see the reason :-)

...** SANDSTORM SUPERVISOR: Starting up grain. Sandbox type: userns
waiting for php5-fpm to be available at /var/run/php/php7.0-fpm.sock
waiting for php5-fpm to be available at /var/run/php/php7.0-fpm.sock
Could not open input file: artisan
Could not open input file: artisan
2018/05/23 19:41:33 [error] 24#0: *2 FastCGI sent in stderr: "PHP message: PHP Warning:  file_get_contents(/var/bootstrap/../VERSION): failed to open stream: No such file or directory in /var/bootstrap/autoload.php on line 14
PHP message: PHP Warning:  require(/var/bootstrap/../vendor/autoload.php): failed to open stream: No such file or directory in /var/bootstrap/autoload.php on line 28
PHP message: PHP Fatal error:  require(): Failed opening required '/var/bootstrap/../vendor/autoload.php' (include_path='.:/usr/share/php:/usr/share/pear') in /var/bootstrap/autoload.php on line 28" while reading response header from upstream, client: 127.0.0.1, server: localhost, request: "GET / HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "ui-804c29758bf7697178ba3b6dcf11a8a5.local.sandstorm.io:6080"

I'll take a look at this during the next days and then I'll hopefully have a solution and send a PR to your repo.

Nevertheless: we should have a call / talk to discuss a better approach to keep the app up to date. You can find me on keybase: https://keybase.io/jamborjan let me know when you have time and I can share some experience which hopefully makes life easier for you to maintain the package.

Cheers

JamborJan commented 6 years ago

I was so focused on making the app spin up that I totally forgot that we are missing the most important thing: we need to get in touch with the outside world to get some status information from the services we are monitoring. When I get the docs right it should be possible to get around that with http(s). But unfortunately this is a very hacky solution right now in Sandstorm. There is an HTTP bridge, but the last time I tried to build something on top of that it was simply not possible / buildable.

@kentonv: can you say something new about that http bridge? Is it now more stable or easier to work with? Is it at all possible to work with that in Cachet's case?

@ocdtrekkie: thanks for pointing me at this point

kentonv commented 6 years ago

I think you're talking about the Powerbox? https://docs.sandstorm.io/en/latest/developing/powerbox/

It should work for making outgoing HTTP requests.

ocdtrekkie commented 6 years ago

@kentonv It doesn't work with sandstorm-http-bridge though, right?

kentonv commented 6 years ago

@ocdtrekkie It does. http-bridge has a whole built-in HTTP proxy so that you don't need to use Cap'n Proto at all.

ocdtrekkie commented 6 years ago

So like, this is all you'd need to do to access arbitrary HTTP endpoints as part of an app? https://docs.sandstorm.io/en/latest/developing/powerbox/#using-sandstorm-http-bridge_1

Does it get user consent in any way yet? Is there a way to add endpoints outside of the app definition? (That'd probably be the main need for something like Cachet.)

kentonv commented 6 years ago

@ocdtrekkie That section is about exporting APIs, but I think the relevant question in this thread is about importing APIs -- that is, the app wants to make outgoing HTTP requests to third-party servers. That's covered here: https://docs.sandstorm.io/en/latest/developing/powerbox/#using-sandstorm-http-bridge

ocdtrekkie commented 6 years ago

Ah, I see that. It's a bit confusing because the exporting APIs example uses public Google API URLs. Suggesting an API from outside Sandstorm.

kentonv commented 6 years ago

Yeah, the idea there is that the app is advertising that it exports an API compatible with the Google API, and so should be offered as an option when another app requests the Google API.

JamborJan commented 6 years ago

Hey @kentonv & @ocdtrekkie, thanks for your help. I'll check what I can do with that and if it works.