Error 404 when attempting to access Friendica behind Nginx Proxy Manager #293

Open
SpencerDub opened this issue Feb 13, 2025 · 4 comments
@SpencerDub

I'm trying to set up Friendica from scratch as a Docker container behind Nginx Proxy Manager as my reverse proxy, and I'm having a bit of trouble.

Right now, attempting to go to motley.club (my Friendica URL) gives me an error 404. I'll post my configuration below.

Configuration

Docker-Compose File

services:
  db:
    container_name: friendica_db
    image: mariadb
    restart: always
    volumes:
      - ./db:/var/lib/mysql
    environment:
      - MYSQL_USER=friendica
      - MYSQL_PASSWORD=<SENSITIVE VALUE OMITTED>
      - MYSQL_DATABASE=friendica
      - MYSQL_RANDOM_ROOT_PASSWORD=yes

  app:
    container_name: friendica
    image: friendica:fpm
    restart: always
    volumes:
      - ./friendica:/var/www/html    
    environment:
      - MYSQL_HOST=db
      - MYSQL_USER=friendica
      - MYSQL_PASSWORD=<SENSITIVE VALUE OMITTED>
      - MYSQL_DATABASE=friendica
      - FRIENDICA_ADMIN_MAIL=<SENSITIVE VALUE OMITTED>
      - FRIENDICA_URL=https://motley.club/
      - FRIENDICA_SITENAME=Motley
    networks:
      - proxy-tier
      - default

  web:
    container_name: friendica_nginx
    image: nginx
    #ports: #disabled because I don't want to expose them on the host machine directly but proxy through NPM
    #  - 8080:80
    links:
      - app
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf:ro    
    restart: always
    networks:
      - npm-nw
      - proxy-tier  

networks:
  npm-nw: # this is the network that my existing Nginx Proxy Manager, in another container, uses
    external: true
  proxy-tier:

nginx.conf file

This is placed in the same directory as the Motley.yml Docker Compose file.

##
# Friendica Nginx configuration
# by Olaf Conradi, modified by Philipp Holzer
#
worker_processes 4;

events {
  worker_connections 1024;
}

error_log /var/log/nginx/error.log warn;
pid       /var/run/nginx.pid;

http {
  charset utf-8;

  include       /etc/nginx/mime.types;
  default_type  application/octet-stream;

  log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                  '$status $body_bytes_sent "$http_referer" '
                  '"$http_user_agent" "$http_x_forwarded_for"';

  access_log    /var/log/nginx/access.log main;

  # If behind reverse proxy, forwards the correct IP
  set_real_ip_from 10.0.0.0/8;
  set_real_ip_from 172.16.0.0/12;
  set_real_ip_from 192.168.0.0/16;
  set_real_ip_from fc00::/7;
  real_ip_header X-Real-IP;

  upstream php-handler {
    server app:9000;
  }

  server {
    listen 80;
    server_name motley.club; # I changed this from friendica.local; does it need to be changed back?

    index index.php;

     root /var/www/html;
       #Uncomment the following line to include a standard configuration file
       #Note that the most specific rule wins and your standard configuration
       #will therefore *add* to this file, but not override it.
     #include standard.conf
     # allow uploads up to 20MB in size
     client_max_body_size 20m;
     client_body_buffer_size 128k;

     # rewrite to front controller as default rule
     location / {
       if (!-e $request_filename) {
         rewrite ^(.*)$ /index.php?pagename=$1;
       }
     }
    # make sure webfinger and other well known services aren't blocked
    # by denying dot files and rewrite request to the front controller
    location ^~ /.well-known/ {
      allow all;
      if (!-e $request_filename) {
        rewrite ^(.*)$ /index.php?pagename=$1;
      }
    }

    # statically serve these file types when possible
    # otherwise fall back to front controller
    # allow browser to cache them
    # added .htm for advanced source code editor library
    #location ~* \.(jpg|jpeg|gif|png|ico|css|js|htm|html|ttf|woff|svg)$ {
    #  expires 30d;
    #  try_files $uri /index.php?pagename=$uri&$args;
    #}

    include mime.types;

    # block these file types
    location ~* \.(tpl|md|tgz|log|out)$ {
      deny all;
    }

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    # or a unix socket
    location ~* \.php$ {
      # Zero-day exploit defense.
      # http://forum.nginx.org/read.php?2,88845,page=3
      # Won't work properly (404 error) if the file is not stored on this
      # server, which is entirely possible with php-fpm/php-fcgi.
      # Comment the 'try_files' line out if you set up php-fpm/php-fcgi on
      # another machine.  And then cross your fingers that you won't get hacked.
      try_files $uri =404;

      # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
      fastcgi_split_path_info ^(.+\.php)(/.+)$;

      fastcgi_pass php-handler;

      include fastcgi_params;
      fastcgi_index index.php;
      fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }

    # deny access to all dot files
    location ~ /\. {
      deny all;
    }
  }
}

Friendica's local.config.php

<?php

// Local configuration

/* If automatic system installation fails:
 *
 * Copy this file to local.config.php
 *
 * Why local.config.php? Because it contains sensitive information which could
 * give somebody complete control of your database. Apache's default
 * configuration will interpret any .php file as a script and won't show the values
 *
 * Then set the following for your MySQL installation
 *
 * If you're unsure about what any of the config keys below do, please check the static/defaults.config.php file for
 * detailed documentation of their data type and behavior.
 */

return [
        'database' => [
                'hostname' => 'localhost',
                'username' => 'friendica',
                'password' => <SENSITIVE VALUE OMITTED>,
                'database' => 'friendica',
                'charset' => 'utf8mb4',
        ],

        // ****************************************************************
        // The configuration below will be overruled by the admin panel.
        // Changes made below will only have an effect if the database does
        // not contain any configuration for the friendica system.
        // ****************************************************************

        'config' => [
                'admin_email' => '[email protected]',
                'sitename' => 'Motley',
                'register_policy' => \Friendica\Module\Register::OPEN,
                'register_text' => '',
        ],
        'system' => [
                'default_timezone' => 'America/Los_angeles',
                'language' => 'en',
                'url' => 'https://motley.club/',
        ],
];

Nginx conf file for Friendica

This was generated by Nginx Proxy Manager:

# ------------------------------------------------------------
# motley.club
# ------------------------------------------------------------



map $scheme $hsts_header {
    https   "max-age=63072000; preload";
}

server {
  set $forward_scheme http;
  set $server         "friendica_nginx";
  set $port           80;

  listen 80;
#listen [::]:80;

listen 443 ssl;
#listen [::]:443;


  server_name motley.club;
http2 off;


  # Let's Encrypt SSL
  include conf.d/include/letsencrypt-acme-challenge.conf;
  include conf.d/include/ssl-cache.conf;
  include conf.d/include/ssl-ciphers.conf;
  ssl_certificate /etc/letsencrypt/live/npm-10/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/npm-10/privkey.pem;






  # Block Exploits
  include conf.d/include/block-exploits.conf;








proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
proxy_http_version 1.1;


  access_log /data/logs/proxy-host-7_access.log proxy;
  error_log /data/logs/proxy-host-7_error.log warn;







  location / {







    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
    proxy_http_version 1.1;


    # Proxy!
    include conf.d/include/proxy.conf;
  }


  # Custom
  include /data/nginx/custom/server_proxy[.]conf;
}

Encountered behavior

When navigating to https://motley.club, I am given an error 404.

Further explanation

I have already set up Nginx Proxy Manager on my server, listening on ports 443 and 80. It is successfully proxying other services on the host machine. I want to use that same reverse proxy for Friendica, because why duplicate work?

I was unclear from the guide here whether the web container defined in the example file was supposed to be used in addition to a public-facing reverse proxy, or if it was supposed to itself be the public-facing reverse proxy.

In Nginx Proxy Manager, I'm preferring to direct traffic to services using their container names, which is why you see set $server "friendica_nginx";. As the comment in my Friendica Docker-Compose file indicates, I am trying to avoid exposing ports on my host server unnecessarily, which is why I commented out the ports: line.

Questions

  • If I already have a container running Nginx Reverse Proxy, is the web container in the Docker Compose file superfluous?
  • What changes do I need to make to my configuration so I can access my Friendica installation at motley.club?

Thanks in advance for the help. I'm hoping to get this properly stood up so I can restore my database backup from a previous installation and get reconnected!
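An added check, not part of the original post or the Friendica project's code: the comment in the posted nginx.conf notes that `try_files $uri =404` returns 404 when the file is not stored on the nginx server, and the posted `web` service mounts only nginx.conf. The function names are hypothetical, the volume lists are transcribed from the compose file above, and the read-only mount in `CORRECTED` is an assumed fix (with the stock nginx image, which ships nothing under /var/www/html) that keeps the guard in place.

```python
# Added example, not from the issue thread. Volume lists are transcribed from
# the posted compose file; function names are hypothetical.
POSTED = {
    "app": ["./friendica:/var/www/html"],
    "web": ["./nginx.conf:/etc/nginx/nginx.conf:ro"],
}
# Assumed correction: give nginx a read-only view of the same host directory.
CORRECTED = {**POSTED, "web": POSTED["web"] + ["./friendica:/var/www/html:ro"]}

NGINX_ROOT = "/var/www/html"  # "root" directive in the posted nginx.conf


def parse_volume(entry):
    """Split Compose short syntax [SOURCE:]TARGET[:MODE] into (target, read_only)."""
    parts = entry.split(":")
    mode = ""
    if len(parts) >= 2 and not parts[-1].startswith("/"):
        mode = parts.pop()  # trailing field is a mode such as "ro" or "rw"
    target = parts[-1]
    return target.rstrip("/") or "/", "ro" in mode.split(",")


def covers(mount, path):
    """True if a mount at `mount` makes `path` visible inside the container."""
    return mount == "/" or path == mount or path.startswith(mount + "/")


def check_web_service(volumes, web="web", root=NGINX_ROOT):
    """Return findings about whether nginx can stat files under its root."""
    mounts = [parse_volume(v) for v in volumes.get(web, [])]
    hits = [(t, ro) for t, ro in mounts if covers(t, root)]
    if not hits:
        return [f"{web}: {root} is not mounted, so 'try_files $uri =404' "
                "answers 404 for every .php request, including /index.php"]
    if not all(ro for _, ro in hits):
        return [f"{web}: {root} is mounted writable; nginx only needs :ro"]
    return []


if __name__ == "__main__":
    for name, cfg in (("posted", POSTED), ("corrected", CORRECTED)):
        print(name, check_web_service(cfg) or "ok")
```
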

@SpencerDub SpencerDub changed the title Looking for help setting Friendica up behind Nginx Proxy Manager Error 404 when attempting to access Friendica behind Nginx Proxy Manager Feb 13, 2025
@SpencerDub
Author

@MrPetovan Normally I wouldn't ping anyone directly, but I thought I'd reach out as a friend, especially since my normal method of getting in touch with you is, well, inaccessible at the moment (see above)!

Would you be able to help troubleshoot this, or direct me to someone who can? I'm quite eager to get my server back up and running, and I'm having a rotten time trying to figure out what piece in the chain isn't working right now.

@MrPetovan
Collaborator

Hi @SpencerDub, I don't mind you pinging me this way, however I'm very new to both Docker and nginx, so I'd be in the same situation as you.

As general troubleshooting advice, a 404 error is likely born out of rewriting rules not directing to the correct place. Being able to debug what the path looks like after it's been rewritten is important in this case, but unfortunately I only know how to do it with Apache.

@ne20002
Collaborator

ne20002 commented Feb 24, 2025

What is the

  # Block Exploits
  include conf.d/include/block-exploits.conf;

file?

@SpencerDub
Author

@ne20002 That is the result of the "block common exploits" option in Nginx Proxy Manager. You can view its contents here.

@MrPetovan MrPetovan added the help wanted Extra attention is needed label Feb 26, 2025