[SOLVED] nginx 403 Forbidden / directory index of "/var/www/html/" is forbidden (firewall issues) #979

Closed
vaxul opened this issue Jul 7, 2018 · 15 comments

Comments

@vaxul

vaxul commented Jul 7, 2018

Describe the bug
After starting DDEV, nginx returns a 403.

To Reproduce
It worked a day ago. It just stopped working. I thought about it, and the only thing that obviously changed is my WIFI connection/office.
I'm not 100% sure, but it could be that I forgot to run ddev stop before closing my IDE and shutting down the computer.

Expected behavior
It should show me the frontend of the TYPO3 which I tested a day ago.

Logs
Output from ddev start

Starting environment for typo3-8-7...
Pulling db (drud/mariadb-local:v0.20.0)...
Pulling web (drud/nginx-php-fpm-local:v0.20.0)...
Pulling dba (drud/phpmyadmin:v0.20.0)...
Creating ddev-typo3-8-7-db ... done
Creating ddev-typo3-8-7-dba ... done
Creating ddev-typo3-8-7-web ... done

Network ddev_default is external, skipping
Unable to properly check port status: dial tcp 127.0.0.1:80: connectex: An attempt was made to access a socket in a way forbidden by its access permissions.
Unable to properly check port status: dial tcp 127.0.0.1:443: connectex: An attempt was made to access a socket in a way forbidden by its access permissions.
Pulling ddev-router (drud/ddev-router:v0.20.0)...
Creating ddev-router ... done

Successfully started typo3-8-7
Your project can be reached at http://typo3-8-7.ddev.local, https://typo3-8-7.ddev.local, http://127.0.0.1:32792

The "Unable to properly check port status" message is normal in my case and was the same in the last days.

Output from ddev logs

+ set -o errexit nounset pipefail
+ DDEV_PHP_VERSION=7.1
+ '[' -n '' ']'
+ '[' -f /mnt/ddev_config/nginx-site.conf ']'
+ '[' -n 7.1 ']'
+ update-alternatives --set php /usr/bin/php7.1
+ ln -sf /usr/sbin/php-fpm7.1 /usr/sbin/php-fpm
+ export PHP_INI=/etc/php/7.1/fpm/php.ini
+ PHP_INI=/etc/php/7.1/fpm/php.ini
+ '[' -d /mnt/ddev_config/php ']'
+ '[' typo3 = backdrop ']'
+ rm -f /etc/nginx/nginx-site.conf
+ '[' -f /etc/nginx/nginx-site-typo3.conf ']'
+ ln -s /etc/nginx/nginx-site-typo3.conf /etc/nginx/nginx-site.conf
+ envsubst '$NGINX_DOCROOT'
+ '[' false '!=' true ']'
+ disable_xdebug
php-fpm: no process found
Disabled xdebug
+ echo 'Server started'
+ exec /usr/bin/supervisord -n -c /etc/supervisord.conf
Server started
2018-07-07 13:05:48,299 CRIT Set uid to user 0
2018-07-07 13:05:48,316 INFO RPC interface 'supervisor' initialized
2018-07-07 13:05:48,316 CRIT Server 'unix_http_server' running without any HTTP authentication checking
2018-07-07 13:05:48,317 INFO supervisord started with pid 1
2018-07-07 13:05:49,318 INFO spawned: 'php-fpm' with pid 348
2018-07-07 13:05:49,325 INFO spawned: 'nginx' with pid 349
2018-07-07 13:05:49,330 INFO spawned: 'tail' with pid 350
2018-07-07 13:05:49,332 INFO spawned: 'mailhog' with pid 351
==> /var/log/nginx/error.log <==

==> /var/log/php-fpm.log <==
[07-Jul-2018 13:05:49] NOTICE: fpm is running, pid 348
[07-Jul-2018 13:05:49] NOTICE: ready to handle connections
[07-Jul-2018 13:05:49] NOTICE: systemd monitor interval set to 10000ms
2018-07-07 13:05:50,360 INFO success: php-fpm entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2018-07-07 13:05:50,361 INFO success: nginx entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2018-07-07 13:05:50,361 INFO success: tail entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2018-07-07 13:05:50,361 INFO success: mailhog entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)

==> /var/log/nginx/error.log <==
2018/07/07 13:07:28 [error] 355#355: *87 directory index of "/var/www/html/" is forbidden, client: 172.18.0.5, server: _, request: "GET / HTTP/1.1", host: "typo3-8-7.ddev.local", referrer: "http://typo3-8-7.ddev.local/"

Version and configuration information (please complete the following information):

  • Windows 10 1803
  • Docker version
Client:
 Version:      18.03.1-ce
 API version:  1.37
 Go version:   go1.9.5
 Git commit:   9ee9f40
 Built:        Thu Apr 26 07:12:48 2018
 OS/Arch:      windows/amd64
 Experimental: false
 Orchestrator: swarm

Server:
 Engine:
  Version:      18.03.1-ce
  API version:  1.37 (minimum version 1.12)
  Go version:   go1.9.5
  Git commit:   9ee9f40
  Built:        Thu Apr 26 07:22:38 2018
  OS/Arch:      linux/amd64
  Experimental: false
  • ddev version
cli     v0.20.0
web     drud/nginx-php-fpm-local:v0.20.0
db      drud/mariadb-local:v0.20.0
dba     drud/phpmyadmin:v0.20.0
router  drud/ddev-router:v0.20.0
commit  v0.20.0
domain  ddev.local
  • config.yaml content
name: typo3-8-7
type: typo3
docroot: ""
php_version: "7.1"
router_http_port: "80"
router_https_port: "443"
xdebug_enabled: false
additional_hostnames: []
provider: default
  • TYPO3_8_7 branch from git://git.typo3.org/Packages/TYPO3.CMS.git
  • same problem in current master branch

Additional context
I used ddev ssh to look into the container. The odd thing is, the DocRoot /var/www/html/ seems empty (besides the .ddev folder). As if nothing gets linked into the container.

root@4c2ed1860005:/var/www/html# ls -alt
total 4
drwxr-xr-x 3 root root   60 Jul  7 12:35 .ddev
drwxr-xr-x 3 root root   60 Jul  7 12:35 .
drwxrwxrwx 1 root root 4096 May 21 21:58 ..
@rfay
Member

rfay commented Jul 7, 2018

Docroot being empty has always meant a very stressed docker when it's happened to me - too many projects running, too little memory, failure to mount code. I recommend running only a few projects at a time, use ddev rm on ones that you don't need today (it's nondestructive). And consider raising your docker memory from the default 2GB to whatever works. I find that 2GB works great for 4-5 sites running at a time, which is enough for me.

@vaxul
Author

vaxul commented Jul 7, 2018

Thanks for the response.

In my case I tried to run only one project at a time. And no other VMs are running.

I had the default 2 GB memory configured. I tried it with 4 GB without solving the problem.

@rfay
Member

rfay commented Jul 7, 2018

Yeah, do please reboot your host computer, also check the disk status on docker.

Is your home directory (or directory this is mounted from) a regular NTFS volume? Is the drive it's on shared with docker?

@rfay
Member

rfay commented Jul 7, 2018

Oh, and please try another trivial project, to see whether it's the project. (I doubt it, but always good)

@vaxul
Author

vaxul commented Jul 7, 2018

I tested it with 2 GB memory again. This is the docker stats output:

CONTAINER ID        NAME                 CPU %               MEM USAGE / LIMIT     MEM %               NET I/O             BLOCK I/O           PIDS
aa40809131aa        ddev-router          0.75%               12.9MiB / 1.934GiB    0.65%               928B / 0B           868kB / 0B          31
4c2ed1860005        ddev-typo3-8-7-web   0.02%               35.32MiB / 1.934GiB   1.78%               970B / 0B           3.08MB / 8.19kB     15
6ce85c537a8f        ddev-typo3-8-7-dba   0.05%               30.24MiB / 1.934GiB   1.53%               443kB / 133kB       1.5MB / 0B          9
3e730d7a2521        ddev-typo3-8-7-db    8.43%               149.7MiB / 1.934GiB   7.56%               134kB / 442kB       365kB / 0B          31

also check the disk status on docker.

What exactly are you referring to? I'm not a docker pro. :-)

Is your home directory (or directory this is mounted from) a regular NTFS volume?

Yes, standard NTFS. "Special" is, it uses Bitlocker for encryption. Which should not be a problem.

Is the drive it's on shared with docker?

Yes

Oh, and please try another trivial project, to see whether it's the project.

I tested https://github.com/drud/wordpress as mentioned here:
https://www.drud.com/ddev-local/one-minute-wordpress/

Same 403 error.

I ran ddev config to update the config.yml.

ddev start

Starting environment for wordpress...
ddev needs to add an entry to your hostfile.
It will require administrative privileges via the sudo command, so you may be required
to enter your password for sudo. ddev is about to issue the command:
    sudo C:\Program Files\ddev\ddev.exe hostname wordpress.ddev.local 127.0.0.1
Please enter your password if prompted.
Running Command Command=sudo C:\Program Files\ddev\ddev.exe hostname wordpress.ddev.local 127.0.0.1
Failed to execute sudo command, you will need to manually execute 'C:\Program Files\ddev\ddev.exe hostname wordpress.ddev.local 127.0.0.1' with administrative privileges
Creating ddev-wordpress-db ... done
Creating ddev-wordpress-dba ... done
Creating ddev-wordpress-web ... done

Network ddev_default is external, skipping
Unable to properly check port status: dial tcp 127.0.0.1:80: connectex: An attempt was made to access a socket in a way forbidden by its access permissions.
Unable to properly check port status: dial tcp 127.0.0.1:443: connectex: An attempt was made to access a socket in a way forbidden by its access permissions.
Creating ddev-router ... done

Successfully started wordpress
Your project can be reached at http://wordpress.ddev.local, https://wordpress.ddev.local, http://127.0.0.1:32779

I set the host manually.

ddev logs

+ set -o errexit nounset pipefail
+ DDEV_PHP_VERSION=7.1
+ '[' -n htdocs ']'
+ export NGINX_DOCROOT=/var/www/html/htdocs
+ NGINX_DOCROOT=/var/www/html/htdocs
+ '[' -f /mnt/ddev_config/nginx-site.conf ']'
+ '[' -n 7.1 ']'
+ update-alternatives --set php /usr/bin/php7.1
+ ln -sf /usr/sbin/php-fpm7.1 /usr/sbin/php-fpm
+ export PHP_INI=/etc/php/7.1/fpm/php.ini
+ PHP_INI=/etc/php/7.1/fpm/php.ini
+ '[' -d /mnt/ddev_config/php ']'
+ '[' wordpress = backdrop ']'
+ rm -f /etc/nginx/nginx-site.conf
+ '[' -f /etc/nginx/nginx-site-wordpress.conf ']'
+ ln -s /etc/nginx/nginx-site-wordpress.conf /etc/nginx/nginx-site.conf
+ envsubst '$NGINX_DOCROOT'
+ '[' false '!=' true ']'
+ disable_xdebug
php-fpm: no process found
Disabled xdebug
+ echo 'Server started'
+ exec /usr/bin/supervisord -n -c /etc/supervisord.conf
Server started
2018-07-07 14:53:46,492 CRIT Set uid to user 0
2018-07-07 14:53:46,510 INFO RPC interface 'supervisor' initialized
2018-07-07 14:53:46,510 CRIT Server 'unix_http_server' running without any HTTP authentication checking
2018-07-07 14:53:46,510 INFO supervisord started with pid 1
2018-07-07 14:53:47,512 INFO spawned: 'php-fpm' with pid 351
2018-07-07 14:53:47,513 INFO spawned: 'nginx' with pid 352
2018-07-07 14:53:47,515 INFO spawned: 'tail' with pid 353
2018-07-07 14:53:47,516 INFO spawned: 'mailhog' with pid 354
==> /var/log/nginx/error.log <==

==> /var/log/php-fpm.log <==
[07-Jul-2018 14:53:47] NOTICE: fpm is running, pid 351
[07-Jul-2018 14:53:47] NOTICE: ready to handle connections
[07-Jul-2018 14:53:47] NOTICE: systemd monitor interval set to 10000ms
2018-07-07 14:53:48,540 INFO success: php-fpm entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2018-07-07 14:53:48,540 INFO success: nginx entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2018-07-07 14:53:48,540 INFO success: tail entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2018-07-07 14:53:48,540 INFO success: mailhog entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)

==> /var/log/nginx/error.log <==
2018/07/07 14:54:29 [error] 359#359: *39 directory index of "/var/www/html/htdocs/" is forbidden, client: 172.18.0.5, server: _, request: "GET / HTTP/1.1", host: "wordpress.ddev.local"

@rfay
Member

rfay commented Jul 7, 2018

The bottom line is that docker isn't mounting your /var/www/html (which is your project directory), and you can verify that by ddev ssh and seeing that nothing is there.

You may need to reset docker, assuming the reboot of your host computer didn't help.

Here's the docker settings I was talking about:

[Screenshot: windows_10_pro]

"Reset" is the bottom item on your docker settings.

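The check described above (an empty docroot inside the container), as an added example that is not part of the original thread: a script to run inside the web container that pulls the directories out of nginx's "directory index ... is forbidden" errors and tells an unmounted host share apart from a missing index file. The function names, the optional ROOT prefix and the /srv/site path are assumptions for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): triage nginx "directory index of ... is
# forbidden" errors by inspecting the directory nginx refused to list.

# Print each distinct directory named in such errors in an nginx error log.
forbidden_dirs() {
  sed -n 's/.*directory index of "\([^"]*\)" is forbidden.*/\1/p' "$1" | sort -u
}

# Classify a directory:
#   missing      path does not exist
#   mount-empty  only dot-entries such as .ddev: the host share is not mounted
#   no-index     project files present, but no index.php / index.html
#   has-index    an index file exists, so the 403 has another cause
classify_docroot() {
  local dir="${1%/}"
  if [ ! -d "$dir" ]; then echo missing
  elif [ -z "$(ls "$dir")" ]; then echo mount-empty
  elif [ -f "$dir/index.php" ] || [ -f "$dir/index.html" ]; then echo has-index
  else echo no-index
  fi
}

# Triage every directory in LOG. ROOT is an assumed optional prefix for checking
# a copy of the container filesystem; leave it empty inside ddev ssh.
triage() {
  local log="$1" root="${2:-}" dir
  forbidden_dirs "$log" | while IFS= read -r dir; do
    printf '%s %s\n' "$dir" "$(classify_docroot "$root$dir")"
  done
}

# Constructed demo: a fake container root where /var/www/html holds only .ddev
# (the state shown in the issue) and /srv/site has a file but no index.
demo() {
  local root; root=$(mktemp -d)
  mkdir -p "$root/var/www/html/.ddev" "$root/srv/site"
  touch "$root/srv/site/readme.txt"
  cat > "$root/error.log" <<'EOF'
2018/07/07 13:07:28 [error] 355#355: *87 directory index of "/var/www/html/" is forbidden, client: 172.18.0.5, server: _
2018/07/07 13:09:02 [error] 355#355: *91 directory index of "/srv/site/" is forbidden, client: 172.18.0.5, server: _
EOF
  triage "$root/error.log" "$root"
  rm -rf "$root"
}

demo
```

Inside the container the equivalent call is `triage /var/log/nginx/error.log`; a `mount-empty` result points at drive sharing on the host rather than at the nginx configuration.
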
@vaxul
Author

vaxul commented Jul 7, 2018

Looks the same, even after ddev start:
[Screenshot: 2018-07-07 22_45_13-settings]

@rfay
Member

rfay commented Jul 7, 2018

Please:

  1. Reset docker completely (factory defaults).
  2. Reboot your host machine.
  3. ddev config and ddev start for a simple project (Even a directory with nothing in it but an index.html) - It will be of type 'php' and the docroot will be "".
  4. ddev ssh into this simple project to see if the directory gets mounted.
  5. If that works out, and you see the same files in the project on the host as inside the container (with ddev ssh) then try it on this project.

Thanks,
-Randy

@vaxul
Author

vaxul commented Jul 7, 2018

I've followed your steps and stopped while trying to share the drive with Docker. I got an error caused by the firewall:
[Screenshot: 2018-07-07 23_04_37-docker for windows]

The docs point to some possible issues:
https://docs.docker.com/docker-for-windows/#shared-drives

After some tries without help I force closed Kaspersky. Drive share was possible from there and the TYPO3 runs as expected. The files get linked into the container.

The odd thing is, that it worked in the first place with Kaspersky and now it didn't... :-(

So it seems I have to look for Kaspersky firewall + Docker issues. I'll write my results here before closing this issue.

@vaxul
Author

vaxul commented Jul 7, 2018

In my case it's the same, as explained here:
https://stackoverflow.com/a/44838110

[Screenshot: 2018-07-07 23_38_20-netzwerkregel]

I removed the port 445 from the list and it seems to work. No error message while applying drive sharing.

The DDEV project is working too. :-)

EDIT:
Another option might be:

Instead of removing 445 from the list, changed 'Action' from 'Blocked' to 'By Application Rules' and it worked for me. So I guess removing 445 from 'Local Services (TCP)' and creating a new rule 'Docker SMB Mount' with action 'By Application Rules' should also work.


Thank you @rfay for your time and help to nail it down. 👍

@vaxul vaxul changed the title ngnix 403 Forbidden / directory index of "/var/www/html/" is forbidden [SOLVED] ngnix 403 Forbidden / directory index of "/var/www/html/" is forbidden Jul 7, 2018
@rfay
Member

rfay commented Jul 7, 2018

Thanks for working through this! I added a Stack Overflow answer at https://stackoverflow.com/questions/51227365/i-get-an-ngnix-403-forbidden-when-starting-ddev/51227366#51227366 - feel free to comment there if I didn't quite capture it. Linked to this though.

@rfay rfay closed this as completed Jul 7, 2018
@vaxul
Author

vaxul commented Jul 9, 2018

I'd like to share that the other option seems to work as well:

So I guess [...] and creating a new rule 'Docker SMB Mount' with action 'By Application Rules' should also work.

This is my current additional firewall network package rule:
[Screenshot: 2018-07-09 21_48_49-typo3 cms login_ typo3 8 7 ddev - firefox developer edition]

I leave the port 445 in the original ruleset and just create an additional one.

@rfay rfay changed the title [SOLVED] ngnix 403 Forbidden / directory index of "/var/www/html/" is forbidden [SOLVED] ngnix 403 Forbidden / directory index of "/var/www/html/" is forbidden (firewall issues) Jul 9, 2018
@rfay
Member

rfay commented Jul 9, 2018

Thanks for that! That link will be valuable to people. The bottom line is there's lots of firewall and virus checker interaction with Docker, all of which can break everything.

@vaxul
Author

vaxul commented Jul 24, 2019

Update to Kaspersky Endpoint Security for Windows 11:
[Screenshot: 2019-07-24 15_04_37-Kaspersky Endpoint Security for Windows]
[Screenshot: 2019-07-24 15_07_54-Network rule]

‼ Don't forget to restart Windows completely.

@rfay
Member

rfay commented Jul 24, 2019

Awesome, thanks @vaxul
