So I’ve managed to get my containers up and running for my Django app, pretty sure this is coming from the server itself.
Django-admin app, with Nginx, Gunicorn and PostgreSQL. Droplet - 1 GB / 25 GB Disk / FRA1 - Ubuntu 20.04 (LTS) x64. DomainName bought at GoDaddy.
Screenshot of the webpage.
HTTPstatus.io response details
Status code: 403
Status message: Forbidden
Response headers
* Server: Sucuri/Cloudproxy
* Date: Thu, 09 Feb 2023 19:28:19 GMT
* Content-Type: text/html
* Transfer-Encoding: chunked
* Connection: close
* X-Sucuri-Id: 19040
* X-Xss-Protection: 1; mode=block
* X-Frame-Options: SAMEORIGIN
* X-Content-Type-Options: nosniff
* Content-Security-Policy: upgrade-insecure-requests;
* X-Sucuri-Block: DDOS22
docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
ce55184b5f2a html_app "gunicorn --access-l…" 3 minutes ago Up 3 minutes 0.0.0.0:8000->8000/tcp, :::8000->8000/tcp html_app_1
04e39330ebac html_nginx "/docker-entrypoint.…" 3 minutes ago Up 3 minutes 0.0.0.0:80->80/tcp, :::80->80/tcp html_nginx_1
a72ce37c3e46 html_db "docker-entrypoint.s…" About an hour ago Up 3 minutes (healthy) 5432/tcp html_db_1
docker logs 04e39330ebac
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: info: Getting the checksum of /etc/nginx/conf.d/default.conf
10-listen-on-ipv6-by-default.sh: info: /etc/nginx/conf.d/default.conf differs from the packaged version
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
2023/02/09 19:21:38 [notice] 1#1: using the "epoll" event method
2023/02/09 19:21:38 [notice] 1#1: nginx/1.22.1
2023/02/09 19:21:38 [notice] 1#1: built by gcc 11.2.1 20220219 (Alpine 11.2.1_git20220219)
2023/02/09 19:21:38 [notice] 1#1: OS: Linux 5.15.0-58-generic
2023/02/09 19:21:38 [notice] 1#1: getrlimit(RLIMIT_NOFILE): 1048576:1048576
2023/02/09 19:21:38 [notice] 1#1: start worker processes
2023/02/09 19:21:38 [notice] 1#1: start worker process 29
docker logs ce55184b5f2a
[2023-02-09 19:21:50 +0000] [1] [INFO] Starting gunicorn 20.1.0
[2023-02-09 19:21:50 +0000] [1] [INFO] Listening at: unix:/run/gunicorn.sock (1)
[2023-02-09 19:21:50 +0000] [1] [INFO] Using worker: sync
[2023-02-09 19:21:50 +0000] [7] [INFO] Booting worker with pid: 7
[2023-02-09 19:21:50 +0000] [8] [INFO] Booting worker with pid: 8
[2023-02-09 19:21:50 +0000] [9] [INFO] Booting worker with pid: 9
docker logs a72ce37c3e46
PostgreSQL Database directory appears to contain a database; Skipping initialization
LOG: database system was shut down at 2023-02-09 19:20:16 UTC
LOG: MultiXact member wraparound protections are now enabled
LOG: database system is ready to accept connections
LOG: autovacuum launcher started
cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
source /etc/network/interfaces.d/*
ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether e2:d6:db:d6:3b:cb brd ff:ff:ff:ff:ff:ff
altname enp0s3
inet {IP_ADDRESS_OF_THE_SERVER}/20 brd {IP_ADDRESS_OF_THE_SERVER} scope global eth0
valid_lft forever preferred_lft forever
inet 10.19.0.6/16 brd 10.19.255.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::e0d6:dbff:fed6:3bcb/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 12:c7:32:6c:ea:10 brd ff:ff:ff:ff:ff:ff
altname enp0s4
inet 10.114.0.3/20 brd 10.114.15.255 scope global eth1
valid_lft forever preferred_lft forever
inet6 fe80::10c7:32ff:fe6c:ea10/64 scope link
valid_lft forever preferred_lft forever
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:25:6b:04:7d brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
inet6 fe80::42:25ff:fe6b:47d/64 scope link
valid_lft forever preferred_lft forever
5: br-fd6471af0f27: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:77:9a:27:16 brd ff:ff:ff:ff:ff:ff
inet 172.18.0.1/16 brd 172.18.255.255 scope global br-fd6471af0f27
valid_lft forever preferred_lft forever
ip route
default via {IP_ADDRESS_OF_THE_SERVER} dev eth0 proto static
10.19.0.0/16 dev eth0 proto kernel scope link src 10.19.0.6
10.114.0.0/20 dev eth1 proto kernel scope link src 10.114.0.3
{IP_ADDRESS_OF_THE_SERVER}/20 dev eth0 proto kernel scope link src {IP_ADDRESS_OF_THE_SERVER}
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
172.18.0.0/16 dev br-fd6471af0f27 proto kernel scope link src 172.18.0.1 linkdown
iptables -nvL --line-numbers
Chain INPUT (policy DROP 5989 packets, 275K bytes)
num pkts bytes target prot opt in out source destination
1 25311 6221K ufw-before-logging-input all -- * * 0.0.0.0/0 0.0.0.0/0
2 25311 6221K ufw-before-input all -- * * 0.0.0.0/0 0.0.0.0/0
3 6050 278K ufw-after-input all -- * * 0.0.0.0/0 0.0.0.0/0
4 5989 275K ufw-after-logging-input all -- * * 0.0.0.0/0 0.0.0.0/0
5 5989 275K ufw-reject-input all -- * * 0.0.0.0/0 0.0.0.0/0
6 5989 275K ufw-track-input all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 2911 32M DOCKER-USER all -- * * 0.0.0.0/0 0.0.0.0/0
2 2911 32M DOCKER-ISOLATION-STAGE-1 all -- * * 0.0.0.0/0 0.0.0.0/0
3 1899 32M ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
4 0 0 DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0
5 1012 99653 ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
6 0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
7 0 0 ACCEPT all -- * br-fd6471af0f27 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
8 0 0 DOCKER all -- * br-fd6471af0f27 0.0.0.0/0 0.0.0.0/0
9 0 0 ACCEPT all -- br-fd6471af0f27 !br-fd6471af0f27 0.0.0.0/0 0.0.0.0/0
10 0 0 ACCEPT all -- br-fd6471af0f27 br-fd6471af0f27 0.0.0.0/0 0.0.0.0/0
11 0 0 ufw-before-logging-forward all -- * * 0.0.0.0/0 0.0.0.0/0
12 0 0 ufw-before-forward all -- * * 0.0.0.0/0 0.0.0.0/0
13 0 0 ufw-after-forward all -- * * 0.0.0.0/0 0.0.0.0/0
14 0 0 ufw-after-logging-forward all -- * * 0.0.0.0/0 0.0.0.0/0
15 0 0 ufw-reject-forward all -- * * 0.0.0.0/0 0.0.0.0/0
16 0 0 ufw-track-forward all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 11 packets, 508 bytes)
num pkts bytes target prot opt in out source destination
1 19429 4395K ufw-before-logging-output all -- * * 0.0.0.0/0 0.0.0.0/0
2 19429 4395K ufw-before-output all -- * * 0.0.0.0/0 0.0.0.0/0
3 203 18947 ufw-after-output all -- * * 0.0.0.0/0 0.0.0.0/0
4 203 18947 ufw-after-logging-output all -- * * 0.0.0.0/0 0.0.0.0/0
5 203 18947 ufw-reject-output all -- * * 0.0.0.0/0 0.0.0.0/0
6 203 18947 ufw-track-output all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER (2 references)
num pkts bytes target prot opt in out source destination
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
num pkts bytes target prot opt in out source destination
1 1012 99653 DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
2 0 0 DOCKER-ISOLATION-STAGE-2 all -- br-fd6471af0f27 !br-fd6471af0f27 0.0.0.0/0 0.0.0.0/0
3 2911 32M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-ISOLATION-STAGE-2 (2 references)
num pkts bytes target prot opt in out source destination
1 0 0 DROP all -- * docker0 0.0.0.0/0 0.0.0.0/0
2 0 0 DROP all -- * br-fd6471af0f27 0.0.0.0/0 0.0.0.0/0
3 1012 99653 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-USER (1 references)
num pkts bytes target prot opt in out source destination
1 2911 32M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-after-forward (1 references)
num pkts bytes target prot opt in out source destination
Chain ufw-after-input (1 references)
num pkts bytes target prot opt in out source destination
1 9 702 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:137
2 0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:138
3 10 440 ufw-skip-to-policy-input tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
4 42 2040 ufw-skip-to-policy-input tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
5 0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
6 0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:68
7 0 0 ufw-skip-to-policy-input all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
Chain ufw-after-logging-forward (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
Chain ufw-after-logging-input (1 references)
num pkts bytes target prot opt in out source destination
1 773 37106 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
Chain ufw-after-logging-output (1 references)
num pkts bytes target prot opt in out source destination
Chain ufw-after-output (1 references)
num pkts bytes target prot opt in out source destination
Chain ufw-before-forward (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
2 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3
3 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11
4 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 12
5 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
6 0 0 ufw-user-forward all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-before-input (1 references)
num pkts bytes target prot opt in out source destination
1 3512 1120K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
2 14755 4760K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
3 16 2203 ufw-logging-deny all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
4 16 2203 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
5 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3
6 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11
7 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 12
8 8 288 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
9 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
10 7020 338K ufw-not-local all -- * * 0.0.0.0/0 0.0.0.0/0
11 32 5726 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.251 udp dpt:5353
12 0 0 ACCEPT udp -- * * 0.0.0.0/0 239.255.255.250 udp dpt:1900
13 6988 332K ufw-user-input all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-before-logging-forward (1 references)
num pkts bytes target prot opt in out source destination
Chain ufw-before-logging-input (1 references)
num pkts bytes target prot opt in out source destination
Chain ufw-before-logging-output (1 references)
num pkts bytes target prot opt in out source destination
Chain ufw-before-output (1 references)
num pkts bytes target prot opt in out source destination
1 3514 1120K ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
2 15712 3256K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
3 203 18947 ufw-user-output all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-logging-allow (0 references)
num pkts bytes target prot opt in out source destination
1 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "
Chain ufw-logging-deny (2 references)
num pkts bytes target prot opt in out source destination
1 16 2203 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID limit: avg 3/min burst 10
2 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
Chain ufw-not-local (1 references)
num pkts bytes target prot opt in out source destination
1 6988 332K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
2 32 5726 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type MULTICAST
3 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
4 0 0 ufw-logging-deny all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10
5 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-reject-forward (1 references)
num pkts bytes target prot opt in out source destination
Chain ufw-reject-input (1 references)
num pkts bytes target prot opt in out source destination
Chain ufw-reject-output (1 references)
num pkts bytes target prot opt in out source destination
Chain ufw-skip-to-policy-forward (0 references)
num pkts bytes target prot opt in out source destination
1 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-skip-to-policy-input (7 references)
num pkts bytes target prot opt in out source destination
1 61 3182 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-skip-to-policy-output (0 references)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-track-forward (1 references)
num pkts bytes target prot opt in out source destination
Chain ufw-track-input (1 references)
num pkts bytes target prot opt in out source destination
Chain ufw-track-output (1 references)
num pkts bytes target prot opt in out source destination
1 11 668 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
2 181 17771 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
Chain ufw-user-forward (1 references)
num pkts bytes target prot opt in out source destination
Chain ufw-user-input (1 references)
num pkts bytes target prot opt in out source destination
1 801 47460 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
2 105 5215 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443 /* 'dapp_Nginx%20Full' */
3 10 440 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8000
4 2 92 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:8000
5 20 1016 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 /* 'dapp_Postfix' */
6 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
7 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:443
8 0 0 ACCEPT tcp -- * * 109.221.175.158 0.0.0.0/0 tcp dpt:22
9 0 0 ACCEPT udp -- * * 109.221.175.158 0.0.0.0/0 udp dpt:22
Chain ufw-user-limit (0 references)
num pkts bytes target prot opt in out source destination
1 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
2 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain ufw-user-limit-accept (0 references)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-user-logging-forward (0 references)
num pkts bytes target prot opt in out source destination
Chain ufw-user-logging-input (0 references)
num pkts bytes target prot opt in out source destination
Chain ufw-user-logging-output (0 references)
num pkts bytes target prot opt in out source destination
Chain ufw-user-output (1 references)
num pkts bytes target prot opt in out source destination
ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip
To Action From
-- ------ ----
22/tcp ALLOW IN Anywhere
80,443/tcp (Nginx Full) ALLOW IN Anywhere
8000 ALLOW IN Anywhere
25/tcp (Postfix) ALLOW IN Anywhere
443 ALLOW IN Anywhere
22 ALLOW IN 109.221.175.158
22/tcp (v6) ALLOW IN Anywhere (v6)
80,443/tcp (Nginx Full (v6)) ALLOW IN Anywhere (v6)
8000 (v6) ALLOW IN Anywhere (v6)
25/tcp (Postfix (v6)) ALLOW IN Anywhere (v6)
443 (v6) ALLOW IN Anywhere (v6)
cat /etc/netplan/50-cloud-init.yaml
# This file is generated from information provided by the datasource. Changes
# to it will not persist across an instance reboot. To disable cloud-init's
# network configuration capabilities, write a file
# /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg with the following:
# network: {config: disabled}
network:
    version: 2
    ethernets:
        eth0:
            addresses:
            - {IP_ADDRESS_OF_THE_SERVER}/20
            - 10.19.0.6/16
            gateway4: {IP_ADDRESS_OF_THE_SERVER}
            match:
                macaddress: e2:d6:db:d6:3b:cb
            nameservers:
                addresses:
                - 67.207.67.3
                - 67.207.67.2
                search: []
            set-name: eth0
        eth1:
            addresses:
            - 10.114.0.3/20
            match:
                macaddress: 12:c7:32:6c:ea:10
            nameservers:
                addresses:
                - 67.207.67.3
                - 67.207.67.2
                search: []
            set-name: eth1
There’s obviously something that I missed.
Hi there,
As far as I can see from the output, the 403 error that you are seeing is coming from Cloudproxy, which is a service offered by GoDaddy.
What I could suggest is just using a free DigitalOcean Cloud firewall instead, that way you will have better control over what traffic is allowed.
On another note, your Docker setup looks good. Does it work if you try to access your server IP directly rather than going via the GoDaddy firewall?
Best,
Bobby
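The header check behind this answer, as an added example that is not part of the original thread: it attributes a response to the Sucuri/Cloudproxy edge or to the origin (nginx and gunicorn) from its headers. It assumes that an `X-Sucuri-Block` header marks a response generated by the proxy itself; the function names and the origin-side sample are constructed for illustration.

```python
# Added example: decide whether an HTTP response was generated by the
# Sucuri/Cloudproxy edge or by the origin server behind it.

# Headers copied from the httpstatus.io report in the question.
EDGE_403 = """\
HTTP/1.1 403 Forbidden
Server: Sucuri/Cloudproxy
Date: Thu, 09 Feb 2023 19:28:19 GMT
Content-Type: text/html
X-Sucuri-Id: 19040
X-Sucuri-Block: DDOS22
"""

# Constructed sample: what a 403 from the nginx container could look like
# when fetched directly by IP (nginx version taken from the docker logs).
ORIGIN_403 = """\
HTTP/1.1 403 Forbidden
Server: nginx/1.22.1
Content-Type: text/html
"""


def parse_response(raw):
    """Return (status_code, headers) with lower-cased header names."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def classify(raw):
    """Attribute a response to the edge proxy or to the origin server."""
    status, headers = parse_response(raw)
    server = headers.get("server", "")
    block = headers.get("x-sucuri-block")
    if block is not None:
        # Assumption: the proxy refused the request; the origin never saw it.
        return {"status": status, "source": "edge-block", "rule": block}
    if server.lower().startswith("sucuri") or "x-sucuri-id" in headers:
        # Passed through the proxy; the status may come from either side.
        return {"status": status, "source": "via-edge", "rule": None}
    return {"status": status, "source": "origin", "rule": None}


if __name__ == "__main__":
    for label, raw in (("via domain", EDGE_403), ("via server IP", ORIGIN_403)):
        print(label, classify(raw))
```

An `edge-block` result means the nginx, gunicorn and ufw output on the droplet cannot explain the 403, so the next comparison is the same request sent to the server IP.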
Hi Bobby! Many thanks for your really kind input!
Still struggling with this.
I’ve changed the ports at the end of my docker-compose.prod from “80:80” to “443:443”; gunicorn is not throwing any errors anymore, however I still have the hosting server read timeout. I’ve been jumping back and forth between Sucuri support and DigitalOcean support with no luck.