By veliona
Hi! I am hosting my database (Pocketbase) on DO Droplet. I wanted to ensure secure connection so I set up a custom subdomain and have SSL certificate for it. I pointed my DNS using A record to Droplet IP (209.38.41.103). However, now I struggle with nginx set-up file. I used to get nginx welcome screen but now I get 404. I need to allow POST for emails (/api/collections/waiting_list/records) and GET for other collections (/api/collections/(artists|artworks)/records).
Pocketbase running: http://209.38.41.103:8090/_
Here is my /etc/nginx/sites-available/pocketbase file:
server {
listen 80;
server_name pocketbase.artdots.co;
# Redirect all HTTP traffic to HTTPS
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
server_name pocketbase.artdots.co;
# SSL configuration
ssl_certificate /etc/ssl/certs/certificate.pem;
ssl_certificate_key /etc/ssl/private/private.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'HIGH:!aNULL:!MD5';
ssl_prefer_server_ciphers on;
# Add global CORS headers
add_header Access-Control-Allow-Origin *;
add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";
add_header Access-Control-Allow-Headers "Origin, Content-Type, Accept, Authorization";
# Handle POST requests for waiting_list
location = /api/collections/waiting_list/records {
if ($request_method !~ ^(POST|OPTIONS)$) {
return 405; # Method Not Allowed
}
proxy_pass http://127.0.0.1:8090;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# CORS for preflight (OPTIONS) requests
if ($request_method = OPTIONS) {
add_header Access-Control-Allow-Origin *;
add_header Access-Control-Allow-Methods "POST, OPTIONS";
add_header Access-Control-Allow-Headers "Origin, Content-Type, Accept, Authorization";
add_header Content-Length 0;
add_header Content-Type text/plain;
return 204; # No Content
}
}
# Handle GET requests for images in artists and artworks collections
location ~ ^/api/collections/(artists|artworks)/records {
if ($request_method !~ ^(GET|OPTIONS)$) {
return 405; # Method Not Allowed
}
proxy_pass http://127.0.0.1:8090;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# CORS for preflight (OPTIONS) requests
if ($request_method = OPTIONS) {
add_header Access-Control-Allow-Origin *;
add_header Access-Control-Allow-Methods "GET, OPTIONS";
add_header Access-Control-Allow-Headers "Origin, Content-Type, Accept, Authorization";
add_header Content-Length 0;
add_header Content-Type text/plain;
return 204; # No Content
}
}
# Default location block for all other requests
location / {
proxy_pass http://127.0.0.1:8090;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
Could you point me to problems in my set-up?
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
Heya,
Your current nginx configuration file for pocketbase.artdots.co has several issues that might be causing the problems you’re facing. Here’s an analysis of the key areas and suggestions to resolve the issues:
Missing SSL Files or Permissions
- Cause: Incorrect or inaccessible SSL certificate and key files can cause the HTTPS server block to fail.
- Fix: Verify the paths and permissions of
ssl_certificateandssl_certificate_key
ls -l /etc/ssl/certs/certificate.pem
ls -l /etc/ssl/private/private.key
nsure they are readable by the nginx user.
CORS Headers Repeated Inside OPTIONS Blocks
- Cause: You’re adding CORS headers twice: globally and inside
OPTIONSblocks. This redundancy can cause confusion. - Fix: Since you already have global CORS headers (
add_header Access-Control-Allow-*;) outside location blocks, remove the duplicates from theOPTIONSsections.
Incorrect Handling of OPTIONS Requests
- Cause: Preflight
OPTIONSrequests are being conditionally handled but not properly matched. - Fix: Use a dedicated
locationblock forOPTIONSrequests:
location / {
if ($request_method = OPTIONS) {
add_header Access-Control-Allow-Origin *;
add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";
add_header Access-Control-Allow-Headers "Origin, Content-Type, Accept, Authorization";
add_header Content-Length 0;
add_header Content-Type text/plain;
return 204; # No Content
}
# Other rules go here...
}
Conflicting location Blocks
- Cause: The
=location for/api/collections/waiting_list/recordswill only match exactly that path, while the~regex for/api/collections/(artists|artworks)/recordsmay cause unexpected behavior. - Fix: Change the strict match (
=) to a prefix match (^~) for consistency:
location ^~ /api/collections/waiting_list/records {
# POST-specific rules
}
Improved Configuration
Here is the revised configuration:
server {
listen 80;
server_name pocketbase.artdots.co;
# Redirect all HTTP traffic to HTTPS
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
server_name pocketbase.artdots.co;
# SSL configuration
ssl_certificate /etc/ssl/certs/certificate.pem;
ssl_certificate_key /etc/ssl/private/private.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'HIGH:!aNULL:!MD5';
ssl_prefer_server_ciphers on;
# Global CORS headers
add_header Access-Control-Allow-Origin *;
add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";
add_header Access-Control-Allow-Headers "Origin, Content-Type, Accept, Authorization";
# Handle POST requests for waiting_list
location ^~ /api/collections/waiting_list/records {
proxy_pass http://127.0.0.1:8090;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# Handle GET requests for artists and artworks
location ~ ^/api/collections/(artists|artworks)/records {
proxy_pass http://127.0.0.1:8090;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# Default location block for all other requests
location / {
proxy_pass http://127.0.0.1:8090;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
Test and troubleshoot
- Test the
nginxconfiguration:
nginx -t
systemctl reload nginx
- Verify your Pocketbase server at
http://127.0.0.1:8090is running and accessible locally. - Check DNS propagation for
pocketbase.artdots.co. - Use a tool like
curlto verify HTTP and HTTPS responses:
curl -X OPTIONS https://pocketbase.artdots.co/api/collections/waiting_list/records
curl -X GET https://pocketbase.artdots.co/api/collections/artists/records`
- Monitor logs for errors:
`` tail -f /var/log/nginx/access.log /var/log/nginx/error.log
Let me know how it goes!
Become a contributor for community
Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.
DigitalOcean Documentation
Full documentation for every DigitalOcean product.
Resources for startups and SMBs
The Wave has everything you need to know about building a business, from raising funding to marketing your product.
The developer cloud
Scale up as you grow — whether you're running one virtual machine or ten thousand.
Get started for free
Sign up and get $200 in credit for your first 60 days with DigitalOcean.*
*This promotional offer applies to new accounts only.