By veliona
Hi! I am hosting my database (Pocketbase) on DO Droplet. I wanted to ensure secure connection so I set up a custom subdomain and have SSL certificate for it. I pointed my DNS using A record to Droplet IP (209.38.41.103). However, now I struggle with nginx set-up file. I used to get nginx welcome screen but now I get 404. I need to allow POST for emails (/api/collections/waiting_list/records) and GET for other collections (/api/collections/(artists|artworks)/records).
Pocketbase running: http://209.38.41.103:8090/_
Here is my /etc/nginx/sites-available/pocketbase file:
server {
listen 80;
server_name pocketbase.artdots.co;
# Redirect all HTTP traffic to HTTPS
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
server_name pocketbase.artdots.co;
# SSL configuration
ssl_certificate /etc/ssl/certs/certificate.pem;
ssl_certificate_key /etc/ssl/private/private.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'HIGH:!aNULL:!MD5';
ssl_prefer_server_ciphers on;
# Add global CORS headers
add_header Access-Control-Allow-Origin *;
add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";
add_header Access-Control-Allow-Headers "Origin, Content-Type, Accept, Authorization";
# Handle POST requests for waiting_list
location = /api/collections/waiting_list/records {
if ($request_method !~ ^(POST|OPTIONS)$) {
return 405; # Method Not Allowed
}
proxy_pass http://127.0.0.1:8090;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# CORS for preflight (OPTIONS) requests
if ($request_method = OPTIONS) {
add_header Access-Control-Allow-Origin *;
add_header Access-Control-Allow-Methods "POST, OPTIONS";
add_header Access-Control-Allow-Headers "Origin, Content-Type, Accept, Authorization";
add_header Content-Length 0;
add_header Content-Type text/plain;
return 204; # No Content
}
}
# Handle GET requests for images in artists and artworks collections
location ~ ^/api/collections/(artists|artworks)/records {
if ($request_method !~ ^(GET|OPTIONS)$) {
return 405; # Method Not Allowed
}
proxy_pass http://127.0.0.1:8090;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# CORS for preflight (OPTIONS) requests
if ($request_method = OPTIONS) {
add_header Access-Control-Allow-Origin *;
add_header Access-Control-Allow-Methods "GET, OPTIONS";
add_header Access-Control-Allow-Headers "Origin, Content-Type, Accept, Authorization";
add_header Content-Length 0;
add_header Content-Type text/plain;
return 204; # No Content
}
}
# Default location block for all other requests
location / {
proxy_pass http://127.0.0.1:8090;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
Could you point me to problems in my set-up?
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
Heya,
Your current nginx
configuration file for pocketbase.artdots.co
has several issues that might be causing the problems you’re facing. Here’s an analysis of the key areas and suggestions to resolve the issues:
ssl_certificate
and ssl_certificate_key
ls -l /etc/ssl/certs/certificate.pem
ls -l /etc/ssl/private/private.key
nsure they are readable by the nginx
user.
OPTIONS
BlocksOPTIONS
blocks. This redundancy can cause confusion.add_header Access-Control-Allow-*;
) outside location blocks, remove the duplicates from the OPTIONS
sections.OPTIONS
RequestsOPTIONS
requests are being conditionally handled but not properly matched.location
block for OPTIONS
requests:location / {
if ($request_method = OPTIONS) {
add_header Access-Control-Allow-Origin *;
add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";
add_header Access-Control-Allow-Headers "Origin, Content-Type, Accept, Authorization";
add_header Content-Length 0;
add_header Content-Type text/plain;
return 204; # No Content
}
# Other rules go here...
}
location
Blocks=
location for /api/collections/waiting_list/records
will only match exactly that path, while the ~
regex for /api/collections/(artists|artworks)/records
may cause unexpected behavior.=
) to a prefix match (^~
) for consistency:location ^~ /api/collections/waiting_list/records {
# POST-specific rules
}
Here is the revised configuration:
server {
listen 80;
server_name pocketbase.artdots.co;
# Redirect all HTTP traffic to HTTPS
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
server_name pocketbase.artdots.co;
# SSL configuration
ssl_certificate /etc/ssl/certs/certificate.pem;
ssl_certificate_key /etc/ssl/private/private.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'HIGH:!aNULL:!MD5';
ssl_prefer_server_ciphers on;
# Global CORS headers
add_header Access-Control-Allow-Origin *;
add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";
add_header Access-Control-Allow-Headers "Origin, Content-Type, Accept, Authorization";
# Handle POST requests for waiting_list
location ^~ /api/collections/waiting_list/records {
proxy_pass http://127.0.0.1:8090;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# Handle GET requests for artists and artworks
location ~ ^/api/collections/(artists|artworks)/records {
proxy_pass http://127.0.0.1:8090;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# Default location block for all other requests
location / {
proxy_pass http://127.0.0.1:8090;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
nginx
configuration:nginx -t
systemctl reload nginx
http://127.0.0.1:8090
is running and accessible locally.pocketbase.artdots.co
.curl
to verify HTTP and HTTPS responses:curl -X OPTIONS https://pocketbase.artdots.co/api/collections/waiting_list/records
curl -X GET https://pocketbase.artdots.co/api/collections/artists/records`
`` tail -f /var/log/nginx/access.log /var/log/nginx/error.log
Let me know how it goes!
Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.
Full documentation for every DigitalOcean product.
The Wave has everything you need to know about building a business, from raising funding to marketing your product.
Stay up to date by signing up for DigitalOcean’s Infrastructure as a Newsletter.
New accounts only. By submitting your email you agree to our Privacy Policy
Scale up as you grow — whether you're running one virtual machine or ten thousand.
Sign up and get $200 in credit for your first 60 days with DigitalOcean.*
*This promotional offer applies to new accounts only.