New to lucee with nginx but stuck on 403 not found error /lucee/admin/server.cfm


te...@brandexpedia.com

Jan 13, 2016, 3:13:14 PM
to Lucee
Glen here, I am new to Lucee with nginx and I am stuck with a 403 forbidden error when trying to access url: mydomain.co.za/lucee/admin/server.cfm. I would really appreciate it if someone can point out where I am going wrong here.

I followed this awesome script https://github.com/foundeo/ubuntu-nginx-lucee which I adapted a little for installing on debian 8.2 x64. When I get to the end of the script I get the success statement and I can view my site page but when I try access mydomain.co.za /lucee/admin/server.cfm I get a 403 forbidden error. I hope I am not being too long winded with the details, but here goes.

When I test nginx I get syntax ok:

$ nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful


My ports output: 

$ netstat -ntlp
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      8920/nginx
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      904/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      904/sshd


My configs and changes as follows,

./install.sh config

#!/bin/bash

#configuration options
export LUCEE_VERSION="4.5.2.018"
export JVM_MAX_HEAP_SIZE="512m"
export JVM_FILE="server-jre-8u66-linux-x64.gz"
export JVM_VERSION="1.8.0_66"

File changes to 100-ubuntu-update.sh adapted for debian 8.2 x64

#!/bin/bash

echo "Updating Debian Software"
aptitude update
aptitude upgrade -y

aptitude remove apt-listchanges 
aptitude install curl -y

aptitude install unzip -y
aptitude install git -y

500-nginx.sh changes

#!/bin/bash
web_root="/web"

echo "Installing nginx"
aptitude install nginx -y
echo "Adding lucee nginx configuration files"
cp etc/nginx/conf.d/lucee-global.conf /etc/nginx/conf.d/lucee-global.conf
cp etc/nginx/lucee.conf /etc/nginx/lucee.conf
cp etc/nginx/lucee-proxy.conf /etc/nginx/lucee-proxy.conf

echo "Configuring modcfml shared secret in nginx"
shared_secret=`cat /opt/lucee/modcfml-shared-key.txt`
sed -i "s/SHARED-KEY-HERE/$shared_secret/g" /etc/nginx/lucee-proxy.conf

echo "Creating web root and default sites here: " $web_root
mkdir $web_root
mkdir $web_root/mydomain.co.za
mkdir $web_root/mydomain.co.za/wwwroot

echo "Creating a default index.html"
echo "<!doctype html><html><body><h1>CFML Webroot...</h1></body></html>" > $web_root/mydomain.co.za/wwwroot/index.html

#add tomcat7 to www-data group so it can read files
usermod -aG www-data tomcat7

#set the web directory permissions
chown -R root:www-data $web_root
chmod -R 750 $web_root


echo "Adding Default and Example Site to nginx"
cp etc/nginx/sites-available/*.conf /etc/nginx/sites-available/
echo "Removing nginx default site"
rm /etc/nginx/sites-enabled/default
echo "Adding our default site"
ln -s /etc/nginx/sites-available/mydomain.co.za.conf /etc/nginx/sites-enabled/mydomain.co.za.conf

service nginx restart


changes to /etc/hosts



changes to /etc/nginx/lucee.conf

#block the lucee-context except for certain ip
location ~* /lucee/ {
        # Add my domain
        allow 178.62.29.247;
        deny all;
        include lucee-proxy.conf;
}


Sites directory structure

sites-available/
   /default
   /mydomain.co.za.conf



Changes to mydomain.co.za.conf 


server {
  listen 80 default_server;

  root /web/mydomain.co.za/wwwroot/;

  server_name mydomain.co.za www.mydomain.co.za;

  # Mod_cfml (Lucee) specific: add a unique ID for this server block.
  # For more info, see http://www.modcfml.org/index.cfm/install/web-server-components/nginx-all-os/
  set $lucee_context "mydomain.co.za";

  include lucee.conf;
}


I think the problem is either an empty directory root mapping (I do not know Lucee well enough yet to know why, or how the folder structure works), or it is a permissions and ownership issue.


Any help here will be greatly appreciated, I have spent many hours on this and the solution is probably simple, I hope!!!





Juan Aguilar

Jan 13, 2016, 3:48:57 PM
to Lucee
Maybe I'm missing something so forgive me if this is obvious, but, given your netstat output, is Tomcat installed and running?

Jon Clausen

Jan 13, 2016, 4:04:35 PM
to lu...@googlegroups.com

NGINX runs under the user account “nginx” so, based on the permissions you’re setting in the script below you may need to add the “nginx” user to the group “www-data” (that’s the group you’re setting ownership of the web root to) to ensure permissions for non-proxy access from NGINX:

usermod -a -G www-data nginx

Looking at Pete's lucee.conf file in the repo you linked below, though, the /lucee path is IP restricted. Does your IP match that IP (he has 10.0.0.10 as the IP in his file)?

https://github.com/foundeo/ubuntu-nginx-lucee/blob/master/etc/nginx/lucee.conf  


Nando Breiter

Jan 13, 2016, 5:08:19 PM
to lu...@googlegroups.com
Here's how I set up admin access, same for ACF, Lucee, Railo ...




Aria Media Sagl
Via Rompada 40
6987 Caslano
Switzerland

+41 (0)91 600 9601
+41 (0)76 303 4477 cell
skype: ariamedia

GlenS

Jan 13, 2016, 5:09:57 PM
to Lucee
Hi Juan,

When I run netstat -tulpen, these are the ports I get.

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode       PID/Program name
tcp        0      0 0.0.0.0:49356           0.0.0.0:*               LISTEN      106        10305       509/rpc.statd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      0          10195       500/rpcbind
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      0          40548       26442/nginx -g daem
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          11597       584/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      109        39807       26231/mysqld
tcp6       0      0 :::111                  :::*                    LISTEN      0          10198       500/rpcbind
tcp6       0      0 :::55890                :::*                    LISTEN      106        10311       509/rpc.statd
tcp6       0      0 :::22                   :::*                    LISTEN      0          11606       584/sshd
udp        0      0 0.0.0.0:675             0.0.0.0:*                           0          10194       500/rpcbind
udp        0      0 127.0.0.1:685           0.0.0.0:*                           0          10297       509/rpc.statd
udp        0      0 0.0.0.0:39474           0.0.0.0:*                           106        10302       509/rpc.statd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           0          10191       500/rpcbind
udp6       0      0 :::675                  :::*                                0          10197       500/rpcbind
udp6       0      0 :::35391                :::*                                106        10308       509/rpc.statd
udp6       0      0 :::111                  :::*                                0          10196       500/rpcbind


When I run $ ps -ef | grep java

root     26458   631  0 17:02 pts/0    00:00:00 grep java

Nando Breiter

Jan 13, 2016, 5:11:43 PM
to lu...@googlegroups.com
Oh, there are Apache config instructions in there, but the same restriction can of course be set in nginx. 



Aria Media Sagl
Via Rompada 40
6987 Caslano
Switzerland

+41 (0)91 600 9601
+41 (0)76 303 4477 cell
skype: ariamedia

GlenS

Jan 13, 2016, 5:30:19 PM
to Lucee
Hi Jon,

My /etc/nginx/lucee.conf looks as follows:

#block the lucee-context except for certain ip
location ~* /lucee/ {
        allow 10.0.0.10;
        deny all;
        include lucee-proxy.conf;
}


And I added nginx as a user, then added it to the group www-data and restarted nginx. No change in the 403 error.

Jon Clausen

Jan 13, 2016, 5:53:46 PM
to lu...@googlegroups.com
Right, you're getting the 403 because your config is disallowing access to the admin from any IP except 10.0.0.10.

You'll need to add your IP or comment out that location block to gain access to the admin.

[Note: Typo assistance courtesy of iPhone]

GlenS

Jan 13, 2016, 6:34:02 PM
to Lucee
I checked Tomcat again with "service tomcat7 status" and got back: unable to stat /opt/lucee/jvm/current/bin/java (No such ...directory)

This could be the problem.

tomcat7.service - LSB: Start Tomcat.
   Loaded: loaded (/etc/init.d/tomcat7)
   Active: active (exited) since Wed 2016-01-13 16:51:20 EST; 1h 3min ago

Jan 13 16:51:20 mydomain.co.za tomcat7[23703]: Starting Tomcat servlet engine: tomcat7start-stop-daemon: unable to stat /opt/lucee/jvm/current/bin/java (No such ...directory)
Jan 13 16:51:20 mydomain.co.za tomcat7[23703]: (already running).
Hint: Some lines were ellipsized, use -l to show in full.



GlenS

Jan 13, 2016, 6:34:02 PM
to Lucee
Hi Jon, thanks. When I add my IP address (my outbound IP address, not my server IP), I then get a 502 Bad Gateway response.

lucee.conf looks like this

#block the lucee-context except for certain ip
location ~* /lucee/ {
        allow 123.56.789.111;
        deny all;
        include lucee-proxy.conf;
}


Checking my /var/log/nginx/error.log shows:


2016/01/13 18:07:37 [error] 26790#0: *1 connect() failed (111: Connection refused) while connecting to upstream, client: 123.56.789.111, server: mydomain.co.za, request: "GE$
2016/01/13 18:10:11 [error] 26805#0: *1 connect() failed (111: Connection refused) while connecting to upstream, client: 123.56.789.111, server: mydomain.co.za, request: "GE$

GlenS

Jan 13, 2016, 6:34:02 PM
to Lucee
I tried this in /etc/nginx/sites-available/mydomain.co.za.conf

  location /CFIDE {
      order deny,allow;
      deny from all;
      allow from MYIPADDRESS;
  }


But I get "Job for nginx.service failed. See 'systemctl status nginx.service' and 'journalctl -xn' for details."
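As an added example (my own, not code from this thread or from the foundeo install scripts): a small Python checker that applies nginx's allow/deny first-match semantics to the lucee.conf location block above, which shows why only 10.0.0.10 gets through and every other client gets a 403, and that rejects the Apache-style order/deny from/allow from directives that nginx does not understand (the cause of the failed restart). The client addresses used in the test are constructed.

```python
import ipaddress
import re

# Constructed sample: the lucee.conf location block from this thread, as the
# install script ships it (only 10.0.0.10 may reach the Lucee admin context).
SAMPLE_LOCATION = """
#block the lucee-context except for certain ip
location ~* /lucee/ {
        allow 10.0.0.10;
        deny all;
        include lucee-proxy.conf;
}
"""

# Apache access-control syntax that nginx does not understand; a block using
# it fails `nginx -t`, so the service refuses to (re)start.
APACHE_DIRECTIVES = ("order ", "deny from ", "allow from ")


def parse_access_rules(block):
    """Return the ordered list of (action, network) allow/deny rules."""
    rules = []
    for raw in block.splitlines():
        line = raw.strip().rstrip(";").strip()
        if line.lower().startswith(APACHE_DIRECTIVES):
            raise ValueError("Apache directive, not nginx: %r" % line)
        m = re.match(r"^(allow|deny)\s+(\S+)$", line)
        if not m:
            continue  # comments, include, braces, etc.
        action, target = m.groups()
        # "all" matches every client; anything else is an IP or CIDR network
        net = None if target == "all" else ipaddress.ip_network(target, strict=False)
        rules.append((action, net))
    return rules


def is_allowed(rules, client_ip):
    """nginx semantics: rules are checked in order, the first match wins,
    and a client that matches no rule at all is allowed."""
    ip = ipaddress.ip_address(client_ip)
    for action, net in rules:
        if net is None or (ip.version == net.version and ip in net):
            return action == "allow"
    return True


def add_allowed_ip(block, admin_ip):
    """Insert `allow <admin_ip>;` ahead of `deny all;` (order matters: an
    allow placed after `deny all;` is never reached)."""
    ipaddress.ip_address(admin_ip)  # rejects placeholders like 123.56.789.111
    return block.replace("deny all;", "allow %s;\n        deny all;" % admin_ip, 1)
```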

Jon Clausen

Jan 13, 2016, 6:53:07 PM
to lu...@googlegroups.com
Excellent. You've solved the 403. Your bad gateway is because Tomcat isn't running, as referenced in your preceding email. Frankly, I've always installed Lucee using the installers, so Pete's installation method is unfamiliar to me. Looking at your startup error and at his scripts and docs, it looks like the JVM installation wasn't successful. I would suggest running the "400-jvm.sh" script (https://github.com/foundeo/ubuntu-nginx-lucee/blob/master/scripts/400-jvm.sh) manually again. That should extract it to the /opt/lucee/jvm/current directory.

GlenS

Jan 13, 2016, 9:25:00 PM
to Lucee
Hi Jon,

Thank you, I followed your advice with the following process:

I checked for directory /opt/lucee/jvm
I ran $ chown -R root:root /opt/lucee/jvm && chmod -R 755 /opt/lucee/jvm
I removed symlink at $ rm /opt/lucee/jvm/current
I linked files again $  ln -s /opt/lucee/jvm/jdk1.8.0_66 /opt/lucee/jvm/current

I restarted Tomcat7 $ service tomcat7 restart
I restarted Nginx $ service nginx restart

I tested for the 8080 port with $ netstat -ntlp and now have Tomcat listening on 8080.

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:34140           0.0.0.0:*               LISTEN      462/rpc.statd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      939/mysqld
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      451/rpcbind
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1200/nginx -g daemo
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1108/sshd
tcp6       0      0 :::111                  :::*                    LISTEN      451/rpcbind
tcp6       0      0 :::8080                 :::*                    LISTEN      1243/java
tcp6       0      0 :::22                   :::*                    LISTEN      1108/sshd
tcp6       0      0 :::37976                :::*                    LISTEN      462/rpc.statd


I ran $ service tomcat7 status and got a success message.

I ran $ service nginx restart and got a success message.


I believe that Tomcat is up and working, however I am now getting a 504 gateway timeout. I am going to re-install lucee and see if this helps. 


You mentioned you always installed Lucee using the installers. Not having much experience with Lucee setup, is there another method that you would recommend?



Jon Clausen

Jan 13, 2016, 11:01:54 PM
to lu...@googlegroups.com

Jordan Michaels helps to maintain several excellent Lucee installers bundled with Tomcat, which can be found in the Lucee downloads section:

http://lucee.org/downloads.html

9 times out of 10, those will do everything you need to do. Here’s what I would suggest to make it easier with what you currently have in place:

Install Apache, and then elect to install the connectors during the Lucee installation script. Then uninstall Apache. You just need it so the installer can set up mod_cfml shared keys - otherwise it won’t add the keys to the mod_cfml valve configuration.

The NGINX proxy configuration to Lucee you already have in place should work with the installers, by simply changing the key to the new mod_cfml key, though I haven’t verified this - as of yet. With the installer, Tomcat is located in /opt/lucee/tomcat and you can grab the shared key from the mod_cfml valve configuration in /opt/lucee/tomcat/conf/server.xml to match up in /etc/nginx/lucee-proxy.conf

If you still have trouble getting mod_cfml up and running you can also just do a direct HTTP proxy to port 8888 from NGINX and configure your web context manually, which works fine too if you don't mind setting up a new web context configuration for each app. This is how NGINX/Lucee servers were set up before recent mod_cfml updates, which made it fully compatible with NGINX.

In your nginx.conf add the upstream inside the http{} config (and use some of the excellent security config blocks that are in your existing install) without :

#upstream configuration - may be used to configure additional servers and options for load balancing
upstream lucee {
    server          127.0.0.1:8888;
}

Then add the following inside your server config:

#Proxy all CFML to Lucee
location ~ \.(cfm|cfml|cfc)(.*)$ {
    proxy_pass $scheme://lucee;
    # $no_cache must be defined elsewhere in the http{} block (for example with
    # a map directive); an undefined variable makes `nginx -t` fail
    proxy_cache_bypass $no_cache;
    proxy_http_version  1.1;
    proxy_set_header    Connection "";

    proxy_set_header    Host                $host;
    proxy_set_header    X-Forwarded-Host    $host;
    proxy_set_header    X-Forwarded-Server  $host;
    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;     ## CGI.REMOTE_ADDR
    proxy_set_header    X-Forwarded-Proto   $scheme;                        ## CGI.SERVER_PORT_SECURE
    proxy_set_header    X-Real-IP           $remote_addr;

    #everything below is optional and is for tuning:
    expires             epoch;

    client_max_body_size    32m;
    client_body_buffer_size 800k;
    proxy_connect_timeout   900;
    proxy_send_timeout      900;
    proxy_read_timeout      900;
    proxy_buffer_size       128k;
    proxy_buffers           4 256k;
    proxy_busy_buffers_size 256k;
}

#let NGINX handle static files
location ~* ^.+\.(jpe?g|jpg|gif|png|ico|css|zip|tgz|gz|rar|bz2|doc|xls|exe|pdf|ppt|txt|tar|mid|midi|wav|bmp|rtf|js|swf|avi|mp3|ttf|woff)$ {
    root   /web;
    expires 30d;
}

GlenS

Jan 14, 2016, 1:17:51 AM
to Lucee
Thanks Jon, and thank you to Nando and Juan for your support. I will work through your recommendations and share back the details. Best regards, Glen