403 forbidden for thumbnails on s3 when running with CDN

nodomain · April 26, 2023, 2:40pm

We use the official Docker hosting setup on AWS based on GitHub - aws-samples/aws-cdk-for-discourse: AWS CDK for Discourse.

The general CDN setup works fine, e.g. images are delivered fine via CDN URL.

However the initial “32x32” request seems to go to the S3 bucket URL which yields a 403.

Did I miss a configuration bit or is it a bug?

Falco · April 26, 2023, 5:01pm

That’s not official, as it’s an AWS project using a bitnami image for Discourse which we explicitly do not recognize as an official standard install of Discourse, making this outside of the scope of installs that we support here.

Not a bug as it’s not running the app the way we intend it to be ran, but it may be fixed with a config change. Maybe open an issue about this on the sample repository ?

nodomain · April 26, 2023, 7:49pm

The referenced project uses the official Docker image.

github.com

aws-samples/aws-cdk-for-discourse/blob/main/lib/ec2-nested-stack.ts#L150


      
          userData.addCommands(
              "sudo -s",
              "yum -y update",
              "yum -y install docker",
              "yum -y install git",
              "yum -y install jq",
              "amazon-linux-extras install -y postgresql13",
              "systemctl enable docker.service",
              "systemctl start docker.service",
              "systemctl status docker.service",
              "git clone https://github.com/discourse/discourse_docker.git /var/discourse",
              "cd /var/discourse",
              "chmod 700 containers",
              "aws s3 cp s3://" + props.backupBucket.bucketName + "/app.yml.template ./containers/app.yml.template",
              "aws s3 cp s3://" + props.backupBucket.bucketName + "/smtp_credentials_generate.py ./smtp_credentials_generate.py",
              "echo -e 'export DISCOURSE_DB_USERNAME=$(aws secretsmanager get-secret-value --region " + this.region + " --secret-id " + props.auroraServerlessV2SecretArn + " --query SecretString --output text | jq -r .username)' > discourse-env",
              "echo -e 'export DISCOURSE_DB_PASSWORD=$(aws secretsmanager get-secret-value --region " + this.region + " --secret-id " + props.auroraServerlessV2SecretArn + " --query SecretString --output text | jq -r .password)' >> discourse-env",
              "echo -e 'export DISCOURSE_DB_HOST=$(aws secretsmanager get-secret-value --region " + this.region + " --secret-id " + props.auroraServerlessV2SecretArn + " --query SecretString --output text | jq -r .host)' >> discourse-env",
              "echo -e 'export DISCOURSE_DB_NAME=$(aws secretsmanager get-secret-value --region " + this.region + " --secret-id " + props.auroraServerlessV2SecretArn + " --query SecretString --output text | jq -r .dbname)' >> discourse-env",
              "echo -e 'export DISCOURSE_DB_PORT=$(aws secretsmanager get-secret-value --region " + this.region + " --secret-id " + props.auroraServerlessV2SecretArn + " --query SecretString --output text | jq -r .port)' >> discourse-env",
              "echo -e 'export PGPASSWORD=$(aws secretsmanager get-secret-value --region " + this.region + " --secret-id " + props.auroraServerlessV2SecretArn + " --query SecretString --output text | jq -r .password)' >> discourse-env",

No Bitnami - I would not have used that in the first place either

I am going to dig into it and report an issue either there, or here.

Falco · April 26, 2023, 8:03pm

Oh, sorry I went by what is written in the project README.md

github.com

aws-samples/aws-cdk-for-discourse/blob/main/README.md?plain=1#L19


      
          
          1. [Amazon CloudFront](https://aws.amazon.com/cloudfront/) is used for CDN via S3 and the application load balancer
          2. [Amazon Route 53](https://aws.amazon.com/route53/) holds the hosted zone for DNS management to create verified outbound email domains along with domain certificates
          3. [Amazon S3](https://aws.amazon.com/route53/) holds user upload files and static assets in one bucket along with Discourse backups in another bucket
          4. [AWS Certificate Manager](https://aws.amazon.com/certificate-manager/) is used to create a DNS validated certificate
          5. [AWS Secrets Manager](https://aws.amazon.com/secrets-manager/) holds the initial setup credentials and created database credentials.
          6. [Amazon Cogntio](https://aws.amazon.com/cognito/) user pools are used via OpenID
          7. [Amazon SES](https://aws.amazon.com/ses/) handles outbound email notifications
          8. [AWS Systems Manager](https://aws.amazon.com/systems-manager/) Session Manager is used to connect to internal instances for debugging purposes
          9. [AWS Auto Scaling](https://aws.amazon.com/autoscaling/) will create the desired number of instances in the desired availability zones
          10. [Amazon EC2](https://aws.amazon.com/pm/ec2/) instances are bootstrapped via a user data script which pulls down the latest stable version of Discourse and sets up the app.yml then launches the [Discourse docker image](https://hub.docker.com/r/bitnami/discourse).
          11. [Amazon RDS](https://aws.amazon.com/rds/) Aurora serverless V2 Postgres database stores user details and posts
          12. [Amazon ElastiCache for Redis](https://aws.amazon.com/elasticache/redis/) is used as a caching layer
          
          ## Requirements
          1. Apache Maven 3.8.5 or greater installed
          2. Java 11 or greater installed
          3. <a href="https://aws.amazon.com/cdk/">AWS Cloud Development Kit</a> (CDK) 1.120.0 or higher
          4. Valid docker login credentials
          5. A domain name hosted by Route53 which is used to
              1. Create a subdomain for discourse

Good luck. Please update here if you find any clues.

nodomain · April 26, 2023, 8:48pm

Pull request for README incoming

nodomain · April 27, 2023, 1:15pm

I found the issue. I restored a backup from another system.

Jagster · April 27, 2023, 1:47pm

What was broken then?

nodomain · April 27, 2023, 2:12pm

Somehow it used the s3 URL for the default Discourse system user avatar image. I did not spend time fixing it because I am still in progress of regularly recreating the environments due to some testing activities.

system · May 27, 2023, 2:12pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
What are the right settings to use S3 bucket (with non-Amazon URL)? Installation	19	4552	August 25, 2020
Aws deployed discourse is fetching assets from database url Support unsupported-install	20	2142	November 15, 2020
Configure an S3 compatible object storage provider for uploads Self-Hosting cdn , configuring , how-to , reference	230	38448	October 24, 2024
S3 Bucket backup setting page problem Installation	6	522	April 25, 2022
Problem setup on AWS: EC2, RDS, ElastiCache Installation unsupported-install	3	2451	June 8, 2024

403 forbidden for thumbnails on s3 when running with CDN

Related topics