Permissions for uploads folder?

First I tried to run Discourse with semi-default settings and it worked quite fine, I was able to upload files as well as do other stuff.

Then I realized the path in app.yml was /var/discourse and I updated it to /var/www/discourse, stopped and destroyed the container, removed the previous folder completely. And I have it up and running again… but I noticed now I cannot upload files any more.

What kind of permissions does uploads folder need? I can do some changes manually, but I’d like to know what exactly and whether it’s fine in general (shouldn’t the launcher take care of setting right permissions, especially when launched from scratch?)

IN the logs I have nginx errors like

2024/07/12 19:11:23 [crit] 76#76: *160552 stat() “/var/www/discourse/public/uploads/default/original/1X/971c712ff3f1758abc63ac777ad708042cc41ddf.png” failed (13: Permission denied), client: 172.17.0.1, server: _, request: “GET /phorum/uploads/default/original/1X/971c712ff3f1758abc63ac777ad708042cc41ddf.png HTTP/1.0”, host: “myhost.com”, referrer: “https://myhost.com/phorum/admin/site_settings/category/branding

Permissions on uploads are like:

drwxr--r--+ 3 discourse www-data 21 Jul 12 11:47 uploads

That’s whats recommended.

The /var/www/discourse path is the path to discourse inside the container. /var/discourse is the normal path for Discourse_docker outside the container.

Since you just started, I would likely recommend that you just start over and don’t rename anything this time.

My guess is that you didn’t update the path in your app.yml and so it’s trying to access something that doesn’t exist.

I have many other projects on this server and they’re all are nicely located in my /var/www folder, so I prefer to keep it like this :slight_smile: And I don’t care how it is inside the container.

But I did update it? In mounts, or where else should it go?

Sorry, can’t help. But I’m totally sure you don’t have Nginx there :wink: Situation is same with docker container.

Sorry, I’m not getting, which nginx? The logs are from Discourse nginx, my SSL-terminating nginx is above it.

Exacly my point. Because your reverse proxy nginx isn’t in that path why should docker container be.

But a container lives its own life and path to container should not affect what its Nginx does. Did you change something else too?

I checked what I have:

lrwxrwxrwx 1 root root 15 Jul 12 10:10 uploads -> /shared/uploads

And as an example one image on /var/www/discourse/public/uploads/default/original/1X looks like that:

-rw-r--r-- 1 discourse www-data 7100 May 19 2022 08335563eac3a393e60a902d4d38cffdfa6d967d

That much I know. Because otherwise Docker is one very huge mystery for me :rofl:

So basically world-writable? Isn’t it considered bad for security?

You really don’t want to run the risk of serving your secrets in your app.yml to the world.

1 Like

Inside docker? I don’t think so. And… I don’t care because all of that is planned and made by CDCK and I trust they know what they do :smirk:

Sure, but I’m not serving anything :slight_smile:

Permissions are the same regardless whether inside/outside. And uploads folder is mounted.

Okay, nothing worked, so I ended up changing permissions for uploads folder to 755 and it’s fine now. After rebuild it seems the uploads themselves were okay (from the engine side), however nginx was not able to read those.

I don’t totally understand why you are doing all this. It is your choise to put container in the path that will be wordwide visible if you do a small mistake, but that is your choise. But everything else… why?

To have a reverse proxy front of Discourse is really trivial and otherwise your setup would be a standard install without all that hazzle. Sure, if you want to play and that is your hobby, but quite soon someone will pop-up and say you can get support only for standard install and the biggest issue is anyone actually doesn’t know what you have done. Or why.

What “this”? I have relatively standard setup :slight_smile: And I’m trying to fix the issue.

If you want you can upload a file and see what it’s permissions are and copy that.

Maybe upload a few and then do

 find uploads -ls |less

You are fixing an issue you got when you started to do something else what a standard one needs. Even with reverse proxy.

That’s why you are quite far away standard :smirk: Because there is two options

  • you have a bug in your hands that no one else has
  • you did something funny

Perhaps it is a bug. And you have confirmed it making a standard install using safe (in so many ways) path and at same time connecting your reverse proxy proper way. Because if it is still broken I can bet the issue is in virtual host and/or ports. But if it works… then we are back on option ”funny” — where no one knows what you did.

Do you see the problem here?

Either way — using a reverse proxy leads to no support… that’s policy here. But yet another users can and quite often will help,

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.