[GH-ISSUE #377] nginx sub dir get forbidden error #200

Closed
opened 2026-04-08 16:51:06 +03:00 by zhus · 10 comments
Owner

Originally created by @carlsue on GitHub (Apr 24, 2024).
Original GitHub issue: https://github.com/sigoden/dufs/issues/377

I set up nginx and dufs on the same device and configured an nginx reverse proxy to dufs, but I get a forbidden error:

`location /dufs { proxy_pass http://127.0.0.1:5000; }`

![image](https://github.com/sigoden/dufs/assets/17507066/8bb2728b-65b7-41ad-bf50-07aab36657d1)

![image](https://github.com/sigoden/dufs/assets/17507066/0fcd5f1c-5131-4255-9392-95ccf6e174d0)

zhus closed this issue 2026-04-08 16:51:06 +03:00

@sigoden commented on GitHub (Apr 24, 2024):

Must be misconfig on auth options. Don't include `/dufs` prefix in the auth path.
If it still fails, please provide the full configuration for further assistance.


@carlsue commented on GitHub (Apr 24, 2024):

> Must be misconfig on auth options. Don't include `/dufs` prefix in the auth path. If it still fails, please provide the full configuration for further assistance.

```
config dufs 'config'
    option enabled '1'
    option port '5000'
    option allow_upload '1'
    option allow_search '1'
    list auth '2:2@/sda1:rw'
    list auth '1:1@/sda1/TDDOWNLOAD'
    option internet '1'
    option enable_cors '1'
```

```nginx
worker_processes auto;

user root;

include module.d/*.module;

events {}

http {
    access_log off;
    log_format openwrt
        '$request_method $scheme://$host$request_uri => $status'
        ' (${body_bytes_sent}B in ${request_time}s) <- $http_referer';

    include mime.types;
    default_type application/octet-stream;
    sendfile on;

    client_max_body_size 128M;
    large_client_header_buffers 2 1k;

    gzip on;
    gzip_vary on;
    gzip_proxied any;

    root /www;

    server { #see uci show 'nginx._lan'
        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;
        server_name _lan;
        include restrict_locally;
        include conf.d/*.locations;
        ssl_certificate /etc/nginx/conf.d/_lan.crt;
        ssl_certificate_key /etc/nginx/conf.d/_lan.key;
        ssl_session_cache shared:SSL:32k;
        ssl_session_timeout 64m;
        access_log off; # logd openwrt;
    }

    server { #see uci show 'nginx._redirect2ssl'
        listen 80;
        listen [::]:80;
        server_name _redirect2ssl;
        return 302 https://$host$request_uri;
    }

    include conf.d/*.conf;

}

# configuration file /etc/nginx/module.d/luci.module:

load_module /usr/lib/nginx/modules/ngx_http_ubus_module.so;

# configuration file /etc/nginx/mime.types:

types {
    text/html                                        html htm shtml;
    text/css                                         css;
    text/xml                                         xml;
    image/gif                                        gif;
    image/jpeg                                       jpeg jpg;
    application/javascript                           js;
    application/atom+xml                             atom;
    application/rss+xml                              rss;

    text/mathml                                      mml;
    text/plain                                       txt;
    text/vnd.sun.j2me.app-descriptor                 jad;
    text/vnd.wap.wml                                 wml;
    text/x-component                                 htc;

    image/avif                                       avif;
    image/png                                        png;
    image/svg+xml                                    svg svgz;
    image/tiff                                       tif tiff;
    image/vnd.wap.wbmp                               wbmp;
    image/webp                                       webp;
    image/x-icon                                     ico;
    image/x-jng                                      jng;
    image/x-ms-bmp                                   bmp;

    font/woff                                        woff;
    font/woff2                                       woff2;

    application/java-archive                         jar war ear;
    application/json                                 json;
    application/mac-binhex40                         hqx;
    application/msword                               doc;
    application/pdf                                  pdf;
    application/postscript                           ps eps ai;
    application/rtf                                  rtf;
    application/vnd.apple.mpegurl                    m3u8;
    application/vnd.google-earth.kml+xml             kml;
    application/vnd.google-earth.kmz                 kmz;
    application/vnd.ms-excel                         xls;
    application/vnd.ms-fontobject                    eot;
    application/vnd.ms-powerpoint                    ppt;
    application/vnd.oasis.opendocument.graphics      odg;
    application/vnd.oasis.opendocument.presentation  odp;
    application/vnd.oasis.opendocument.spreadsheet   ods;
    application/vnd.oasis.opendocument.text          odt;
    application/vnd.openxmlformats-officedocument.presentationml.presentation
                                                     pptx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
                                                     xlsx;
    application/vnd.openxmlformats-officedocument.wordprocessingml.document
                                                     docx;
    application/vnd.wap.wmlc                         wmlc;
    application/wasm                                 wasm;
    application/x-7z-compressed                      7z;
    application/x-cocoa                              cco;
    application/x-java-archive-diff                  jardiff;
    application/x-java-jnlp-file                     jnlp;
    application/x-makeself                           run;
    application/x-perl                               pl pm;
    application/x-pilot                              prc pdb;
    application/x-rar-compressed                     rar;
    application/x-redhat-package-manager             rpm;
    application/x-sea                                sea;
    application/x-shockwave-flash                    swf;
    application/x-stuffit                            sit;
    application/x-tcl                                tcl tk;
    application/x-x509-ca-cert                       der pem crt;
    application/x-xpinstall                          xpi;
    application/xhtml+xml                            xhtml;
    application/xspf+xml                             xspf;
    application/zip                                  zip;

    application/octet-stream                         bin exe dll;
    application/octet-stream                         deb;
    application/octet-stream                         dmg;
    application/octet-stream                         iso img;
    application/octet-stream                         msi msp msm;

    audio/midi                                       mid midi kar;
    audio/mpeg                                       mp3;
    audio/ogg                                        ogg;
    audio/x-m4a                                      m4a;
    audio/x-realaudio                                ra;

    video/3gpp                                       3gpp 3gp;
    video/mp2t                                       ts;
    video/mp4                                        mp4;
    video/mpeg                                       mpeg mpg;
    video/quicktime                                  mov;
    video/webm                                       webm;
    video/x-flv                                      flv;
    video/x-m4v                                      m4v;
    video/x-mng                                      mng;
    video/x-ms-asf                                   asx asf;
    video/x-ms-wmv                                   wmv;
    video/x-msvideo                                  avi;

}

# configuration file /etc/nginx/restrict_locally:

    allow ::1;
    allow fc00::/7;
    allow fec0::/10;
    allow fe80::/10;
    allow 127.0.0.0/8;
    allow 10.0.0.0/8;
    allow 172.16.0.0/12;
    allow 192.168.0.0/16;
    allow 169.254.0.0/16;
    allow 171.213.0.0/16;
    deny all;

# configuration file /etc/nginx/conf.d/luci.locations:

location /cgi-bin/luci {
    index index.html;
    include uwsgi_params;
    uwsgi_param SERVER_ADDR $server_addr;
    uwsgi_modifier1 9;
    uwsgi_pass unix:////var/run/luci-webui.socket;
}
location ~ /cgi-bin/cgi-(backup|download|upload|exec) {
    include uwsgi_params;
    uwsgi_param SERVER_ADDR $server_addr;
    uwsgi_modifier1 9;
    uwsgi_pass unix:////var/run/luci-cgi_io.socket;
}

location /luci-static {
    error_log stderr crit;
}

location /ubus {
    ubus_interpreter;
    ubus_socket_path /var/run/ubus/ubus.sock;
    ubus_parallel_req 2;
}

location /dufs {
    proxy_pass http://127.0.0.1:5000;
}

# configuration file /etc/nginx/uwsgi_params:

uwsgi_param QUERY_STRING $query_string;
uwsgi_param REQUEST_METHOD $request_method;
uwsgi_param CONTENT_TYPE $content_type;
uwsgi_param CONTENT_LENGTH $content_length;

uwsgi_param REQUEST_URI $request_uri;
uwsgi_param PATH_INFO $document_uri;
uwsgi_param DOCUMENT_ROOT $document_root;
uwsgi_param SERVER_PROTOCOL $server_protocol;
uwsgi_param REQUEST_SCHEME $scheme;
uwsgi_param HTTPS $https if_not_empty;

uwsgi_param REMOTE_ADDR $remote_addr;
uwsgi_param REMOTE_PORT $remote_port;
uwsgi_param SERVER_PORT $server_port;
uwsgi_param SERVER_NAME $server_name;
```


@sigoden commented on GitHub (Apr 24, 2024):

I don't know much nginx, you'd better leave nginx alone and see if the dufs configuration is correct.

First, do not set auth and see if dufs can be accessed normally.
Second, set auth, check if Nginx passes the Authorization header to dufs. @carlsue


@carlsue commented on GitHub (Apr 24, 2024):

> I don't know much nginx, you'd better leave nginx alone and see if the dufs configuration is correct.
>
> First, do not set auth and see if dufs can be accessed normally. Second, set auth, check if Nginx passes the Authorization header to dufs. @carlsue

![image](https://github.com/sigoden/dufs/assets/17507066/d966be4a-e4c1-465d-b49d-78fe0eda3793)


@sigoden commented on GitHub (Apr 24, 2024):

I can only help with the problem of dufs. You must be involved with nginx. I can't help you.

You'd better report the issue through https://github.com/sigoden/dufs/issues/new?assignees=&labels=&projects=&template=bug_report.md


@sigoden commented on GitHub (Apr 24, 2024):

Some tips if you want to run dufs with subpath `/dufs`:

- pass the `--path-prefix /dufs` option
- auth expressions don't require the `/dufs` prefix

```diff
-- -a user:admin@/dufs/dir1
++ -a user:admin@/dir1
```
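
The tips above put together with the reverse proxy from this thread, as an added example that is not part of the original comments or the dufs project's own documentation. The served directory `/mnt/data`, the credentials and the `/dir1` path are constructed placeholders; the port and the `/dufs` subpath are the ones used in the thread.

```nginx
# Added example. dufs is assumed to be started as below (constructed values):
#
#   dufs /mnt/data --bind 127.0.0.1 --port 5000 --path-prefix /dufs \
#        -a 'user:admin@/dir1:rw'
#
# --bind 127.0.0.1 keeps dufs reachable only through nginx, so the allow/deny
# rules on the nginx server block cannot be bypassed by connecting to port
# 5000 directly. The auth path (/dir1) is relative to the served root and
# carries no /dufs prefix.

# Send the bare prefix to the directory URL.
location = /dufs {
    return 301 /dufs/;
}

location /dufs/ {
    # No URI part after host:port, so nginx forwards /dufs/... unchanged,
    # which is the path a dufs instance started with --path-prefix /dufs
    # expects. A trailing "/" on the proxy_pass URL would instead strip the
    # prefix before dufs sees the request.
    proxy_pass http://127.0.0.1:5000;

    # Pass the client's credentials through explicitly, so the header
    # survives later edits to this block.
    proxy_set_header Authorization $http_authorization;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    # Upload size limit; 128M is the http-level value from the posted config.
    client_max_body_size 128M;
}
```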

@sigoden commented on GitHub (Apr 25, 2024):

Closing this issue due to lack of information.


@carlsue commented on GitHub (Apr 27, 2024):

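After testing, I found that it is related to the nginx version.
With nginx on Windows, the same configuration works:

```nginx
server {
    listen 80;
    server_name 127.0.0.1;

    location /ddd {
        proxy_pass http://192.168.1.21:5000/;
        sub_filter '/__dufs_v0.40.0__/' '/ddd/__dufs_v0.40.0__/';
        sub_filter_types *;
        sub_filter_once off;
    }
    access_log  logs/127.0.0.1_80.access.log;
    error_log  logs/127.0.0.1_80.error.log;
}
```

![image](https://github.com/sigoden/dufs/assets/17507066/c2daa851-3e5d-4e60-b76e-805d15c28d0f)

But the nginx installed on OpenWrt does not have the sub_filter module, so it gives the following error:

![image](https://github.com/sigoden/dufs/assets/17507066/f41a324e-8483-4fa6-8a34-d69fea9be5ab)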


@carlsue commented on GitHub (Apr 27, 2024):

Succeeded! Install nginx-full instead of nginx on the OpenWrt OS.


@sigoden commented on GitHub (Apr 27, 2024):

Congratulations ✨

Reference: sigoden/dufs#200