403 Access Denied on Fresh Installation #162

Closed
opened 2025-11-13 11:51:53 -06:00 by GiteaMirror · 3 comments
Originally created by @leopck on GitHub (Mar 21, 2025).

I followed the guide to install, mostly just setting up my DNS to point to my A record IP address on my server, I'm using CloudFlare's DNS but I turned off Proxy so it's just Proxying DNS only so no CloudFlare redirection.

My installation steps are:

```sh
sudo ./installer.sh
# Fill up all the questions
docker compose up -d
```

Then I tried to access via my domain name xyz.com and I got 403 Unauthorized. Also, all the docker logs are not showing any errors :(

traefik logs:

```
{"level":"info","version":"3.3.3","time":"2025-03-21T11:49:35Z","message":"Traefik version 3.3.3 built on 2025-01-31T14:55:01Z"}
{"level":"info","time":"2025-03-21T11:49:35Z","message":"\nStats collection is disabled.\nHelp us improve Traefik by turning this feature on :)\nMore details on: https://doc.traefik.io/traefik/contributing/data-collection/\n"}
{"level":"info","plugins":["crowdsec","badger"],"time":"2025-03-21T11:49:35Z","message":"Loading plugins..."}
{"level":"info","plugins":["crowdsec","badger"],"time":"2025-03-21T11:49:36Z","message":"Plugins loaded."}
{"level":"info","time":"2025-03-21T11:49:36Z","message":"Starting provider aggregator *aggregator.ProviderAggregator"}
{"level":"info","time":"2025-03-21T11:49:36Z","message":"Starting provider *file.Provider"}
{"level":"info","time":"2025-03-21T11:49:36Z","message":"Starting provider *traefik.Provider"}
{"level":"info","time":"2025-03-21T11:49:36Z","message":"Starting provider *http.Provider"}
{"level":"info","time":"2025-03-21T11:49:36Z","message":"Starting provider *acme.ChallengeTLSALPN"}
{"level":"info","time":"2025-03-21T11:49:36Z","message":"Starting provider *acme.Provider"}
{"level":"info","providerName":"letsencrypt.acme","acmeCA":"https://acme-v02.api.letsencrypt.org/directory","time":"2025-03-21T11:49:36Z","message":"Testing certificate renew..."}
{"level":"info","providerName":"letsencrypt.acme","time":"2025-03-21T11:49:44Z","message":"Register..."}
{"level":"warn","time":"2025-03-21T11:59:36Z","message":"A new release of Traefik has been found: 3.3.4. Please consider updating."}
```

gerbil logs:

```
INFO: 2025/03/21 11:49:28 Fetching remote config from http://pangolin:3001/api/v1/gerbil/get-config
INFO: 2025/03/21 11:49:34 Created WireGuard interface wg0
INFO: 2025/03/21 11:49:34 Assigned IP address xx.xx.xx.xx/24 to interface wg0
INFO: 2025/03/21 11:49:34 Attempting to delete existing MSS clamping rule for chain INPUT
INFO: 2025/03/21 11:49:34 Attempting to delete existing MSS clamping rule for chain OUTPUT
INFO: 2025/03/21 11:49:34 Attempting to delete existing MSS clamping rule for chain FORWARD
INFO: 2025/03/21 11:49:34 Adding MSS clamping rule for chain INPUT
INFO: 2025/03/21 11:49:34 Successfully added and verified MSS clamping rule for chain INPUT
INFO: 2025/03/21 11:49:34 Adding MSS clamping rule for chain OUTPUT
INFO: 2025/03/21 11:49:34 Successfully added and verified MSS clamping rule for chain OUTPUT
INFO: 2025/03/21 11:49:34 Adding MSS clamping rule for chain FORWARD
INFO: 2025/03/21 11:49:34 Successfully added and verified MSS clamping rule for chain FORWARD
INFO: 2025/03/21 11:49:34 WireGuard interface wg0 created and configured
INFO: 2025/03/21 11:49:34 Starting server on :3003
```

pangolin logs:

```
> @fosrl/pangolin@0.0.0 start
> NODE_OPTIONS=--enable-source-maps NODE_ENV=development ENVIRONMENT=prod sh -c 'node dist/migrations.mjs && node dist/server.mjs'

Running migrations...
Migrations completed successfully.
2025-03-21T11:49:23.823Z [info]: Server admin (<email>) created
2025-03-21T11:49:26.233Z [info]: API server is running on http://localhost:3000
2025-03-21T11:49:26.288Z [info]: Internal server is running on http://localhost:3001
2025-03-21T11:49:27.094Z [info]: Next.js server is running on http://localhost:3002
2025-03-21T11:49:33.697Z [info]: Created new exit node Exit Node ja/R09vR with address xx.xx.xx.xx/24 and port 51820
```

Crowdsec logs:


```
time="2025-03-21T12:24:40Z" level=info msg="127.0.0.1 - [Fri, 21 Mar 2025 12:24:40 UTC] \"GET /v1/allowlists?with_content=true HTTP/1.1 200 3.459685ms \"crowdsec/v1.6.6-416eb27f-docker\" \""
time="2025-03-21T12:25:40Z" level=info msg="127.0.0.1 - [Fri, 21 Mar 2025 12:25:40 UTC] \"GET /v1/heartbeat HTTP/1.1 200 5.426621ms \"crowdsec/v1.6.6-416eb27f-docker\" \""
time="2025-03-21T12:25:40Z" level=info msg="127.0.0.1 - [Fri, 21 Mar 2025 12:25:40 UTC] \"GET /v1/allowlists?with_content=true HTTP/1.1 200 1.376711ms \"crowdsec/v1.6.6-416eb27f-docker\" \""
```


@oschwartz10612 commented on GitHub (Mar 21, 2025):

My guess is that this is crowdsec blocking you. You could try to disable crowdsec or whitelist your host. Take a look at a couple of hhf's guides:

https://forum.hhf.technology/t/crowdsec-manager-for-pangolin-user-guide/579
https://forum.hhf.technology/t/whitelisting-ips-and-users-in-crowdsec-with-pangolin/575


@leopck commented on GitHub (Mar 21, 2025):

> My guess is that this is crowdsec blocking you. You could try to disable crowdsec or whitelist your host. Take a look at a couple of hhf's guides:
>
> https://forum.hhf.technology/t/crowdsec-manager-for-pangolin-user-guide/579 https://forum.hhf.technology/t/whitelisting-ips-and-users-in-crowdsec-with-pangolin/575

I believe it could be related to this as well.

I got it to work but I don't see why.

So my VPC's name is XYZ and during the installation, initially I chose my Dashboard domain name to be ABC, so that it uses ABC.example.com however, if I were to set to use my VPN's hostname which is XYZ as my Dashboard domain name meaning XYZ.example.com, it works...


@oschwartz10612 commented on GitHub (Mar 30, 2025):

Feel free to reopen if you still have the issue!


Reference: github-starred/pangolin#162