403 Forbidden on EC2 Foundry setup

1. The problem I’m having:

I’m trying to access my Foundry server and set up a domain name to access it on EC2. Checking on DNS lookup, it’s forwarded through the correct DNS A records, but when I arrive at my server, I’m getting the following:
```
curl -vL www.drunkgoblindnd.com
*   Trying 66.96.162.128:80...
* Connected to www.drunkgoblindnd.com (66.96.162.128) port 80 (#0)
> GET / HTTP/1.1
> Host: www.drunkgoblindnd.com
> User-Agent: curl/7.81.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 403 Forbidden
< Date: Mon, 25 Mar 2024 17:40:34 GMT
< Content-Type: text/html; charset=iso-8859-1
< Content-Length: 209
< Connection: keep-alive
< Server: Apache
< Age: 0
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /
on this server.<br />
</p>
</body></html>
```

2. Error messages and/or full log output:

Mar 25 17:28:25 ip-172-31-12-253 caddy[1742]: {"level":"info","ts":1711387705.0895047,"logger":"http.auto_https","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
Mar 25 17:28:25 ip-172-31-12-253 caddy[1742]: {"level":"info","ts":1711387705.089632,"logger":"http.auto_https","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
Mar 25 17:28:25 ip-172-31-12-253 caddy[1742]: {"level":"debug","ts":1711387705.0897686,"logger":"http.auto_https","msg":"adjusted config","tls":{"automation":{"policies":[{}]}},"http":{"servers":{"remaining_auto_https_redirects":{"listen":[":80"],"routes":[{},{}],"logs":{"logger_names":{"drunkgoblindnd.com":"log0"}}},"srv0":{"listen":[":443"],"routes":[{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"localhost:30000"}]}]}]}],"terminal":true}],"tls_connection_policies":[{}],"automatic_https":{},"logs":{"logger_names":{"drunkgoblindnd.com":"log0"}}}}}}
Mar 25 17:28:25 ip-172-31-12-253 caddy[1742]: {"level":"debug","ts":1711387705.0901117,"logger":"http","msg":"starting server loop","address":"[::]:80","tls":false,"http3":false}
Mar 25 17:28:25 ip-172-31-12-253 caddy[1742]: {"level":"info","ts":1711387705.0902526,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
Mar 25 17:28:25 ip-172-31-12-253 caddy[1742]: {"level":"info","ts":1711387705.0904036,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
Mar 25 17:28:25 ip-172-31-12-253 caddy[1742]: {"level":"debug","ts":1711387705.090537,"logger":"http","msg":"starting server loop","address":"[::]:443","tls":true,"http3":true}
Mar 25 17:28:25 ip-172-31-12-253 caddy[1742]: {"level":"info","ts":1711387705.0906632,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
Mar 25 17:28:25 ip-172-31-12-253 caddy[1742]: {"level":"info","ts":1711387705.0907686,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["drunkgoblindnd.com"]}
Mar 25 17:28:25 ip-172-31-12-253 caddy[1742]: {"level":"info","ts":1711387705.0908813,"logger":"http","msg":"servers shutting down with eternal grace period"}
Mar 25 17:28:25 ip-172-31-12-253 caddy[1742]: {"level":"info","ts":1711387705.0912194,"msg":"autosaved config (load with --resume flag)","file":"/var/lib/caddy/.config/caddy/autosave.json"}
Mar 25 17:28:25 ip-172-31-12-253 caddy[1742]: {"level":"info","ts":1711387705.0912912,"logger":"admin.api","msg":"load complete"}
Mar 25 17:28:25 ip-172-31-12-253 systemd[1]: Reloaded Caddy.
Mar 25 17:28:25 ip-172-31-12-253 caddy[1742]: {"level":"info","ts":1711387705.0938187,"logger":"admin","msg":"stopped previous server","address":"localhost:2019"}
Mar 25 17:30:23 ip-172-31-12-253 systemd[1]: Reloading Caddy...
Mar 25 17:30:23 ip-172-31-12-253 caddy[2391]: {"level":"info","ts":1711387823.9297748,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":""}
Mar 25 17:30:23 ip-172-31-12-253 caddy[2391]: {"level":"warn","ts":1711387823.9313874,"msg":"Caddyfile input is not formatted; run 'caddy fmt --overwrite' to fix inconsistencies","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":5}
Mar 25 17:30:23 ip-172-31-12-253 caddy[1742]: {"level":"info","ts":1711387823.932448,"logger":"admin.api","msg":"received request","method":"POST","host":"localhost:2019","uri":"/load","remote_ip":"127.0.0.1","remote_port":"36624","headers":{"Accept-Encoding":["gzip"],"Cache-Control":["must-revalidate"],"Content-Length":["520"],"Content-Type":["application/json"],"Origin":["http://localhost:2019"],"User-Agent":["Go-http-client/1.1"]}}
Mar 25 17:30:23 ip-172-31-12-253 caddy[1742]: {"level":"info","ts":1711387823.9335504,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
Mar 25 17:30:23 ip-172-31-12-253 caddy[1742]: {"level":"info","ts":1711387823.933658,"logger":"http.auto_https","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
Mar 25 17:30:23 ip-172-31-12-253 caddy[1742]: {"level":"info","ts":1711387823.9336793,"logger":"http.auto_https","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
Mar 25 17:30:23 ip-172-31-12-253 caddy[1742]: {"level":"debug","ts":1711387823.9337103,"logger":"http.auto_https","msg":"adjusted config","tls":{"automation":{"policies":[{}]}},"http":{"servers":{"remaining_auto_https_redirects":{"listen":[":80"],"routes":[{},{}],"logs":{"logger_names":{"drunkgoblindnd.com":"log0"}}},"srv0":{"listen":[":443"],"routes":[{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"localhost:30000"}]}]}]}],"terminal":true}],"tls_connection_policies":[{}],"automatic_https":{},"logs":{"logger_names":{"drunkgoblindnd.com":"log0"}}}}}}
Mar 25 17:30:23 ip-172-31-12-253 caddy[1742]: {"level":"info","ts":1711387823.9338746,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
Mar 25 17:30:23 ip-172-31-12-253 caddy[1742]: {"level":"debug","ts":1711387823.9340672,"logger":"http","msg":"starting server loop","address":"[::]:443","tls":true,"http3":true}
Mar 25 17:30:23 ip-172-31-12-253 caddy[1742]: {"level":"info","ts":1711387823.9342475,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
Mar 25 17:30:23 ip-172-31-12-253 caddy[1742]: {"level":"debug","ts":1711387823.9343302,"logger":"http","msg":"starting server loop","address":"[::]:80","tls":false,"http3":false}
Mar 25 17:30:23 ip-172-31-12-253 caddy[1742]: {"level":"info","ts":1711387823.9343426,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
Mar 25 17:30:23 ip-172-31-12-253 caddy[1742]: {"level":"info","ts":1711387823.9343488,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["drunkgoblindnd.com"]}
Mar 25 17:30:23 ip-172-31-12-253 caddy[1742]: {"level":"info","ts":1711387823.9343667,"logger":"http","msg":"servers shutting down with eternal grace period"}
Mar 25 17:30:23 ip-172-31-12-253 caddy[1742]: {"level":"info","ts":1711387823.9346437,"msg":"autosaved config (load with --resume flag)","file":"/var/lib/caddy/.config/caddy/autosave.json"}
Mar 25 17:30:23 ip-172-31-12-253 caddy[1742]: {"level":"info","ts":1711387823.934708,"logger":"admin.api","msg":"load complete"}
Mar 25 17:30:23 ip-172-31-12-253 caddy[1742]: {"level":"info","ts":1711387823.9357462,"logger":"admin","msg":"stopped previous server","address":"localhost:2019"}
Mar 25 17:30:23 ip-172-31-12-253 systemd[1]: Reloaded Caddy.
Mar 25 17:30:53 ip-172-31-12-253 caddy[1742]: {"level":"info","ts":1711387853.9172552,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"87.121.69.52","remote_port":"51878","client_ip":"87.121.69.52","proto":"HTTP/1.1","method":"CONNECT","host":"google.com:443","uri":"google.com:443","headers":{"User-Agent":["Go-http-client/1.1"]}},"bytes_read":0,"user_id":"","duration":0.000036509,"size":0,"status":308,"resp_headers":{"Connection":["close"],"Location":["https://google.com/"],"Content-Type":[],"Server":["Caddy"]}}
Mar 25 17:33:55 ip-172-31-12-253 caddy[1742]: {"level":"info","ts":1711388035.797525,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"135.125.246.110","remote_port":"43816","client_ip":"135.125.246.110","proto":"HTTP/1.1","method":"GET","host":"18.226.165.0","uri":"/.env","headers":{"Connection":["keep-alive"],"Accept-Encoding":["gzip, deflate"],"Accept":["*/*"],"User-Agent":["Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36"]}},"bytes_read":0,"user_id":"","duration":0.000037236,"size":0,"status":308,"resp_headers":{"Server":["Caddy"],"Connection":["close"],"Location":["https://18.226.165.0/.env"],"Content-Type":[]}}
Mar 25 17:33:56 ip-172-31-12-253 caddy[1742]: {"level":"info","ts":1711388036.0502868,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"135.125.246.110","remote_port":"44134","client_ip":"135.125.246.110","proto":"HTTP/1.1","method":"POST","host":"18.226.165.0","uri":"/","headers":{"User-Agent":["Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36"],"Connection":["keep-alive"],"Content-Type":["application/x-www-form-urlencoded"],"Content-Length":["20"],"Accept-Encoding":["gzip, deflate"],"Accept":["*/*"]}},"bytes_read":0,"user_id":"","duration":0.000039274,"size":0,"status":308,"resp_headers":{"Server":["Caddy"],"Connection":["close"],"Location":["https://18.226.165.0/"],"Content-Type":[]}}

3. Caddy version:

v2.7.6 h1:w0NymbG2m9PcvKWsrXO6EEkY9Ru4FJK8uQbYcev1p3A=

4. How I installed and ran Caddy:

```
sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list

sudo apt update
sudo apt install caddy -y
```


### d. My complete Caddy config:

```
# A CONFIG SECTION FOR YOUR HOSTNAME

{
    debug
}
https://drunkgoblindnd.com {
    reverse_proxy localhost:30000

    log {
        output file /var/log/caddy/access.log
    }
}

# Refer to the Caddy docs for more information:
# The Caddyfile — Caddy Documentation
```



### 5. Links to relevant resources:
This is the guide I followed: 
https://foundryvtt.wiki/en/setup/linux-installation

This doesn’t seem like a problem with Caddy. Your upstream app is responding with a 403. We can’t help with that, you’ll need to find out why the app is doing that.

Edit: Oh scratch that, you’re not even hitting Caddy. I don’t think your DNS is correct, you’re hitting an Apache server instead.

You made a request to www.drunkgoblindnd.com but your Caddyfile is only configured for drunkgoblindnd.com. Those are different domains, and have different DNS configuration. In fact, they resolve to different IPs right now:

```
$ host www.drunkgoblindnd.com
www.drunkgoblindnd.com has address 66.96.162.128

$ host drunkgoblindnd.com
drunkgoblindnd.com has address 18.226.165.0
```
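
The mismatch described in the reply can be checked mechanically. The sketch below is an added example, not part of the original thread or of Caddy: it extracts the hostnames of the Caddyfile's site blocks and compares where a requested name resolves against the server's address. The helper names `site_hosts` and `diagnose` and the inline DNS table (taken from the `host` output above) are assumptions for illustration, and the parser handles only plain site addresses, not snippets or wildcards.

```python
import re
import socket
# Constructed sample: the Caddyfile from the question, comments omitted.
CADDYFILE = """\
{
    debug
}
https://drunkgoblindnd.com {
    reverse_proxy localhost:30000
    log {
        output file /var/log/caddy/access.log
    }
}
"""
# DNS answers as shown by `host` in the reply, used instead of a live lookup.
DNS = {"www.drunkgoblindnd.com": "66.96.162.128", "drunkgoblindnd.com": "18.226.165.0"}

def site_hosts(caddyfile):
    """Return the hostnames of the top-level site blocks in a Caddyfile."""
    hosts, depth = set(), 0
    for raw in caddyfile.splitlines():
        line = raw.split("#", 1)[0].strip()
        # A bare "{" at depth 0 opens the global options block, not a site.
        if depth == 0 and line.endswith("{") and line != "{":
            for addr in re.split(r"[,\s]+", line[:-1].strip()):
                addr = re.sub(r"^https?://", "", addr)  # drop the scheme
                addr = re.sub(r":\d+$", "", addr)       # drop an explicit port
                if addr:
                    hosts.add(addr.lower())
        depth += line.count("{") - line.count("}")
    return hosts

def diagnose(hostname, caddyfile, server_ip, resolve=socket.gethostbyname):
    """List the reasons a request for `hostname` would not be served by this Caddy."""
    problems = []
    if hostname.lower() not in site_hosts(caddyfile):
        problems.append("no site block for " + hostname)
    try:
        ip = resolve(hostname)
    except OSError as exc:
        problems.append(f"{hostname} does not resolve: {exc}")
    else:
        if ip != server_ip:
            problems.append(f"{hostname} resolves to {ip}, not {server_ip}")
    return problems

if __name__ == "__main__":
    for name in DNS:
        print(name, diagnose(name, CADDYFILE, "18.226.165.0", DNS.__getitem__) or "ok")
```

Omitting the `resolve` argument makes `diagnose` use a live lookup through `socket.gethostbyname`.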