Manoj Swami
Troubleshooting Nginx Permission Issues for Stripe Domain Verification

Setting up Stripe's Apple Pay integration involves verifying your domain by serving a specific file via a .well-known path. However, if you're running your server with Nginx, you might encounter a 403 Forbidden error when attempting to access this file. In this post, I'll walk you through the steps to resolve this issue and ensure smooth domain verification.

The Problem

After adding the required apple-developer-merchantid-domain-association file to the .well-known directory and configuring Nginx, you might run into a 403 Forbidden error when trying to access the file via your browser or a tool like curl. This error typically indicates a permissions issue, meaning Nginx can't read the file.

Here's how to troubleshoot and resolve this issue.

Step 1: Understand the Nginx Configuration

First, ensure that your Nginx configuration for the .well-known path is set up correctly. Below is an example of a typical configuration block:

location /.well-known/apple-developer-merchantid-domain-association {
    alias /home/ubuntu/project-folder/dist/.well-known/apple-developer-merchantid-domain-association;
    default_type text/plain;
}

Key Points:

  • alias: Ensure the alias directive correctly points to the full file path.
  • default_type: Set to text/plain to ensure the correct content type.

Step 2: Check File and Directory Permissions

Permissions are a common cause of the 403 Forbidden error. To fix this:

  1. Set Proper Ownership: The Nginx user (often www-data) should own the .well-known directory and its contents.
   sudo chown -R www-data:www-data /home/ubuntu/project-folder/dist/.well-known/
  2. Adjust Permissions:
    • Directories should typically have 755 permissions (drwxr-xr-x).
    • Files should have 644 permissions (-rw-r--r--).

Run the following commands:

   sudo chmod 755 /home/ubuntu/project-folder/dist/.well-known/
   sudo chmod 644 /home/ubuntu/project-folder/dist/.well-known/apple-developer-merchantid-domain-association
  3. Verify Permissions of Parent Directories: The Nginx user needs execute (search) permission on every parent directory, not just on .well-known itself. Adjust them if necessary:
   sudo chmod o+x /home
   sudo chmod o+x /home/ubuntu
   sudo chmod o+x /home/ubuntu/project-folder
   sudo chmod o+x /home/ubuntu/project-folder/dist

Step 3: Restart Nginx

After making these changes, restart Nginx to apply the new settings:

sudo systemctl restart nginx

Step 4: Verify Access

Now, test the file access again:

curl -I http://yourdomain.com/.well-known/apple-developer-merchantid-domain-association

You should see a 200 OK response, indicating that the file is accessible.
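The script below is an example added to this post (it is not part of the original article) that automates the checks behind Step 2 and the curl test in Step 4. It walks every directory from / down to the verification file and reports which component lacks the bit an Nginx worker running as www-data would need when it is neither the owner nor in the group (the "other" bits, which is what `namei -l` lets you read by eye), then optionally asks the server for the file. The temporary directory tree, the file contents and the `--demo` flag are constructed for this example and are not the post's real paths.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post. Checks the filesystem chain
# that Nginx must traverse to read the Apple Pay verification file and reports
# the first thing that would produce a 403 "Permission denied".
# All paths and file contents used by demo() are constructed placeholders.

# mode_of PATH -> the 10-character mode string, e.g. drwxr-xr-x
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# check_path_access FILE
# Prints one line per blocking component. Returns 0 when every ancestor
# directory is searchable by "other" and the file is readable by "other",
# 1 otherwise. Only the "other" bits are inspected: that is the conservative
# model for a worker user that owns none of the parent directories.
check_path_access() {
    local target="$1" dir mode rc=0
    # Make the path absolute so the walk always ends at /
    case "$target" in /*) ;; *) target="$PWD/$target" ;; esac

    dir="$target"
    while [ "$dir" != "/" ]; do
        dir=$(dirname "$dir")
        mode=$(mode_of "$dir")
        case "$mode" in
            d????????[xt]) ;;   # 'x', or sticky 't', both carry the search bit
            *) printf 'BLOCKED: %s is %s (needs o+x)\n' "$dir" "$mode"; rc=1 ;;
        esac
    done

    if [ ! -e "$target" ]; then
        printf 'MISSING: %s\n' "$target"
        return 1
    fi
    mode=$(mode_of "$target")
    case "$mode" in
        -??????r??) ;;           # world-readable regular file
        *) printf 'BLOCKED: %s is %s (needs o+r)\n' "$target" "$mode"; rc=1 ;;
    esac
    return "$rc"
}

# verify_http URL -> 0 when the server answers 200, otherwise prints the
# status code and returns 1 (the same check as "curl -I" in Step 4).
verify_http() {
    local code
    code=$(curl -s -o /dev/null -w '%{http_code}' "$1")
    [ "$code" = "200" ] && return 0
    printf 'HTTP %s for %s\n' "$code" "$1"
    return 1
}

# demo: build a throwaway tree in which the project folder is mode 750, which
# reproduces the symptom, then grant only the missing search bit and re-check.
demo() {
    local root file
    root=$(mktemp -d)
    chmod 755 "$root"                      # mktemp -d creates the dir as 700
    mkdir -p "$root/project-folder/dist/.well-known"
    file="$root/project-folder/dist/.well-known/apple-developer-merchantid-domain-association"
    printf 'constructed placeholder, not a real association file\n' > "$file"
    chmod 750 "$root/project-folder"
    chmod 755 "$root/project-folder/dist" "$root/project-folder/dist/.well-known"
    chmod 644 "$file"

    echo "--- before"
    check_path_access "$file" || true
    chmod o+x "$root/project-folder"
    echo "--- after"
    check_path_access "$file" && echo "OK: chain is traversable and file is readable"
    rm -rf "$root"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run it with `--demo` to watch the failing and fixed runs on a throwaway tree, or call `check_path_access` on the real path from the post. Because it names the exact component that blocks access, you can grant just that search bit rather than relaxing the whole chain; note that `o+x` on a home directory lets every local account traverse it, so serving the built `dist` from a dedicated web root is the tighter option when other users share the machine.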

Additional Considerations

SELinux or AppArmor

If you're still experiencing issues and your server uses SELinux or AppArmor, these security modules might be blocking access. You can temporarily disable SELinux to test if it's the culprit:

sudo setenforce 0

If disabling SELinux resolves the issue, you'll need to adjust the security context:

sudo chcon -R --type=httpd_sys_content_t /home/ubuntu/project-folder/dist/.well-known/

Directory Indexing

If directory indexing is enabled, Nginx might look for an index file and throw a 403 if it doesn't find one. You can disable directory listing with:

autoindex off;

Add this line within your .well-known location block in the Nginx configuration.

Conclusion

By following these steps, you should be able to resolve any 403 Forbidden errors when serving the apple-developer-merchantid-domain-association file via Nginx. Proper file permissions and understanding Nginx’s configuration are crucial in preventing these issues.
