Needing help with a Fedora 42 Nginx breakage


I have a Fedora IoT machine that I use as a reverse proxy. For months, Fedora 41 + Nginx served that role well, proxying data to the right webservers. When Fedora IoT moved to Fedora 42, one of my servers (InvoiceNinja + Debian + Nginx) started to exhibit issues.

InvoiceNinja users could no longer view client PDFs or log in from outside of the LAN. They could view the site login page and client landing pages. For users on the LAN everything functions just fine. Using the magic of Fedora IoT, I rebooted the device into the previous Fedora 41 ostree branch and everything works again. What changed in Fedora 42 that might cause this? I believe the Nginx version is the same between both: “nginx version: nginx/1.26.3”

Also I believe it is just InvoiceNinja, other webservers like Nextcloud and Bookstack seem to be fine.

Here is the proxy config file that works in Fedora 41, but not in Fedora 42.

server {
#    if ($host = REDACTED.SERVER.NAME) {
#        return 301 https://$host$request_uri;
#    } # managed by Certbot

        listen 80;
        server_name REDACTED.SERVER.NAME;
#   return 404; # managed by Certbot
        location / {
                proxy_pass http://XXX.XXX.X.XX;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
}

server {
        listen 443 ssl;
        server_name REDACTED.SERVER.NAME;
        location / {
                proxy_pass https://XXX.XXX.X.XX;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    ssl_certificate /etc/letsencrypt/live/REDACTED.SERVER.NAME/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/REDACTED.SERVER.NAME/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

Also here is the main nginx.conf file:

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /run/nginx.pid;

events {
    worker_connections 1024;
}
http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    keepalive_timeout   65;
    types_hash_max_size 4096;
    client_max_body_size 12000M;
    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;
    include /etc/nginx/conf.d/*.conf;

    server {
        listen       80;
        listen       [::]:80;
        server_name  _;
        root         /usr/share/nginx/html;
        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;
    }
}

Edit: If any other information would be helpful, please feel free to let me know.

You can do some additional investigation by comparing the changed packages between the “good” and “bad” versions of IoT:

rpm-ostree db diff <good commit> <bad commit>

Where the commits are the Commit values found in rpm-ostree status. For example:

$ rpm-ostree status
State: idle
Deployments:
● fedora-iot:fedora/stable/x86_64/iot
                  Version: 42.20250601.0 (2025-06-01T11:14:00Z)
                   Commit: 16efd3ebe5badbfbda7149e3214e4e2bc853bf2e4ab544c5c7b931f3be6ea7d1
             GPGSignature: Valid signature by B0F4950458F69E1150C6C5EDC8AC4916105EF944

  fedora-iot:fedora/stable/x86_64/iot
                  Version: 42.20250429.0 (2025-04-29T14:29:47Z)
                   Commit: f2a7a92c7363822c198a3148af9247f94f8c3305ba3f8778a86836c253cc1ed0
             GPGSignature: Valid signature by B0F4950458F69E1150C6C5EDC8AC4916105EF944
[core@localhost ~]$ rpm-ostree db diff f2a7a92c7363822c198a3148af9247f94f8c3305ba3f8778a86836c253cc1ed0 16efd3ebe5badbfbda7149e3214e4e2bc853bf2e4ab544c5c7b931f3be6ea7d1
ostree diff commit from: f2a7a92c7363822c198a3148af9247f94f8c3305ba3f8778a86836c253cc1ed0
ostree diff commit to:   16efd3ebe5badbfbda7149e3214e4e2bc853bf2e4ab544c5c7b931f3be6ea7d1
Upgraded:
  aardvark-dns 2:1.14.0-1.fc42 -> 2:1.15.0-1.fc42
  alternatives 1.32-1.fc42 -> 1.33-1.fc42
  atheros-firmware 20250410-1.fc42 -> 20250509-1.fc42
  bootc 1.1.7-1.fc42 -> 1.3.0-1.fc42
  bootupd 0.2.26-3.fc42 -> 0.2.27-2.fc42
  brcmfmac-firmware 20250410-1.fc42 -> 20250509-1.fc42
  container-selinux 4:2.236.0-1.fc42 -> 4:2.237.0-1.fc42
  containernetworking-plugins 1.6.2-2.fc42 -> 1.7.1-1.fc42
  containers-common 5:0.62.2-1.fc42 -> 5:0.63.0-1.fc42
  containers-common-extra 5:0.62.2-1.fc42 -> 5:0.63.0-1.fc42
  coreutils 9.6-2.fc42 -> 9.6-4.fc42
  coreutils-common 9.6-2.fc42 -> 9.6-4.fc42
  elfutils-default-yama-scope 0.192-9.fc42 -> 0.193-2.fc42
  elfutils-libelf 0.192-9.fc42 -> 0.193-2.fc42
  elfutils-libs 0.192-9.fc42 -> 0.193-2.fc42
  filesystem 3.18-36.fc42 -> 3.18-42.fc42
  fwupd 2.0.8-1.fc42 -> 2.0.10-1.fc42
  fwupd-plugin-modem-manager 2.0.8-1.fc42 -> 2.0.10-1.fc42
  fwupd-plugin-uefi-capsule-data 2.0.8-1.fc42 -> 2.0.10-1.fc42
  glib2 2.84.1-1.fc42 -> 2.84.2-1.fc42
  hwdata 0.394-1.fc42 -> 0.395-1.fc42
  iptables-libs 1.8.11-6.fc42 -> 1.8.11-8.fc42
  iputils 20240905-3.fc42 -> 20240905-4.fc42
  iwlwifi-mvm-firmware 20250410-1.fc42 -> 20250509-1.fc42
  kernel 6.14.4-300.fc42 -> 6.14.9-300.fc42
  kernel-core 6.14.4-300.fc42 -> 6.14.9-300.fc42
  kernel-modules 6.14.4-300.fc42 -> 6.14.9-300.fc42
  kernel-modules-core 6.14.4-300.fc42 -> 6.14.9-300.fc42
  libgcc 15.1.1-1.fc42 -> 15.1.1-2.fc42
  libgomp 15.1.1-1.fc42 -> 15.1.1-2.fc42
  libmodulemd 2.15.0-16.fc42 -> 2.15.1-1.fc42
  libstdc++ 15.1.1-1.fc42 -> 15.1.1-2.fc42
  linux-firmware 20250410-1.fc42 -> 20250509-1.fc42
  linux-firmware-whence 20250410-1.fc42 -> 20250509-1.fc42
  microcode_ctl 2:2.1-69.fc42 -> 2:2.1-70.fc42
  mpdecimal 4.0.0-2.fc42 -> 4.0.1-1.fc42
  netavark 2:1.14.1-1.fc42 -> 2:1.15.1-1.fc42
  openssh 9.9p1-10.fc42 -> 9.9p1-11.fc42
  openssh-clients 9.9p1-10.fc42 -> 9.9p1-11.fc42
  openssh-server 9.9p1-10.fc42 -> 9.9p1-11.fc42
  pam 1.7.0-4.fc42 -> 1.7.0-5.fc42
  pam-libs 1.7.0-4.fc42 -> 1.7.0-5.fc42
  passim-libs 0.1.9-1.fc42 -> 0.1.10-1.fc42
  passt 0^20250415.g2340bbf-1.fc42 -> 0^20250512.g8ec1341-1.fc42
  passt-selinux 0^20250415.g2340bbf-1.fc42 -> 0^20250512.g8ec1341-1.fc42
  podman 5:5.4.2-1.fc42 -> 5:5.5.0-1.fc42
  polkit 126-2.fc42 -> 126-3.fc42
  polkit-libs 126-2.fc42 -> 126-3.fc42
  realtek-firmware 20250410-1.fc42 -> 20250509-1.fc42
  rpm-ostree 2025.7-1.fc42 -> 2025.8-1.fc42
  rpm-ostree-libs 2025.7-1.fc42 -> 2025.8-1.fc42
  selinux-policy 41.38-1.fc42 -> 41.41-1.fc42
  selinux-policy-targeted 41.38-1.fc42 -> 41.41-1.fc42
  systemd 257.5-2.fc42 -> 257.6-1.fc42
  systemd-libs 257.5-2.fc42 -> 257.6-1.fc42
  systemd-pam 257.5-2.fc42 -> 257.6-1.fc42
  systemd-resolved 257.5-2.fc42 -> 257.6-1.fc42
  systemd-shared 257.5-2.fc42 -> 257.6-1.fc42
  systemd-sysusers 257.5-2.fc42 -> 257.6-1.fc42
  systemd-udev 257.5-2.fc42 -> 257.6-1.fc42
  vim-data 2:9.1.1275-1.fc42 -> 2:9.1.1418-1.fc42
  vim-minimal 2:9.1.1275-1.fc42 -> 2:9.1.1418-1.fc42
  wpa_supplicant 1:2.11-4.fc42 -> 1:2.11-6.fc42

Is there anything in the nginx logs? Or logs on the webservers that would indicate the issue?

@miabbott Thank you for the response. I followed your advice and looked at the diff between the commits. Lots of changes, but nothing jumped out to me as a culprit.

Is there anything in the nginx logs? Or logs on the webservers that would indicate the issue? -miabbott

I had looked over my logs initially, but took a glance again today and there it was.

2025/06/02 15:43:50 [crit] 1194#1194: *420 open() “/var/lib/nginx/tmp/proxy/1/00/0000000001” failed (13: Permission denied) while reading upstream, client: XXX.XX.XXX.XXX, server: REDACTED.SERVER.NAME, request: “GET /client/showBlob/4ookTzLEswxVbw80LRurfTyXcdvIaJr3ClhoJaE3U1EKGnZsYAnWP3BLNMIThZme HTTP/1.1”, upstream: “https://REDACTED.SERVER.NAME/client/showBlob/4ookTzLEswxVbw80LRurfTyXcdvIaJr3ClhoJaE3U1EKGnZsYAnWP3BLNMIThZme”, host: “REDACTED.SERVER.NAME”, referrer: "https://REDACTED.SERVER.NAME/client/invoices/K9b68pReEv?silent=true

According to this very old post, it is a permission error on “/var/lib/nginx/tmp/proxy”. I checked the folder with ls -l /var/lib/nginx/tmp/proxy/ and it showed all users and groups to be 980:980. I ran the following, as my webuser is nginx, chown -R nginx:root /var/lib/nginx/tmp/proxy && systemctl restart nginx and now the PDFs load again on my InvoiceNinja server. Not sure why the ownership changed in F42 and properly reverted when I rolled back to F41. Over the next few days I will continue to look for other regressions, but it seems back to normal. Thank you very much for the help and also for getting me to read the logs more carefully :wink:.


This might be related to the sysusers change that landed in F42 - Changes/RPMSuportForSystemdSysusers - Fedora Project Wiki

We have seen issues in the rpm-ostree ecosystem where upgrading to F42 is causing problems with UIDs/GIDs (or sometimes not upgrading at all) due to how rpm-ostree is handling the sysusers, e.g. Cannot layer any package adding a user or group on Fedora 42 · Issue #5365 · coreos/rpm-ostree · GitHub

Fixes are still being worked on, but it would be wise to inspect your systems to make sure there is no other UID/GID drift happening.

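One way to do the UID/GID inspection suggested in the thread, as an added example that is not part of the original posts or of rpm-ostree: it lists files whose numeric owner or group has no account entry, the state found on /var/lib/nginx/tmp/proxy (980:980). The function names and the script name check-id-drift.sh are hypothetical, and it does not catch an ID that now resolves to a different account than before.

```shell
#!/bin/sh
# Added example (not from the thread): list files whose numeric owner or
# group has no entry in the account databases, the state the thread found
# on /var/lib/nginx/tmp/proxy (shown by ls as 980:980).
# Requires a stat that supports -c (GNU coreutils or busybox).

# orphaned_owners ROOT PASSWD_FILE GROUP_FILE
# Prints "uid:gid path" for every entry under ROOT whose uid is missing from
# PASSWD_FILE or whose gid is missing from GROUP_FILE (passwd/group format).
orphaned_owners() {
    # Unreadable directories are skipped silently; run as root for full coverage.
    find "$1" -xdev -exec stat -c '%u %g %n' {} + 2>/dev/null |
    awk -v pw="$2" -v gr="$3" '
        BEGIN {
            while ((getline line < pw) > 0) { split(line, f, ":"); uid[f[3]] = 1 }
            while ((getline line < gr) > 0) { split(line, f, ":"); gid[f[3]] = 1 }
        }
        {
            # Everything after the two numeric fields is the path (may contain spaces).
            path = substr($0, length($1) + length($2) + 3)
            if (!($1 in uid) || !($2 in gid)) print $1 ":" $2 " " path
        }'
}

# summarize_ids: reads orphaned_owners output, prints "count uid:gid" per ID pair.
summarize_ids() {
    cut -d' ' -f1 | sort | uniq -c | awk '{ print $1, $2 }'
}

# Run only when directories are given: sh check-id-drift.sh /var/lib /var/log /etc
if [ "$#" -gt 0 ]; then
    tmp=$(mktemp -d) || exit 1
    trap 'rm -rf "$tmp"' EXIT
    # getent also sees accounts that live outside /etc/passwd.
    getent passwd > "$tmp/passwd"
    getent group > "$tmp/group"
    for dir in "$@"; do
        orphaned_owners "$dir" "$tmp/passwd" "$tmp/group"
    done | tee "$tmp/report"
    echo "--- files per unresolved uid:gid ---"
    summarize_ids < "$tmp/report"
fi
```

Running it on both the working and the upgraded deployment and comparing the two reports shows which service directories lost their owner across the upgrade.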