nginxssldocker-composegoogle-tag-manager

Server-Side GTM not (always) serving gtag.js with Nginx/Docker


I've been setting up a Server-Side GTM manually on a server, using Docker and Google's gcr.io/cloud-tagging-10302018/gtm-cloud-image:stable image. I am serving it with Nginx to a vhost such as sst.domain.com. Looking at healthz returns a 200 Ok message. I've been configuring the server container through Tag Manager and all set up as per the docs. If I cURL my preview server with my container config, I can follow the page-view event on the GTM preview interface. So, everything looks great until I try to load the gtag.js script from my server.

Using chrome to access https://sst.domain.com/gtag/js?id=G-XXXXXX will lead to a ERR_CONNECTION_REFUSED and using cURL will respond with the actual js code. If I load the script in an app such as described in the docs, I'll get an error. Note that I followed the docs and configured the client in GTM for my server container to be able to serve the file (Default gtag.js paths for specific IDs).

That leads me to think there is a misconfiguration with my web server. Any clues about what I should look at in my conf file? I've tried over http1.1, without any headers or other ssl configuration, and that doesn't change a thing to my problem. Or maybe the problem lies elsewhere? Thanks!

server {
  listen 80;
  server_name sst.domain.com;

  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
  add_header X-XSS-Protection "1; mode=block";
  add_header X-Frame-Options "SAMEORIGIN";
  add_header X-Content-Type-Options nosniff;
  add_header Set-Cookie "Path=/; HttpOnly; Secure";

}

server {
  listen 443 ssl;
  http2 on;
  server_name sst.domain.com;

  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
  add_header X-XSS-Protection "1; mode=block";
  add_header X-Frame-Options "SAMEORIGIN";
  add_header X-Content-Type-Options nosniff;
  add_header Set-Cookie "Path=/; HttpOnly; Secure";

  ssl_session_timeout 1d;
  ssl_session_cache shared:MozSSL:10m;
  ssl_session_tickets off;

  ssl_protocols TLSv1.3;
  ssl_prefer_server_ciphers off;

  ssl_stapling on;
  ssl_stapling_verify on;

  ssl_certificate /etc/nginx/ssl/sst.domain.com.crt;
  ssl_certificate_key /etc/nginx/ssl/sst.domain.com.key;

  client_body_buffer_size 10K; 
  client_header_buffer_size 1k;
  client_max_body_size 8m;
  large_client_header_buffers 2 1k;

  client_body_timeout 40;
  client_header_timeout 40;
  keepalive_timeout 40;
  send_timeout 40;

  access_log off;

  location /preview/ {
    proxy_pass http://gtm-preview-server:8080;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_read_timeout 40s;
    proxy_connect_timeout 40s;
    proxy_send_timeout 40s;
  }

  location / {
    proxy_pass http://gtm-tagging-cluster:8080;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_read_timeout 40s;
    proxy_connect_timeout 40s;
    proxy_send_timeout 40s;
  }
}

Solution

  • Okay, so it was just a typo in the URL. 🙃