Answer the question
In order to leave comments, you need to log in
H
H
Human2016-06-30 18:50:02
Human, 2016-06-30 18:50:02
Why does a 403 error pop up?
403 Forbidden
nginx
Gets out with this nginx config:
/etc/nginx/nginx.conf
user www-data;
worker_processes 2;
pid /var/run/nginx.pid;
events {
worker_connections 2048;
use epoll;
}
http {
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
include /etc/nginx/mime.types;
default_type application/octet-stream;
keepalive_timeout 65;
server_tokens off;
gzip on;
gzip_min_length 10240;
gzip_proxied expired no-cache no-store private auth;
gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/xml;
gzip_disable "msie6";
sendfile on;
tcp_nopush on;
tcp_nodelay on;
client_max_body_size 100m;
types_hash_max_size 2048;
geoip_country /usr/share/GeoIP/GeoIP.dat;
map $geoip_country_code $allowed_country {
default no;
RU yes;
UA yes;
BY yes;
CZ yes;
US yes;
}
include /etc/nginx/conf.d/*.conf;
}upstream php_workers {
server unix:/var/run/php-fpm.socket;
}
server {
listen 80;
server_name mail.somehost.ru;
if ($allowed_country = no) {
return 404;
}
return 302 https://$server_name$request_uri;
}
server {
listen 443 ssl;
server_name mail.somehost.ru;
ssl on;
add_header Strict-Transport-Security "max-age=15768000; includeSubdomains";
ssl_certificate /etc/nginx/certs/somehost.ru.crt;
ssl_certificate_key /etc/nginx/certs/somehost.ru.key;
ssl_dhparam /etc/ssl/dhparams.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
ssl_session_cache shared:SSL:10m;
ssl_prefer_server_ciphers on;
if ($allowed_country = no) {
return 404;
}
index index.php;
# Deny all attempts to access hidden files such as .htaccess.
location ~ /\. { deny all; }
# Handling noisy favicon.ico messages
location = ^/favicon.ico { access_log off; log_not_found off; }
# Roundcube webmail
location ~ ^/mail(.*)\.php$ {
include fastcgi_params;
fastcgi_pass php_workers;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /opt/www/roundcubemail$1.php;
}
location ~ ^/mail(.*) {
alias /opt/www/roundcubemail$1;
index index.php;
}
location ~ ^/mail/(bin|SQL|README|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ { deny all; }
# Normal PHP scripts
location ~ \.php$ {
include fastcgi_params;
fastcgi_pass php_workers;
fastcgi_param SCRIPT_FILENAME /opt/www/$fastcgi_script_name;
}
# iRedAdmin: static files under /iredadmin/static
location ~ ^/iredadmin/static/(.*)\.(png|jpg|gif|css|js) {
alias /opt/www/iredadmin/static/$1.$2;
}
# iRedAdmin: Python scripts
location ~ ^/iredadmin(.*) {
rewrite ^/iredadmin(/.*)$ $1 break;
include uwsgi_params;
uwsgi_pass unix:/var/run/uwsgi_iredadmin.socket;
uwsgi_param UWSGI_CHDIR /opt/www/iredadmin;
uwsgi_param UWSGI_SCRIPT iredadmin;
uwsgi_param SCRIPT_NAME /iredadmin;
allow XXXXXXXXXX;
allow XXXXXXXXXX;
deny all;
}
# iRedAdmin: redirect /iredadmin to /iredadmin/
location = /iredadmin {
rewrite ^ /iredadmin/;
}
}In the logs at this time:
error.log
2016/06/30 18:48:13 [error] 25415#0: *16 directory index of "/usr/share/nginx/html/" is forbidden, client: XXX.XXX .XXX.XXX, server: mail.somehost.ru, request: "GET / HTTP/1.1", host: "mail.somehost.ru"
access.log
XXX.XXX.XXX.XXX - - [30/Jun/2016 :18:49:27 +0300] "GET / HTTP/1.1" 403 162 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0"
XXX.XXX.XXX.XXX - - [30/Jun/2016:18:49:28 +0300] "GET / HTTP/1.1" 403 162 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0 "
XXX.XXX.XXX.XXX - - [30/Jun/2016:18:49:29 +0300] "GET / HTTP/1.1" 403 162 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv: 45. 0) Gecko/20100101 Firefox/45.0"
4 answer(s)
@BuriK666
and specify root
@antonsr98
@ifaustrue
of Humans @tenhi_shadow
but it still doesn't work ;)
A
Andrey Burov, 2016-06-30 @BuriK666
You don't have a location to request to
/nginx.org/en/docs/http/request_processing.html
do
location / {
index index.php;
}and specify root
A
Anton Ulanov, 2016-06-30 @antonsr98
your logs say that you can't access: directory index of "/usr/share/nginx/html/" is forbidden
C
Cool Admin, 2016-06-30 @ifaustrue
Visually, I don’t see anything in the config that interferes and gives exactly 403. But I advise you to start with a simple one - remove all unnecessary, all checks for GeoIP \ allow and deny sections, leave only one server and one location, check and then remove comments from everything else . Proper localization of the problem will help you.
Well, check that php does not return 403 to you. You never know. Create index.html at the root, check how it will be allowed into it.
H
Human, 2016-07-01 of Humans @tenhi_shadow
corrected like this:
ssl_prefer_server_ciphers on;
# if ($allowed_country = no) {
# return 404;
# }
root /opt/www/roundcubemail;
index index.php;
location / {
index index.php;
}
# Deny all attempts to access hidden files such as .htaccess.
location ~ /\. { deny all; }
# Handling noisy favicon.ico messages
location = ^/favicon.ico { access_log off; log_not_found off; }
but it still doesn't work ;)
Similar questions
L
P
D
D
Dmitry Tarasov2020-01-11 20:15:29
How to create a websocket ratchet connection with SSL NGINX?
1Reply
T
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question