Nginx 403 Forbidden

Discussion in 'Install & Upgrades or Pre-Install Questions' started by elargento, Jun 1, 2017.

  1. elargento

    • CentOS Version: CentOS 7 64bit ?
    • Centmin Mod Version Installed: 123.09beta01
    • Nginx Version Installed: 1.11.10
    • PHP Version Installed: i.e. 5.6.30 or 7.0.15
    I'm getting this error on a website (xenforo) I transferred from another server. I already followed the steps here Nginx Rewrites for Xenforo Friendly Urls - CentminMod.com LEMP Nginx web stack for CentOS and chown nginx.nginx. Nginx restarts without issues.

    This also happened two hours ago while I was testing the server, but I updated nginx through the centmin menu and the forum was loading. However, now it doesn't. I don't want to try to update nginx again since I want to find out what the problem is and not temporarily fix it.

    vhost:
    Code:
    # Centmin Mod Getting Started Guide
    # must read http://centminmod.com/getstarted.html
    
    # redirect from non-www to www
    # uncomment, save file and restart Nginx to enable
    # if unsure use return 302 before using return 301
    #server {
    #            listen   80;
    #            server_name domain.com;
    #            return 301 $scheme://www.domain.com$request_uri;
    #       }
    
    server {
     
      server_name domain.com www.domain.com;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/domain.com/log/access.log combined buffer=256k flush=60m;
      error_log /home/nginx/domains/domain.com/log/error.log;
    
      include /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf;
     
     root /home/nginx/domains/domain.com/public;
     
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      #include /usr/local/nginx/conf/cloudflare.conf;
      include /usr/local/nginx/conf/503include-main.conf;
    
      # prevent access to ./directories and files
      #location ~ (?:^|/)\. {
      # deny all;
      #}
    
      location / {
      include /usr/local/nginx/conf/503include-only.conf;
    
    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # Shows file listing times as local time
      #autoindex_localtime on;
    
      # Enable for vBulletin usage WITHOUT vbSEO installed
      # More example Nginx vhost configurations at
      # http://centminmod.com/nginx_configure.html
      #try_files    $uri $uri/ /index.php;
    
      }
     
    location /forum/ {
        try_files $uri $uri/ /forum/index.php?$uri&$args;
        index index.php index.html;
    }
    
    location /forum/install/data/ {
        internal;
        allow 127.0.0.1;
        deny all;
    }
    location /forum/install/templates/ {
        internal;
        allow 127.0.0.1;
        deny all;
    }
    location /forum/internal_data/ {
        internal;
        allow 127.0.0.1;
        deny all;
    }
    location /forum/library/ {
        internal;
        allow 127.0.0.1;
        deny all;
    }
    
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass    127.0.0.1:9000;
        fastcgi_param   SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include         fastcgi_params;
    }
    
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    
     
  2. eva2000

    Centmin Mod values security and puts additional measures in place so that end users are also mindful of security. From Nginx Configuration Examples - CentminMod.com LEMP Nginx web stack for CentOS

    Check out Nginx Rewrites for Xenforo Friendly Urls - CentminMod.com LEMP Nginx web stack for CentOS which discusses the below autoprotect.sh mechanism.

    If on Centmin Mod 123.09beta01, you may have run into the new tools/autoprotect.sh cronjob feature outlined at Beta Branch - autoprotect.sh - apache .htaccess check & migration to nginx deny all | Centmin Mod Community. Your uploaded scripts may have .htaccess 'deny from all' type files in their directories which may need bypassing autoprotect. It's a security feature that no other nginx based stack has as far as I know :)

    So instead, all .htaccess 'deny from all' detected directories now get auto generated Nginx equivalent location match and deny all setups except if you want to manually bypass the directory from auto protection via a .autoprotect-bypass file - details below here.

    You can read a few threads below on how autoprotect.sh may have caught some folks web apps falsely and the workarounds or improvements made to autoprotect.sh with the help of users feedback and troubleshooting.
     
  3. elargento

    Sorry, it is getting harder to understand technical words. This thread helped me to understand: https://community.centminmod.com/th...ccess-check-migration-to-nginx-deny-all.7308/

    I've deleted all .htaccess files, then ran /usr/local/src/centminmod/tools/autoprotect.sh, and finally I was able to load the website.

    EDIT:
    Autoprotect added this rule which was causing the error:
    Code:
    location ~* ^/ { allow 127.0.0.1; deny all; }
    And this is the .htaccess file which autoprotect scanned:
    Code:
    RewriteEngine on
    <IfModule mod_suphp.c>
     suPHP_ConfigPath /home/user
     <Files php.ini>
       order allow,deny
       deny from all
     </Files>
    </IfModule>
    
    # Begin Bad Bot Blocking
    BrowserMatchNoCase OmniExplorer_Bot/6.11.1 bad_bot
    BrowserMatchNoCase omniexplorer_bot bad_bot
    BrowserMatchNoCase Baiduspider bad_bot
    BrowserMatchNoCase Baiduspider/2.0 bad_bot
    BrowserMatchNoCase yandex bad_bot
    BrowserMatchNoCase yandeximages bad_bot
    BrowserMatchNoCase Spinn3r bad_bot
    BrowserMatchNoCase sogou bad_bot
    BrowserMatchNoCase Sogouwebspider/3.0 bad_bot
    BrowserMatchNoCase Sogouwebspider/4.0 bad_bot
    BrowserMatchNoCase sosospider+ bad_bot
    BrowserMatchNoCase jikespider bad_bot
    BrowserMatchNoCase ia_archiver bad_bot
    BrowserMatchNoCase PaperLiBot bad_bot
    BrowserMatchNoCase ahrefsbot bad_bot
    BrowserMatchNoCase ahrefsbot/1.0 bad_bot
    BrowserMatchNoCase SiteBot/0.1 bad_bot
    BrowserMatchNoCase DNS-Digger/1.0 bad_bot
    BrowserMatchNoCase DNS-Digger-Explorer/1.0 bad_bot
    BrowserMatchNoCase boardreader bad_bot
    BrowserMatchNoCase radian6 bad_bot
    BrowserMatchNoCase R6_FeedFetcher bad_bot
    BrowserMatchNoCase R6_CommentReader bad_bot
    BrowserMatchNoCase ScoutJet bad_bot
    BrowserMatchNoCase ezooms bad_bot
    BrowserMatchNoCase CC-rget/5.818 bad_bot
    BrowserMatchNoCase libwww-perl/5.813 bad_bot
    BrowserMatchNoCase magpie-crawler 1.1 bad_bot
    BrowserMatchNoCase jakarta bad_bot
    BrowserMatchNoCase discobot/1.0 bad_bot
    BrowserMatchNoCase MJ12bot bad_bot
    BrowserMatchNoCase MJ12bot/v1.2.0 bad_bot
    BrowserMatchNoCase MJ12bot/v1.2.5 bad_bot
    BrowserMatchNoCase SemrushBot/0.9 bad_bot
    BrowserMatchNoCase MLBot bad_bot
    BrowserMatchNoCase butterfly bad_bot
    BrowserMatchNoCase SeznamBot/3.0 bad_bot
    BrowserMatchNoCase HuaweiSymantecSpider bad_bot
    BrowserMatchNoCase Exabot/2.0 bad_bot
    BrowserMatchNoCase netseer/0.1 bad_bot
    BrowserMatchNoCase NetSeer crawler/2.0 bad_bot
    BrowserMatchNoCase NetSeer/Nutch-0.9 bad_bot
    BrowserMatchNoCase psbot/0.1 bad_bot
    BrowserMatchNoCase moreoverbot/5.0 bad_bot
    BrowserMatchNoCase Jakarta Commons-HttpClient/3.0 bad_bot
    BrowserMatchNoCase SocialSpider-Finder/0.2 bad_bot
    
    Order Deny,Allow
    Deny from env=bad_bot
    # End Bad Bot Blocking
    
    # php -- BEGIN cPanel-generated handler, do not edit
    # NOTE this account's php is controlled via FPM and the vhost, this is a place holder.
    # Do not edit. This next line is to support the cPanel php wrapper (php_cli).
    # AddType application/x-httpd-ea-php70 .php .phtml
    # php -- END cPanel-generated handler, do not edit
    
     
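    The rule above shows why the site returned 403: the only `deny from all` in that root .htaccess sits inside a `<Files php.ini>` block, so it protects one file, but the generated nginx rule `location ~* ^/ { allow 127.0.0.1; deny all; }` denies the whole document root. The script below is an added example, not part of this thread or of autoprotect.sh; it models a scope-blind scan beside a scope-aware one over a constructed copy of the posted .htaccess, and the `naive_rules`/`scoped_rules` names and the exact-match `location =` translation are my own choices.

```python
import re

# Constructed sample mirroring the .htaccess posted in this thread (trimmed).
SAMPLE_HTACCESS = """RewriteEngine on
<IfModule mod_suphp.c>
 suPHP_ConfigPath /home/user
 <Files php.ini>
   order allow,deny
   deny from all
 </Files>
</IfModule>
Order Deny,Allow
Deny from env=bad_bot
"""
# 'Deny from env=bad_bot' must not count: only a literal 'deny from all' matters.
DENY_ALL = re.compile(r"^\s*deny\s+from\s+all\s*$", re.IGNORECASE)
FILES_OPEN = re.compile(r'^\s*<Files\s+"?([^">]+?)"?\s*>\s*$', re.IGNORECASE)
FILES_CLOSE = re.compile(r"^\s*</Files\s*>\s*$", re.IGNORECASE)

def deny_scopes(htaccess_text):
    """Return (directory_wide, [file names]) for every 'deny from all'.
    A deny inside <Files name> covers that file only; any other deny
    (including inside <FilesMatch>, not modelled) covers the whole directory."""
    directory_wide, file_names, current_file = False, [], None
    for line in htaccess_text.splitlines():
        opened = FILES_OPEN.match(line)
        if opened:
            current_file = opened.group(1)
        elif FILES_CLOSE.match(line):
            current_file = None
        elif DENY_ALL.match(line):
            if current_file is None:
                directory_wide = True
            else:
                file_names.append(current_file)
    return directory_wide, file_names

def naive_rules(web_dir, htaccess_text):
    """Hypothetical scope-blind scan: any 'deny from all' locks the whole
    directory. For a root .htaccess this is the ^/ rule posted in the thread."""
    if any(DENY_ALL.match(l) for l in htaccess_text.splitlines()):
        return [f"location ~* ^{web_dir} {{ allow 127.0.0.1; deny all; }}"]
    return []

def scoped_rules(web_dir, htaccess_text):
    """Scope-aware translation: <Files>-scoped denies become exact-match
    locations for that file; directory-wide denies keep the prefix rule."""
    directory_wide, file_names = deny_scopes(htaccess_text)
    rules = [f"location ~* ^{web_dir} {{ allow 127.0.0.1; deny all; }}"] if directory_wide else []
    rules += [f"location = {web_dir}{name} {{ deny all; }}" for name in file_names]
    return rules
```

Run it against the .htaccess of each upload before letting a generated rule into the vhost: a `^/` prefix deny on the web root is never what a per-file `<Files>` block meant, and should be treated as a false positive.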
  4. eva2000

  5. elargento

    Well, if .htaccess files aren't going to be processed anymore there is no need to have them :p

    BTW how do you deal with htaccess rules on nginx to force www and https?
    Code:
    RewriteCond %{HTTP_HOST} www.domain.com$
    RewriteRule ^(.*)$ http://domain.com/forum/$1 [R=301,L]
    Do expires headers need to be set in nginx just like in .htaccess, or does centmin do it already?
    https://developer.yahoo.com/performance/rules.html#expires
     
  6. eva2000

    When you re-upload an entire zip file's contents, i.e. upgrade software, usually the .htaccess files get re-uploaded; that's why the bypass file is good to have :)

    Posted at centminmod.com/nginx_domain_dns_setup.html#httpsredirect

    The key to testing is using a 302 temporary redirect first in a private incognito browser session; otherwise the problems you experience may end up being due to browser caching or 301 permanent redirects unless you clear the browser cache and reboot local computer(s), and even then some web browsers don't let go of 301 permanent redirect browser cache that willingly :)

    Centmin Mod nginx has, in each vhost, an include of the staticfiles.conf include file with expires set.
     