Nginx 403 Forbidden

Kakifrucht

I had an odd issue with my install where accessing my forum at it's base URL caused a 403 Forbidden in Nginx, however accessing the forum through any other URL, like a discussion or user profile worked normally. I hadn't changed anything about my configs, the only thing I did was doing a Nginx config reload, since I had an issue with another service running on the same machine.

The Nginx error logs showed following message: directory index of "/usr/share/nginx/halfminer_forum/public/" is forbidden, client: xx.xx.xx.xx, server: forum.halfminer.de, request: "GET / HTTP/1.1", host: "forum.halfminer.de"

After a bit of digging I found this post on Stackoverflow, indicating that Nginx was trying to list the directory contents, which caused the 403, since autoindexing is off by default. Removing the $uri/ part in the .nginx.conf solved the issue.

However, I still don't know why this issue has only started now (I was running with that config for a while), and if the removal of the $uri/ part causes any issues down the line. It worked perfectly fine after updating to beta14, only after reloading the nginx config the issues started to happen. My folder permissions seem correct and I have also regenerated the vendor directory with mv vendor vendor_old && composer install.

Why is that part included in the config anyways? Is it really required? No issues seem to arise with it removed.

Relevant nginx server block:

server {
    server_name forum.halfminer.de;

    root /usr/share/nginx/halfminer_forum/public;
    include /etc/nginx/fastcgi.conf;
    include /usr/share/nginx/halfminer_forum/.nginx.conf;

    location /forum {
        rewrite ^/forum(/.*)$ $1 permanent;
    }

    location = /sitemap.xml {
        try_files $uri $uri/ /index.php?$query_string;
    }

    listen 443 ssl http2; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/forum.halfminer.de/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/forum.halfminer.de/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

Included fastcgi.conf:

fastcgi_intercept_errors on;

location ~ \.php$ {
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_pass unix:/run/php/php7.4-fpm.sock;
    fastcgi_index index.php;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
}

clarkwinkelmann

Kakifrucht I have personally never experienced this issue, but I don't think there will be any issue removing $uri/ from the try_files rule. I think that rule is only intended to be able to list directories when forgetting the ending / because otherwise Flarum would try to handle the request. But if directory listing is disabled, it wouldn't have any use.

Kakifrucht

clarkwinkelmann I understand that all webservers nowadays have potentially problematic directory listing disabled by default, but why include it anyways as a default if it isn't necessary for any Flarum related functionality?

Do you run beta14 on nginx with a similar config by any chance?

clarkwinkelmann

Kakifrucht I'm not sure how that rule got in there. It must be based on some nginx best practices from a while ago and has been kept ever since.

I unfortunately haven't updated any of my forums to beta 14 yet, but I have multiple beta 13 forums running on nginx with try_files $uri $uri/ /index.php?$query_string; syntax, which is also the default syntax used by my managed hosting with Laravel Forge.

Kakifrucht

clarkwinkelmann Alright, I think I solved it. I didn't specify an index file in my config.
After adding index index.php; to the config the site loads normally, even with $uri/ set.
That doesn't explain why it worked without issues before (for over 2 years with that config?), but I guess I can live with that.

Thanks for your help!

teleclimber

Kakifrucht Just hit the 403 problem myself, and can confirm: Adding index.php to the "index" line of nginx config made the problem go away.