Develop Reference

403 forbidden on POST request nginx + amazon linux 2

I have setup a server on AWS everything working fine, i am able to fetch data from server but unable to POST, POST data is continuously giving 403 forbidden response,
i have check nginx logs, call never even reach there, but GET request are shows up on access.log.
error.log are empty and nothing happening there.
server {
listen 80;
listen [::]:80 default_server;
server_name example.com www.example.com;
location / {
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $http_host;
proxy_pass "http://127.0.0.1:3004";
}
}
and yes there is a Load Balancer which is running on 443 port and forward to port 80 on the instance.

I get it after looking all the way arounds, there was a rule defined on Load Balancer, post call methoud be defined in lower case like post not POST.

I was getting 403 Forbidden errors from the AWS Load Balancer WAF when the body of my POST request contained "http://127.0.0.1". When I change it to "http://localhost" instead, it doesn't fail. That's pretty lame.

Trouble setting up NGINX behind pfSense Router

I'm attempting to setup an NGINX reverse proxy on my network, it is currently running on an Ubuntu VM. I'd like to run a website running in IIS, and another site running on Apache in a Linux VM behind the same public IP address. NGINX seemed like the perfect solution.
I've followed several guides and can't seem to get everything working. The NGINX config seems to work locally if I access the NGINX VM's IP directly it serves me the default config, and I can even change it between the IIS site, or the Apache site, and get it to work locally. My problem comes in with any external connection.
Previously my pfSense router was setup to forward port 80 and 443 to the IIS VM, and that was working fine, so I know at a basic level that pfSense was able to forward those ports to that windows client. Once I got NGINX setup I changed my port forwards for 80 and 443 to point to the VM running NGINX. Now none of my websites will work, the ip address for the domains resolves to my public IP, but the requests time out / never reach any web server.
nginx.conf is the default, I made no changes.
default nginx host conf:
server {
listen 80 default_server;
listen [::]:80 default_server;
root /var/www/html;
index index.html index.htm index.nginx-debian.html;
server_name _;
location / {
return 404;
}
}
Apache host conf:
server {
listen 80;
server_name domain.com;
location / {
proxy_pass http://0.0.0.0:80; # Apache internal IP
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
pfSense Port 80 Rule:
Action: Pass
Interface: WAN
Address Family: IPv4
Protocol: TCP
Source: Any
Destination: NGINX VM IP
From: 80
To: 80
I'm not getting any error messages in the console, in the NGINX log, etc. I'm honestly at a loss. Any advice would be greatly appreciated.

You have it set up so Apache is forwarding to Nginx. Your Nginx file is not forwarding anything. If Nginxis going to be the reverse proxy, then the location / { ... } components showing in the Apache config file need to be in the Nginx config file. Also, I would change "server name _" to show your domain name in the Nginx file.

Not able to change NGINX port

The problem I'm having trouble with is that I can't access remotely unless I use port 80 and I want to use a different port.
Here's the NGINX configuration I'm using. This will work on port 80. However, if I change
listen 80;
to
listen 6000;
it does not work when accessed from outside the local machine.
In other words, curl 127.0.0.1:6000 on the machine works. However trying to visit externally with 184.169.100.100:6000 does not work. (Pretending that's my public IP address.) It gives me a "site can't be reached" error in Chrome.
I've checked the security settings to make sure port 6000 is open. It's an AWS EC2 instance.
Optional note to put things in context: Overall what I'm trying to do is set up two different servers on one machine, each accessible from a different port, and each running it's own set of python workers. As a first step, I just want to make sure I can change the port by which a server is accessed, however, I'm not even able to do that yet and still access it externally.
ubuntu#ip-172-31-9-113:/etc/nginx/conf.d$ cat flask.conf
upstream gunicorn_server {
server localhost:8080 fail_timeout=0;
}
server {
listen 80;
server_name 184.169.100.100;
root /home/ubuntu/www;
client_max_body_size 4G;
keepalive_timeout 5;
proxy_read_timeout 900;
location / {
try_files $uri #app;
}
location #app {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
proxy_redirect off;
# pass to the upstream gunicorn server mentioned above
proxy_pass http://gunicorn_server;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
Any help is appreciated.

this happen for firewall.
ubuntu:
if your ufw is enabled:
sudo ufw allow 6000
in centos disable selinux (not recommended. search for selinux config for allow port)

Is 6000 port open ?
Check in inbound port rules.
And then try hitting sudo ufw allow 6000 and check if you can access with 6000 also.
(this question is old, but still answering because if someone is facing same issue this answer may help them)

Try to use this command:
firewall-cmd --zone=public --add-port=6000/tcp --permanent

Answering my own question:
I tried using port 6001 instead of 6000 and then it worked. I could access it from outside. I can't say why, but there must have been an issue with 6000 for my particular case.

nginx using custom port

I have installed LEMP on Ubuntu. I am using a port 4738 as an nginx listener. Everything works fine. I can access the page as 123.123.123.123:4738.
I do want to get rid of port in the url. How to do it? I have read many answers on SO and tried but didn't work for me. Following is an example:
port_in_redirect off;
location / {
proxy_pass http://123.123.123.123:4738;
}
and
proxy_redirect http://123.123.123.123 http://123.123.123.123:4738;
port_in_redirect off;

If you're not using the default port for the protocol, you have to have the port in the URL. You have to listen on port 80 if you expect to not have the port in your HTTP URL.
Configure your server to listen on port 80.

Can I redirect non-SSL traffic that comes in on an SSL port with Nginx

I have a fairly standard setup with nginx fronting a django app. I want the django app to be SSL only, and so I have two listen blocks in my nginx conf, with the traffic coming in on port 80 (HTTP) being redirected to port 443 (SSL). This is working as expected.
I am running this setup inside a VM that has port forwarding turned on, such that I can browser the site from the host machine by going to port 8080 (HTTP) or 8081 (SSL). Again, this work fine, as expected.
The problem comes when I am redirected internally from the Django app during a registration workflow. Because Django never sees the SSL status (SSL is terminated at nginx, and traffic to the app is forwarded on port 5000 over HTTP), but does see the port, the redirect is getting mangled**.
The net result of all of this is that I have traffic being directed into nginx on the SSL port, that is not SSL, e.g. http://127.0.0.1:443/. Is there any way to configure nginx to handle this?
** NB I am setting the X-Forwarded-Proto header in Nginx, and Django is picking up the correct .is_secure() value, this is a specific problem with an external library not checking is_secure and just redirecting on the incoming URL scheme.
[UPDATE 1]
Attached are the relevant config settings. This is from the Vagrantfile itself, showing the port forwarding:
config.vm.forward_port 80, 8080 # website, via nginx (redirects to SSL:8081)
config.vm.forward_port 443, 8081 # website, via nginx (accepts SSL)
config.vm.forward_port 5000, 8180 # website, via gunicorn (direct)
Using the above port forwarding configuration, if I browse to the site on the host machine on the HTTP port (8080), then the request is accepted, and nginx (see below) redirects this request to HTTPS (running on port 8081). Once I am on HTTPS the site itself works fine:
(host) http://127.0.0.1:8080 -> forwarded to -> (guest vm) http://127.0.0.1:80
(host) https://127.0.0.1:8081 -> forwarded to -> (guest vm) https://127.0.0.1:443
The problem occurs when I get a redirect internally from Django which mixed scheme & protocol, and ends up with a request to http:\\127.0.0.1:8081\..., which fails, as nginx is expecting traffic on 8081 to be SSL.
What I really want is a rule that says 'listen on 443 for both SSL and non-SSL and redirect non-SSL'.
This is the relevant nginx configuration:
# Django app is served by Gunicorn, running under port 5000 (via Foreman)
upstream gunicorn {
server 127.0.0.1:5000 fail_timeout=0;
}
server {
listen 80;
# 8081 is the port I am forwarding to on the host machine
rewrite ^ https://127.0.0.1:8081$request_uri? permanent;
}
server {
listen 443;
ssl on;
ssl_protocols SSLv3 TLSv1;
ssl_ciphers HIGH:!ADH:!MD5;
ssl_prefer_server_ciphers on;
ssl_certificate /etc/nginx/ssl/self-signed.crt;
ssl_certificate_key /etc/nginx/ssl/self-signed.key;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
location /static/ {
alias /app/static/;
}
location /media/ {
alias /app/media/;
}
location / {
# everything else is to be served by the django app (upstream 'gunicorn')
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# this is set to ensure that django is_secure returns True
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_pass http://gunicorn;
}
}

You should check out "Error Processing" section of this document:
http://nginx.org/en/docs/http/ngx_http_ssl_module.html
Non-standard error code 497 may be used to process plain HTTP request which has been sent to HTTPS port.
Something like this should work (untested):
error_page 497 https://$host$request_uri;
Named locations may also be used in error_page, see http://nginx.org/r/error_page for details.