Linux Firewalld Setup nginx 403 Forbidden error

KodeKloud Engineer
#1

Hello Kodekloud team,

I am getting a 503 error when trying to curl nginx from Jump Server & from LB Server. Does anyone know why this may be occurring?

Are we supposed to do any extra configuration with nginx to get this error to go away or is that the expected behavior for this task. When I run telnet stapp01 8091 it says that it is connected.

Also, being that this is Firewalld, aren’t we supposed to be using the WAN interface? I’m asking because I saw a few references in this forum to iptables being used with eth0 as an interface instead.

Screen Shot 2020-08-31 at 4.07.26 PM
Screen Shot 2020-08-31 at 4.07.26 PM1326×538 52 KB

#2

Hello, @juliettet
No, we will do with firewalld command.

1 Like
#3

Thank you for responding @player001.

Why then am I getting a 403 error when trying to curl nginx.

Any hints? I’m stumped.

#4

What about curl command? Are you able to access with the given port?

#5

When I run curl stapp01:<nginx-port> from Jump Server & from LB Server I get the 403 error shown in the screenshot above.

When I run telnet stapp01 <nginx port>, however, it says that it’s connected.

I’ve tried getting this to work with eth0, without eth0, with WAN, and without any attached network interface, which then requires the use of iptables -F in order to avoid yet another error:No route to host`.

#6

Here are the steps that I have taken on all 3 App Servers:

systemctl status nginx
systemctl status httpd
# get apache port Listen 3004
sudo cat /etc/httpd/conf/httpd.conf | grep Listen
sudo su -
yum install net-tools
# find nginx port 8096
netstat -tulpn | grep LISTEN
yum install -y firewalld 
systemctl restart dbus
systemctl start firewalld
systemctl enable firewalld
systemctl status firewalld
firewall-cmd --zone=public --add-port=8096/tcp --permanent
firewall-cmd --permanent --zone=public --add-service={http,https}
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="172.16.238.14" port protocol=tcp port=3004 accept'
firewall-cmd --permanent --zone=public --change-interface=wan
firewall-cmd --reload
firewall-cmd --get-active-zones
systemctl restart firewalld
systemctl status firewalld
firewall-cmd --zone=public --list-ports
firewall-cmd --zone=public --list-all
firewall-cmd --list-all
# From Jump Host
curl stapp01:8096  == >  //nginx 403 Forbidden
telnet stapp01 8096  //nginx => connected
telnet stapp02 8096  //nginx => connected
telnet stapp03 8096  //nginx => connected
curl stapp01:3004 => //apache => ... No route to host
telnet stapp01 3004 //apache => ..No route to host
telnet stapp02 3004 //apache => ...No route to host
telnet stapp03 3004 //apache => ...No route to host
# from LB server:
curl stapp01:8096  //nginx = > 403 Forbidden
telnet stapp01 8096  //nginx => connects
telnet stapp02 8096  //nginx => connects
telnet stapp03 8096  //nginx => connects
curl stapp01:3004 //apache  => connects
telnet stapp01 3004 //apache => connects
telnet stapp02 3004 //apache => connects
telnet stapp03 3004 //apache => connects
#7

Can anyone help me with this??

Thanks:-)

#8

I guess configuration error. NGINX could not deliver the content that you have configured in nginx.conf.
it could be the file name or the path… or the permission to the content that you would like to publish…

If you can provide the config code, some KodeKloud senior engineers could easily diagnosis the cause of 403.

1 Like
#9

Hi @dthapali!

Thanks for responding. I FINALLY figured it out. You were right: I had to check the nginx.conf, something that I had checked before, but I had missed a couple of things/nuances.

When I went back to the NGINX Reverse Proxy proxy task (I completed that task over a week ago) and checked my notes, it all became a bit more clear.

It seemed so difficult, but now that I know…I know. Sometimes I have to do something a few times in order for things to stick. That’s how we learn I guess. :grinning:

If anyone needs helps with this task let me know.

2 Likes
#10

Good work @juliettet :+1:.

1 Like
#11

Thank you @player001!

#12

Please share your work out.

#13

Hi @Nasri,

Is there a certain part of this task that you are stuck on?

To get rid of the 403 forbidden error when trying to curl nginx from the Jump host and from the LB server, I had to check/set the configuration(s) in the /etc/nginx/nginx.conf config file on each app server like so:

server {
  listen          <nginx-port>;
  listen          [::]:<nginx-port>;
  server_name     <app-server-ip>;
  root            /usr/share/nginx/html;
}

location / {
   proxy_pass http://<app-server-ip>:<apache-port>/; 
}

Then I had to run systemctl restart nginx to persist the changes.

Let me know if this helps:-)

PS.

The /etc/httpd/conf/httpd.conf configuration was already listening on the Apache port, so there were no issues there, but you might want to check it to make sure that it is listening in your environment…just to be sure.

1 Like
#14

Thank you for your reply But I was curious about the part that gives 403 error, how did you fix that?

#15

Hi @Nasri,

Have you checked out my last post above?

I had to check/set the configuration(s) in the /etc/nginx/nginx.conf config file…

Hope this helps:-)

1 Like
#16

Hi Juliettet,
How did you resolve the 403 error message in nginx conf file?
thanks
Swaroop

#17

Hi @swaroopcs88,

Basically, after getting/checking the nginx port via:

sudo su -

yum install net-tools

netstat -tulpn | grep LISTEN

# or get port via checking out conf file:

cat /etc/nginx/nginx.conf => check port #

& getting/checking the httpd port:

sudo cat /etc/httpd/conf/httpd.conf | grep Listen

I had to edit/configure the correct ports in the server block section of the /etc/httpd/conf/httpd.conf file.

Check out my posts above for the steps that I took.

Hope this helps:-)

1 Like