Linux Firewalld Setup nginx 403 Forbidden error

Hello Kodekloud team,

I am getting a 503 error when trying to curl nginx from Jump Server & from LB Server. Does anyone know why this may be occurring?

Are we supposed to do any extra configuration with nginx to get this error to go away, or is that the expected behavior for this task? When I run telnet stapp01 8091 it says that it is connected.

Also, being that this is Firewalld, aren’t we supposed to be using the WAN interface? I’m asking because I saw a few references in this forum to iptables being used with eth0 as an interface instead.

Hello, @juliettet
No, we will do it with the firewalld command.

Thank you for responding @Tej-Singh-Rana.

Why then am I getting a 403 error when trying to curl nginx?

Any hints? I’m stumped.

What about curl command? Are you able to access with the given port?

When I run curl stapp01:<nginx-port> from Jump Server & from LB Server I get the 403 error shown in the screenshot above.

When I run telnet stapp01 <nginx port>, however, it says that it’s connected.

I’ve tried getting this to work with eth0, without eth0, with WAN, and without any attached network interface, which then requires the use of iptables -F in order to avoid yet another error: No route to host.

Here are the steps that I have taken on all 3 App Servers:

systemctl status nginx
systemctl status httpd
# get apache port Listen 3004
sudo cat /etc/httpd/conf/httpd.conf | grep Listen
sudo su -
yum install net-tools
# find nginx port 8096
netstat -tulpn | grep LISTEN
yum install -y firewalld 
systemctl restart dbus
systemctl start firewalld
systemctl enable firewalld
systemctl status firewalld
firewall-cmd --zone=public --add-port=8096/tcp --permanent
firewall-cmd --permanent --zone=public --add-service={http,https}
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="172.16.238.14" port protocol=tcp port=3004 accept'
firewall-cmd --permanent --zone=public --change-interface=wan
firewall-cmd --reload
firewall-cmd --get-active-zones
systemctl restart firewalld
systemctl status firewalld
firewall-cmd --zone=public --list-ports
firewall-cmd --zone=public --list-all
firewall-cmd --list-all
# From Jump Host
curl stapp01:8096     # nginx  => 403 Forbidden
telnet stapp01 8096   # nginx  => connected
telnet stapp02 8096   # nginx  => connected
telnet stapp03 8096   # nginx  => connected
curl stapp01:3004     # apache => No route to host
telnet stapp01 3004   # apache => No route to host
telnet stapp02 3004   # apache => No route to host
telnet stapp03 3004   # apache => No route to host
# From LB server
curl stapp01:8096     # nginx  => 403 Forbidden
telnet stapp01 8096   # nginx  => connects
telnet stapp02 8096   # nginx  => connects
telnet stapp03 8096   # nginx  => connects
curl stapp01:3004     # apache => connects
telnet stapp01 3004   # apache => connects
telnet stapp02 3004   # apache => connects
telnet stapp03 3004   # apache => connects

Can anyone help me with this??

Thanks:-)

I guess it is a configuration error. NGINX could not deliver the content that you have configured in nginx.conf.
It could be the file name or the path… or the permission on the content that you would like to publish…

If you can provide the config code, some KodeKloud senior engineers could easily diagnose the cause of the 403.

Hi @dthapali!

Thanks for responding. I FINALLY figured it out. You were right: I had to check the nginx.conf, something that I had checked before, but I had missed a couple of things/nuances.

When I went back to the NGINX Reverse Proxy task (I completed that task over a week ago) and checked my notes, it all became a bit clearer.

It seemed so difficult, but now that I know…I know. Sometimes I have to do something a few times in order for things to stick. That’s how we learn I guess. :grinning:

If anyone needs help with this task, let me know.

Good work @juliettet :+1:.

Thank you @Tej-Singh-Rana!

Please share your work out.

Hi @Nasri,

Is there a certain part of this task that you are stuck on?

To get rid of the 403 forbidden error when trying to curl nginx from the Jump host and from the LB server, I had to check/set the configuration(s) in the /etc/nginx/nginx.conf config file on each app server like so:

server {
  listen          <nginx-port>;
  listen          [::]:<nginx-port>;
  server_name     <app-server-ip>;
  root            /usr/share/nginx/html;

  # the location block must sit inside the server block
  location / {
    proxy_pass http://<app-server-ip>:<apache-port>/;
  }
}

Then I had to run systemctl restart nginx to persist the changes.

Let me know if this helps:-)

PS.

The /etc/httpd/conf/httpd.conf configuration was already listening on the Apache port, so there were no issues there, but you might want to check it to make sure that it is listening in your environment…just to be sure.
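
As an added example (not code from the thread or from KodeKloud), here is a small Python checker for the kind of mistake described in the post above: it walks an nginx.conf, flags a location block that sits outside the server block, confirms nginx listens on the expected port, and cross-checks the proxy_pass port against the Listen line in httpd.conf. The sample configs, the 172.16.238.10 address and the 8096/3004 ports are constructed for the example.

```python
import re

# Constructed sample configs (not the poster's real files): the shape with
# "location /" outside the server block, and the corrected shape.
HTTPD_CONF = "Listen 3004\n"
BROKEN = """http {
  server { listen 8096; listen [::]:8096; server_name 172.16.238.10; }
}
location / { proxy_pass http://172.16.238.10:3004/; }
"""
FIXED = """http {
  server {
    listen 8096; listen [::]:8096; server_name 172.16.238.10;
    location / { proxy_pass http://172.16.238.10:3004/; }
  }
}
"""

def directives(conf):
    """Yield (context, name, args) per directive; context = enclosing block names."""
    stack = []
    text = re.sub(r"#.*", "", conf)                       # strip comments
    for m in re.finditer(r"([^{};]*)([{};])", text):      # statement + terminator
        words, term = m.group(1).split(), m.group(2)
        if term == "}":
            if stack: stack.pop()                          # leave the current block
        elif words:
            yield tuple(stack), words[0], words[1:]
            if term == "{":
                stack.append(words[0])                     # enter a new block

def audit(nginx_conf, httpd_conf, nginx_port):
    """Return a list of misconfigurations; an empty list means the wiring is consistent."""
    problems, listens = [], set()
    apache_ports = set(re.findall(r"^\s*Listen\s+(?:\S*:)?(\d+)", httpd_conf, re.M))
    for ctx, name, args in directives(nginx_conf):
        if name == "location" and "server" not in ctx:
            problems.append(f"location {' '.join(args)} is outside any server block")
        elif name == "listen" and "server" in ctx:
            listens.add(args[0].rsplit(":", 1)[-1])        # handles [::]:8096 too
        elif name == "proxy_pass":
            m = re.match(r"https?://[^/:]+:(\d+)", args[0])
            port = m.group(1) if m else "80"               # no port given: http default
            if port not in apache_ports:
                problems.append(f"proxy_pass {args[0]} uses port {port}; httpd listens on {sorted(apache_ports)}")
    if str(nginx_port) not in listens:
        problems.append(f"nginx does not listen on {nginx_port} (found {sorted(listens)})")
    return problems
```

Run `audit(open('/etc/nginx/nginx.conf').read(), open('/etc/httpd/conf/httpd.conf').read(), 8096)` on an app server to get the same report for the live files.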

Thank you for your reply. But I was curious about the part that gives the 403 error; how did you fix that?

Hi @Nasri,

Have you checked out my last post above?

I had to check/set the configuration(s) in the /etc/nginx/nginx.conf config file…

Hope this helps:-)

Hi Juliettet,
How did you resolve the 403 error message in the nginx conf file?
thanks
Swaroop

Hi @swaroopcs88,

Basically, after getting/checking the nginx port via:

sudo su -
yum install net-tools
netstat -tulpn | grep LISTEN
# or get the port by checking out the conf file:
cat /etc/nginx/nginx.conf   # check port #

& getting/checking the httpd port:

sudo cat /etc/httpd/conf/httpd.conf | grep Listen

I had to edit/configure the correct ports in the server block section of the /etc/httpd/conf/httpd.conf file.

Check out my posts above for the steps that I took.

Hope this helps:-)

Hi @juliettet,

Can you help me to complete this task?

I’m getting "No route to host" when I use telnet. If I use curl to the Nginx port, I get HTML code.

Hi @TharunTeja4676,

Have you configured/added the iptables rule for the Apache port?

Also, make sure that you have added ServerName with the ip + port (127.0.0.1:<apache-port>) in the Apache conf file (/etc/httpd/conf/httpd.conf).

You also need to add Listen <serverip-of-app-server-with-failing-connection>:<apache-port> via the Apache conf file on the app server that is failing to connect.

If you have these three things in place, the no route to host error should go away.

Hope this helps:-)

Thanks for responding @juliettet
I have completed the task successfully.