Questions regarding spdy module, browser behaviour and "access forbidden by rule"

georg georg at riseup.net
Thu Sep 4 15:41:26 UTC 2014


On 09/04/2014 12:39 AM, Valentin V. Bartenev wrote:
> On Thursday 04 September 2014 02:04:09 Valentin V. Bartenev wrote:
>> On Wednesday 03 September 2014 23:50:07 georg wrote:
>>> On 09/03/2014 10:23 PM, Valentin V. Bartenev wrote:
>>>> On Wednesday 03 September 2014 20:18:50 georg wrote:
>>>> [..]
>>>>> However, using Iceweasel 31.0-1~bpo70+1 (out of wheezy-backports), the
>>>>> browser console reads various 403 forbidden, and the nginx log is
>>>>> telling me the cause: "[...] 25108#0: *200 access forbidden by rule,
>>>>> client: XX.XX.XX.XX, server: wiki.example.com, request: "GET
>>>>> /lib/exe/js.php?tseed=1395165407 HTTP/1.1 [...]".
>>>>>
>>>>> I've got no clue how to debug this, to be honest. I didn't made any
>>>>> change, just upgrading one of the involved browsers.
>>>>> Could this be an incompatibility with this new Iceweasel version?
>>>>> Any ideas for this?
>>>>
>>>> That's very strange.  Could you provide a debug log?
>>>> http://nginx.org/en/docs/debugging_log.html
>>>
>>> Sure. I've posted it at [1], the log contains one access, just made with
>>> spdy enabled, and Iceweasel out of wheezy-backports.
>>>
>> [..]
>>
>> It's not clear how it's related to SPDY and Iceweasel, but it looks
>> like misconfiguration on your side.
>>
>> In the debug log I see that docuwiki returns X-Accel-Redirect to 
>> "/var/lib/dokuwiki/data/cache/.." which is matched by location
>> ~/(data|conf|bin|inc)/ with a deny rule.
> 
> Well, I can guess that you have made some change that broke these resources,
> and haven't been noticed due to browser's cache.
> 
> But update of the browser could result in reset of the cache.

I thought of something similar, and to be sure I've used the build-in
"Restart with addons disabled"-function of Iceweasel. At starting up it
will then offer two choices: Either start with addons disabled (so
called "Safe Mode") or reset Iceweasel, which will clear all caches,
settings, etc. Using the second option in Iceweasel out of wheezy (after
I've downgraded Iceweasel out of backports to Iceweasel of of stable)
didn't made a difference, all was fine, no errors reported.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 259 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20140904/f519799f/attachment.bin>


More information about the nginx mailing list