Questions regarding spdy module, browser behaviour and "access forbidden by rule"

georg georg at riseup.net
Thu Sep 4 15:56:26 UTC 2014


On 09/04/2014 12:04 AM, Valentin V. Bartenev wrote:
> On Wednesday 03 September 2014 23:50:07 georg wrote:
>> On 09/03/2014 10:23 PM, Valentin V. Bartenev wrote:
>>> On Wednesday 03 September 2014 20:18:50 georg wrote:
>>> [..]
>>>> However, using Iceweasel 31.0-1~bpo70+1 (out of wheezy-backports), the
>>>> browser console reads various 403 forbidden, and the nginx log is
>>>> telling me the cause: "[...] 25108#0: *200 access forbidden by rule,
>>>> client: XX.XX.XX.XX, server: wiki.example.com, request: "GET
>>>> /lib/exe/js.php?tseed=1395165407 HTTP/1.1 [...]".
>>>>
>>>> I've got no clue how to debug this, to be honest. I didn't make any
>>>> change, just upgrading one of the involved browsers.
>>>> Could this be an incompatibility with this new Iceweasel version?
>>>> Any ideas for this?
>>>
>>> That's very strange.  Could you provide a debug log?
>>> http://nginx.org/en/docs/debugging_log.html
>>
>> Sure. I've posted it at [1], the log contains one access, just made with
>> spdy enabled, and Iceweasel out of wheezy-backports.
>>
> [..]
> 
> It's not clear how it's related to SPDY and Iceweasel, but it looks
> like misconfiguration on your side.

Still I don't understand why enabling spdy makes this difference, and
how this influences stuff like this, but...

> In the debug log I see that dokuwiki returns X-Accel-Redirect to
> "/var/lib/dokuwiki/data/cache/.." which is matched by location
> ~/(data|conf|bin|inc)/ with a deny rule.

...you put me on the right track, Valentin!

- These locations are denied because these contain for example content,
like cached pages, one could access without authorization. The wiki is
closed, reading and editing is only possible after successful
authentication, so that's why.

- Dokuwiki supports a header "X-Accel-Redirect", which, when used,
should increase file transfers etc., because they are then handled directly
by the webserver. Up until today I've used this setting. After disabling,
everything works like a charm, with all browsers (and different
versions) I've tested (Chromium, Iceweasel, MSIE, Opera, Safari).

- Still I don't understand why using this feature (in combination with
spdy) works in Iceweasel 24, and gives these failures in Iceweasel 31.
Anyway, some more people seem to have problems with this (see [1] for
example), at [2] and [3] you'll find a bug report and a follow up,
created in November 2011, fixed and closed in March 2014. I'm quite sure
these changes haven't reached Debian Wheezy, leading to this problem.

Thank you Valentin for your help - I'm fine.

Cheers,
Georg


[1] http://forum.nginx.org/read.php?2,219485,219485#msg-219485
[2] https://bugs.dokuwiki.org/index.php?do=details&task_id=2388
[3] https://github.com/splitbrain/dokuwiki/pull/543
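
Added example, not part of the original message and not the poster's configuration: one way to keep X-Accel-Redirect enabled while the data directories stay closed to clients. It assumes the deny rule has a "deny all" body and that DokuWiki sends the redirect as a filesystem path under /var/lib/dokuwiki/data/, as the debug log quoted above suggests.

```nginx
# Fragment for the existing server { } block of wiki.example.com.

# Deny rule quoted in the thread (the "deny all" body is an assumption).
# Clients requesting /data/, /conf/, /bin/ or /inc/ still get 403.
location ~ /(data|conf|bin|inc)/ {
    deny all;
}

# Target of the X-Accel-Redirect header (path prefix as seen in the debug log).
# "^~" makes nginx skip regex locations once this prefix matches, so the
# deny rule above no longer catches the internal redirect.
# "internal" makes nginx answer 404 to clients requesting this URI directly;
# only internal redirects such as X-Accel-Redirect reach the files.
location ^~ /var/lib/dokuwiki/data/ {
    internal;
    root /;   # the redirect URI is the filesystem path, so the root is "/"
}
```

After reloading, a direct client request for a URI under /var/lib/dokuwiki/data/ should return 404 and one under /data/ should return 403, while pages served through DokuWiki load normally.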
