403 Error when changing any settings after enabling force_https with proxy

cryocaustik · October 30, 2019, 3:51pm

Hi, all - I have an issue where if I enable the force_https option (after ensuring everything is on https), I am unable to:

change any settings,
log out (clicking log out does nothing),
or login (sso redirect just takes to logged out home page).

I thought it was a fluke or something I broke initially, so I destroyed the app, dropped all the data, and bootstrapped/started the app again.

With the new app, everything was working great again; I was able to restore from backups, configure all my logos, adjust different settings (change email notification settings, adjust title, customize theme css, etc.), and that there were no SSL errors and brand images were loading in fine.

However, as soon as I enabled the force_https option again, the I started to get all the 403 errors again.

This time I went into the container and disabled the force_https option via the CLI, using:

/var/discourse/launcher enter app
rails c
SiteSetting.force_https = false

As soon as I disabled the option, everything on the site started to function again.

I tried looking through the logs (site_url.com/logs), but there didn’t seem to be much in there other than:

Error: Forbidden
Url: https://site_url.com/assets/ember_jquery-1d5617356dd43f27b8adbf60ccb854a1f5992b9b9f9e51e32ea7287fc9eeb25b.js
Line: 1
Column: 262166
Window Location: https://site_url.com/admin/plugins/chat/discord

which was from an earlier time when I was changing some settings for the discourse-chat-integration plugin.

I am not sure where to go from here and would appreciate any suggestions.

codinghorror · October 30, 2019, 9:06pm

Are you behind any weird proxies?

cryocaustik · October 31, 2019, 3:31am

I am running it on a server with another PHP application, so I am using an Nginx proxy pass; my nginx configuration:

server {
  server_name site_url;
  client_max_body_size 500m;

  location / {
      proxy_pass http://127.0.0.1:8080;
  }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/site_url/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/site_url/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
    if ($host = site_url) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


  listen 80;
  server_name site_url;
    return 404; # managed by Certbot
}

codinghorror · October 31, 2019, 3:49am

I think you are not passing the https through correctly. Search here for solutions.

cryocaustik · October 31, 2019, 5:11am

Completely forgot to set the proxy headers, added in the missing headers and all works well.

Thanks!

In case someone runs into this issue, the proxy pass headers I was missing:

proxy_set_header HOST $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

system · November 30, 2019, 5:23am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Issues with force https, proxy and invitations Support	8	1041	August 12, 2020
Moved site behind proxy, favicon and header not using https anymore Support	11	2123	May 26, 2020
Changing force_https does not update the url of uploaded images causing a mixed content warning Bug	7	1289	December 14, 2020
Insecure fonts requests Support	10	1202	May 28, 2023
403 Forbidden on Logins (started after update to latest version) Support	6	3669	November 11, 2016

403 Error when changing any settings after enabling force_https with proxy

Related topics