403 Error when changing any settings after enabling force_https with proxy

Hi, all - I have an issue where if I enable the force_https option (after ensuring everything is on https), I am unable to:

  • change any settings,
  • log out (clicking log out does nothing),
  • or login (sso redirect just takes to logged out home page).

I thought it was a fluke or something I broke initially, so I destroyed the app, dropped all the data, and bootstrapped/started the app again.

With the new app, everything was working great again; I was able to restore from backups, configure all my logos, adjust different settings (change email notification settings, adjust title, customize theme css, etc.), and that there were no SSL errors and brand images were loading in fine.

However, as soon as I enabled the force_https option again, the I started to get all the 403 errors again.

This time I went into the container and disabled the force_https option via the CLI, using:

/var/discourse/launcher enter app
rails c
SiteSetting.force_https = false

As soon as I disabled the option, everything on the site started to function again.

I tried looking through the logs (site_url.com/logs), but there didn’t seem to be much in there other than:

Error: Forbidden
Url: https://site_url.com/assets/ember_jquery-1d5617356dd43f27b8adbf60ccb854a1f5992b9b9f9e51e32ea7287fc9eeb25b.js
Line: 1
Column: 262166
Window Location: https://site_url.com/admin/plugins/chat/discord

which was from an earlier time when I was changing some settings for the discourse-chat-integration plugin.

I am not sure where to go from here and would appreciate any suggestions.

Are you behind any weird proxies?

I am running it on a server with another PHP application, so I am using an Nginx proxy pass; my nginx configuration:

server {
  server_name site_url;
  client_max_body_size 500m;

  location / {

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/site_url/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/site_url/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

server {
    if ($host = site_url) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

  listen 80;
  server_name site_url;
    return 404; # managed by Certbot

I think you are not passing the https through correctly. Search here for solutions.


Completely forgot to set the proxy headers, added in the missing headers and all works well.


In case someone runs into this issue, the proxy pass headers I was missing:

proxy_set_header HOST $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.