Nginx reverse proxy - .js and .css forbidden
My setup: a raspberry pi which is part of 2 separate LAN's (192.168.1.* and 192.168.2.*), running nginx. I would like to setup nginx as a reverse proxy, so I can access the router of the first LAN from the second LAN. (Direct access to the router from outside its LAN is not possible)
So from a computer in the second LAN (let's say 192.168.2.10) I want to go to the address of the pi in the second LAN (let's say 192.168.2.2), and I want to get forwarded to the web interface of the router in the first LAN (192.168.1.1).
With the setup I did, this works partially: it forwards to the correct location but there are problems loading the site, as for every .js and .css file (which are reference inline in the html that gets loaded) I get a 403 error 'forbidden'.
Accessing the router website directly from the pi works without issues, so the problem is linked to the config of the reverse proxy.
Here's what I have setup and the error messages (what I don't specify means it's at default value/setting)
NGINX CONFIG:
location / {
proxy_bind 192.168.1.2;
include /etc/nginx/mime.types;
default_type application/octet-stream;
proxy_pass http://192.168.1.1/;
}
192.168.1.2 is the address of the pi in the first LAN. 192.168.1.1 is the address of the router (part of the first LAN) I want to access.
Example error I see in the developer console of web browser (this goes for all .js and .css files):
HTTP403: FORBIDDEN - The server understood the request, but is refusing to fulfil it. GET - http://192.168.2.2/css/main.css
Corresponding line in the access.log of nginx:
"GET /css/main.css HTTP/1.1" 403 100 "http://192.168.2.2/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134"
I'm not sure, but in the line above it shows 192.168.2.2 as the referrer. Since the router is in the 192.168.1.* LAN I'm thinking this might be causing the permission issue. Playing with the "proxy_set_header Referer" yields exactly the same results however, so I might be wrong there?
Corresponding html line in the source file (seen when using curl directly from the pi):
<link rel="stylesheet" href="../css/main.css">
I have already tried many different settings (I played with the header Host/Referer/X-Forwarded-For) but the result is always the same. Since it's the built-in management website of the router, I cannot change permissions on these files (I don't think it's necessary as it works fine without using the proxy). I also have no idea what the root folder would be (it's a TP-Link MR400).
Some additional information: if I open a webbrowser on the LAN of the router and manually navigate directly to http://192.168.1.1/css/main.css I also get the 403 Forbidden. Navigating to http://192.168.1.1/ however loads the inline stylesheet without any problems. Hope this helps to identify the permission issue?
What am I missing?
Thank you in advance, Wim
nginx reverse-proxy
asked Dec 29 '18 at 11:55
WimWim
11
add a comment |
My setup: a raspberry pi which is part of 2 separate LAN's (192.168.1.* and 192.168.2.*), running nginx. I would like to setup nginx as a reverse proxy, so I can access the router of the first LAN from the second LAN. (Direct access to the router from outside its LAN is not possible)
So from a computer in the second LAN (let's say 192.168.2.10) I want to go to the address of the pi in the second LAN (let's say 192.168.2.2), and I want to get forwarded to the web interface of the router in the first LAN (192.168.1.1).
With the setup I did, this works partially: it forwards to the correct location but there are problems loading the site, as for every .js and .css file (which are reference inline in the html that gets loaded) I get a 403 error 'forbidden'.
Accessing the router website directly from the pi works without issues, so the problem is linked to the config of the reverse proxy.
Here's what I have setup and the error messages (what I don't specify means it's at default value/setting)
NGINX CONFIG:
location / {
proxy_bind 192.168.1.2;
include /etc/nginx/mime.types;
default_type application/octet-stream;
proxy_pass http://192.168.1.1/;
}
192.168.1.2 is the address of the pi in the first LAN. 192.168.1.1 is the address of the router (part of the first LAN) I want to access.
Example error I see in the developer console of web browser (this goes for all .js and .css files):
HTTP403: FORBIDDEN - The server understood the request, but is refusing to fulfil it. GET - http://192.168.2.2/css/main.css
Corresponding line in the access.log of nginx:
"GET /css/main.css HTTP/1.1" 403 100 "http://192.168.2.2/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134"
I'm not sure, but in the line above it shows 192.168.2.2 as the referrer. Since the router is in the 192.168.1.* LAN I'm thinking this might be causing the permission issue. Playing with the "proxy_set_header Referer" yields exactly the same results however, so I might be wrong there?
Corresponding html line in the source file (seen when using curl directly from the pi):
<link rel="stylesheet" href="../css/main.css">
I have already tried many different settings (I played with the header Host/Referer/X-Forwarded-For) but the result is always the same. Since it's the built-in management website of the router, I cannot change permissions on these files (I don't think it's necessary as it works fine without using the proxy). I also have no idea what the root folder would be (it's a TP-Link MR400).
Some additional information: if I open a webbrowser on the LAN of the router and manually navigate directly to http://192.168.1.1/css/main.css I also get the 403 Forbidden. Navigating to http://192.168.1.1/ however loads the inline stylesheet without any problems. Hope this helps to identify the permission issue?
What am I missing?
Thank you in advance, Wim
nginx reverse-proxy
asked Dec 29 '18 at 11:55
WimWim
11
For people struggling with the same issue: I managed to resolve the issue. The line in the access log kept bugging me since it still said "192.168.2.2" as referer, even when I specified in the configuration that the referer was "192.168.1.2". Just to try, I putproxy_set_header Referer "http://192.168.1.1";in the configuration, and that fixed everything. It seems really weird that this would solve everything, but it does...
– Wim
Dec 29 '18 at 19:23
add a comment |
My setup: a raspberry pi which is part of 2 separate LAN's (192.168.1.* and 192.168.2.*), running nginx. I would like to setup nginx as a reverse proxy, so I can access the router of the first LAN from the second LAN. (Direct access to the router from outside its LAN is not possible)
So from a computer in the second LAN (let's say 192.168.2.10) I want to go to the address of the pi in the second LAN (let's say 192.168.2.2), and I want to get forwarded to the web interface of the router in the first LAN (192.168.1.1).
With the setup I did, this works partially: it forwards to the correct location but there are problems loading the site, as for every .js and .css file (which are reference inline in the html that gets loaded) I get a 403 error 'forbidden'.
Accessing the router website directly from the pi works without issues, so the problem is linked to the config of the reverse proxy.
Here's what I have setup and the error messages (what I don't specify means it's at default value/setting)
NGINX CONFIG:
location / {
proxy_bind 192.168.1.2;
include /etc/nginx/mime.types;
default_type application/octet-stream;
proxy_pass http://192.168.1.1/;
}
192.168.1.2 is the address of the pi in the first LAN. 192.168.1.1 is the address of the router (part of the first LAN) I want to access.
Example error I see in the developer console of web browser (this goes for all .js and .css files):
HTTP403: FORBIDDEN - The server understood the request, but is refusing to fulfil it. GET - http://192.168.2.2/css/main.css
Corresponding line in the access.log of nginx:
"GET /css/main.css HTTP/1.1" 403 100 "http://192.168.2.2/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134"
I'm not sure, but in the line above it shows 192.168.2.2 as the referrer. Since the router is in the 192.168.1.* LAN I'm thinking this might be causing the permission issue. Playing with the "proxy_set_header Referer" yields exactly the same results however, so I might be wrong there?
Corresponding html line in the source file (seen when using curl directly from the pi):
<link rel="stylesheet" href="../css/main.css">
I have already tried many different settings (I played with the header Host/Referer/X-Forwarded-For) but the result is always the same. Since it's the built-in management website of the router, I cannot change permissions on these files (I don't think it's necessary as it works fine without using the proxy). I also have no idea what the root folder would be (it's a TP-Link MR400).
Some additional information: if I open a webbrowser on the LAN of the router and manually navigate directly to http://192.168.1.1/css/main.css I also get the 403 Forbidden. Navigating to http://192.168.1.1/ however loads the inline stylesheet without any problems. Hope this helps to identify the permission issue?
What am I missing?
Thank you in advance, Wim
nginx reverse-proxy
asked Dec 29 '18 at 11:55
WimWim
11
My setup: a raspberry pi which is part of 2 separate LAN's (192.168.1.* and 192.168.2.*), running nginx. I would like to setup nginx as a reverse proxy, so I can access the router of the first LAN from the second LAN. (Direct access to the router from outside its LAN is not possible)
So from a computer in the second LAN (let's say 192.168.2.10) I want to go to the address of the pi in the second LAN (let's say 192.168.2.2), and I want to get forwarded to the web interface of the router in the first LAN (192.168.1.1).
With the setup I did, this works partially: it forwards to the correct location but there are problems loading the site, as for every .js and .css file (which are reference inline in the html that gets loaded) I get a 403 error 'forbidden'.
Accessing the router website directly from the pi works without issues, so the problem is linked to the config of the reverse proxy.
Here's what I have setup and the error messages (what I don't specify means it's at default value/setting)
NGINX CONFIG:
location / {
proxy_bind 192.168.1.2;
include /etc/nginx/mime.types;
default_type application/octet-stream;
proxy_pass http://192.168.1.1/;
}
192.168.1.2 is the address of the pi in the first LAN. 192.168.1.1 is the address of the router (part of the first LAN) I want to access.
Example error I see in the developer console of web browser (this goes for all .js and .css files):
HTTP403: FORBIDDEN - The server understood the request, but is refusing to fulfil it. GET - http://192.168.2.2/css/main.css
Corresponding line in the access.log of nginx:
"GET /css/main.css HTTP/1.1" 403 100 "http://192.168.2.2/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134"
I'm not sure, but in the line above it shows 192.168.2.2 as the referrer. Since the router is in the 192.168.1.* LAN I'm thinking this might be causing the permission issue. Playing with the "proxy_set_header Referer" yields exactly the same results however, so I might be wrong there?
Corresponding html line in the source file (seen when using curl directly from the pi):
<link rel="stylesheet" href="../css/main.css">
I have already tried many different settings (I played with the header Host/Referer/X-Forwarded-For) but the result is always the same. Since it's the built-in management website of the router, I cannot change permissions on these files (I don't think it's necessary as it works fine without using the proxy). I also have no idea what the root folder would be (it's a TP-Link MR400).
Some additional information: if I open a webbrowser on the LAN of the router and manually navigate directly to http://192.168.1.1/css/main.css I also get the 403 Forbidden. Navigating to http://192.168.1.1/ however loads the inline stylesheet without any problems. Hope this helps to identify the permission issue?
What am I missing?
Thank you in advance, Wim
nginx reverse-proxy
nginx reverse-proxy
asked Dec 29 '18 at 11:55
WimWim
11
asked Dec 29 '18 at 11:55
WimWim
11
asked Dec 29 '18 at 11:55
WimWim
11
asked Dec 29 '18 at 11:55
WimWim
11
asked Dec 29 '18 at 11:55
WimWim
11
11
For people struggling with the same issue: I managed to resolve the issue. The line in the access log kept bugging me since it still said "192.168.2.2" as referer, even when I specified in the configuration that the referer was "192.168.1.2". Just to try, I putproxy_set_header Referer "http://192.168.1.1";in the configuration, and that fixed everything. It seems really weird that this would solve everything, but it does...
– Wim
Dec 29 '18 at 19:23
add a comment |
For people struggling with the same issue: I managed to resolve the issue. The line in the access log kept bugging me since it still said "192.168.2.2" as referer, even when I specified in the configuration that the referer was "192.168.1.2". Just to try, I putproxy_set_header Referer "http://192.168.1.1";in the configuration, and that fixed everything. It seems really weird that this would solve everything, but it does...
– Wim
Dec 29 '18 at 19:23
For people struggling with the same issue: I managed to resolve the issue. The line in the access log kept bugging me since it still said "192.168.2.2" as referer, even when I specified in the configuration that the referer was "192.168.1.2". Just to try, I put
proxy_set_header Referer "http://192.168.1.1"; in the configuration, and that fixed everything. It seems really weird that this would solve everything, but it does...– Wim
Dec 29 '18 at 19:23
For people struggling with the same issue: I managed to resolve the issue. The line in the access log kept bugging me since it still said "192.168.2.2" as referer, even when I specified in the configuration that the referer was "192.168.1.2". Just to try, I put
proxy_set_header Referer "http://192.168.1.1"; in the configuration, and that fixed everything. It seems really weird that this would solve everything, but it does...– Wim
Dec 29 '18 at 19:23
add a comment |
0
active
oldest
votes
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1388717%2fnginx-reverse-proxy-js-and-css-forbidden%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
0
active
oldest
votes
0
active
oldest
votes
active
oldest
votes
active
oldest
votes
Thanks for contributing an answer to Super User!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1388717%2fnginx-reverse-proxy-js-and-css-forbidden%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
For people struggling with the same issue: I managed to resolve the issue. The line in the access log kept bugging me since it still said "192.168.2.2" as referer, even when I specified in the configuration that the referer was "192.168.1.2". Just to try, I put
proxy_set_header Referer "http://192.168.1.1";in the configuration, and that fixed everything. It seems really weird that this would solve everything, but it does...– Wim
Dec 29 '18 at 19:23