Nginx reverse proxy - .js and .css forbidden



























My setup: a Raspberry Pi which is part of 2 separate LANs (192.168.1.* and 192.168.2.*), running nginx. I would like to set up nginx as a reverse proxy, so I can access the router of the first LAN from the second LAN. (Direct access to the router from outside its LAN is not possible.)



So from a computer in the second LAN (let's say 192.168.2.10) I want to go to the address of the pi in the second LAN (let's say 192.168.2.2), and I want to get forwarded to the web interface of the router in the first LAN (192.168.1.1).



With the setup I did, this works partially: it forwards to the correct location but there are problems loading the site, as for every .js and .css file (which are referenced inline in the HTML that gets loaded) I get a 403 error 'forbidden'.



Accessing the router website directly from the pi works without issues, so the problem is linked to the config of the reverse proxy.



Here's what I have set up and the error messages (what I don't specify means it's at default value/setting):



NGINX CONFIG:



    location / {
        proxy_bind 192.168.1.2;
        include /etc/nginx/mime.types;
        default_type application/octet-stream;
        proxy_pass http://192.168.1.1/;
    }


192.168.1.2 is the address of the pi in the first LAN. 192.168.1.1 is the address of the router (part of the first LAN) I want to access.



Example error I see in the developer console of the web browser (this goes for all .js and .css files):



HTTP403: FORBIDDEN - The server understood the request, but is refusing to fulfil it.  GET - http://192.168.2.2/css/main.css


Corresponding line in the access.log of nginx:



"GET /css/main.css HTTP/1.1" 403 100 "http://192.168.2.2/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134"


I'm not sure, but in the line above it shows 192.168.2.2 as the referrer. Since the router is in the 192.168.1.* LAN I'm thinking this might be causing the permission issue. Playing with the "proxy_set_header Referer" yields exactly the same results however, so I might be wrong there?



Corresponding html line in the source file (seen when using curl directly from the pi):



 <link rel="stylesheet" href="../css/main.css">


I have already tried many different settings (I played with the header Host/Referer/X-Forwarded-For) but the result is always the same. Since it's the built-in management website of the router, I cannot change permissions on these files (I don't think it's necessary as it works fine without using the proxy). I also have no idea what the root folder would be (it's a TP-Link MR400).



Some additional information: if I open a web browser on the LAN of the router and manually navigate directly to http://192.168.1.1/css/main.css I also get the 403 Forbidden. Navigating to http://192.168.1.1/ however loads the inline stylesheet without any problems. Hope this helps to identify the permission issue?



What am I missing?



Thank you in advance, Wim

































  • For people struggling with the same issue: I managed to resolve the issue. The line in the access log kept bugging me since it still said "192.168.2.2" as referer, even when I specified in the configuration that the referer was "192.168.1.2". Just to try, I put proxy_set_header Referer "http://192.168.1.1"; in the configuration, and that fixed everything. It seems really weird that this would solve everything, but it does...

    – Wim
    Dec 29 '18 at 19:23
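
Added example, not part of the original question or comment: the observations above (403 when the stylesheet URL is opened directly, 403 when the Referer names 192.168.2.2, success once the Referer names 192.168.1.1) are consistent with the router comparing the Referer against its own address, which is an assumption here. Under that assumption, this variant of the fix rewrites only the origin of the Referer instead of hard-coding it, so requests that arrive without a Referer are still forwarded without one; the `map` variable name `$router_referer`, the capture name `ref_path` and the `listen` address are illustrative.

```nginx
# Added example (not the poster's configuration). The map block belongs in
# the http {} context.
# Replace the scheme and host of the browser's Referer with the router's own
# origin and keep the path. A request without a Referer maps to the empty
# string, and nginx does not send a proxy_set_header field whose value is empty.
map $http_referer $router_referer {
    default                               "";
    ~^https?://[^/]+(?<ref_path>/.*)?$    http://192.168.1.1$ref_path;
}

server {
    # Assumed: the proxy listens only on the Pi's address in the second LAN.
    listen 192.168.2.2:80;

    location / {
        proxy_bind 192.168.1.2;            # source address in the router's LAN
        proxy_pass http://192.168.1.1/;

        # Host already defaults to $proxy_host (192.168.1.1); only the
        # Referer needs to be rewritten for the router to accept the request.
        proxy_set_header Referer $router_referer;
    }
}
```

With the hard-coded `proxy_set_header Referer "http://192.168.1.1";` every request through the proxy carries a Referer the router accepts; with the `map`, a request that had no Referer reaches the router without one, as it would on the router's own LAN.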
















nginx reverse-proxy
















asked Dec 29 '18 at 11:55









Wim
