403 Forbidden on Logins

tchoa91 2019-03-11 09:45:51 UTC #1

Keywords: Discourse - Google Cloud Platform - Technical issue - Secure Connections (SSL/HTTPS)
bnsupport ID: f8900bb3-20b7-96c6-8e46-b7173cd5e51b
Description:
Bonjour,

I've just installed Discourse version Bitnami v2.2.2 with auto-install on GCP @ https://www.ludgef.com
After setting https up, I cannot login anymore because the server reject the POST with a 403 error.

I tried the solution found here => https://meta.discourse.org/t/403-forbidden-on-logins-started-after-update-to-latest-version/52800/5 but it doesn't work.

Can you please help?

jota 2019-03-11 12:20:36 UTC #2

Hi,

I didn't find anything wrong in the Apache's configuration. However I checked that your http site doesn't work as expected. Checking the configuration, I found that you are not configuring the SSL certificates for your virtual host, can you check if Apache can be restarted properly?

sudo /opt/bitnami/ctlscript.sh restart apache

If it's restarted properly, can you add this line at the beginning of the /opt/bitnami/apps/discourse/httpd-app.conf file

SetEnvIf x-forwarded-proto https HTTPS=on

and restart Apache after that

sudo /opt/bitnami/ctlscript.sh restart apache

Let us know if you find any difference now.

tchoa91 2019-03-11 12:56:47 UTC #3

Hi Jota,

Apache starts properly

Unmonitored apache
Syntax OK
/opt/bitnami/apache2/scripts/ctl.sh : httpd stopped
Syntax OK
/opt/bitnami/apache2/scripts/ctl.sh : httpd started at port 80
Monitored apache

I added the line at beginning of /opt/bitnami/apps/discourse/conf/http-app.conf and restarted apache.
But I still have this in my chrome console (anonymous window)

Failed to load resource: the server responded with a status of 403 (Forbidden)

Notice : Yesterday, I've edited //opt/bitnami/apache2/conf/extra/proxy-html.conf and removed the edit to apply your fix

About the http version, I did set my discourse domain only to https version (don't know how to add another).
But anyway, I want to force users to browse in https ... I have to look for the way to do it

Looking forward for followup, Thank you very much

tchoa91 2019-03-12 08:01:39 UTC #4

Hey!

It's been +36h I am stuck out of my system. I really need to move forward.

Could you please, at least, tell me how to lower some security so I can have access again ?

Thanks again

jota 2019-03-12 10:35:19 UTC #5

Hi @tchoa91,

Could you please let us know how did you set https in the application? We have this guide in our documentation that explains how configure a certificate and how to force HTTPS, did you follow them?

https://docs.bitnami.com/google/apps/discourse/administration/enable-https-ssl-apache/
https://docs.bitnami.com/google/apps/discourse/administration/force-https-apache/

I just checked that there is a box in the Discourse settings that allows you force HTTPS in the application, did you modify that configuration?

Apart from that, did you make any change in the application's conf files (/opt/bitnami/apps/discourse/htdocs/config/discourse.conf and /opt/bitnami/apps/discourse/htdocs/config/database.yml), the app's user interface or its database? It'd helpful if you check the information in those configuration files and let us know the content of the hostname and host_names parameters.

We think that there is a problem in your configuration, we are trying to reproduce it and find the way to recover your site. If you want, you can also post your question in the Discourse's community forum so the app's developers can help you recovering your site. Please note that Bitnami packages and configures already existing applications, however we can only offer support and help on basic and most frequent application configurations. Always based on the default configuration or on our guides.

https://meta.discourse.org/

Thanks

tchoa91 2019-03-12 12:10:04 UTC #6

Hi @jota

Sure! There is a great chance I did something wrong in the configuration. It's my first try on GCP, I know basic web mastering but not as deep as reverse proxy and other security stuff. Also I'm French, so I can make misunderstanding. I'm sorry for the trouble, guys.

First, yes I used the "force https" option in the Discourse settings, but I can't undo it.
Then, I have many pages of your docs from https://docs.bitnami.com/google/apps/discourse/ open for a few days on my browser. I used them to set my forum up until I ran into the issue. But as I said, I have removed those edits because your 1st suggestion was very close to what I did.

To answer your fist question, I did set https up using auto-configure a Let’s Encrypt SSL certificate procedure so I didn't do the procedure described in Enable HTTPS Support With Apache (https: //docs.bitnami.com/google/apps/discourse/administration/enable-https-ssl-apache/) page.
But I was puzzled by your Enable SSL In Discourse (https: //docs.bitnami.com/google/apps/discourse/administration/enable-ssl/) page.
And this morning, I just did the Force HTTPS Redirection With Apache (https ://docs.bitnami.com/google/apps/discourse/administration/force-https-apache/) procedure but it doesn't seems to work.

About the application's conf files, I did some changes there:
- Added

security:
force_https:
default: true

to site_settings.yml as told in Enable SSL In Discourse (https: //docs.bitnami.com/google/apps/discourse/administration/enable-ssl/) page.
- Added my SMTP credentials to discourse.conf as told in Configure SMTP For Outbound Emails (https: //docs.bitnami.com/google/apps/discourse/configuration/configure-smtp/).
- I changed the admin email as told in Modify The Default Administrator Email Address (https: //docs.bitnami.com/google/apps/discourse/configuration/change-default-email/).
That's all, no fancy things.

Of course, I want to use a default configuration but also use all the pro options of your solution: https, analytics, SN logins, spam & ads plugins. My aim is to replace a G+ community.
As for now, I didn't enter that much content, so I don't mind if some or all of the system is reset to default if it can solve my issue faster.

May I link this post inside meta.discourse.org ?

I also wonder : in my DNS ludgef.com is set with an A record when www. ludgef.com is set with a CNAME record. But I'm using www. ludgef.com as my default. Can it be an issue?
When I received your answer, I was checking the firewall in GCP, but everything seems fine there and I'm using 35.187.45.184 as static IPv4 adresse.

I hope to solve this quickly so don't hesitate to ask me for more information or even access.
Best regards
-- François

tchoa91 2019-03-12 12:17:21 UTC #7

I just checked meta ... I have already posted there at the end of this post.

Answer was:

I’m sorry but we don’t support Bitnami installs. You will have to ask their support.

tchoa91 2019-03-13 08:44:51 UTC #8

Hello @jota

It has been another 24h without any directive, lead or try.
I am more and more willing to erase the VM and start it over on a fresh install while you didn't tell me about a whole reset in CL.

You mentioned that the http version doesn't work. I said I wasn't able to set the two version (http & https) as domains for Discourse. To perform that, I used your manuel Update The IP Address Or Hostname (https: //docs.bitnami.com/google/apps/discourse/administration/update-ip-hostname/). Then I noticed that if I do

sudo /opt/bitnami/apps/discourse/bnconfig --machine_hostname http://www.ludgef.com

the https version doesn't work, and if I do

sudo /opt/bitnami/apps/discourse/bnconfig --machine_hostname https://www.ludgef.com

then the http version doesn't work.Is it normal or did I do something wrong there.
I guess I cannot use that commande as I renamed it as told in the manuel, but I can reverse that.

Please, don't let me hanging without instructions or something to try.

Thank you very much for your care.

Best regards
-- François

jota 2019-03-13 10:32:30 UTC #9

Hi @tchoa91,

Yes, it seems that the changes you included in the configuration files of Apache or Discourse broke the application. I just launched a fresh instance and "forced https" using the Discourse admin panel and everything continued working after that, I only needed to use https:// when accessing the website

If you don't have much more information there, I think it'd be easier if you launch a new instance and remove this one. Please note all the changes you make in the instance so we can evaluate and reproduce all of them in case something goes wrong during this first configuration.

Let us know if you have any questions

tchoa91 2019-03-13 11:48:28 UTC #10

Ok @jota I guess it's the best move as nothing evolved for 2 days

And indeed, I have plenty of questions referring to your guide:

a/ About "Getting Started" docs.bitnami.com/google/apps/discourse/get-started/
Do I need to need to connect to phpPgAdmin, postgresql and redis as I don't want to access that level?

b/ Do I need to install plugins before everything else, as in "Configuration" docs.bitnami.com/google/apps/discourse/configuration/ ?

c/ Same page, do I need to do all the Apache, php, phppgadmin, postgresql and redis configuration? I don't know all those modules and stuff, which are mandatory?

d/ Same question for the php, phppgadmin, postgresql and redis pages of "Administration" docs.bitnami.com/google/apps/discourse/administration/ , which are mandatory?

e1/ In "Update The IP Address Or Hostname" docs.bitnami.com/google/apps/discourse/administration/update-ip-hostname/ ,do I need to set it both with the bnconfig tool and the hosts file?

e2/ If I use the bnconfig tool, is it ok to enter

sudo /opt/bitnami/apps/discourse/bnconfig --machine_hostname www .ludgef.com

without http or https? (added a space because I cannot post links)

f1/ I saw my current Discourse version is v2.2.2-dirty. don't you use stable version for production?

f2/ I also saw there a new version 2.3.0.beta4? (still not stable) Shall I update before anything else or after?

g1/ Do I need to do both procedures in "Enable SSL In Discourse" docs.bitnami.com/google/apps/discourse/administration/enable-ssl/ AND in "Enable HTTPS Support With Apache" docs.bitnami.com/google/apps/discourse/administration/enable-https-ssl-apache/ pages? In what order?

g2/ In "Enable SSL In Discourse" docs.bitnami.com/google/apps/discourse/administration/enable-ssl/ , do I need to "Update the HTTPS port entry in the database" as I use default?

g3/ In the same page "Enable SSL In Discourse", I don't understand the phrase "Then, force HTTPS for all Discourse links using one of the following options:" as the following looks more like steps and not options.

h/ Do you think I can remove my current MV in GCP, redo an install and be able to link the new VM to my current fixed external IP, or should I close and keep the old VM until the new one is up and running?

Sorry for this mountain of questions, but I like when I understand

My wish list for this forum is : https only, SN logins, analytics (incl), PWA (incl), Spam & Ads plugins, PageSpeed (opt).

I will proceed in a few hours, leaving some time to answer and I need to do other work now.
I will note my doings as I go.

Thanks again for your precious help

jsalmeron 2019-03-14 17:09:30 UTC #11

First of all, thank you for detailed feedback of our documentation system. It will be very helpful for us to improve

No, you do not have to access phpPgAdmin if you do not need it. It is in the getting started section because several users asked about this kind of access

We are sorry for the misunderstanding. The section is not meant to be a guide where you need to complete all the section. It contains a list of common administration tasks. You should use them when you have the specific need. For example, if you need to install a plugin, then you would enter that specific section.

You need to use the hosts file if you didn't purchase a DNS record.

You do not need to use http or https, it is just for configuring the application domain name.

We use the stable version. I will double check the reason of the -dirty but I guess it is fruit of how we obtained the sources (from their git repository)

I would first have a running discourse with everything you need, then make a backup, and afterwards do the upgrade

As mentioned in the guide

First, configure Apache to enable SSL connections. Then, force HTTPS for all Discourse links using one of the following options:

From the guide

Execute the following SQL command, replacing the NEW_PORT placeholder with the number of the SSL port. If the SSL port is 443, leave the NEW_PORT placeholder empty.

Yes, you are right. They look like steps to me. I will forward this to the documentation team.

I do not know if you had data in the old one. Therefore, my advice would be to remove the old once you are sure that you have everything running in the new one.

Hope it helps, and thanks again for the feedback

Best regards,

Javier J. Salmerón

Was my answer helpful? Click on

tchoa91 2019-03-15 09:54:07 UTC #12

Hello @jsalmeron

I thank you very much for this long and comprehensive answer leaving very little blurry areas.
I was graduate for computing 30 yo, so I started with the open source spirit and never dropped it since. For the majority of my carrier I was a web front-end integrator/developer, and so I always was inbetween the users and the devs. Today I have mostly switch to the users' side. That means I am very happy if I can help you improve your documentation.

For your products, I would have loved to see:
a/ A simple step by step mandatory procedure everyone must do to have the system running
b/ A set of optional "usage aimed" procedures with a short description of the usefulness for every option (eg: set https, apache modules)
c/ A set of "power users" tips that are not needed for normal usage, the majority of your documentation

Your current documentation is great: detailed and illustrated, but it is organized for devs who are familiar with every aspects of the system. I am sure there are other users of your products who are like me: want full control of my publication system, don't want to pay for a lame management, want an open source modern updated system that can be set up technically in about two hours by non specialists. And you are very close to that...

I still didn't have time to do the second install, but I will keep you informed

Thanks again for your support!
I wish a very nice day to you and the Bitnami team
-- François Bacconnet

tchoa91 2019-03-16 13:42:35 UTC #13

Hello, I'm back on business.
It took me a little less than three hours to carefully set all the tech points up. Here are my notes:

Deploy Bitnami Discourse on GCP

1st ID : user MDP : [redacted]

attribute previous static IP to new VM

Install spam & ads plugins w/ docs.bitnami.com/google/apps/discourse/configuration/install-plugins/ w/ errors removing files + long process

added SMTP for Gmail

Modify The Default Administrator Email Address

Auto-Configure A Let's Encrypt Certificate

Force HTTPS Redirection With Apache as the option to Enable SSL In Discourse (then restarted the server)

at this point https: //ludgef.com/ does not display anything because Refused to load the script 'https://ludgef.com/assets/locales/en-86760bbe0e1d4c89b9aae4a321461fdc71c3fc83c271a85c2209d7d1139829c7.js' because it violates the following Content Security Policy directive: "script-src 'unsafe-eval' 'report-sample' http: //www.ludgef.com/logs/ http: //www.ludgef.com/sidekiq/ [..] http: //www.ludgef.com/svg-sprite/". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

So I have to force www. ludgef.com over ludgef.com

Followed Redirect Custom Domains To The Apache Server manual (doubt about the SSL directives there)

Error at apache restart, comment SSL in httpd-vhosts.conf, restart apache OK

First login attempt OK but redirected to http w/o S !!!

Change UserName & Name & Profile pic + Change PW (link not in httpS)

Send me to setup wizard (still unsecured), done

Site working w/o https !!!

Now, I need to set up SN logins + Analytics + Root content

But I am not happy that the site can work without htpps, that the login page doesn't redirect to https not the change your password email. This is not secure!
I won't touch anything anymore about security in the fear to break it again, but I count on you @jota or @jsalmeron to help me fix this

Cheers

tchoa91 2019-03-18 09:45:07 UTC #14

Hello guys,

Here is the following for my notes on installing Discourse by Bitnami

Stop old VM

Configuring Google login for Discourse

Configuring Twitter login (and rich embeds) for Discourse - not finished (twitter dev account pending) https: //meta.discourse.org/t/configuring-twitter-login-and-rich-embeds-for-discourse/13395

https: //meta.discourse.org/t/configuring-facebook-login-for-discourse/13394 (to do, or not cause instabilities)

akismet api key free subscription requires non-commercial use ~~~

add GTM id

Added https: //www.google-analytics.com in content security policy script src in security admin page

Discourse version still v2.2.3-dirty to be updated by v2.3.0-beta5 (doesn't look very stable)

Remove The Bitnami Banner

Still have "Mixed Content" errors in console

Finished Twitter login

Translate FAQ

Add more content & translations

Correction to really force htpps: add rewrite in same file as force www (*)

Correction for Google Login : callback url must not have https

(*) I am really not happy with that:
"Redirect Custom Domains To The Apache Server" manual page breaks the things done in "Force HTTPS Redirection With Apache" manual page. The https is not forced anymore. So I included the "force https" code before the "force www" code in /opt/bitnami/apps/discourse/conf/httpd-vhosts.conf as shown below:

<VirtualHost *:80>
   ServerName www.ludgef.com
   ServerAlias ludgef.com
   RewriteEngine On
   RewriteCond %{HTTPS} !=on
   RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L]
   RewriteCond %{HTTP_HOST} !^www\. [NC]
   RewriteRule ^(.*)$ https://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
   DocumentRoot "/opt/bitnami/apps/discourse/htdocs/public"
     
   Include "/opt/bitnami/apps/discourse/conf/httpd-app.conf"
  </VirtualHost>
  <VirtualHost *:443>
    ServerName www.ludgef.com
    ServerAlias ludgef.com
    RewriteEngine On
    RewriteCond %{HTTP_HOST} !^www\. [NC]
    RewriteRule ^(.*)$ https://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
 
    DocumentRoot "/opt/bitnami/apps/discourse/htdocs/public"
#    SSLEngine on
#    SSLCertificateFile "/opt/bitnami/apps/discourse/conf/certs/server.crt"
#    SSLCertificateKeyFile "/opt/bitnami/apps/discourse/conf/certs/server.key"
    
    Include "/opt/bitnami/apps/discourse/conf/httpd-app.conf"
</VirtualHost>

It almost works because I still have Chrome console errors like:

Mixed Content: The page at 'https://www.ludgef.com/latest' was loaded over HTTPS, but requested an insecure favicon 'http://www.ludgef.com/uploads/default/original/1X/d090b29989fc566b8ad45cce6cce02d138d19814.png'. This request has been blocked; the content must be served over HTTPS.

You can check those errors live, the site is online.
I want to set AdSense up today, and all I'll have to do after that is to reset the SMTP server to something else than Gmail...

What I would like you come back to me about:
- Clear all errors (so my users don't complain about the site not showing a favicon)
- Clear the "not stable" (dirty) version installed issue
- Acknowledge and fix your manual to be more friendly with non-technicians, more linear and without contradiction (like the "force www" removing the things done by "force https")

I thank you very much for your patience and your care.

Have a nice day!
-- François

jsalmeron 2019-03-18 14:19:37 UTC #15

Hi,

Trying to reproduce the issue, I saw that you need to set force_https = true in /opt/bitnami/apps/discourse/htdocs/config/discourse.conf. Then you need to restart Apache.

sudo /opt/bitnami/ctlscript restart

Hope it helps

Best regards,

Javier J. Salmerón

Was my answer helpful? Click on

tchoa91 2019-03-18 17:41:08 UTC #16

Hello @jsalmeron

Are you sure I need to set this in discourse.conf file rather than in site_settings.yml file as recommended in the Enable SSL In Discourse page?

Also, I fear to do that because I think that this is what has triggered the initial 403 errors.

All the best
-- François

jsalmeron 2019-03-20 16:32:33 UTC #17

Hi,

You enabled it in site_settings.xml but you said it didn't work, right? That's the reason I want you to try in that file. In case it triggers the 404 error, it should be a matter of rolling back. If any case, please make a backup first.

Best regards,

Javier J. Salmerón

Was my answer helpful? Click on

tchoa91 2019-03-20 17:28:12 UTC #18

No, I did not. I wrote:

That means that in "Enable SSL In Discourse"page, I did only the option to "Force HTTPS Redirection With Apache", not the other ones. But this was useless because the "Followed Redirect Custom Domains To The Apache Server" procedure voids the previous one, as stated here:

So I didn't touch site_settings.yml. The only thing I did to force HTPPS was in httpd-vhosts.conf file.

Shall I try first to add force_https = true in site_settings.yml or in discourse.conf?
And do I need to do the Update the HTTPS port entry in the database step? (y/n)

Then, I did a backup inside Discourse and downloaded the archive file OK, but do I need to make a snapshot of the VM in GCP?

BTW, I tried to set the adsense plugin up, and I had a ton of errors loading and running the google ads script that were not in the security policy... the ads did not display

Cheers!

jsalmeron 2019-03-21 15:53:41 UTC #19

Hi,

Let us go step by step. Try enabling force_https in the site and let me know if you find any issues.

Best regards,

Javier J. Salmerón

Was my answer helpful? Click on

tchoa91 2019-03-22 00:42:47 UTC #20

OK @jota & @jsalmeron

I am very very unhappy!

Here are my notes:

Added force_https=true to /opt/bitnami/apps/discourse/htdocs/config/site_settings.yml

Favicon ok

No loggin Error 403 !!! and Google loggin also fails

POST https: //www.ludgef.com/session 403 (Forbidden)

Added SetEnvIf x-forwarded-proto https HTTPS=on as 1st line and 2nd line of /opt/bitnami/apps/discourse/conf/httpd-app.conf

Didn't work

Change back force_https to false => success loggins but favicon back NOk

I've managed to make to Google Adsense Ads run by setting all CSP off but I still have errors and warnings on Chrome.

Still, force_https inside Discourse system is bad for me.
Please, give me another solution way, we know this one doesn't work.
Maybe I can change the favicon url in DB to put the https there? or in template?

But please understand I am tired: this is my second install with the same symptoms. I have reproduced the bug, the fault is not on my side. Plus, I gave you my entire procedure.

My site is up and running with a few beta testers and many work done on documentation translations.
I'd like it to be clean (w/ favicon w/o any warning) but can not have loggins issues.

Do you need a new bnsupport dump?

Regards,

Bitnami provides free all-in-one installers, virtual machines and cloud images for popular open source applications. Get them now!