403 Forbidden on Logins

jsalmeron 2019-03-22 08:57:04 UTC #21

Hi,

We are very sorry for your frustration. Indeed, the bnsupport dump would be helpful to continue understanding the cause of the issue. This is strange as the forbidden issue did not appear when forcing https on my side. However, we will continue finding what the issue is

Best regards,

Javier J. Salmerón

Was my answer helpful? Click on

tchoa91 2019-03-22 10:00:54 UTC #22

Hi there!

Thanks!

I did a new bnsupport-tool dump this morning. It has ID 1680b9fa-7b4c-7088-2306-ee7d130e43f4

I'm looking forward to a better solution

Have a nice day
-- François

jsalmeron 2019-03-25 09:07:59 UTC #23

Hi,

Regarding the 403 Forbidden error, I've seen this in the logs:

...
Can't verify CSRF token authenticity.
  Rendering text template
  Rendered text template (0.0ms)
Filter chain halted as :verify_authenticity_token rendered or redirected
Completed 403 Forbidden in 2ms (Views: 0.6ms | ActiveRecord: 0.0ms)

This error has been reported in the Discourse forums, and this solution worked for nginx https://meta.discourse.org/t/403-forbidden-on-logins-started-after-update-to-latest-version/52800/6

I see that you set used this directive

SetEnvIf x-forwarded-proto https HTTPS=on

Could you try with this instead? (do not forget to set force_https=true to /opt/bitnami/apps/discourse/htdocs/config/site_settings.yml

)

RequestHeader set X_FORWARDED_PROTO 'https' env=HTTPS

Do not forget to restart Apache.

If this still does not work, then I will try reproducing your whole environment. You said that you installed Discourse along with these features:

Google Login
Ad-sense plugin

Right?

Best regards,

Javier J. Salmerón

Was my answer helpful? Click on

tchoa91 2019-03-25 10:42:06 UTC #24

Hello Javier,

I really appreciate you don't give up on me!

But I'm sorry to tell this morning suggestion failed. Too bad, the site is almost error free w/ force_https=true but the 403.

I've edited /opt/bitnami/apps/discourse/conf/httpd-app.conf this way, is it OK?

RequestHeader set X_FORWARDED_PROTO 'https' env=HTTPS
<Directory "/opt/bitnami/apps/discourse/htdocs/public">
#    SetEnvIf x-forwarded-proto https HTTPS=on
    Options -MultiViews
    AllowOverride All
    <IfVersion < 2.3 >
        Order allow,deny
        Allow from all
    </IfVersion>
    <IfVersion >= 2.3>
        Require all granted
    </IfVersion>
...

Then, if you are to reproduce my environment, I gave you all my notes in post #13 & #14 of this topic.
Be careful, some parts are tricky because I've followed your manual but also did corrections to this procedure as in the "Redirect to www" (commenting SSL in httpd-vhosts.conf) and as the last correction I did to "Force https at Apache level" (editing /opt/bitnami/apps/discourse/conf/httpd-vhosts.conf , see post #14). So the force_https=true in discourse settings is the third code added to do the same thing in the procedure I followed...

To summarize, it is a Bitnami Discourse from the GCP Marketplace + akismet & ads plugins + google & twitter logins + force www & https + GTM. Not that fancy, but rocky install.

Also, I will open new topics for the side issues (dirty version & PWA errors) to keep this topic on the 403 issue.

Wish you have a nice day.

jsalmeron 2019-03-26 09:48:49 UTC #25

Hi,

Thanks for the information. I am afraid that it will take me some time to fully replicate your environment. I will let you know as soon as I have more information.

Best regards,

Javier J. Salmerón

Was my answer helpful? Click on

jsalmeron 2019-04-08 15:56:58 UTC #26

Hi,

Ok, I finally got time to dedicate to this case. This is what I've done so far.

Have www and https redirection
Have Google login

I think that should be enough for your use case. Let me go step by step with what I have done (and if it is different from what the documentation says, we will work on improving it)

First I configured the domain using bnconfig

sudo /opt/bitnami/apps/discourse/bnconfig --machine_hostname www.35.204.232.152.nip.io

Then I edited the file /opt/bitnami/apps/discourse/conf/httpd-app.conf

<Directory "/opt/bitnami/apps/discourse/htdocs/public">
    Options -MultiViews
    AllowOverride All
    <IfVersion < 2.3 >
        Order allow,deny
        Allow from all
    </IfVersion>
    <IfVersion >= 2.3>
        Require all granted
    </IfVersion>




   RewriteEngine On
   RewriteCond %{HTTPS} !=on
   RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L]
   RewriteCond %{HTTP_HOST} !^www\. [NC]
   RewriteRule ^(.*)$ https://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    
    PassengerEnabled on
    
    PassengerAppRoot "/opt/bitnami/apps/discourse/htdocs/"
    <IfModule pagespeed_module>
        ModPagespeedDisallow "*"
    </IfModule>
    SetEnv RUBY_GC_MALLOC_LIMIT "90000000"
    #
    # Uncomment the lines below if you are using a CDN:
    #  - https://docs.bitnami.com/aws/apps/discourse/troubleshooting/use-cdn/
    #




    #<FilesMatch "\.(ttf|otf|eot|woff|font.css)$">
    #    <IfModule mod_headers.c>
    #        Header set Access-Control-Allow-Origin "*"
    #    </IfModule>
    #</FilesMatch>








    Include "/opt/bitnami/apps/discourse/conf/banner.conf"
</Directory>
PassengerPreStart http://127.0.0.1:80

Then I configured Let's Encrypt with a valid certificate

sudo ./generate-certificate.sh -m fake_mail@bitnami.com -d www.35.204.232.152.nip.io

Then I checked that https is working

As you can see, the favicon works.

Regular login also works

Then I followed the instructions to set Google OAuth2 here: https://meta.discourse.org/t/configuring-google-login-for-discourse/15858
As you can see here, it also works

All the steps were done in a fresh instance. Could you try following them as well?

Best regards,

Javier J. Salmerón

Was my answer helpful? Click on

tchoa91 2019-04-09 09:36:56 UTC #27

Hello @jsalmeron

I am very disappointed with your message because this is not what you told me:

Here, you give me another short install procedure that doesn't fix my current state issue.
If I follow you, I should make a third install attempt while I don't know if I can nor how to transfert the current data of the forum to a new one (is the archive file enough?)
Meanwhile, I've learnt that the upgrade of the Bitnami Discourse version is far more complexe than a one button push.

With all that I wonder that is the benefice of your version versus the original official repo.
If I need to block (and loose) time to do another install and transfert the data, I think I'm going to give a try to the original developers' procedure.

I am sorry to write you that because you were very kind to me. But I choose your solution to spare me work at install and updates, and it looks that it's not the case. Plus, it is obvious that your documentation leaded me to failure (twice).

I will provide followup here anyway.
Best regards,
-- François

jsalmeron 2019-04-11 08:45:11 UTC #28

Hi,

We are very sorry that you didn't have a good experience with the stack. We strive to improve the user experience in every release of the stack, but from this case we can see that there are things that we should improve. I didn't go that far in the installation because I could see that, in the configuration for HTTPS and www we did different things and that probably caused the issue that you were experiencing. We are very grateful from all your feedback, and if there is anything we can do to help, please let us know.

Best regards,

Javier J. Salmerón

Was my answer helpful? Click on

system 2019-04-25 08:45:17 UTC #29

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Bitnami provides free all-in-one installers, virtual machines and cloud images for popular open source applications. Get them now!