This is also what I thought. I have searched the whole nginx etc directory for 403 and deny
/etc/nginx# grep -r '403' .
and the results I got are these snippets:
# Deny bad Referers
if ($http_referer ~* (babes|forsale|girl|jewelry|love|nudit|organic|poker|porn|sex|teen)) {
return 403;
}
...
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
location ~ /\. { access_log off; log_not_found off; deny all; }
# Wordpress uses the robots.txt
location = /robots.txt { access_log off; log_not_found off; }
location = /favicon.ico { access_log off; log_not_found off; }
location ~ ~$ { access_log off; log_not_found off; deny all; }
...
The apps are several, they all follow the "index.php is the controller" paradygm.
# Make sure files with the following extensions do not get loaded by nginx because nginx would display the source code, and these files can contain PASSWORDS!
location ~* \.(engine|inc|ini|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(\..*|Entries.*|Repository|Root|Tag|Template)$|\.php_ {
deny all;
}
location ~ /config.php {
deny all;
}
It's not the UFW firewall as well, because the error shows up even with UFW disabled. So the potential culprit may be php-fpm or some weird nginx option. Here's the master conf file, the others don't specify anything but location