

X-Accel-Redirect and "access forbidden by rule"

December 02, 2011 08:55AM
I'm having an issue with turning on support for the X-Accel-Redirect header in DokuWiki, a PHP-based wiki application. The server in question is an Ubuntu 11.10 box with Nginx 1.0.10 and PHP-FPM 5.3.6-13. I posted a request for assistance on the DokuWiki forums, since obviously they're the best suited to help if the problem is with their application, but I wanted to also try the mailing list and see if the Nginx community could suggest a direction I could go in.

DokuWiki has a configuration option to enable serving static content using either X-Sendfile or X-Accel-Redirect, and since the site has more than a few images, I wanted to toggle it on. When I do this and reload a page, I get a page without any CSS or images, and the nginx error.log file shows lots of "access forbidden by rule" errors, both for the CSS file and for the various image files, like this:

2011/11/08 21:01:23 [error] 6693#0: *12 access forbidden by rule, client:, server: www.bigdinosaur.org, request: "GET /mcwiki/lib/exe/css.php?t=vector&tseed=1320807658 HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.soc:", host: "www.bigdinosaur.org", referrer: "http://www.bigdinosaur.org/mcwiki/wiki:genesis_base"


2011/11/08 21:01:23 [error] 6693#0: *12 access forbidden by rule, client:, server: www.bigdinosaur.org, request: "GET /mcwiki/_media/wiki:gb:gb-entrance.jpg?w=500 HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.soc:", host: "www.bigdinosaur.org", referrer: "http://www.bigdinosaur.org/mcwiki/wiki:genesis_base"

When I look at the headers being sent by the server for each request, I don't see anything about X-Accel-Redirect, but that might be because the content isn't being served in the first place. Here's what the headers for each request look like:

GET /mcwiki/_media/wiki:gb:gb-entry.jpg?w=300 HTTP/1.1
Host: www.bigdinosaur.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
DNT: 1
Connection: keep-alive
Referer: http://www.bigdinosaur.org/mcwiki/wiki:genesis_base
Cookie: (redacted)
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 09 Nov 2011 03:04:26 GMT
Content-Type: text/html
Last-Modified: Mon, 07 Nov 2011 23:50:45 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Expires: Thu, 10 Nov 2011 03:04:26 GMT
Cache-Control: public, proxy-revalidate, no-transform, max-age=86400
Content-Disposition: inline; filename="1d2bb3508bcd870b387232726c81cd22.media.300x169.jpg";
Content-Encoding: gzip

I've read through the X-Accel docs as best as I can, and I think that the problem might be that I have no explicitly defined "location" setting for the specific directories that the images and CSS files are stored in, since they are in subdirectories underneath the main DokuWiki root (which does have a location definition).

I also can't understand from the docs if X-Accel can only be used on files whose location is explicitly marked "internal"--the page on the nginx wiki says they "should" be, and various other pages on the web offer contradictory advice.

Making the issue more complex: one of the URIs referenced in the two requests above, "/mcwiki/_media/", is being rewritten to make it look prettier. Here's the relevant rewrite rule:

rewrite ^/mcwiki/_media/(.*) /mcwiki/lib/exe/fetch.php?media=$1 last;

DokuWiki resizes and caches images in a cache directory, and the "fetch.php" file includes some logic to tell DokuWiki if the image it's being asked to serve needs to be sent from the main images directory, or from the cache directory. That's why in the header traffic I pasted above the filename looks nothing like what's being asked for in the GET request.

My first thought was that the rewrite rules were somehow screwing things up, so I removed all of them. However, the "access forbidden" problem remained, with the error messages simply changing to show the non-rewritten URI instead of the prettier one:

2011/11/08 17:11:57 [error] 5124#0: *130 access forbidden by rule, client:, server: www.bigdinosaur.org, request: "GET /mcwiki/lib/exe/fetch.php?w=300&media=wiki:gb:gb-sublevel.png HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.soc:", host: "www.bigdinosaur.org", referrer: "http://www.bigdinosaur.org/mcwiki/doku.php?id=wiki:grande_grinder"

I then thought that perhaps the problem is that there's no explicit location definition for the "/mcwiki/lib/exe" directory or for the "/mcwiki/_media" rewritten location, so I added them into the site config along with a "root" entry for each, and flagged them as "internal" in case X-Accel-Redirect requires that. However, this just caused every request to return a 404 response. Removing the "internal" flag led to more 404s, so I removed the definitions.

Sorry for the long-winded message, but I wanted to get as much info in as possible. Things are working just fine without X-Accel turned on, so worst case I could just leave it off and continue on. However, I'd like to enable it, as there are quite a few images on the wiki and serving them directly out rather than making php-fpm do it could speed things up. Any assistance would be appreciated!
pokrface December 02, 2011 08:55AM
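
Added example (not from the post, and not DokuWiki's or nginx's own configuration): how `deny` and `internal` interact with X-Accel-Redirect. "access forbidden by rule" is the message ngx_http_access_module logs when a `deny` rule matches, and that check also runs on the location an X-Accel-Redirect lands on, while `internal` returns 404 only to requests that arrive from outside. Assumptions: the default DokuWiki layout with data/, conf/, bin/ and inc/ under /mcwiki/, a blanket `deny all` over those directories that the post does not show, and placeholder values for the server name, document root and PHP-FPM socket.

```nginx
server {
    listen 80;
    server_name wiki.example.test;      # placeholder, not the poster's host
    root /var/www;                      # assumed document root

    # Before (assumed): one blanket rule over every protected directory.
    # The internal redirect triggered by X-Accel-Redirect: /mcwiki/data/...
    # is matched against locations like any other URI, hits this rule,
    # and is rejected with "access forbidden by rule". The error log
    # still shows the original fetch.php request line.
    #
    # location ~ ^/mcwiki/(data|conf|bin|inc)/ { deny all; }

    # After: directories that are never served stay denied outright.
    location ~ ^/mcwiki/(conf|bin|inc)/ {
        deny all;
    }

    # The data directory (media and cache files) is reachable only through
    # an internal redirect. External requests for it get 404, so the files
    # stay protected without a deny rule blocking X-Accel-Redirect.
    # "^~" stops regex locations (including \.php$) from taking over.
    location ^~ /mcwiki/data/ {
        internal;
    }

    # Pretty media URLs, as in the post.
    rewrite ^/mcwiki/_media/(.*) /mcwiki/lib/exe/fetch.php?media=$1 last;

    # PHP entry points such as lib/exe/fetch.php must stay externally
    # reachable. Marking this location "internal" makes every client
    # request return 404.
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/path/to/php-fpm.sock;   # placeholder socket path
    }
}
```

With this layout, `nginx -t` validates the syntax, and a direct request for a file under /mcwiki/data/ should return 404 while the same file served through fetch.php returns 200.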
