Return custom 403 error page with nginx
Asked Answered
R

4

16

Im trying to display the error page in /temp/www/error403.html whenever a 403 error occurs.

This should be whenever a user tries to access the site via https (ssl) and it's IP is in the blovkips.conf file, but at the moment it still shows nginx's default error page. I have the same code for my other server (without any blocking) and it works.

Is it blocking the IP from accessing the custom 403 page? If so how do I get it to work?

server  {
    # ssl
    listen               443;
    ssl                  on;
    ssl_certificate      /etc/nginx/ssl/site.in.crt;
    ssl_certificate_key  /etc/nginx/ssl/site.in.key;
    keepalive_timeout    70;

    server_name localhost;


    location / {
            root   /temp/www;
            index  index.html index.htm;
}

# redirect server error pages to the static page
error_page   403  /error403.html;
# location = /error403.html {
#         root   /temp/www;
# }

    # add trailing slash if missing
    if (-f $document_root/$host$uri) {
            rewrite ^(.*[^/])$ $1/ permanent;
    }      

    # list of IPs to block
    include blockips.conf;
}

Edit: Corrected error_page code from 504 to 403 but I still have the same issue

Rarely answered 25/6, 2010 at 15:9 Comment(0)
R
23

I did heaps of googling before coming here but did some more just now, within 5 minutes I had my answer :P

Seems I'm not the only person to have this issue:

error_page 403 /e403.html;
  location = /e403.html {
  root   html;
  allow all;
}

http://www.cyberciti.biz/faq/unix-linux-nginx-custom-error-403-page-configuration/

Seems that I was right in thinking that access to my error page was getting blocked.

Rarely answered 1/7, 2010 at 1:8 Comment(0)
V
3

The problem might be that you're trying to server a 403 "Forbidden" error from a webserver that they are forbidden from accessing. Nginx treats the error_page directive as an internal redirect. So it is trying to server https://example.com/error403.html which is also forbidden.

So you need to make the error page not served out of https like this:

error_page  403   http://example.com/error403.html

or add the necessary "access allowed" options to the location for the error page path. The way to test this is to access the /error403.html page directly. If you can't accesses that way, it isn't going to work when someone gets an actual 403 error.

Violante answered 1/7, 2010 at 18:56 Comment(0)
C
2

I had the same issue... The point is that i've implemented ip whitelist at server context level (or vhost level if you prefer), so every locations will have this as well (basicaly /403.html won't be accessible) :

server {
  listen       *:443 ssl;
  server_name  mydomain.com ;
  error_page 403 /403.html;
  .....
  if ($exclusion = 0) { return 403; } #implemented in another conf.d files (see below)
  location ~ \.php$ {
    root          /var/www/vhosts/mydomain.com/httpdocs;
    include       /etc/nginx/fastcgi_par
    fastcgi_pass  127.0.0.1:9000;
    fastcgi_connect_timeout 3m;
    fastcgi_read_timeout 3m;
    fastcgi_send_timeout 3m;
  }
  location /403.html {
    root      /usr/share/nginx/html;
    allow all;
  }

  ...
}

Exclusion conf.d file sample:

geo $exclusion {
  default 0;
  10.0.0.0/8  Local network
  80.23.120.23 Some_ip
  ...
}

To fix that simply do your return 403 at location level (context):

server {
  listen       *:443 ssl;
  server_name  mydomain.com ;
  error_page 403 /403.html;
  .....
  location ~ \.php$ {
    if ($exclusion = 0) { return 403; } 
    root          /var/www/vhosts/mydomain.com/httpdocs;
    include       /etc/nginx/fastcgi_par
    fastcgi_pass  127.0.0.1:9000;
    fastcgi_connect_timeout 3m;
    fastcgi_read_timeout 3m;
    fastcgi_send_timeout 3m;
  }
  location /403.html {
    root      /usr/share/nginx/html;
    allow all;
  }

  ...
}

Works for me.

Corymb answered 22/7, 2016 at 13:41 Comment(0)
S
0

It looks like there's a boo-boo in the listed configuration, as it is only sending error code 503 ("service unavailable") to the custom page, so for 403 ("forbidden") you probably want to use:

error_page 403 /error403.html
Sotos answered 30/6, 2010 at 19:26 Comment(4)
(Here I'm assuming that the blockips.conf file is valid, with each lines like deny 1.2.3.4;.)Sotos
Yes the blockips.conf is correct as far as I know, I only have this uncommented: deny all; (for testing)Rarely
Ok, I edited the config file with 403 not 503 now, done a reboot and I still get default '403 Forbidden nginx' any other ideas?Rarely
I just tried putting all the error codes (400-599 ex 499) and I still get the default nginx error page.Rarely

© 2022 - 2024 — McMap. All rights reserved.