NGINX Reverse Proxy - 403 Forbidden PUT requests - can't edit anything when accessing Mapstore via Reverse Proxy


rususo...@gmail.com

Sep 10, 2024, 8:44:53 AM
to mapstore-developers
Hi everyone, 

My mapstore is hosted at http://iasipesteiasi.go.ro/mapstore , hosted on a Debian 23.x system, deployed in a Tomcat 9 webserver, with a PostgreSQL 14 database backend. 
I have tested this behavior using the built-in admin, as well as with a newly created admin user.

Access to the mapstore is provided via NGINX, with the following default sites_enabled configuration:
nginx_configuration.png

If I access the portal from localhost:8080/mapstore_version everything works perfectly fine, the admin user can edit everything as expected. When I try to access Mapstore via the nginx location, it fails to update anything (existing maps, item details, existing users, existing groups).
updating_elements_403_forbidden.png

I can however create new resources, via POST requests items/maps/users from the NGINX accessed mapstore, but not the attributes. Comparing the two ways of accessing the application, I see that PUT requests are being rejected with 403 Forbidden.
updating_elements_403_forbidden_02.png
creating_new_map.png

Any help on how to configure NGINX or Tomcat, or Mapstore to accept my put requests would be great!

Sorin RUSU

Sep 10, 2024, 5:35:45 PM
to mapstore-...@googlegroups.com
Just a small update: there is no http, only https access to the site.


Lorenzo Natali

Sep 11, 2024, 12:38:59 PM
to mapstore-developers
Hi,
I don't know why your configuration does not work in this way. We have several installations with nginx that are working with a similar configuration.
Maybe the auth header is not correctly forwarded or blocked by a firewall or something?
It is strange that you can login (so authorized GET requests work) and the others are not working. 
I found some configurations that can help you, but I should check the log on MapStore to see if it receives the requests and what happens.

rususo...@gmail.com

Sep 12, 2024, 4:57:13 AM
to mapstore-developers
Hi Lorenzo, 

Thanks for reaching out. I have done the following test setup:
- stop tomcat; clean the existing logs;
- start tomcat again and try only the following (GMT+2):
    11:46 - access as guest from NGINX
    11:47 - login using 'administrator'
    11:48 - try to edit the properties of an item (resource ID = 17) - 403 Forbidden
    11:48 - logout
    
    11:51 - access as guest from localhost
    11:52 - login using 'administrator'
    11:52 - try to edit the properties of an item (resource ID = 17) - Success
    11:53 - logout

rususo...@gmail.com

Sep 12, 2024, 4:58:14 AM
to mapstore-developers
Here are the logs in my /opt/tomcat/logs with the above test scenario.
Hope this helps?
tomcat_logs.zip

Lorenzo Natali

Sep 12, 2024, 8:46:53 AM
to mapstore-...@googlegroups.com
Hi,
From the log and the timing you gave me, the requests do not seem to reach MapStore.
I should check if there is a firewall or a configuration of nginx that denies put, patch and delete requests through the proxy pass.


rususo...@gmail.com

Sep 12, 2024, 11:21:59 AM
to mapstore-developers
Hi Lorenzo,

I don't believe there are any firewall/nginx restrictions.
I have created a temporary upload folder in /var/www/html/upload that allows PUT requests perfectly (this means no firewall getting in the way).

This works perfectly: curl -X PUT -d "THIS is some Text" https://iasipesteiasi.go.ro/upload/some_other_text 

Then I can get the file with a get request https://iasipesteiasi.go.ro/upload/some_other_text , also visible in the browser

The same predicates for location /upload I have added them to the /mapstore location, but no luck - I still get 403 Forbidden for put requests to 

I have also added user www-data to the tomcat group, since I don't want to keep DAC_ACCESS as RW for all but still no use. 
Could it be that the Apache Tomcat is the one rejecting the PUT requests?
Seems they can go through NGINX, but not reaching the actual application. 
put_requests_working.png

Lorenzo Natali

Sep 19, 2024, 5:18:18 AM
to mapstore-...@googlegroups.com
Sorry,
I see that in the /mapstore entry you use WebDAV rules that are very suspicious:

dav_methods put 
dav_access ...

I think they may deny access or conflict with the MapStore authentication system. I should remove them.


Lorenzo Natali

Sep 20, 2024, 4:46:46 AM
to mapstore-developers
Hi,
Another thing that you could look at is the body of the 403 Forbidden response. 
Depending on the component that replied, you may see if it is nginx, tomcat or MapStore responding wrongly. 
This could allow you to determine which of these components is denying the access.

Hope it helps.
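
Added example, not part of the thread and not MapStore project code: one way to apply the check suggested in the last message, by matching the body of a saved `curl -i` response against the stock nginx and Tomcat error pages. The function names and the three sample responses are constructed for illustration; customised error pages will not match these markers.

```python
import re

# Markers of the *default* error pages only; a custom error_page (nginx) or a
# reconfigured ErrorReportValve (Tomcat) changes or removes them.
SIGNATURES = [
    ("nginx", re.compile(r"<center>nginx(/[\d.]+)?</center>", re.I)),
    ("tomcat", re.compile(r"HTTP Status 403|Apache Tomcat", re.I)),
]

def split_response(raw):
    """Split `curl -i` output into (status_code, headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def who_answered(raw):
    """Name the component whose default error page matches the 403 body."""
    status, _headers, body = split_response(raw)
    if status != 403:
        return "not-a-403"
    for name, pattern in SIGNATURES:
        if pattern.search(body):
            return name
    # Neither stock page (for example JSON or an empty body): check the
    # application behind Tomcat, or another intermediary, and its logs.
    return "application-or-other"

# Constructed samples. By default nginx does not pass the upstream Server
# header, so all three say "Server: nginx"; only the body tells them apart.
NGINX_403 = ("HTTP/1.1 403 Forbidden\r\nServer: nginx\r\n\r\n"
             "<html>\r\n<head><title>403 Forbidden</title></head>\r\n<body>\r\n"
             "<center><h1>403 Forbidden</h1></center>\r\n"
             "<hr><center>nginx</center>\r\n</body>\r\n</html>\r\n")
TOMCAT_403 = ("HTTP/1.1 403 \r\nServer: nginx\r\n\r\n"
              "<!doctype html><html lang=\"en\"><head>"
              "<title>HTTP Status 403 – Forbidden</title></head><body>"
              "<h3>Apache Tomcat/9.0.x</h3></body></html>")
APP_403 = ("HTTP/1.1 403 \r\nServer: nginx\r\nContent-Type: application/json\r\n"
           "\r\n{\"error\": \"constructed body\"}")

if __name__ == "__main__":
    for label, raw in [("a", NGINX_403), ("b", TOMCAT_403), ("c", APP_403)]:
        print(label, who_answered(raw))
```
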