openSUSE admin

Thanks for the report!

The strange thing is - I just tested, and both work and redirect me to https://www.opensuse.org/
Maybe it was just a temporary problem.

Can you please check again?
If it's still broken for you, please also provide the output of host opensuse.org

Of course:

opensuse.org has address 130.57.66.19

opensuse.org has IPv6 address 2620:113:80c0:8::19
opensuse.org mail is handled by 42 mx1.suse.de.
opensuse.org mail is handled by 42 mx2.suse.de.

The problem is still there…

acb@appel ~ % curl http://opensuse.org

403 Forbidden

403 Forbidden
nginx

thal

Am 22. März 2020 bei 14:28:14, admin@opensuse.org (admin@opensuse.org(mailto:admin@opensuse.org)) schrieb:

[openSUSE Tracker]
Issue #64722 has been updated by cboltz.

Thanks for the report!

The strange thing is - I just tested, and both work and redirect me to https://www.opensuse.org/
Maybe it was just a temporary problem.

Can you please check again?
If it's still broken for you, please also provide the output of host opensuse.org

---

tickets #64722: http://opensuse.org + https://opensuse.org -> 403 Forbidden
https://progress.opensuse.org/issues/64722#change-286953

• Author: alex@bihlmaier.at
• Status: New
• Priority: Normal
• Assignee:
• Category:

* Target version:¶

Hi!

Currently:
http://opensuse.org + https://opensuse.org results in a "403 Forbidden“

thal

--
You have received this notification because you have either subscribed to it, or are involved in it.
To change your notification preferences, please click here: http://progress.opensuse.org/my/account

Interesting[tm].

I get exactly the same output for host opensuse.org, which means we can rule out DNS issues.

However, for curl I get different results (also tested with curl -4 and curl -6 to cover IPv6 and IPv6):

curl http://opensuse.org
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://www.opensuse.org/">here</a>.</p>
<hr>
<address>Apache Server at opensuse.org Port 80</address>
</body></html>

Besides the obvious difference that I get a redirect instead of a forbidden, also note that I got Apache Server while you see nginx.

Part of the problem is that this domain/redirect is still hosted by MF-IT, which means that I don't have much insight to the technical details (for example, if there are multiple servers behind this IP). It also makes it very hard to get anything clarified or fixed :-(

wget -S http://opensuse.org

--2020-03-22 15:31:38--  http://opensuse.org/
Resolving opensuse.org (opensuse.org)... 2620:113:80c0:8::19, 130.57.66.19
Connecting to opensuse.org (opensuse.org)|2620:113:80c0:8::19|:80... connected.
HTTP request sent, awaiting response... 
HTTP/1.1 403 Forbidden
server: nginx
date: Sun, 22 Mar 2020 14:31:38 GMT
content-type: text/html
content-length: 162
2020-03-22 15:31:38 ERROR 403: Forbidden.

wget -4 -S http://opensuse.org

--2020-03-22 15:31:56--  http://opensuse.org/
Resolving opensuse.org (opensuse.org)... 130.57.66.19
Connecting to opensuse.org (opensuse.org)|130.57.66.19|:80... connected.
HTTP request sent, awaiting response... 
HTTP/1.1 301 Moved Permanently
Date: Sun, 22 Mar 2020 14:31:57 GMT
Server: Apache
Location: http://www.opensuse.org/
Content-Length: 294
Keep-Alive: timeout=15, max=1000
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
Location: http://www.opensuse.org/ [following]

So it looks like a poor nginx config for ipv6.

pjessen wrote:

So it looks like a poor nginx config for ipv6.

Agreed. I think the reason is Provo...: IPv6 in Provo handled as secondary citizen since years.

I see two possible solutions for the problem:
1) Open a ticket with MF-IT and ask to fix the real problem
2) remove the IPv6 entry on our DNS side and wait until we can/want to move over the www.opensuse.org part.

2 is IMHO the easiest solution - and we might even be able to add a DNS entry pointing to the haproxy in Nuremberg to handle IPv6 traffic, while the backend is configured to re-route all traffic to Provo.

To make it less problematic, we can even go with the following approach:
a) configure the Nuremberg proxy to handle opensuse.org and www.opensuse.org
b) change the IPv6 DNS entry (only IPv6, not IPv4!) to point to proxy-nue.opensuse.org

Once this shows no problem, we might even move the IPv4 entry as well and start looking into correct forwarding rules for authentication and other stuff on the heroes side.

What do you think?

Christian, your fix doesn't seem to have done much for IPv6 ? I see o.o resolve:

host opensuse.org
opensuse.org has address 195.135.221.140
opensuse.org has IPv6 address 2620:113:80c0:8::16

But I still get a 403 from nginx.