tickets #64722

http://opensuse.org + https://opensuse.org -> 403 Forbidden

Added by alex@bihlmaier.at over 1 year ago. Updated over 1 year ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: -
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Description

 
Hi!

Currently:
http://opensuse.org + https://opensuse.org results in a "403 Forbidden"

thal

History

#1 Updated by cboltz over 1 year ago

Thanks for the report!

The strange thing is - I just tested, and both work and redirect me to https://www.opensuse.org/
Maybe it was just a temporary problem.

Can you please check again?
If it's still broken for you, please also provide the output of host opensuse.org

#2 Updated by alex@bihlmaier.at over 1 year ago

Of course:

opensuse.org has address 130.57.66.19
opensuse.org has IPv6 address 2620:113:80c0:8::19
opensuse.org mail is handled by 42 mx1.suse.de.
opensuse.org mail is handled by 42 mx2.suse.de.

The problem is still there…

acb@appel ~ % curl http://opensuse.org

403 Forbidden

403 Forbidden
nginx

thal

On 22 March 2020 at 14:28:14, admin@opensuse.org wrote:

[openSUSE Tracker]
Issue #64722 has been updated by cboltz.

Thanks for the report!

The strange thing is - I just tested, and both work and redirect me to https://www.opensuse.org/
Maybe it was just a temporary problem.

Can you please check again?
If it's still broken for you, please also provide the output of host opensuse.org


tickets #64722: http://opensuse.org + https://opensuse.org -> 403 Forbidden
https://progress.opensuse.org/issues/64722#change-286953


#3 Updated by pjessen over 1 year ago

  • Private changed from Yes to No

I can confirm, I also see a 403 from nginx.

#4 Updated by cboltz over 1 year ago

Interesting[tm].

I get exactly the same output for host opensuse.org, which means we can rule out DNS issues.

However, for curl I get different results (also tested with curl -4 and curl -6 to cover IPv4 and IPv6):

curl http://opensuse.org
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://www.opensuse.org/">here</a>.</p>
<hr>
<address>Apache Server at opensuse.org Port 80</address>
</body></html>

Besides the obvious difference that I get a redirect instead of a forbidden, also note that I got Apache Server while you see nginx.

Part of the problem is that this domain/redirect is still hosted by MF-IT, which means that I don't have much insight into the technical details (for example, if there are multiple servers behind this IP). It also makes it very hard to get anything clarified or fixed :-(

#5 Updated by pjessen over 1 year ago

wget -S http://opensuse.org

--2020-03-22 15:31:38--  http://opensuse.org/
Resolving opensuse.org (opensuse.org)... 2620:113:80c0:8::19, 130.57.66.19
Connecting to opensuse.org (opensuse.org)|2620:113:80c0:8::19|:80... connected.
HTTP request sent, awaiting response... 
HTTP/1.1 403 Forbidden
server: nginx
date: Sun, 22 Mar 2020 14:31:38 GMT
content-type: text/html
content-length: 162
2020-03-22 15:31:38 ERROR 403: Forbidden.

wget -4 -S http://opensuse.org

--2020-03-22 15:31:56--  http://opensuse.org/
Resolving opensuse.org (opensuse.org)... 130.57.66.19
Connecting to opensuse.org (opensuse.org)|130.57.66.19|:80... connected.
HTTP request sent, awaiting response... 
HTTP/1.1 301 Moved Permanently
Date: Sun, 22 Mar 2020 14:31:57 GMT
Server: Apache
Location: http://www.opensuse.org/
Content-Length: 294
Keep-Alive: timeout=15, max=1000
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
Location: http://www.opensuse.org/ [following]

So it looks like a poor nginx config for ipv6.

#6 Updated by cboltz over 1 year ago

  • Status changed from New to Resolved

Indeed, another test also gave me the 403 for IPv6.

I just took the quick route and changed the DNS entry - the opensuse.org redirect now gets done by anna/elsa in Nuremberg. This should fix the problem.

Possible risk: /openid - but according to the IRC discussion, that risk should be quite small. And even if I broke it, it would still be better than having http://opensuse.org broken ;-)

Before:

# host opensuse.org
opensuse.org has address 130.57.66.19
opensuse.org has IPv6 address 2620:113:80c0:8::19
opensuse.org mail is handled by 42 mx1.suse.de.
opensuse.org mail is handled by 42 mx2.suse.de.

After:

# host opensuse.org
opensuse.org has address 195.135.221.140
opensuse.org has IPv6 address 2620:113:80c0:8::16
opensuse.org mail is handled by 42 mx2.suse.de.
opensuse.org mail is handled by 42 mx1.suse.de.

The IPs are those of proxy.o.o/redirector.o.o - CNAME doesn't allow other entries, and we need the MX entries.

#7 Updated by lrupp over 1 year ago

pjessen wrote:

So it looks like a poor nginx config for ipv6.

Agreed. I think the reason is Provo...: IPv6 in Provo has been handled as a secondary citizen for years.

I see two possible solutions for the problem:
1) Open a ticket with MF-IT and ask to fix the real problem
2) remove the IPv6 entry on our DNS side and wait until we can/want to move over the www.opensuse.org part.

2 is IMHO the easiest solution - and we might even be able to add a DNS entry pointing to the haproxy in Nuremberg to handle IPv6 traffic, while the backend is configured to re-route all traffic to Provo.

To make it less problematic, we can even go with the following approach:
a) configure the Nuremberg proxy to handle opensuse.org and www.opensuse.org
b) change the IPv6 DNS entry (only IPv6, not IPv4!) to point to proxy-nue.opensuse.org

Once this shows no problem, we might even move the IPv4 entry as well and start looking into correct forwarding rules for authentication and other stuff on the heroes side.

What do you think?

#8 Updated by pjessen over 1 year ago

  • Status changed from Resolved to New

I vote for option 2.

#9 Updated by pjessen over 1 year ago

Christian, your fix doesn't seem to have done much for IPv6? I see o.o resolve:

host opensuse.org
opensuse.org has address 195.135.221.140
opensuse.org has IPv6 address 2620:113:80c0:8::16

But I still get a 403 from nginx.

#10 Updated by cboltz over 1 year ago

  • Status changed from New to Resolved

I found two reasons:

a) there were two conflicting rules in the haproxy config, I removed the wrong one (but then, it worked for IPv4, so maybe the right one had already "won")

b) even after fixing that, I still got the 403. It turned out that nscd was playing games and gave an outdated IP to curl (check curl -v, especially the Trying $IP line) - restarting nscd finally "fixed" it. Note: host already gave me the new IP.

lrupp: given the length of this ticket - would it be better to move handling of www.o.o to a new ticket?
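
The per-address check this thread converges on, as an added example that is not part of the ticket: every A/AAAA record reported by host is probed on its own with curl --resolve, which pins the address and so also bypasses a stale nscd answer. The function names are assumptions of this example, and probe_all needs network access.

```shell
#!/bin/sh
# Added example (not from the ticket): probe each address of a dual-stack
# name separately, as the curl -4/-6 and wget -4 tests in the thread did.

# Pull A and AAAA addresses out of `host NAME` output read on stdin.
addrs_from_host() {
    awk '$2 == "has" && $3 == "address" { print $4 }
         $2 == "has" && $3 == "IPv6"    { print $5 }'
}

# Build a curl --resolve value; IPv6 literals go in brackets.
resolve_arg() {    # usage: resolve_arg NAME PORT ADDR
    case $3 in
        *:*) printf '%s:%s:[%s]\n' "$1" "$2" "$3" ;;
        *)   printf '%s:%s:%s\n' "$1" "$2" "$3" ;;
    esac
}

# Reduce response headers on stdin to "STATUS SERVER" ("-" if missing).
status_and_server() {
    tr -d '\r' | awk 'BEGIN { s = "-"; srv = "-" }
         NR == 1 && $2 != "" { s = $2 }
         tolower($1) == "server:" { srv = $2 }
         END { print s, srv }'
}

# Read "ADDR STATUS SERVER" lines; succeed (exit 0) if the backends differ.
backends_disagree() {
    awk '!seen[$2 " " $3]++ { n++ } END { exit !(n > 1) }'
}

# Needs network: prints one "ADDR STATUS SERVER" line per resolved address.
probe_all() {      # usage: probe_all NAME
    host "$1" | addrs_from_host | while read -r addr; do
        hdrs=$(curl -sS -m 10 -o /dev/null -D - \
            --resolve "$(resolve_arg "$1" 80 "$addr")" "http://$1/") || hdrs=
        printf '%s %s\n' "$addr" "$(printf '%s\n' "$hdrs" | status_and_server)"
    done
}

# Typical use: probe_all opensuse.org | backends_disagree && echo "mismatch"
```
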
