Laravel / Nginx: 403 forbidden on middleware routes

1
votes

I am having a very frustrating error. I am trying to move my local environment up to a server. It is working fine on my localhost, but I get a 403 forbidden error on all routes that require to be logged in. I can get to /login and login, but accessing the middleware routes spits out the 403.

Sidenote: I am using the same database from local as I am doing on production (Direct IP address instead of localhost). The database is hosted on the same server as production env.

Steps I have taken to move to the production environment:

  • git clone the repo
  • adjust the .env file to reflect production environment (debug false, env production)
  • composer install
  • php artisan storage:link (required for images)
  • setup nginx to the domain

Here are some relevant files:

routes/web.php:

Auth::routes(['register' => false]);

Route::prefix('cms')->middleware('auth')->group(function() {
    Route::get('/', 'Cms\CmsController@index')->name('cms.index');

    Route::post('/upload', 'Cms\PhotoController@storeMedia')->name('photo.storeMedia');

    Route::resource('projects', 'Cms\ProjectController', ['except' => ['store', 'show']]);
    Route::resource('customers', 'Cms\CustomerController', ['except' => ['store']]);
    Route::resource('users', 'Cms\UserController', ['except' => ['store', 'show']]);
});

Route::get('/over-ons', 'Site\SiteController@about')->name('site.about');
Route::get('/portfolio/{id}/{slug}', 'Site\SiteController@project')->name('site.project');
Route::get('/portfolio', 'Site\SiteController@projects')->name('site.projects');
Route::get('/diensten', 'Site\SiteController@services')->name('site.services');
Route::get('/klanten', 'Site\SiteController@customers')->name('site.customers');
Route::get('/contact', 'Site\SiteController@contact')->name('site.contact');
Route::get('/', 'Site\SiteController@index')->name('site.index');

Nginx subblock:

server {
    listen 80;
    root /sites/mediafox/public;
    index index.php index.html index.htm index.nginx-debian.html;

    server_name [removed for privacy];

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
    #   fastcgi_pass 127.0.0.1:9000;
    }

    location ~ /\.ht {
        deny all;
    }
}

ls -l on root (permissions): 

drwxrwxr-x  2 niels    niels      4096 Nov 16 16:44 _dev
drwxrwxr-x  6 niels    niels      4096 Nov 16 16:44 app
-rw-rw-r--  1 niels    niels      1686 Nov 16 16:44 artisan
drwxrwxr-x  3 niels    niels      4096 Nov 16 16:44 bootstrap
-rw-rw-r--  1 niels    niels      1716 Nov 16 16:44 composer.json
-rw-rw-r--  1 niels    niels    208784 Nov 16 16:44 composer.lock
drwxrwxr-x  2 niels    niels      4096 Nov 16 16:44 config
drwxrwxr-x  5 niels    niels      4096 Nov 16 16:44 database
-rw-rw-r--  1 niels    niels    432338 Nov 16 16:44 package-lock.json
-rw-rw-r--  1 niels    niels      1307 Nov 16 16:44 package.json
-rw-rw-r--  1 niels    niels      1297 Nov 16 16:44 phpunit.xml
drwxrwxr-x  6 niels    niels      4096 Nov 16 17:01 public
drwxrwxr-x  6 niels    niels      4096 Nov 16 16:44 resources
drwxrwxr-x  2 niels    niels      4096 Nov 16 16:44 routes
-rw-rw-r--  1 niels    niels       563 Nov 16 16:44 server.php
drwxrwxr-x  6 www-data www-data   4096 Nov 16 16:44 storage
drwxrwxr-x  4 niels    niels      4096 Nov 16 16:44 tests
drwxrwxr-x 49 niels    niels      4096 Nov 16 16:46 vendor
-rw-rw-r--  1 niels    niels       724 Nov 16 16:44 webpack.mix.js

So to conclude: My routes that don't require to be logged in are working fine. The problem arises when I try to visit an url which requires middleware 'auth'.

Any help would be much appreciated.

-- UPDATE 1 --

Seems to be related to Nginx. I have this in my Nginx logs:

2019/11/17 14:40:09 [error] 1525#1525: *335 directory index of "/sites/mediafox/public/cms/" is forbidden, client: [ip removed], server: www.mediafox.*****.nl, request: "GET /cms/ HTTP/1.1", host: "mediafox.******.nl"
1
phplaravelnginx
what´s your session driver? Try setting it to "database". With what you're saying it sounds like session driver is set to "file" and that file could not be written to. - Pavel Lint
if you add the auth middleware to your site.contact route, do you also get the 403? - lagbox
@PavelLint It is on "file", but that's not different than from my local environment. I have tried database, which gives me a 500 server error. - nepp95
@lagbox Tried. Works fine. I also tried /logout before visiting that route. I get the "Whoops, something went wrong" window on that url. - nepp95
@nepp95 for database sessions to work, you need to run php artisan session:table and then php artisan migrate. That should solve your issue - Pavel Lint

1 Answers

1
votes

The problem was having a folder in my public root called 'cms'. This only contained my assets (js/css) but conflicted with the Nginx configuration.

Solution 1 (preferred): Rename this to something that isn't in my routes.

Solution 2: Rename my route

ls -l public/
total 48
drwxr-xr-x  14 niels  staff   448 Nov 18 10:59 .
drwxr-xr-x  29 niels  staff   928 Nov 16 13:51 ..
-rw-r--r--@  1 niels  staff  6148 Oct 31 15:19 .DS_Store
-rw-r--r--   1 niels  staff   593 Oct 31 09:59 .htaccess
drwxr-xr-x   4 niels  staff   128 Nov 11 21:45 cms
-rw-r--r--   1 niels  staff     0 Oct 31 09:59 favicon.ico
drwxr-xr-x  13 niels  staff   416 Nov 13 11:48 fonts
drwxr-xr-x   7 niels  staff   224 Nov 18 10:59 images
-rw-r--r--   1 niels  staff  1823 Oct 31 09:59 index.php
drwxr-xr-x   3 niels  staff    96 Oct 31 14:41 media
-rw-r--r--   1 niels  staff   225 Nov 18 11:50 mix-manifest.json
-rw-r--r--   1 niels  staff    24 Oct 31 09:59 robots.txt
drwxr-xr-x   4 niels  staff   128 Nov 11 21:45 site
lrwxr-xr-x   1 niels  staff    61 Nov 14 09:30 storage -> /Users/niels/Eppostudios/mediafox/mediafox/storage/app/public