Why is there a 403 error in some images ?

[sergei-kh]

Hello, please tell me.
When I go through a browser to a site page, all product images (in .webp format) are displayed. But when we start checking the site for 404-403 errors, see that for some images a 403 error occurs.

For example:

• /images/cache/uploads/263x283/user_files/461/262x262xbludo-bormioli-rocco-toledo-2.jpg.pagespeed.ic.-Wrafstj_2.webp - path to the picture when going through the browser get a response 200.
• /images/cache/uploads/263x283/user_files/461/262x262xbludo-bormioli-rocco-toledo-2.jpg.pagespeed.ic.sheU75_Rnh.jpg - this path to the same picture only when checking for errors 404-403. I get a 403 error along this path.

Or if I just make a GET request to the server (not via browser) in the received html code will be the path to the image by which I get error 403.

Please tell me why this is happening ? Thank you in advance for your response.

[Lofesa]

Hi
A 403 error sounds more a config error other than a pagespeed issue. If the response was a 404 is more likely a pagespeed issue, most of the cases a ssl misconfiguration....
Can you post nginx and pagespeed config? or share a url for testing?

[sergei-kh]

No, sorry, unfortunately I can't post

[Lofesa]

Not even with anonimized data? for the config files I'll say.
Well... you can try thi https://yourdomain.com/?PageSpeedFilters=+debug
And then take a look to the html code of the page. This url param inject debug messages in the html and maybe you can see some clue.
But my bet is some nginx rule that forbid some url from your site.
Take a look at the nginx log files too

[sergei-kh]

conf.txt
Yes, with anonymous data I can throw it off.
If I add the PageSpeedFilters parameter, a redirect occurs.

[Lofesa]

Hi @SergeyKhlopov
At a first glance you need to enable pagespeed https fecht:

pagespeed FetchHttps enable;
pagespeed SslCertDirectory directory;
pagespeed SslCertFile file;

If the distro is Ubuntu/Debian only SslCertDirectory mus be set, if Centos/RedHat bot, directory and file
These diretory/file are NOT your certificates files (those you configures in SSL nginx directives) but system certificate chain files (think in pagespeed as a web client), normally:
For Ubunty/Debian /etc/ssl/certs
For Centos/RedHat /etc/pki/tls/certs and /etc/pki/tls/cert.pem

Alternativelly you can configure LoadFromFile. https://www.modpagespeed.com/doc/https_support#load_from_file

You use an include file (include includes/deny-files.conf;). What directives do you have here?

I can´t find any reason for the redirect when you use the url parameter for debug. To where you get redirected?

[sergei-kh]

Hi @Lofesa
in includes/deny-files.conf;

location ~ \.(sh|hta|htp|sql|git|env) {
     deny  all;
}

If in CamelCase then redirects.
If like this - https://domain.com/?pagespeedfilters=+debug it's just that there is no debug information in the html

[Lofesa]

location ~ \.(sh|hta|htp|sql|git|env) {
     deny  all;
}

/images/cache/uploads/263x283/user_files/461/262x262xbludo-bormioli-rocco-toledo-2.jpg.pagespeed.ic.sheU75_Rnh.jpg

In the url there is a ".sh" string, maybe this is the origin for the 403?
Can you try to comment the include includes/deny-files.conf; and try if the url works?

I don´t know why the redirection is here, but for sure is a nginx config issue not a pagespeed one.
The url param must be as is it: PageSpeedFilters=+debug, if in lower case it don´t work

Suggestions:

Change ~ .(sh|hta|htp|sql|git|env) to ~ .(sh|hta|htp|sql|git|env)$ The $ sing denotes the end of string.
Change try_files $uri $uri/ /index.php?$args; to try_files $uri $uri/ /index.php?$is_args$args;
Change all return 301 https://domain.com$uri; to return 301 https://domain.com$request_uri;

[sergei-kh]

Thanks a lot =)
now there is no 403 error for pictures

location ~ \.(sh|hta|htp|sql|git|env)$ {
	deny  all;
}

try_files and return haven't edited yet, i don’t understand yet what the difference is, if it’s not difficult for you, could you explain. I will close the question since the problem is solved =)

[sergei-kh]

@Lofesa Can you please tell me.
This is a slightly different question.
For some reason a 302 redirect occurs from pages with a trailing slash to without a slash.
This is a redirect in the config somewhere ? Or need to look elsewhere.

Thank you for your reply.

[Lofesa]

Hi @SergeyKhlopov
Maybe the issue is in the return 301 https://domain.com$uri;
$uri can be "transformed" by nginx, the url can be encoded (f.e. white spaces converted to %20), double slash converted to single and so on, is the "normalized" uri, $request_uri is the "original" uri w/o any change (includes arguments)

[sergei-kh]

Hi @Lofesa
Thanks for the help =)
It turned out that a 302 redirect occurs in the site's script =)
And $uri change on $request_uri