1. Overview
When working with Web servers, we might often come across a limiting 403 Forbidden error. It usually occurs while looking for a specific resource on the Internet. A Web server commonly returns this error when trying to access a resource for which we don’t have permission. Apart from this, there can be other reasons for its occurrence as well.
In this tutorial, we’ll learn what a 403 Forbidden error is, why it occurs, and how we can fix it as server administrators. These solutions apply to any Web server on Linux, such as Apache and Nginx.
2. What Is 403 Forbidden Error?
The 403 Forbidden error is an HTTP status code that informs us that the Web server understands what we’re looking for but we’re not authorized to access that path or resource. Although it’s a client-side error, it’s not always the client that’s necessarily at fault. The problem can also occur because of the server side.
2.1. Variants of the 403 Forbidden Error
Now, let’s discuss some variants of this error. We may not always encounter a 403 Forbidden error message on a Web server. Instead, we might observe any of the following variants of the 403 Forbidden error:
- HTTP Error 403 – Forbidden
- Error 403 – Forbidden
- HTTP 403
- Error 403
- Access Denied
- Forbidden
- 403 Forbidden – Access to this resource on the server is denied
- 403 Forbidden request forbidden by administrative rules
These were some of the variants of the 403 error.
Furthermore, there are also custom error pages on some websites. The sole purpose of customizing error pages is to provide a better user experience.
2.2. Why Resolving Error 403 Is Crucial
Although the 403 error isn’t usually fatal, it can be crucial for Web administrators to identify and resolve it as soon as possible. Failure to address this error can negatively impact user experience and may harm the site’s reputation.
Resolving the issue in a timely manner should ensure that users have access to the resources they need and maintain the overall integrity of the website.
3. When 403 Forbidden Error Occurs
As mentioned earlier, the 403 Forbidden error can occur due to issues on both the client side and the server side.
So, let’s compile a list of some reasons that can lead to the occurrence of a Forbidden error while attempting to reach a Web server in Linux:
- Incorrect URL: typo in the URL or an outdated URL for accessing the resource
- Incorrect IP Address: sometimes, we can type an incorrect URL which may lead us to another site preventing public access can trigger the 403 error
- Updated Link of Resource: accessing a frequently visited Web server resource, which may indicate that an old link is used
- Incorrect File or Directory Permissions: incorrect filesystem setup on the server side
- Broken Plugins: Web server and Web application plugins can impact access to certain directories
- Missing Index Page: server cannot find the index page or if the default page isn’t named properly
- Misconfiguration of .htaccess File: since they can grant and deny access, due to corruption or misconfiguration, .htaccess files can be the source of a problematic path access
- Misconfiguration of Server Configuration Files: general server configuration files can block access when all other settings are correct
- Invalid Credentials: trying to access the Web server using incorrect or old login credentials
- Limitation of Firewall Rules: trying to access the resource on the Web server via a blocked IP address
While this is a non-comprehensive list, it aims to show the most common causes that can trigger a 403 Forbidden error.
4. How to Resolve 403 Forbidden Error
Let’s discuss some solutions that can resolve the 403 error. In particular, we try to figure out what’s actually causing the issue and then implement a solution to resolve that. However, if we can’t determine the cause, we should implement all the solutions provided below to see what works:
Before implementing server-side solutions, it’s considered good practice to check whether the error can be resolved by implementing a client-side fix, as the error mostly shows up on the client’s end.
4.1. Check for Typos in URL or IP Address
We should double-check the URL or IP address for any typo to ensure we’re trying to access the resource at the correct destination.
If the URL or IP address is correct, we can also try another Web browser to see if the browser was causing the error.
4.2. Clear Browser Cache and Cookies
Web browsers store cache to enhance the loading speed of frequently visited websites and cookies to save user preferences for personalization. However, sometimes the URL or credentials of a resource change, and these caches and cookies may try to access it with the old information, which can result in a Forbidden error. In such cases, clearing the cookies and cache of the web browsers to see if it fixes the error.
4.3. Adjust Permissions and Ownership for Files and Directories
As mentioned earlier, the most common cause of the 403 error is incorrect file and directory permissions.
In particular, for files on the Linux Web server, we need to set read and write permissions for the owner and only read permissions for others (644). On the other hand, for directories, we should set read, write, and execute permissions for the owner and read and execute permissions for others (755).
For instance, we can use the chmod command to change the file permissions of the index.html file of the Nginx web server in Linux:
$ sudo chmod 644 /var/www/html/index.html
In the case of the whole Web root directory of Nginx, we can run another chmod command:
$ sudo chmod 755 /var/www/html
We can also change the permissions of all files present in a specific directory of a Web server by using the find command. However, depending on the current requirements, this command can damage the Web server’s functionality by setting incorrect permissions. We should only run it when sure of the result and the consequences:
$ sudo find /path/to/directory -type f -exec chmod 644 {} \;
In addition, we can adjust the command above to change the permissions of all subdirectories present inside a directory.
To modify the file or directory ownership, we can also use the chown command.
Finally, we restart the server to implement any changes.
4.4. Deactivate Plugins
Sometimes, Web server plugins or plugins of the hosted application can interrupt the function of the site. When possible, we should try to access the problematic resource with all or most plugins deactivated to rule out this cause.
If the error is resolved, then it’s confirmed that the problem lies with the plugins. In this case, try reactivating the plugins one by one to identify which one was causing the error. Once identified, remove it and reinstall it.
4.5. Upload an Index Page
In most situations and environments, we should have the main page for a given path named index.html, index.php, or something similar. However, if this isn’t the case, it can be a cause that triggers the error.
To resolve this, we might need to rename the main page file to index. If we prefer not to do so, we should create an index page and redirect it to the current main page.
4.6. Enter Valid Credentials
If the error is occurring on a login page, we might try to enter valid login credentials manually instead of relying on browser-saved credentials. It might be the case that a browser has old credentials or that they’ve been tampered with in some way. We can also update the password of an existing user on the Web server in Linux.
For instance, to modify the password of an existing user for Apache, we can use the htpasswd command:
$ htpasswd /path/to/.htpasswd username
In the case of an Nginx Web server, we can again use this htpasswd command to change the password of an existing user:
$ htpasswd /etc/nginx/.htpasswd username
This can only be the cause of a 403 error if the page we’re trying to access requires credentials. However, there are cases when a page unexpectedly prompts for credentials.
4.7. Adjust Directives in Server Configuration File
If the error persists, the next step is to analyze the server configuration files to determine if any directives responsible for controlling access to resources are configured incorrectly.
For example, in Apache, we can check the Require directive to understand its access settings. In Nginx, we might review the auth_basic and auth_basic_user_file directives to ensure they’re properly configured.
4.8. Check .htaccess File
Moving forward, we check the .htaccess file which controls various server settings. If misconfigured, missing, or generally corrupt, we might need to apply fixes and reload the server configuration.
4.9. Update Firewall Rules
Lastly, we try accessing the resource after temporarily disabling the firewall. This may resolve the 403 error, as sometimes improperly configured firewall rules can restrict certain IP addresses.
To disable the firewall in many Linux environments, we can use ufw:
$ sudo ufw disable
Of course, there are other implementations with their specific commands as well.
If disabling the firewall helps, it’s important to enable it again and seek out the specific rules that prevent access.
5. Conclusion
The 403 Forbidden error is a common HTTP Status code. There are many causes for this error, including inappropriate file and directory permissions and ownership.
In this article, we’ve also discussed many troubleshooting steps for resolving the 403 Forbidden error.