$ cat post/the-swap-filled-at-last-/-a-port-scan-echoes-back-now-/-the-log-is-silent.md

04APR05

the swap filled at last / a port scan echoes back now / the log is silent

Debugging the Great 403 Forbidden

April 4, 2005. A Tuesday morning, and I’ve been staring at this log for nearly an hour. The server is throwing a 403 Forbidden error on every request to /api/v1/user/profile, but it worked just fine yesterday. How the heck did it suddenly break?

I’m sitting in front of my trusty desktop running Fedora Core 3, with XFree86 4.2.99 and an nVidia card giving me a nice 1024x768 resolution. The terminal is filled with logs from tail -f /var/log/httpd/error_log while I run through the checklist of things to check.

First, permissions on /etc/httpd/conf/httpd.conf. They’re fine; everyone in the group has read and execute rights. Next, user and group ownership on /usr/local/apache2/htdocs/api/v1/user/profile/index.php. Nope, that’s right—ownership is apache:apache, so there’s no permission issue.

What about PHP? I run php -v just to be sure, and it spits out the version 4.3.9. Sweet, nothing wrong with that either. The script itself has all the necessary permissions and isn’t being blocked by any of my custom Apache modules.

Hmm… Could this be an issue with caching? I remember we implemented a simple memcached backend to speed things up, but disabling it shouldn’t affect access control. Yet, just for kicks, I kill off memcached—no change.

This is driving me nuts! It’s got to be something subtle, right? Maybe some recent change in Apache or PHP behavior? Or perhaps… a firewall issue?

I recall we upgraded the server from old good iptables to ipchains last month. Could that have caused this? I dive into /etc/ipchains and see the rules are mostly untouched, but there is one new rule I hadn’t noticed before:

iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT

Ah-ha! That’s it. I remove that rule, save /etc/ipchains, and then reload ipchains with service ipchains restart. No more 403s!

This is the kind of problem that can make your day feel like a never-ending nightmare. But you know what? Sometimes, fixing it feels even better than doing a successful code deployment.

Looking back, I’m reminded that sometimes the most frustrating bugs are those that require stepping outside their usual domain—perhaps where they intersect with network configurations or system services. It’s those moments when you have to think about everything beyond just your application layer.

Today taught me not only how to debug 403 errors but also the importance of keeping a broader perspective on infrastructure issues. And let’s be honest, it was kind of fun to tear apart a server log and figure out what was going on. Even if it took hours!

That’s my tale for today. Back to work!