6

Hi, I'm experiencing a super weird problem.
Whenever I post links to my website on Facebook, they come up as Forbidden.
The site itself works great and I have not seen this when linking on other sites.
Could this be a server misconfiguration? Any thoughts on where to look?

Here's some info:
I have a dedicated server running WHM 11.25.0
I have 2 sites hosted here using cPanel 11.25.0

The error msg:

    Forbidden

    You don't have permission to access /blog/deepwater-horizon-11/ on this server.

    Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

    Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at www.offshoreinjuries.com Port 80

UPDATE:
Here is a sample link if it helps (notice that going to the linked page directly works fine):
http://www.facebook.com/l.php?u=http%3A%2F%2Fwww.offshoreinjuries.com%2Fblog%2Fdeepwater-horizon-11%2F&h=834ea

UPDATE and ANSWER:
Found the issue and added a complete answer below.

filip
  • It's hard to see unless you give us the links. Though posting your facebook link here probably isn't a good idea. – Dominic K May 27 '10 at 23:02
  • Thanks DMan, I added a link to my post. It fails as it comes through Facebook's "Be Careful!" page (you may need to be logged out of FB to see it), however the link works fine when accessed directly or when linked on any other site. – filip May 28 '10 at 01:15
  • You have posted the broken link, and what is the proper one? http://www.offshoreinjuries.com/blog/deepwater-horizon-11 works neither from Facebook nor directly – zerkms May 28 '10 at 03:30
  • @zerkms yes, the link you posted is the proper one I am trying to link to. My results are like those of Álvaro G. Vicario, where it works fine everywhere except Facebook – filip May 28 '10 at 13:10

2 Answers

7

You must have a rule somewhere that reads the HTTP_REFERER and rejects incoming links from Facebook. Seriously. This is what happens between the lines:

No referrer

    telnet www.offshoreinjuries.com 80
    HEAD /blog/deepwater-horizon-11/ HTTP/1.1
    Host: www.offshoreinjuries.com

    HTTP/1.1 200 OK
    Date: Fri, 28 May 2010 09:19:45 GMT
    Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
    X-Powered-By: PHP/5.2.12
    X-Pingback: http://www.offshoreinjuries.com/blog/xmlrpc.php
    Content-Type: text/html; charset=UTF-8

200 OK, good.

Facebook referrer

    telnet www.offshoreinjuries.com 80
    HEAD /blog/deepwater-horizon-11/ HTTP/1.1
    Host: www.offshoreinjuries.com
    Referer: http://www.facebook.com/l.php?u=http%3A%2F%2Fwww.offshoreinjuries.com%2Fblog%2Fdeepwater-horizon-11%2F&h=834ea

    HTTP/1.1 403 Forbidden
    Date: Fri, 28 May 2010 09:21:04 GMT
    Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
    Content-Type: text/html; charset=iso-8859-1

403 Forbidden, bad.

Any other referrer

    telnet www.offshoreinjuries.com 80
    HEAD /blog/deepwater-horizon-11/ HTTP/1.1
    Host: www.offshoreinjuries.com
    Referer: http://alvaro.es/

    HTTP/1.1 200 OK
    Date: Fri, 28 May 2010 09:20:36 GMT
    Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
    X-Powered-By: PHP/5.2.12
    X-Pingback: http://www.offshoreinjuries.com/blog/xmlrpc.php
    Content-Type: text/html; charset=UTF-8

200 OK again.

Your server is actively rejecting visitors from Facebook.

Álvaro González
  • Thanks so much Álvaro. I suppose I'll contact my host, since I just migrated to this server and have pretty much not changed anything. But thank you for looking into it and if you think of somewhere I can look to change this behavior, let me know! – filip May 28 '10 at 13:39
  • Have a close look at whatever control panel they provide. You never know :) – Álvaro González May 29 '10 at 08:50
3

I was finally able to get to the bottom of this behavior.
The default mod_security settings of my host, HostGator, include a set of whitelists and blacklists. Upon inspecting these, I found .facebook.com/l.php blacklisted.
l.php is a wrapper page that provides a warning that you are leaving Facebook. As I understand it, since this can be easily exploited, HostGator chose to essentially blacklist all outbound Facebook links.

I fixed my problem by removing .facebook.com/l.php from the mod_security blacklist; however, I could have also just reset my mod_security settings to Default (vs the HostGator config) via a single click in WHM.

filip
  • Is mod_security on by default? I've got a HostGator account and have never had any problems with Facebook referrers (or so I thought). – jasonmp85 May 30 '10 at 00:37
  • See I have 2 dedicated servers with HostGator and on one, mod_security is set to "no config" and only on this more recent server am I seeing some HostGator prepared settings. But as I understand it, mod_security is on by default and should be turned on... It's just that the HostGator blacklist was a little overkill for my needs. I found the setting under "Plugins">"Mod Security">"Edit Config" in WHM. – filip May 30 '10 at 18:21
  • Updating mod_security rules worked for me. I was using CentOS Web Panel on a dedicated server and the default rules caused that. – wmac Nov 05 '19 at 09:46
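
The Referer comparison from the first answer, scripted as an added example (not code from either poster): a constructed local server stands in for a host whose blacklist contains `.facebook.com/l.php`, the entry named in the second answer, and `probe` sends one HEAD request per Referer value. The handler, `probe`, `referer_dependent` and the `example.test` URL are assumptions made for the demo.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

BLACKLIST = [".facebook.com/l.php"]  # blacklist entry quoted in the answer

class Handler(BaseHTTPRequestHandler):
    """Constructed stand-in for a server that filters on the Referer header."""
    def do_HEAD(self):
        referer = self.headers.get("Referer", "")
        blocked = any(entry in referer for entry in BLACKLIST)
        self.send_response(403 if blocked else 200)
        self.end_headers()

    def log_message(self, *args):  # keep the demo output quiet
        pass

def probe(host, port, path, referers):
    """Send one HEAD request per Referer value; return {referer: status}."""
    results = {}
    for referer in referers:
        conn = http.client.HTTPConnection(host, port, timeout=5)
        headers = {"Referer": referer} if referer else {}
        conn.request("HEAD", path, headers=headers)
        results[referer] = conn.getresponse().status
        conn.close()
    return results

def referer_dependent(results):
    """Referers whose status differs from the no-Referer baseline (key None)."""
    baseline = results[None]
    return [r for r, status in results.items() if status != baseline]

def run_demo():
    server = HTTPServer(("127.0.0.1", 0), Handler)  # port 0: any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        referers = [None,  # constructed sample values
                    "http://www.facebook.com/l.php?u=http%3A%2F%2Fexample.test%2F",
                    "http://www.facebook.com/",
                    "http://alvaro.es/"]
        return probe("127.0.0.1", server.server_address[1], "/blog/", referers)
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    results = run_demo()
    for referer, status in results.items():
        print(status, referer or "(no Referer)")
    print("differs from baseline:", referer_dependent(results))
```

Calling `probe` with your own host and port 80 reproduces the telnet sessions; any Referer whose status differs from the no-Referer baseline is being filtered on that header rather than on the URL or the client.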