tags:

views:

404

answers:

2
+1  Q: 

Facebook links to my site resolve as 403 forbidden

Hi I'm experiencing a super weird problem.
Whenever I post links to my website on Facebook, they come up as Forbidden.
The site itself works great and I have no seen this when linking on other sites.
Could this be a server misconfiguration? Any thoughts on where to look?

here's some Info:
I have a dedicated server running WHM 11.25.0
i have 2 sites hosted here using cPanel 11.25.0

the error msg:

Forbidden

You don't have permission to access /blog/deepwater-horizon-11/ on this server.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at www.offshoreinjuries.com Port 80

UPDATE:
Here is a sample link if it helps. (notice going the linked page directly works fine)
http://www.facebook.com/l.php?u=http%3A%2F%2Fwww.offshoreinjuries.com%2Fblog%2Fdeepwater-horizon-11%2F&h=834ea

UPDATE and ANSWER:
Found the issue and added a complete answer below.

+4  A: 

You must have a rule somewhere that reads the HTTP_REFERER and rejects incoming links from Facebook. Seriously. This is what happens between the lines:

No referrer

telnet www.offshoreinjuries.com 80
HEAD /blog/deepwater-horizon-11/ HTTP/1.1
Host: www.offshoreinjuries.com

    HTTP/1.1 200 OK
    Date: Fri, 28 May 2010 09:19:45 GMT
    Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
    X-Powered-By: PHP/5.2.12
    X-Pingback: http://www.offshoreinjuries.com/blog/xmlrpc.php
    Content-Type: text/html; charset=UTF-8

200 OK, good.

Facebook referrer

telnet www.offshoreinjuries.com 80
HEAD /blog/deepwater-horizon-11/ HTTP/1.1
Host: www.offshoreinjuries.com
Referer: http://www.facebook.com/l.php?u=http%3A%2F%2Fwww.offshoreinjuries.com%2Fblog%2Fdeepwater-horizon-11%2F&h=834ea

    HTTP/1.1 403 Forbidden
    Date: Fri, 28 May 2010 09:21:04 GMT
    Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
    Content-Type: text/html; charset=iso-8859-1

403 Forbidden, bad.

Any other referrer

telnet www.offshoreinjuries.com 80
HEAD /blog/deepwater-horizon-11/ HTTP/1.1
Host: www.offshoreinjuries.com
Referer: http://alvaro.es/

    HTTP/1.1 200 OK
    Date: Fri, 28 May 2010 09:20:36 GMT
    Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
    X-Powered-By: PHP/5.2.12
    X-Pingback: http://www.offshoreinjuries.com/blog/xmlrpc.php
    Content-Type: text/html; charset=UTF-8

200 OK again.

Your server is actively rejecting visitors from Facebook.

Álvaro G. Vicario  2010-05-28 09:23:55
Thanks so much Álvaro. I suppose I'll contact my host, since I just migrated to this server and have pretty much not changed anything. But thank you for looking into it and if you think of somewhere I can look to change this behavior, let me know!
filip  2010-05-28 13:39:38
Have a close look at whatever control panel they provide. You never know :)
Álvaro G. Vicario  2010-05-29 08:50:22
+1  A: 

I was finally able to get to the bottom of this behavior.
The default mod_security settings of my host, HostGator include a set of whitelists and blacklists. Upon inspecting these I found .facebook.com/l.php blacklisted.
l.php is a wrapper page that provides a warning that you are leaving facebook. As I understand it since this can be easily exploited, HostGator chose to essentially blacklist all outbound facebook links.

I fixed my problem by removing .facebook.com/l.php from the mod_security blacklist, however I could have also just reset my mod_security settings to Default (vs the HostGator config) via a single click in WHM.

filip  2010-05-29 17:52:21
Is mod_security on by default? I've got a HostGator account and have never had any problems with Facebook referrers (or so I thought).
jasonmp85  2010-05-30 00:37:47
See I have 2 dedicated servers with HostGator and on one, mod_security is set to "no config" and only on this more recent server am I seeing some HostGator prepared settings. But as I understand it, mod_security is on by default and should be turned on... It's just that the HostGator blacklist was a little overkill for my needs. I found the setting under "Plugins">"Mod Security">"Edit Config" in WHM.
filip  2010-05-30 18:21:32

related questions

Does the Facebook REST API allow you to get a friend's phone number?
Hosting a Facebook Application?
My Facebook application's Javascript doesn't work in Google Chrome
Successful sites using Asp.NET and the Facebook API
How do you remove the "box head" in a Facebook application?
Render Self-Closing Tag in ASP.NET custom control derived from Control
What does the new Facebook Connect platform offer over a traditional Facebook App?
I need help creating a modding system in a Facebook Application
New Facebook app - FBML or iFrame?
how much does facebook denormalize their databases to break things up by network and therefore shrink the tables and speed the system?
using a named function as the callback for $.getJSON in jQuery to satisfy Facebook request signing demands
Which Facebook .NET Library is the best to use?
In Facebook app, is there a way to link directly to "join a group"
Facebook Development vs. XNA, Which is Worth Learning?
What's a Good Resource for Learning Facebook Application/Game Development?
Example Facebook Application using TurboGears -- pyFacebook
How to authenticate in a Facebook Flash application?
Facebook RSS application
Using Merb for Facebook Application
How to start facebook app?
Is anyone developing facebook apps on Grails
How do I import facebook friends from another website
Facebook java integration
Developing and Testing a Facebook application
Anyone have a link to a technical discussion of anything akin to the Facebook news feed system?