Nginx 403 Forbidden from Webgui after 2.3.3 upgrade

bitslammer · Feb 24, 2017, 12:01 PM

I guess I should have checked to see that 2.3.3 was so new before upgrading.

I'm running an SG-2220 and can't access the webgui after the upgrade. I had to reboot twice just to get traffic passing. I need to make some GeoIP rule changes and can't now that I can't get into the GUI.

Here's what I've tried so far:

Rebooted several times.
Tried restarting webgui and PHP several times from the console.
Restored several old configs with no luck. I think it's an OS issue and not a config issue so this makes sense.

If I understand correctly my only option now is to do a clean install from image and restore my last good config I have backed up on the PC. Is that possible to do from a USB stick? I can't get into SSH so I can't transfer anything. It appears to be an authentication issue. If I do need to restore which image do I use?

This looks like the correct one since my FW has the serial port:

For a system using a serial console, please use:
netgate-memstick-serial-2.2.5-RELEASE-amd64.img.gz

jimp · Feb 24, 2017, 2:05 PM

Do not use 2.2.x on there, 2.3.3 works fine. For the 2220 you need an image that has "ADI" in the filename. If you have registered your 2220 you should be able to login to portal.pfsense.org to download the current factory firmware.

Not sure what that particular error you hit might be though, we haven't seen that happen anywhere else yet. "Forbidden" implies that something changed that prevents nginx from reading the files you requested. You mentioned GeoIP, which means what you changed must have been from a package.

If you still have console access, you might at least try something like this before blowing everything away:

pkg update -f
pkg upgrade -fa

bitslammer · Feb 24, 2017, 8:10 PM

THANK YOU!

It worked. I'll remember to grab the ADI image in the future. The README wasn't too clear on that.

As for the GeoIP change I did that weeks ago and forgot to allow a couple countries that I need. I wasn't able to to that without the GUI.

I figured there had to be some command to force an update. Yours worked fine with the exception that I did an 'pkg upgrade -f' as 'pkg upgrade -fa' gave and error. I'll remember this command in the future.

FTL_Ian · Mar 20, 2017, 5:14 AM

For what it's worth, the upgrade to 2.3.3 on my 2440 also broke as the OP described. Install seemed to go fine through the web admin, but the box never came back up. Tried power cycling a couple times and eventually after hitting the reset button the internet came back on my computers, however I could not access the web admin and was getting the 403 Forbidden. I was able to login via SSH and run:

pkg update -f
pkg upgrade -f

That seems to have me back up and running. That was pretty scary for a while there! Thanks for the helpful thread.