Simultaneous file uploads return 403 forbidden with nginx, and php-fpm

Question

I have an application that allows simultaneous file uploads via drag and drop. This application currently:

Has 3 versions of it's instance local, staging, production.
Runs php 5.6 on nginx w/php-fpm
Built on the CakePhp2.

Here is the problem I'm having:

I upload 1 image, 1 succeeds, everything works.
I upload 2 images, 1 succeeds, 403 is returned for second upload request.
I upload 3+ images, 1 succeeds, 403 is returned for all other requests, user is logged out of application (session expires)

This happens anytime there are multiple concurrent posts. They do not have to be file uploads.

This feature works on all servers except the staging server. Local dev machines and the production box do not have this issue.

Files are uploaded by drag and drop onto the page. Each file is uploaded via ajax in a separate request.

Size doesn't matter small images fail as well as larger images.

I'm looking for mis-matching config parameters between environments but the difference is not obvious yet. Any ideas what I should check?

My nginx site config:

server {
   listen       *:443 ssl;

   server_name  stagingsite.com ;

   ssl on;
   ssl_certificate           /site.crt;
   ssl_certificate_key       /site.key;
   ssl_session_cache         shared:SSL:10m;
   ssl_session_timeout       5m;
   ssl_protocols             TLSv1 TLSv1.1 TLSv1.2;
   ssl_ciphers               "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-    SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384: ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-   SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-   CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:    AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!  MD5:!PSK:!RC4";
 ssl_prefer_server_ciphers on;
 client_max_body_size 256m;
 index  index.html index.htm index.php;

 access_log            /var/log/nginx/site.access.log;
 error_log             /var/log/nginx/site.error.log;

 root /var/www/site/webroot;

 location / {
    root  /site/webroot;
    try_files $uri $uri/ /index.php$is_args$args;
    autoindex off;     
    index  index.html index.htm index.php;
 }

 location ~ \.php$ {
 set $path_info $fastcgi_path_info;
 fastcgi_index index.php;
 fastcgi_split_path_info ^(.+\.php)(/.*)$;
 try_files $uri $uri/ /index.php$is_args$args;
 include /etc/nginx/fastcgi_params;
 fastcgi_pass 127.0.0.1:9000;
 fastcgi_param SCRIPT_FILENAME $request_filename;
   }

   sendfile off;
}

Can you check your `/etc/nginx/nginx.conf` and see what `client_max_body_size` is? — Darren, Aug 19 '16 at 01:45
I added the config file that sets that parameter in the question. — Layton Everson, Aug 19 '16 at 01:57
It runs perfectly on all dev boxes using it as well as the production server. — Layton Everson, Aug 19 '16 at 07:39

score 0 · Accepted Answer · edited May 23 '17 at 10:28

I discovered the answer to my question. The problem lived within CakePhp2's session configuration. The auto-regenerate option was set to true cause the application to generate a new session id for each request. After the second request came in, it didn't know the new session id. By the time the third request came in the session ID was lost all together.

Resources that led to discover of solution are here:

How to resolve "ajax 403 error forbidden in CAKEPHP 2.x"

CakePHP 403 on AJAX request

I hope this question helps the next guy that comes across something like this.

Simultaneous file uploads return 403 forbidden with nginx, and php-fpm

1 Answers1