I have a problem in trying to do a POST request in my application and I searched a lot, but I did not find the solution.
So, I have a nodeJS application and a website, and I am trying to do a POST request using a form from this site, but I always end up in this:
and in the console I see :
Uncaught TypeError: Cannot read property 'value' of null
Post "http://name.github.io/APP-example/file.html " not allowed
that is in this line of code :
file.html:
<form id="add_Emails" method ="POST" action="">
<textarea rows="5" cols="50" name="email">Put the emails here...
</textarea>
<p>
<INPUT type="submit" onclick="sendInvitation()" name='sendInvitationButton' value ='Send Invitation'/>
</p>
</form>
<script src="scripts/file.js"></script>
file.js:
function sendInvitation(){
var teammateEmail= document.getElementById("email").value;
I read many post and a documentation of cross domain but it did not work.
research source 1:http://enable-cors.org/server.html
research source 2: http://www.w3.org/TR/2013/CR-cors-20130129/#http-access-control-max-age
What I am doing now:
I am trying to POST from a different domain of my server :
POST REQUEST : http://name.github.io/APP-example/file.html , github repository
POST LISTENER : «http://xxx.xxx.x.xx:9000/email , server localhost ( x-> my ip address)
So, I had the same problem in other files, but I fixed it putting this code in the begginning of each route:
var express = require('express');
var sha1 = require('sha1');
var router = express.Router();
var sessionOBJ = require('./session');
var teams = {}
var teamPlayers = []
router.all('*', function(req, res, next) {
res.header("Access-Control-Allow-Origin", "*");
res.header("Access-Control-Allow-Headers", "X-Requested-With");
res.header("Access-Control-Allow-Methods", "PUT, GET,POST");
next();
});
and I fixed it doing it.
Now, I am having the same problem, but in this file the only difference is that I deal with SMTP and emails, so I post an email and send an Email to this email I received in the POST request.
THe code is working totally fine with POSTMAN, so, when I test with POSTMAN it works and I can post.
I included this code below instead of the first one I showed but it did not work as well:
router.all('*', function(req, res, next){
res.header("Access-Control-Allow-Origin", "*")
res.header("Access-Control-Allow-Methods", "POST, GET, OPTIONS")
res.header("Access-Control-Allow-Headers", "Origin, Content-Type, Accept")
res.header("Access-Control-Max-Age", "1728000")
next();
});
Does someone know how to solve it?
Thank you.
If someone comes across an error page on your site, there’s a good chance they’ll get annoyed and leave. This can result in plenty of lost engagement and sales. One particularly common error to be aware of is the “405 Method Not Allowed” message.
This error can be tricky to navigate, as it indicates that something has gone wrong without telling you why it occurred. Fortunately, with a little effort and patience, you can be back up and running before long.
In this post, we’ll explain what a 405 error is and show you the different ways it can appear. We’ll then talk you through some of the ways you can fix this error on your WordPress site. Let’s get to it!
What Is the 405 Method Not Allowed Error?
When you manage a website, it’s almost guaranteed that you’ll run into some kind of common issue eventually. Websites go down, links break, and pages load a little too slowly. Although these occurrences are common, leaving them unattended is likely to result in a poor user experience.
Unfortunately, some problems are more difficult to fix than others. Consider the 405 Method Not Allowed error message, for example. This is an HTTP response status indicating that a web browser has requested access to one of your site’s pages.
In this scenario, your web server has received and recognized the request, but has rejected the specific HTTP method it’s using. In practical terms, this means that the browser can’t access the page it requested. Your site’s visitors will see an error page, rather than the content they were looking for:
Google Chrome
Safari
Firefox
Microsoft Edge
The 405 Method Not Allowed error shouldn’t be confused with the 404 Not Found error. A 404 tells you that the requested URL couldn’t be found or that it was entered incorrectly. A 405 error message, on the other hand, confirms that the requested page does exist (and the URL was input correctly), but an unacceptable HTTP method was used to make the initial request.
405 Method Not Allowed (Short Definition):
The 405 Method Not Allowed error occurs when the web server is configured in a way that does not allow you to perform a specific action for a particular URL. It’s an HTTP response status code that indicates that the request method is known by the server but is not supported by the target resource.
Check Out Our Video Guide to the 405 Method Not Allowed Error
Variations on the 405 Method Not Allowed Error
Although the 405 error message most commonly appears in the form we showed above, various web servers, operating systems, and browsers can present it in numerous ways. The actual cause of the issue is also likely to differ slightly from server to server, which can affect the way the error appears.
Here are just a few of the many different variations you might run across:
- 405 Not Allowed
- Method Not Allowed
- HTTP 405 Error
- HTTP Error 405 – Method Not Allowed
- HTTP 405 Method Not Allowed
Regardless of how they appear, the trouble with 405 errors is that they can be difficult to solve. This is because they let you know that something has gone wrong, but they don’t tell you what the cause of the problem is. In most cases, it’s up to you to find the root cause and repair it if possible.
Are you getting the 405 Method Not Allowed Error with your #WordPress site? Here are 7 ideas to easily fix it! 💡Click to Tweet
How to fix the 405 Method Not Allowed Error on Your WordPress Site (7 Possible Solutions)?
Before we start discussing the possible solutions, you’ll want to create a backup of your site. This will give you something to fall back on if you make a mistake. Many web hosting providers include regular site backups as a part of their plans. If you have a hosting plan here at Kinsta, creating a backup is simple.
Once that’s out of the way, it’s time to begin the troubleshooting process. The methods we’ve outlined below are organized from most likely to fix the problem to least likely, so start from the top and work your way down to achieve the best results.
Without further ado, let’s get started with one of the easier steps on our list.
1. Check to See If You’ve Input the Correct URL
It may sound a little too simple but the most common cause of a 405 Method Not Allowed error is entering the wrong URL. Most web servers are tightly secured and designed to disallow access to improper URLs to prevent users from visiting the wrong pages (or trying to access pages that don’t exist).
Before going any further, therefore, double-check to ensure that you’ve entered the URL of the site you wish to visit correctly. It’s easier than you might think to make mistakes – such as forgetting a letter or misspelling a word. You may also find that simply refreshing the page could prompt it to load correctly.
2. Roll Back Any Recent WordPress Updates
Updates are wonderful things. They typically bring a wealth of exciting new features and can help to fix any ongoing bugs and patch security holes. However, despite their good intentions, updates can occasionally cause some issues.
If you updated WordPress just before the 405 Method Not Allowed error message started to appear, the new code could be the root of the problem. This also applies to any extensions or themes you may have recently upgraded – although we’ll focus more on that aspect in the next section.
If you feel that an update might be at fault, it’s worth reverting back to the previous version of WordPress. As we’ve already touched on, make sure you have a full site backup ready before doing this – you don’t want to make any irreversible changes.
While you can do this manually, the easiest way to roll back WordPress updates is to use a plugin. There are many available options, although WP Downgrade is particularly effective. This plugin will largely automate the process, meaning that you’re less likely to make mistakes.
Having a tool like this in your arsenal also means that you can prevent similar issues from happening in the future. Of course, if rolling back the latest update doesn’t fix the problem, remember to re-update your site or restore your backup.
3. Uninstall New Plugins and Themes
Plugins are an essential part of any WordPress website. They enable you to add a wealth of new features, and can even automate more complex processes. Themes are equally as important. Without them, you’d need a lot of complex coding (or an expensive developer) to create an aesthetically-pleasing site.
Unfortunately, just as with software updates, these extensions can sometimes create problems. This is because adding functionality to your site on any level completely changes the way it operates. There may be an issue with the plugin or theme you’re using, or a specific extension might conflict with another part of your site (or even your WordPress version).
As a result, you may find that uninstalling certain plugins or themes could help to fix the 405 Method Not Allowed error. To begin this process, you’ll need to navigate to the Plugins section of your WordPress dashboard. On this page, you should be able to see a complete list of all the plugins you have installed:
From here, you can begin to uninstall your plugins one at a time. After uninstalling each one, check your website to see if the error has been resolved. This process may take some time to complete, but it will enable you to pinpoint exactly which plugin is causing the problem (if any of them are at fault):
Once you’ve checked over your plugins, you can repeat this process with your active theme. If your theme or one of your plugins turns out to be the issue, you’ll want to either contact the developers, remove the plugin or theme, or look for a replacement. Here’s our guide on how to install a new WordPress theme.
4. Check for Any Unexpected Database Changes
Although the above step should resolve any plugin- or theme-related issues, it doesn’t guarantee that all changes made by your extensions have been fully reverted. This is especially true for many WordPress plugins. They are often given complete access to your database as soon as you hit Install, meaning that their changes go deeper than you might initially think.
Unless the developer explicitly codes against it, a plugin may be able to modify database records that don’t “belong” to it but are instead managed by WordPress itself. In this scenario, the plugin may not know how to revert those alterations to database records, so it will ignore them during the uninstallation process.
Diagnosing this particular problem can be difficult, but if you still suspect that a plugin or theme is the cause of the 405 Method Not Allowed error, checking your database directly is your best course of action. To do that, you’ll need to open your site’s database, and manually look through the tables and records modified by the extension. If you’re not sure what to look for, getting in touch with your developer is a smart idea at this point (as well as for the remaining steps on this list).
5. Confirm Your Server’s Configuration
Your website likely runs on a server that uses one of the two most popular server software options – Apache or Nginx. In fact, together they power 84% of the world’s web servers. Checking your web server software’s configuration files for any unintentional handling instructions may help to determine the root cause of the 405 Method Not Allowed error.
To determine which application your web server is using, you’ll want to look out for a key file. For example, if your web server is running Apache, you should be able to find an .htaccess file within the root directory of your website’s file system.
When your application is on a shared host, you’ll likely have a username associated with your particular account. If that’s the case, the application root directory can typically be found by following this path:
/home/public_html/
Therefore, the .htaccess file would be found at:
/home/public_html/.htaccess
Once you’ve located the .htaccess file, open it up in a text editor and look for lines that use Rewrite directives. These are part of the mod_rewrite module in Apache and define a text-based pattern that will be matched against all entered URLs. If a matching URL is requested by a visitor to your site, the RewriteRule will redirect the visitor appropriately.
To better demonstrate this, here is a simple RewriteRule that matches all incoming requests to https://kinsta.com and responds with a 405 Method Not Allowed error code:
As you can probably see, there’s a flag at the end of the rule marked R=405. This explicitly states that the response code should be 405, indicating to the user that the resource exists, but the provided HTTP method was not allowed. If you find any strange Rewrite directives in the .htaccess file that contain a similar instruction, try temporarily commenting them out using the # character prefix. You can then restart your web server, to see if your change has resolved the issue.
Remember, if you’re a client at Kinsta, we use Nginx servers, not Apache. You can reach out to our support team if you think something might be wrong with your Nginx config.
6. Look Through the Server-Side Logs
Nearly every web application keeps some kind of server-side logs. Application logs usually comprise the complete history of everything the software has done – from the pages it’s requested, to the database results it provides.
Server logs are slightly different, as they’re related to the actual hardware that runs the application. They will often provide details about the health and status of all connected services, or even just the server itself.
To find your WordPress server logs, you’ll want to connect to your site via Secure File Transfer Protocol (SFTP). In the root directory, you will see a folder called logs. Within this folder are your access logs, and your WordPress error logs. They should look a little something like this:
- Access.log
- Error.log
From there, you can begin to follow a similar process to that outlined in the previous step. Look through the logs and take note of anything that looks out of place (or ask your developer to do so). You can also refer to the codex for additional debugging information in WordPress.
7. Debug Your Application Code or Scripts
If none of the previous steps have done the trick, it may be a sign that there’s an issue with some custom code in your WordPress installation. The only way of determining whether this is the cause of the 405 Method Not Allowed error is to debug it.
Ideally, you’ll want to make a copy of the entire installation to an online or local development area – such as a staging site. From there, you can begin to conduct a step-by-step debugging process, which will vary depending on your site and its attached software.
Unfortunately, there’s no quick fix here. You’ll have to be prepared to put in the time to comb each section of your site for anything that looks out of place. Remember, however, that a fully-operational site is worth the hassle.
What to Do if None of These Solutions Work
If you’re still reading, it probably means that the solutions we’ve outlined above still haven’t fixed the 405 Method Not Allowed error. This is usually an indication that a more complex issue has occurred, and is unlikely to be something you can fix personally unless you’re a seasoned developer.
In this scenario, the best thing you can do is often to contact your hosting provider directly. You should have access to 24/7 customer support through a live chat or ticketing service. You may also be able to reach out to your host via email or phone, although opting for live chat is likely to offer a faster solution.
Summary
No matter how carefully-optimized your website might be, it’s nearly inevitable that you’ll encounter at least one error message at some point. It’s important to resolve the issue quickly when this happens, to keep visitors interested in your site. Fortunately, although the 405 Method Not Allowed error can be confusing, it’s often possible to fix it with a little troubleshooting.
Let’s recap the seven methods you can try in order to fix a 405 error on your WordPress site:
- Check to ensure that you’ve entered the correct URL into the address bar.
- Roll back any recent WordPress updates, to distinguish whether that’s causing the issue.
- Uninstall any new plugins or themes one at a time.
- Ensure that there haven’t been any unexpected database changes.
- Confirm your server’s configuration.
- Look through the server-side logs stored by WordPress.
- Attempt to debug your application code or scripts.
Do you have any further questions about the 405 Method Not Allowed error? Or is there another commonly-encountered error message you’d like us to cover? Let us know in the comments section below!
Jun 8, 2022 10:44:17 AM |
405 Method Not Allowed: What It Is and How to Fix It
An overview of what a 405 Method Not Allowed response is, including troubleshooting tips to help you resolve this error in your own application.
The 405 Method Not Allowed is an HTTP response status code indicating that the server received and recognized the specified request HTTP method, but the server rejected that particular method for the requested resource. This code response confirms that the requested resource is valid and exists, but the client has used an unacceptable HTTP method during the request.
Like most HTTP response codes — especially for those that indicate an error — it can be challenging to find the cause of a 405 Method Not Allowed response.
In this article, we’ll examine the 405 Method Not Allowed in more detail. We’ll look at what might cause this message, along with a handful of tips for diagnosing and debugging the appearance of this error within your application. We’ll also examine popular content management systems (CMSs) for potential problem areas that could cause an unexpected 405 Method Not Allowed.
Server- or Client-Side?
All HTTP response status codes in the 4xx category are client error responses. This category contrasts with 5xx classification errors, such as the 503 Service Unavailable Error. These are server error responses. That said, the appearance of a 4xx error doesn’t necessarily mean the issue is on the client-side, where the “client” is the web browser or device being used to access the application.
If you’re trying to diagnose an issue within your application, you can ignore most client-side code and components, such as HTML, cascading style sheets (CSS), client-side JavaScript, etc. This doesn’t apply solely to websites, either. Standard web applications power many smartphone apps that implement a modern-looking user interface.
On the other hand, this doesn’t entirely rule out the server as the actual cause of a 405 error. In some cases, the server may be mishandling requests. This could result in 405 code responses and other problematic traffic routing issues. We’ll explore some of these scenarios (and potential solutions) below. Be aware that, even though the 405 Method Not Allowed is considered a client error response, it doesn’t inherently mean we can rule out the client or the server as the culprit.
Start With a Thorough Application Backup
It is critical that you perform a complete backup of your application before attempting any fixes to the system.
Even better, create a complete copy of the application onto a secondary staging server that isn’t active. This will give you a clean testing ground to test all potential fixes without threatening your live application.
Diagnosing a 405 Method Not Allowed
As discussed in the introduction, a 405 Method Not Allowed indicates that the user agent (the web browser, in most cases) has requested a valid resource using an invalid HTTP method.
This could happen in a few different circumstances:
- The user agent accidentally sent an incorrect HTTP method
- The server is expecting only a handful of valid HTTP methods for the requested resource
Currently, there are nine possible HTTP methods, though some of them are far more prevalent than others. For example, the GET method handles most requests made on the Internet to retrieve data (i.e. “get” a page or resource). The POST method is the second-most common, and it’s typically used to send data to the server (such as login credentials).
Since each possible HTTP method has its own intended uses, it often doesn’t make sense for a server to accept requests using specific methods for particular resources. For example, a resource might exist at the URL https://airbrake.io/users/create, where the server creates a new user when valid credentials are sent via a POST HTTP method request. Therefore, it makes no sense for the server to accept a GET request at that resource/URL, so it may respond with a 405 Method Not Allowed code.
Troubleshooting on the Client-Side
Since the 405 response is a client error response code, it’s best to start troubleshooting any potential client-side issues. Here are a handful of tips to try on the browser or device giving you problems.
Check the Requested URL
The most common cause of a 405 Method Not Allowed is simply inputting an incorrect URL. As discussed before, many web servers will disallow access to improper URLs.
This could be anything from trying to access a file directory via a URL to gaining access to a private page meant for other users. Double-check the exact URL returning the 405 Method Not Allowed error.
Debugging Common Platforms
If you’re running common software packages on the server responding with the 405 Method Not Allowed, you may want to look into the stability and functionality of those platforms.
The most common content management systems (CMSs) — like WordPress, Joomla!, and Drupal — are typically well-tested. Once you start making modifications to the underlying extensions or PHP code, it’s easy to cause unforeseen issues resulting in a 405 error.
Troubleshoot some of these popular software platforms using the tips below.
Rollback Recent Upgrades
Suppose you recently updated the content management system before the 405 Method Not Allowed appeared. You may want to consider rolling back to the previous version you had installed when things were working fine.
Similarly, any extensions or modules you may have recently upgraded can also cause server-side issues, so reverting to previous versions may also help.
Simply Google “downgrade [PLATFORM_NAME] for assistance with this task.” In some cases, however, certain CMSs don’t provide a version downgrade capability, which indicates that they consider the base application and each new version released to be stable and bug-free.
Uninstall New Extensions, Modules, or Plugins
New extensions, modules, and plugins within your CMS all serve the same purpose across every system: improving the capabilities and features of the platform beyond what it’s typically capable of out of the box.
A word of caution: such extensions can take complete control of the system and make virtually any changes. As such, it may be wise to uninstall any new extensions if you suddenly see a 405 error.
Check for Unexpected Database Changes
It’s worth noting that, even if you uninstall an extension through the CMS dashboard, this doesn’t guarantee that changes made by the extension will fully revert. This is particularly true for many WordPress extensions. Some of these extensions are given carte blanche within the application, including full access rights to the database.
For example, some extensions modify database records that don’t “belong” to the extension itself but are instead created and managed by other extensions (or even the base CMS itself). The extension may not know how to revert alterations to database records, so it will ignore such things during uninstallation.
Your best course of action is to open the database and manually look through records that the extension modified.
Troubleshooting on the Server-Side
If you aren’t running a CMS application — or even if you are, but you’re confident the 405 Method Not Allowed error isn’t related to that — here are some additional tips to help you troubleshoot what might be causing the issue on the server-side of things.
Confirm Your Server Configuration
Your application is likely running on a server using one of these three popular webserver software: Apache, nginx, or Cloudflare. At the time of publication, these web servers make up over 86% of the world’s web server software! Check your configuration files for your web server software for unintentional redirect or request handling instructions.
Apache
To determine which web server your application uses, look for a key file. If your web server is Apache, look for an .htaccess file within the root directory of your website file system.
For example, if your application is on a shared host, you’ll likely have a username associated with the hosting account. You can find the application root directory at the path of /home/<username>/public_html/, so the .htaccess file would be at /home/<username>/public_html/.htaccess.
Once you’ve located the .htaccess file, open it in a text editor. Look for lines that use RewriteXXX directives, which are part of the mod rewrite module in Apache. Covering exactly how these rules work is well beyond the scope of this article. However, the basic concept is that a RewriteCond directive defines a text-based pattern that is matched against entered URLs. Suppose a visitor requests a matching URL to the site. In that case, the RewriteRule directive that follows one or more RewriteCond directives is used to perform the actual redirection of the request to the appropriate URL.
For example, here is a simple RewriteRule that matches all incoming GET requests to https://airbrake.io/users/create and responds with a 405 Method Not Allowed error code:
RewriteEngine on
RewriteCond %{REQUEST_URI} ^/users/create/?.*$
RewriteCond %{REQUEST_METHOD} =GET
RewriteRule ^(.*)$ https://airbrake.io/users/new$1 [R=405,L]
Notice the R=405 flag at the end of the RewriteRule, which explicitly states that the response code should be 405. This indicates to user agents that the resource exists, but the provided HTTP method is not allowed. If you find any strange RewriteCond or RewriteRuledirectives in the .htaccess file that doesn’t belong, try temporarily commenting them out (using the # character prefix) and restarting your web server to see if this resolves the issue.
nginx
On the other hand, if your server is running on nginx, you’ll need to look for a completely different configuration file. By default this file is named nginx.conf. It’s located in one of a few common directories: /usr/local/nginx/conf, /etc/nginx, or /usr/local/etc/nginx.
Once located, open nginx.conf in a text editor and look for directives that are using the 405 response code flag. For example, here is a simple block directive (i.e. a named set of directives) that configures a virtual server for airbrake.io and ensures that a POST request to https://airbrake.io/users/create fails and is responded with a 405 response code:
server {
listen 80;
listen 443 ssl;
server_name airbrake.io;
location /users/create {
if ($request_method = POST) {
return 405 https://airbrake.io/users/create$request_uri;
}
}
}
Look through your nginx.conf file for any abnormal directives or lines that include the 405 flag. Comment out any abnormalities. Once that’s done, restart the server and see if the issue is resolved.
Configuration options for each different type of web server can vary dramatically. We’ll just list a few popular ones to give you some resources to look through:
- Apache
- Nginx
- Cloudflare
- IIS
- Node.js
- Apache Tomcat
Look Through the Logs
Nearly every web application will keep some form of server-side logs. Application logs are typically the history of what the application did, such as pages requested, connected servers, database results, etc.
Server logs are related to the actual hardware running the application. Logs will often provide details about the health and status of all connected services or the server itself.
Google “logs [PLATFORM_NAME]” if you’re using a CMS, or “logs [PROGRAMMING_LANGUAGE]” and “logs [OPERATING_SYSTEM]” if you’re running a custom application to get more information on finding the logs in question.
Debug Your Application Code or Scripts
If all else fails, it may be a problem in some custom code within your application. Manually debug your application and parse through application and server logs to diagnose where the issue may be coming from. Or, you can see the error in a manner of seconds using an error monitoring tool.
Airbrake’s error and performance monitoring software provides real-time error monitoring and automatic exception reporting for all development projects. In addition to this, Airbrake integrates with all popular languages and frameworks. Plus, Airbrake makes it easy to customize exception parameters, so you only gather the errors that matter.
See why so many of the world’s best engineering teams use Airbrake to revolutionize their exception handling practices and create your free dev account today.
Note: We published this post in January 2018 and recently updated it in June 2022.
Nginx выдает ошибку 405 Not Allowed, если для доступа к файлам используется запрещенный или не поддерживаемый метод. В большинстве случаев это POST, который в Nginx запрещен для доступа к статическим файлам.
Для решения проблемы можно использовать один из двух подходов.
Обход ограничения
В простейшем случае можно заставить веб-сервер думать, что все хорошо, просто перенаправляя ошибку дальше:
server {
listen 80;
server_name localhost;
location / {
root html;
index index.html index.htm;
}
error_page 404 /404.html;
error_page 403 /403.html;
error_page 405 =200 $uri;
# ...
}
А если Nginx работает как прокси, скажем, для Apache, то можно сделать так:
error_page 405 =200 @405;
location @405 {
root /htdocs;
proxy_pass http://localhost:8080;
}
Когда используется FastCGI
Если в Nginx используется модуль FastCGI, то в некоторых случаях веб-сервер может некорректно воспринимать скрипты, которые вызываются методом POST. Для этого запрашиваемый URL разбивается на адрес самого скрипта и запрашиваемых параметров:
location ~\.php(.*) {
fastcgi_pass 127.0.0.1:9000;
fastcgi_split_path_info ^(.+\.php)(.*)$;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
include /etc/nginx/fastcgi_params;
}
This is the second blog post in our series on deploying NGINX Open Source and NGINX Plus as an API gateway.
-
Part 1 provides detailed configuration instructions for several use cases.
This post extends those use cases and looks at a range of safeguards that can be applied to protect and secure backend API services in production:
- Rate limiting
- Enforcing specific request methods
- Applying fine‑grained access control
- Controlling request sizes
- Validating request bodies
Originally published in 2018, this post has been updated to reflect current best practice for API configuration, using nested
locationblocks to route requests instead of rewrite rules.- Part 3 explains how to deploy NGINX Open Source and NGINX Plus as an API gateway for gRPC services.
Note: Except as noted, all information in this post applies to both NGINX Open Source and NGINX Plus. For ease of reading, the rest of the blog refers simply to “NGINX”.
Rate Limiting
Unlike browser‑based clients, individual API clients are able to place huge loads on your APIs, even to the extent of consuming such a high proportion of system resources that other API clients are effectively locked out. Not only malicious clients pose this threat: a misbehaving or buggy API client might enter a loop that overwhelms the backend. To protect against this, we apply a rate limit to ensure fair use by each client and to protect the resources of the backend services.
NGINX can apply rate limits based on any attribute of the request. The client IP address is typically used, but when authentication is enabled for the API, the authenticated client ID is a more reliable and accurate attribute.
Rate limits themselves are defined in the top‑level API gateway configuration file and can then be applied globally, on a per‑API basis, or even per URI.
In this example, the limit_req_zone directive on line 4 defines a rate limit of 10 requests per second for each client IP address ($binary_remote_addr), and the one on line 5 defines a limit of 200 requests per second for each authenticated client ID ($http_apikey). This illustrates how we can define multiple rate limits independently of where they are applied. An API may apply multiple rate limits at the same time, or apply different rate limits for different resources.
Then in the following configuration snippet we use the limit_req directive to apply the first rate limit in the policy section of the “Warehouse API” described in Part 1. By default, NGINX sends the 503 (Service Unavailable) response when the rate limit has been exceeded. However, it is helpful for API clients to know explicitly that they have exceeded their rate limit, so that they can modify their behavior. To this end we use the limit_req_status directive to send the 429 (Too Many Requests) response instead.
You can use additional parameters to the limit_req directive to fine‑tune how NGINX enforces rate limits. For example, it is possible to queue requests instead of rejecting them outright when the limit is exceeded, allowing time for the rate of requests to fall under the defined limit. For more information about fine‑tuning rate limits, see Rate Limiting with NGINX and NGINX Plus on our blog.
Enforcing Specific Request Methods
With RESTful APIs, the HTTP method (or verb) is an important part of each API call and very significant to the API definition. Take the pricing service of our Warehouse API as an example:
GET/api/warehouse/pricing/item001returns the price of item001PATCH/api/warehouse/pricing/item001changes the price of item001
We can update the URI‑routing definitions in the Warehouse API to accept only these two HTTP methods in requests to the pricing service (and only the GET method in requests to the inventory service).
With this configuration in place, requests to the pricing service using methods other than those listed on line 22 (and to the inventory service other than the one on line 13) are rejected and are not passed to the backend services. NGINX sends the 405 (Method Not Allowed) response to inform the API client of the precise nature of the error, as shown in the following console trace. Where a minimum‑disclosure security policy is required, the error_page directive can be used to convert this response into a less informative error instead, for example 400 (Bad Request).
$ curl https://api.example.com/api/warehouse/pricing/item001
{"sku":"item001","price":179.99}
$ curl -X DELETE https://api.example.com/api/warehouse/pricing/item001
{"status":405,"message":"Method not allowed"}Applying Fine-Grained Access Control
Part 1 in this series described how to protect APIs from unauthorized access by enabling authentication options such as API keys and JSON Web Tokens (JWTs). We can use the authenticated ID, or attributes of the authenticated ID, to perform fine‑grained access control.
Here we show two such examples.
- The first example controls access to a specific API resource, extending a configuration presented in Part 1 and using API key authentication to verify that a given API client is on the allowlist.
- The second example which HTTP methods a client is allowed to use. It implements the JWT authentication method mentioned in Part 1, using a custom claim to identify qualified API clients. (Note that JWT support is exclusive to NGINX Plus.)
Of course, other authentication methods are applicable to these sample uses cases, such as HTTP Basic authentication and OAuth 2.0 token introspection.
Controlling Access to Specific Resources
Let’s say we want to allow only “infrastructure clients” to access the audit resource of the Warehouse API inventory service. With API key authentication enabled, we use a map block to create an allowlist of infrastructure client names so that the variable $is_infrastructure evaluates to 1 when a corresponding API key is used.
In the definition of the Warehouse API, we add a location block for the inventory audit resource (lines 15–20). The if block ensures that only infrastructure clients can access the resource.
Note that the location directive on line 15 uses the = (equals sign) modifier to make an exact match on the audit resource. Exact matches take precedence over the default path‑prefix definitions used for the other resources. The following trace shows how with this configuration in place a client that isn’t on the allowlist is unable to access the inventory audit resource. The API key shown belongs to client_two (as defined in Part 1).
$ curl -H "apikey: QzVV6y1EmQFbbxOfRCwyJs35" https://api.example.com/api/warehouse/inventory/audit
{"status":403,"message":"Forbidden"}Controlling Access to Specific Methods
As defined above, the pricing service accepts the GET and PATCH methods, which respectively enable clients to obtain and modify the price of a specific item. (We could also choose to allow the POST and DELETE methods, to provide full lifecycle management of pricing data.) In this section, we expand that use case to control which methods specific users can issue. With JWT authentication enabled for the Warehouse API, the permissions for each client are encoded as custom claims. The JWTs issued to administrators who are authorized to make changes to pricing data include the claim "admin":true. We now extend our access control logic so that only administrators can make changes.
This map block, added to the bottom of api_gateway.conf, takes the request method ($request_method) as input and produces a new variable, $admin_permitted_method. Read‑only methods are always permitted (lines 62–64) but access to write operations depends on the value of the admin claim in the JWT (line 65). We now extend our Warehouse API configuration to ensure that only administrators can make pricing changes.
The Warehouse API requires all clients to present a valid JWT (line 7). We also check that write operations are permitted by evaluating the $admin_permitted_method variable (line 25). Note again that JWT authentication is exclusive to NGINX Plus.
Controlling Request Sizes
HTTP APIs commonly use the request body to contain instructions and data for the backend API service to process. This is true of XML/SOAP APIs as well as JSON/REST APIs. Consequently, the request body can pose an attack vector to the backend API services, which may be vulnerable to buffer overflow attacks when processing very large request bodies.
By default, NGINX rejects requests with bodies larger than 1 MB. This can be increased for APIs that specifically deal with large payloads such as image processing, but for most APIs we set a lower value.
The client_max_body_size directive on line 7 limits the size of the request body. With this configuration in place, we can compare the behavior of the API gateway upon receiving two different PATCH requests to the pricing service. The first curl command sends a small piece of JSON data, whereas the second command attempts to send the contents of a large file (/etc/services).
$ curl -iX PATCH -d '{"price":199.99}' https://api.example.com/api/warehouse/pricing/item001
HTTP/1.1 204 No Content
Server: nginx/1.19.5
Connection: keep-alive
$ curl -iX PATCH -d@/etc/services https://api.example.com/api/warehouse/pricing/item001
HTTP/1.1 413 Request Entity Too Large
Server: nginx/1.19.5
Content-Type: application/json
Content-Length: 45
Connection: close
{"status":413,"message":"Payload too large"}Validating Request Bodies
[Editor – The following use case is one of several for the NGINX JavaScript module. For a complete list, see Use Cases for the NGINX JavaScript Module.]
In addition to being vulnerable to buffer overflow attacks with large request bodies, backend API services can be susceptible to bodies that contain invalid or unexpected data. For applications that require correctly formatted JSON in the request body, we can use the NGINX JavaScript module to verify that JSON data is parsed without error before proxying it to the backend API service.
With the JavaScript module installed, we use the js_import directive to reference the file containing the JavaScript code for the function that validates JSON data.
The js_set directive defines a new variable, $json_validated, which is evaluated by calling the parseRequestBody function.
The parseRequestBody function attempts to parse the request body using the JSON.parse method (line 6). If parsing succeeds, the name of the intended upstream group for this request is returned (line 8). If the request body cannot be parsed (causing an exception), a local server address is returned (line 11). The return directive populates the $json_validated variable so that we can use it to determine where to send the request.
In the URI routing section of the Warehouse API, we modify the proxy_pass directive on line 22. It passes the request to the backend API service as in the Warehouse API configurations discussed in previous sections, but now uses the $json_validated variable as the destination address. If the client body was successfully parsed as JSON then we proxy to the upstream group defined on line 15. If, however, there was an exception, we use the returned value of 127.0.0.1:10415 to send an error response to the client.
When requests are proxied to this virtual server, NGINX sends the 415 (Unsupported Media Type) response to the client.
With this complete configuration in place, NGINX proxies requests to the backend API service only if they have correctly formatted JSON bodies.
$ curl -iX POST -d '{"sku":"item002","price":85.00}' https://api.example.com/api/warehouse/pricing
HTTP/1.1 201 Created
Server: nginx/1.19.5
Location: /api/warehouse/pricing/item002
$ curl -X POST -d 'item002=85.00' https://api.example.com/api/warehouse/pricing
{"status":415,"message":"Unsupported media type"}A Note about the $request_body Variable
The JavaScript function parseRequestBody uses the $request_body variable to perform JSON parsing. However, NGINX does not populate this variable by default, and simply streams the request body to the backend without making intermediate copies. By using the mirror directive inside the URI routing section (line 16) we create a copy of the client request, and consequently populate the $request_body variable.
The directives on lines 17 and 19 control how NGINX handles the request body internally. We set client_body_buffer_size to the same size as client_max_body_size so that the request body is not written to disk. This improves overall performance by minimizing disk I/O operations, but at the expense of additional memory utilization. For most API gateway use cases with small request bodies this is a good compromise.
As mentioned, the mirror directive creates a copy of the client request. Other than populating $request_body, we have no need for this copy so we send it to a “dead end” location (/_get_request_body) that we define in the server block in the top‑level API gateway configuration.
This location does nothing more than send the 204 (No Content) response. Because this response is related to a mirrored request, it is ignored and so adds negligible overhead to the processing of the original client request.
Summary
In this second blog post of our series about deploying NGINX Open Source and NGINX Plus as an API gateway, we focused on the challenge of protecting backend API services in a production environment from malicious and misbehaving clients. NGINX uses the same technology for managing API traffic that is used to power and protect the busiest sites on the Internet today.
Check out the other post in this series:
- Part 1 explains how to configure NGINX in some essential API gateway use cases.
- Part 3 explains how to deploy NGINX as an API gateway for gRPC services.
To try NGINX Plus as an API gateway, start your free 30-day trial today or contact us to discuss your use cases. During your trial, use the complete set of configuration files from our GitHub Gist repo.