This is my example.conf's nginx config file:

server {
  listen 80;
  server_name api.example.net;
  return 301 https://api.example.net$request_uri;
  access_log off;
  error_log /dev/stderr;
}

server {
  listen 443 ssl;
  root /var/www/example_api/public;
  server_name api.example.net;
  ssl_certificate /etc/letsencrypt/live/api.example.net/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/api.example.net/privkey.pem;

  location / {
    # try to serve file directly, fallback to index.php
    try_files $uri /index.php$is_args$args;
    add_header Access-Control-Allow-Methods "GET, POST, OPTIONS, PUT, DELETE, PATCH";
    add_header Access-control-Allow-Headers "Content-Range, Authorization,X-Requested-With, counter, id_token, Keep-Alive, User-Agent, Cache-Control, Content-Type, MyApp-Handle-Errors-Generically";
    add_header Access-Control-Expose-Headers "Content-Range, Authorization, id_token, Keep-Alive, User-Agent, Cache-Control, Content-Type, MyApp-Handle-Errors-Generically";
    add_header Access-Control-Max-Age "31536000";
  }

  #location ~ ^/index\.php(/|$) {
  # https://stackoverflow.com/questions/68350978/nginx-serving-only-but-not-any-other-files
  location ~ \.php(/|$) {
    try_files $uri $uri/ /index.php?$query_string;
    fastcgi_pass api:9000;
    fastcgi_split_path_info ^(.+\.php)(/.*)$;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
    fastcgi_param DOCUMENT_ROOT $realpath_root;
    add_header Access-Control-Allow-Methods "GET, POST, OPTIONS, PUT, DELETE, PATCH";
    add_header Access-control-Allow-Headers "Content-Range, Authorization,X-Requested-With, counter, id_token, Keep-Alive, User-Agent, Cache-Control, Content-Type, MyApp-Handle-Errors-Generically";
    add_header Access-Control-Expose-Headers "Content-Range, Authorization, id_token, Keep-Alive, User-Agent, Cache-Control, Content-Type, MyApp-Handle-Errors-Generically";
    add_header Access-Control-Max-Age "31536000";
  }

  location ~ \.php$ {
    return 404;
  }

  access_log off;
  error_log /dev/stderr;
}

The issue is when I send a POST request from POSTMAN in http, I get this error:

api.example.net/api/user/register/checkuser?phone=0123456789

<!DOCTYPE html>
<html>

<head>
    <meta charset="UTF-8" />
    <meta name="robots" content="noindex,nofollow,noarchive" />
    <title>An Error Occurred: Method Not Allowed</title>
...

But if I change the URL to https, there's no issue:

https://api.example.net/api/user/register/checkuser?phone=0123456789

{"data":{"status":1},"meta":[]}

Am I doing anything wrong?

I should mention that we had a migration from the old Caddy web server to the current nginx one, and both are Dockerized (extra info only).

Saeed
  • Use return 307 or 308 instead of 301, otherwise the POST is changed to a GET by the browser. – Richard Smith Aug 22 '21 at 08:07
  • @RichardSmith thanks, it's resolved now. I saw `GET` instead of `POST` in access_log and that was strange for me :) Could you please write this as an answer so that I can vote you up for this favor? And if possible, please provide docs or write the reason why I should use 307/308. – Saeed Aug 22 '21 at 08:45

1 Answer

From RFC 7231 section 6.4.2, regarding the 301 Moved Permanently status code:

Note: For historical reasons, a user agent MAY change the request method from POST to GET for the subsequent request. If this behavior is undesired, the 307 (Temporary Redirect) status code can be used instead.

Richard Smith
  • Thanks for the RFC. I have a question: As I see at https://www.drlinkcheck.com/blog/http-redirects-301-302-303-307-308, code 308 is not supported by some relatively old browsers like IE11, so can I have an `if` block that says `if request is POST, then use return 308`? I do not think users use IE11, but that's a question in my mind. – Saeed Aug 23 '21 at 17:48
  • There are probably many features on your website that will not work with very old browsers. You need to decide how much backwards compatibility you need to support. – Richard Smith Aug 23 '21 at 18:35
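
The behaviour discussed in this thread can be checked with a short script. This is an added example, not code from the original posts: it sends one POST without following the redirect and reports whether the returned status code lets a client keep the method. The local redirector is a constructed stand-in for the port-80 server block, and `probe_post_redirect` and `demo` are hypothetical names.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# 307 (RFC 7231 section 6.4.7) and 308 (RFC 7538) require the client to repeat
# the request with the same method; after 301/302/303 a POST may become a GET.
METHOD_PRESERVING = {307, 308}
METHOD_REWRITING = {301, 302, 303}

def probe_post_redirect(host, port, path):
    """Send one POST, do not follow the redirect, and classify the answer."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("POST", path)
        resp = conn.getresponse()
        resp.read()
        status, location = resp.status, resp.getheader("Location")
    finally:
        conn.close()
    if status in METHOD_PRESERVING:
        return status, location, "POST preserved"
    if status in METHOD_REWRITING:
        return status, location, "POST may become GET"
    return status, location, "not a redirect"

def demo(code, path="/api/user/register/checkuser?phone=0123456789"):
    """Probe a constructed local stand-in for the port-80 block using `return <code>`."""
    class Redirector(BaseHTTPRequestHandler):
        def do_POST(self):
            self.rfile.read(int(self.headers.get("Content-Length", 0)))
            self.send_response(code)
            self.send_header("Location", "https://api.example.net" + self.path)
            self.send_header("Content-Length", "0")
            self.end_headers()

        def log_message(self, *args):  # keep the demo output quiet
            pass

    server = HTTPServer(("127.0.0.1", 0), Redirector)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe_post_redirect("127.0.0.1", server.server_address[1], path)
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    for code in (301, 308):
        print(code, demo(code))
```

Pointing `probe_post_redirect` at the real host on port 80 gives the same classification for the live server's redirect.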