SUJET :

Hi,

Guests & I see all these 403's instead of the images, but the image does show when clicked on that 403.

Example: genealogy.meulie.net/tree/meulie.ged/ind...obus-Petrus-de-Groot

Do I need to make a change in my (nginx) server config?

If you look at the HTTP response headers for the image, it has the message

X-Signature-Exception.

The URL for the image contains a "digital signaure" - the "s" parameter.

This prevents people from requesting images that they should not see - for example, images without watermarks.
It also prevents attackers from making "resize attacks", where they request the image resized to every possible height/width combination.

Not 100% sure why you are getting a mismatch error.
Perhaps your URLs are being truncated?

Can you look in the database. In the table wt_site_setting is an entry for "glide-key".
This should be lots of random characters.
You could try deleting this entry - it should be recreated automatically.
Alternatively, try setting your own random entry.

I don't think the URL's get truncated. They're not _that_ long...

When I delete glide-key from wt_site_setting it does indeed get recreated. It doesn't solve the problem though.

> I don't think the URL's get truncated.

The problem is that your webserver truncates the URL before passing it to PHP.

So, PHP only sees the first part of the URL.

It is a well-known problem. Some webservers have quite low defaults for max-url-length.

What webserver do you use?

I use nginx, version 1.21

I cannot think what is causing this.

Are you a PHP programmer. I could tell you where to add debug code, etc.

I'm not a PHP programmer, but I do know my way around programming languages etc, so I'd love to give it a try.

How can I start debugging this?

Look at the function MediaFile::signature()

URLs for media files contain various parameters, such as width and height.

We must prevent the client from modifying these. Otherwise a malicious user might try to request every possible combination of height/width, which could lead to a DoS attack.

We do this by adding a "signature" parameter ("s") to the URL. This is a simple MD5 hash of the parameters, plus a secret one ("glide-key").

When we process the URL to generate the image, we check this signature.

For you, the signature in the URL isn't matching the one that we calculate.

The assumption is that the URL has been modified - hence my ealier guesses about truncated URLs. Maybe your sever is adding additional parameters?

So, I'd start by reviewing the parameters passed to the signature() function - both when the URL is generated, and again when it is processed.