Recently banged my head against this issue for ages until someone with Nginx knowledge pointed out it wasn't Nginx but a Sinatra/Unicorn issue.

Basically the symptoms were: after setting up my Sinatra application, with Unicorn as the webserver and Nginx as the SSL proxy (redirecting http to https for the domain), anytime the application received a POST request on my login screen it responded with "forbidden" (403). GET requests for the login screen worked fine.

Initially I thought the error came from Nginx, but it turned out it came from Rack (running via Unicorn). The issue was that, as part of the login POST, sinatra-authentication was redirecting to http, not https. Nginx then redirected the client to https but lost the auth details, so Rack gave the forbidden response (with no helpful debug).

To fix this, all I had to do was add the following to the Nginx conf at the proxy settings:

    proxy_set_header X-Forwarded-Ssl on;

That told Rack it was working via an SSL proxy and changed the redirects to use https. No clue why I needed to do this, but in future I'll use something like rack-ssl-enforcer and handle the redirects in the application itself rather than the Nginx conf.
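Why the header changes the redirect, as an added example that is not code from this post, from Rack or from sinatra-authentication: a simplified model of the scheme lookup a Rack application performs behind a TLS-terminating proxy. The host name, the helper names and the sample request hashes are constructed for illustration.

```ruby
# Simplified model of how a Rack app picks the URL scheme behind a proxy.
# Added illustration; not Rack's or sinatra-authentication's source.

# env is a Rack-style hash: request headers appear as HTTP_* keys.
def effective_scheme(env)
  return 'https' if env['HTTPS'] == 'on'
  return 'https' if env['HTTP_X_FORWARDED_SSL'] == 'on'
  # X-Forwarded-Proto may carry a comma-separated chain; the first hop wins.
  proto = env['HTTP_X_FORWARDED_PROTO'].to_s.split(',').first.to_s.strip
  return proto unless proto.empty?
  # Fallback: the scheme of the socket the app server actually accepted.
  env['rack.url_scheme'] || 'http'
end

# Absolute redirect target, as an app would put in a Location header.
def redirect_location(env, path)
  scheme = effective_scheme(env)
  host = env['HTTP_HOST']
  "#{scheme}://#{host}#{path}"
end

# Constructed sample: what Unicorn sees when Nginx terminates TLS and
# proxies over plain HTTP without any forwarding header.
WITHOUT_HEADER = {
  'REQUEST_METHOD' => 'POST',
  'HTTP_HOST' => 'app.example.test',
  'rack.url_scheme' => 'http'
}.freeze

# Same request once Nginx adds "proxy_set_header X-Forwarded-Ssl on;".
WITH_HEADER = WITHOUT_HEADER.merge('HTTP_X_FORWARDED_SSL' => 'on').freeze

if __FILE__ == $PROGRAM_NAME
  puts redirect_location(WITHOUT_HEADER, '/')
  puts redirect_location(WITH_HEADER, '/')
end
```

The application trusts this header from whoever sends it, so set it only in the Nginx server block that terminates TLS (proxy_set_header replaces any value the client supplied) and keep Unicorn reachable only through Nginx.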
