Dave Perrett

'405 Not Allowed' Error Serving Facebook Apps With Nginx

facebook, linux, nginx, programming

I’ve spent the last couple of evenings playing around with some Hello World-type stuff for Facebook app development in preparation for an up-coming Facebook/Rails gig.

After creating a new app on Facebook, you are presented with the code for a basic starter-page for the app:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:fb="http://www.facebook.com/2008/fbml">
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
    <title>Hello World!</title>
  </head>
  <body>
    <h1>Hello World!</h1>
    <p><fb:login-button autologoutlink="true"></fb:login-button></p>
    <p><fb:like></fb:like></p>

    <div id="fb-root"></div>
    <script>
      window.fbAsyncInit = function() {
        FB.init({appId: 'xxxxxxxxxxxxxxx', status: true, cookie: true,
                 xfbml: true});
      };
      (function() {
        var e = document.createElement('script');
        e.type = 'text/javascript';
        e.src = document.location.protocol +
          '//connect.facebook.net/en_US/all.js';
        e.async = true;
        document.getElementById('fb-root').appendChild(e);
      }());
    </script>
  </body>
</html>

While I’m not quite sure what all of that does yet, I threw it up on a server as index.html just for kicks, added a quick subdomain to Nginx:

1
2
3
4
5
6
7
8
9
server {
    listen       80;
    server_name  facebook.recursive-design.com;

    # Main location
    location / {
         root /var/www/facebook.recursive-design.com;
    }
}

…and lo-and-behold we have our Hello World:

While everything is fine-and-dandy so far, accessing this from within Facebook is another story:

After triple-checking the Nginx config (and there’s not much that could go wrong there) I was none the wiser what was triggering the 405 Not Allowed.

A bit of googling turned up a post on the Nginx forums that shed some light on the matter:

News to me. Since everything that comes from Facebook appears to be a POST, we’re not going to get anywhere with this static index.html app of ours.

As mentioned in the thread, Igor has posted a workaround, or alternatively you can proxy the page to apache or something upstream which doesn’t complain. I went the upstream apache root (though in hindsight the workaround seems like less work), and voila:

I’d love to know the motivation behind this restriction - I can’t think of any security issues that posting to a static file would cause, but then again i’m no Igor Sysoev :)

Any ideas?