I’ve spent the last couple of evenings playing around with some Hello World-type stuff for Facebook app development in preparation for an up-coming Facebook/Rails gig.

After creating a new app on Facebook, you are presented with the code for a basic starter-page for the app:

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml"
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
    <title>Hello World!</title>
    <h1>Hello World!</h1>
    <p><fb:login-button autologoutlink="true"></fb:login-button></p>

    <div id="fb-root"></div>
      window.fbAsyncInit = function() {
        FB.init({appId: 'xxxxxxxxxxxxxxx', status: true, cookie: true,
                 xfbml: true});
      (function() {
        var e = document.createElement('script');
        e.type = 'text/javascript';
        e.src = document.location.protocol +
        e.async = true;

While I’m not quite sure what all of that does yet, I threw it up on a server as index.html just for kicks, added a quick subdomain to Nginx:

server {
    listen       80;
    server_name  facebook.recursive-design.com;

    # Main location
    location / {
         root /var/www/facebook.recursive-design.com;

…and lo-and-behold we have our Hello World:

Hello World

While everything is fine-and-dandy so far, accessing this from within Facebook is another story:

405 Not Allowed

After triple-checking the Nginx config (and there’s not much that could go wrong there) I was none the wiser what was triggering the 405 Not Allowed.

A bit of googling turned up a post on the Nginx forums that shed some light on the matter:

Static Content

News to me. Since everything that comes from Facebook appears to be a POST, we’re not going to get anywhere with this static index.html app of ours.

As mentioned in the thread, Igor has posted a workaround, or alternatively you can proxy the page to apache or something upstream which doesn’t complain. I went the upstream apache root (though in hindsight the workaround seems like less work), and voila:


I’d love to know the motivation behind this restriction - I can’t think of any security issues that posting to a static file would cause, but then again i’m no Igor Sysoev :)

Any ideas?