GitHub user dosubot[bot] added a comment to the discussion: Launch Superset from existing sub domain
A 403 Forbidden error after updating your Apache config for Superset under a subpath usually means either a permissions issue at the Apache level or Superset is denying access due to missing or misconfigured proxy headers, CSRF, or authentication.

Here’s what to check and try next:

1. **Superset version**: Subpath support is only reliable in Superset 6.0+; older versions have known bugs that cause 403/404 errors even with correct config. Please confirm your Superset version—if it’s below 6.0, upgrade is strongly recommended for subpath deployment to work reliably ([source](https://github.com/apache/superset/issues/34896)).

2. **Apache config**: Make sure there are no restrictive `<Directory>` or `<Location>` blocks for `/analytics` or your Superset static files that could cause a 403. Also, check file and directory permissions for the Superset app and static assets.

3. **Proxy headers**: Ensure all required headers are set exactly once (not duplicated):
   ```
   RequestHeader set X-Forwarded-Proto "https"
   RequestHeader set X-Forwarded-Host "%{Host}s"
   RequestHeader set X-Forwarded-Port "443"
   RequestHeader set X-Forwarded-Prefix "/analytics"
   ```
   Remove any `BASE_URL` config from Superset—only use `SUPERSET_APP_ROOT`, `APPLICATION_ROOT`, and `STATIC_ASSETS_PREFIX` ([source](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/app.py#L43-L108)).

4. **Superset config**: In `superset_config.py`, add:
   ```python
   ENABLE_PROXY_FIX = True
   PROXY_FIX_CONFIG = {"x_for": 1, "x_proto": 1, "x_host": 1, "x_port": 1, "x_prefix": 1}
   ```
   This ensures Superset trusts all the forwarded headers ([source](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/initialization/__init__.py#L58-L756)).

5. **CSRF**: If you see 403s on POST requests or after login, it could be CSRF protection. By default, `WTF_CSRF_ENABLED = True`—make sure your browser is sending cookies and CSRF tokens correctly, and try clearing your browser cache.

6. **Logs**: Check both your Apache error log and the Superset logs for details when the 403 occurs. The error message will help pinpoint if it’s an Apache permissions issue or a Superset security/CSRF/role issue.

7. **SELinux/AppArmor**: If enabled, check for denials in audit logs.

8. **Static assets**: If static files (JS, CSS, images) are failing with 403, make sure Apache allows unauthenticated access to `/analytics/static/` ([source](https://github.com/apache/superset/discussions/35055#discussioncomment-14339773)).

If you’re still stuck, please share:
- Your exact Superset version
- Any relevant error messages from Apache and Superset logs when the 403 occurs
- Any extra Apache `<Directory>` or `<Location>` blocks for `/analytics` or static files

This will help narrow down whether the 403 is coming from Apache or Superset’s internal security checks.

GitHub link: https://github.com/apache/superset/discussions/36453#discussioncomment-15215656
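
An added example, not part of the comment above and not Superset or Werkzeug source code: a simplified Python model of the hop-count rule that the `PROXY_FIX_CONFIG` keys configure in Werkzeug's `ProxyFix`, showing why each `X-Forwarded-*` header should arrive exactly once. The function name `audit`, the host `example.org` and the sample requests are constructed for illustration.

```python
# Added example (not Superset or Werkzeug source): a simplified model of how
# ProxyFix-style hop counts pick a value from each X-Forwarded-* header.
# Names and sample requests below are constructed for illustration.
PROXY_FIX_CONFIG = {"x_for": 1, "x_proto": 1, "x_host": 1, "x_port": 1, "x_prefix": 1}
ENVIRON_KEY = {
    "x_for": "HTTP_X_FORWARDED_FOR",
    "x_proto": "HTTP_X_FORWARDED_PROTO",
    "x_host": "HTTP_X_FORWARDED_HOST",
    "x_port": "HTTP_X_FORWARDED_PORT",
    "x_prefix": "HTTP_X_FORWARDED_PREFIX",
}

def audit(environ, trust=PROXY_FIX_CONFIG):
    """Return (resolved, findings) for one WSGI environ dict."""
    resolved, findings = {}, []
    for key, hops in trust.items():
        raw = environ.get(ENVIRON_KEY[key], "")
        values = [v.strip() for v in raw.split(",") if v.strip()]
        # Count from the right: only the last `hops` entries were written by
        # proxies we trust; anything further left arrived with the request.
        resolved[key] = values[-hops] if hops and len(values) >= hops else None
        if resolved[key] is None:
            findings.append(f"{key}: missing or fewer than {hops} value(s)")
        elif len(values) > hops:
            findings.append(f"{key}: {len(values)} values but {hops} trusted hop(s)")
    return resolved, findings

# Constructed request with every forwarded header present exactly once
# (the X-Forwarded-For address is a made-up documentation address).
CLEAN = {
    "HTTP_X_FORWARDED_FOR": "203.0.113.7",
    "HTTP_X_FORWARDED_PROTO": "https",
    "HTTP_X_FORWARDED_HOST": "example.org",
    "HTTP_X_FORWARDED_PORT": "443",
    "HTTP_X_FORWARDED_PREFIX": "/analytics",
}
# Constructed: the prefix header was appended to an existing one, not set once.
DUPLICATED = dict(CLEAN, HTTP_X_FORWARDED_PREFIX="/other, /analytics")
# Constructed: the proxy never sent X-Forwarded-Prefix.
NO_PREFIX = {k: v for k, v in CLEAN.items() if k != "HTTP_X_FORWARDED_PREFIX"}

if __name__ == "__main__":
    for name, env in [("clean", CLEAN), ("duplicated", DUPLICATED), ("no prefix", NO_PREFIX)]:
        resolved, findings = audit(env)
        print(name, resolved["x_prefix"], findings or "ok")
```

With one trusted hop the rightmost value wins, so the duplicated case still resolves to `/analytics` but is flagged; the missing-prefix case resolves to nothing, which is the condition to rule out before looking at CSRF or roles.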
