I'm having two separate issues that I believe have one cause, except that I'm not sure what it is (obviously). First is that our internal ajax calls are suddenly being seen as cross-domain. So if I do a javascript ajax call with an absolute URL to my own server, the browser blocks it. Second is that suddenly our Facebook login is failing because our Facebook app doesn't recognize our URLs, even though the URLs in our app settings are the same they've always been, and do match our domain.

I searched about the ajax problem and couldn't find anything, so I just ended up making the ajax calls with relative URLs. I also searched about the Facebook login problem, but all I found were posts about something I had already done, and it's still not working.

I thought this might be a nameserver problem, but those are correct. We have an EC2 Amazon Linux instance, using Route 53 nameservers. I checked our domain registrar (godaddy), and the nameservers match up. Plus, people can navigate to the site without any problems. So, it doesn't seem to be a nameserver problem, which leads me to think it might be a problem with the server itself, but I have no idea what that would be.

Does this behavior sound familiar to anyone?

I do have an .htaccess file on the server, but I don't think that's the issue. All I have in there now is the following:

RewriteEngine on
RewriteRule ^(.*)\.[\d]{10}\.(css|js)$ $1.$2 [L]

# Block Bad Bots & Scrapers
SetEnvIfNoCase User-Agent "Aboundex" bad_bot
SetEnvIfNoCase User-Agent "80legs" bad_bot
SetEnvIfNoCase User-Agent "360Spider" bad_bot
...

<Limit GET POST HEAD>
Order Allow,Deny
Allow from all

# Cyveillance
deny from 38.100.19.8/29
deny from 38.100.21.0/24
deny from 38.100.41.64/26
deny from 38.105.71.0/25
deny from 38.105.83.0/27
deny from 38.112.21.140/30
deny from 38.118.42.32/29
deny from 65.213.208.128/27
deny from 65.222.176.96/27
deny from 65.222.185.72/29

Deny from env=bad_bot
</Limit>

Much more likely to be your web server config rather than .htaccess

Check your ServerName and ServerAlias directives for your website and ensure that the domain name isn't being redirected or rewritten anywhere.

I checked the httpd.conf file, and UseCanonicalName was set to Off, so it looks like ServerName isn't going to be used, according to the documentation there. I scrolled through and didn't see ServerAlias set anywhere.

To update this, I tried an absolute URL ajax call again yesterday and it worked. Not sure why it started working again (which bugs me), but the Facebook login is still broken, so these things appear to be unrelated after all. Since the issue is just with the Facebook login, it seems a lot less likely to be a server issue.

I'm not sure what to do with the thread in this case. Do I mark it as solved since it's no longer relevant to this forum?

You could leave it open and hope for more relevant advice

OK, I have more information now. The URL not permitted error was happening because of the IP whitelist in the app settings. I had the IP address of the server filled in here, but I had a suggestion to remove it, which I did, and it worked. I also removed the list of valid return URIs. Funny that in some posts I've seen, adding the return URIs actually fixes the Facebook problem.

Anyway, now I have another issue that I actually thought was related to the first but it appears not. The Facebook login is caught in an endless redirect, so the code tries to get the Facebook user ID, gets 0, goes to Facebook to log in, sees that the user is logged in, comes back and still gets 0 for the Facebook user ID.

The funny thing is that I used the exact same login code on a different server with a newly created app, so that all that was changed was the app ID and the app secret, and the login worked fine. I also set up this other server to try to log in with my original app, and it worked fine. I also created a third app and tried to log in to that with the original server, and that went into a loop. So this does appear to be something about my server, but not sure what still.

The issue turned out to be caused by a bad curl library. Once that was recompiled, the Facebook login started working again.