Reputation: 1001
I have Nginx set up and displaying the test page properly. If I try to change the root path, I get a 403 Forbidden error, even though all permissions are identical. Additionally, the nginx user exists.
nginx.conf:
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
events {
    worker_connections 1024;
}
http {
    index index.html index.htm;
    server {
        listen 80;
        server_name localhost;
        root /var/www/html; #changed from the default /usr/share/nginx/html
    }
}
namei -om /usr/share/nginx/html/index.html
f: /usr/share/nginx/html/index.html
dr-xr-xr-x root root /
drwxr-xr-x root root usr
drwxr-xr-x root root share
drwxr-xr-x root root nginx
drwxr-xr-x root root html
-rw-r--r-- root root index.html
namei -om /var/www/html/index.html
f: /var/www/html/index.html
dr-xr-xr-x root root /
drwxr-xr-x root root var
drwxr-xr-x root root www
drwxr-xr-x root root html
-rw-r--r-- root root index.html
error log
2014/03/23 12:45:08 [error] 5490#0: *13 open() "/var/www/html/index.html" failed (13: Permission denied), client: XXX.XX.XXX.XXX, server: localhost, request: "GET /index.html HTTP/1.1", host: "ec2-XXX-XX-XXX-XXX.compute-1.amazonaws.com"
Upvotes: 78
Views: 92723
Reputation: 75
I met another issue (don't know why yet, but it might be useful for someone else).
I first put the folder under my /home/my_name/www/site_name, and changed the owner and the permissions. Then I checked the SELinux stuff.
All of the above didn't solve my problem. Finally, I changed the folder to /srv/www/site_name, and all is good now.
Upvotes: 0
Reputation: 311
The folks using the /home/{user} directory to serve their website need to provide chmod 755 access on their /home/{user} directory to make this work.
Also, if SELinux is enabled on the server, please use the below-mentioned commands:
Upvotes: 3
Reputation: 1259
Another possible reason (NOT IN THIS CASE) is a symlink for the index.html file pointing to another directory.
ls -lrt /usr/share/nginx/html/
Rsyncing the files to that particular directory will easily solve the problem.
Or disable symlinks in nginx.conf:
http {
disable_symlinks off;
}
Upvotes: 0
Reputation: 1085
First of all, you have to run the following command to allow nginx to access the filesystem:
sudo setsebool -P httpd_read_user_content 1
You can check the files or directory with the following command:
ls -Z
If it is still not accessible, you can try changing the SELinux property of the files and folder with the following command:
chcon -Rt httpd_sys_content_t /path/to/www
However, the above command cannot be applied to files under a FUSE or NFS filesystem.
To enable serving files from FUSE mounts, you can use:
setsebool httpd_use_fusefs 1
To enable serving files from NFS mounts, you can use:
setsebool httpd_use_nfs 1
Upvotes: 12
Reputation: 10894
There are 2 possible reasons for denied access:
Access is denied by DAC. Double check user, group and file permissions. Make sure the nginx process, when running as the user specified in its config file, can access the new html root path.
Access is denied by MAC. The most widely used of such is SELinux. To check whether it caused the problem, you can stop the nginx process and run this command:
setenforce Permissive
Then start nginx again to see if access is granted.
Alternatively, you can check the file context:
setenforce Enforcing
ls -Zd /usr/share/nginx/html /var/www/html
If the two contexts differ, you may need to change the context for the new html root path:
chcon -R -t httpd_sys_content_t /var/www/html
Restart nginx and see if it works fine. If so, you can make the change permanent:
semanage fcontext -a -t httpd_sys_content_t '/var/www/html(/.*)?'
restorecon -Rv /var/www/html
Some of these commands need to be run as root.
Upvotes: 5
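The DAC-then-MAC check from the answer above, as an added example that is not part of the original thread: it walks every component of the path as namei -om does, reports which ones the mode bits deny to a given uid, and only then reads the SELinux type. The function names are made up for this illustration, and ACLs and capabilities are ignored.

```python
import os
import stat


def dac_denials(path, uid, gids=()):
    """List (component, missing_bit) for every path component that plain
    owner/group/other mode bits deny to uid/gids. ACLs are not considered."""
    if uid == 0:
        return []  # root bypasses DAC read/search checks
    prefix, components = os.sep, [os.sep]
    for name in os.path.abspath(path).split(os.sep):
        if name:
            prefix = os.path.join(prefix, name)
            components.append(prefix)
    denied = []
    for comp in components:
        st = os.stat(comp)
        is_dir = stat.S_ISDIR(st.st_mode)
        need = 0o1 if is_dir else 0o4  # search on directories, read on files
        # The kernel picks exactly one class: owner, else group, else other.
        shift = 6 if uid == st.st_uid else 3 if st.st_gid in gids else 0
        if not (st.st_mode >> shift) & need:
            denied.append((comp, "x" if is_dir else "r"))
    return denied


def selinux_type(path):
    """Return the SELinux type of path (third field of its label), or None
    when the file carries no label or the platform lacks getxattr."""
    try:
        label = os.getxattr(path, "security.selinux")
    except (OSError, AttributeError):
        return None
    return context_type(label.rstrip(b"\0").decode())


def context_type(label):
    """Extract the type from a 'user:role:type:level' SELinux label."""
    fields = label.split(":")
    return fields[2] if len(fields) >= 3 else None


def diagnose(path, uid, gids=()):
    """Classify a denial the way the answer above does: DAC first, then MAC."""
    denied = dac_denials(path, uid, gids)
    if denied:
        return "DAC", denied
    return "MAC?", selinux_type(path)
```

Call diagnose() with the uid and group ids of the account named in the user directive of nginx.conf; a "MAC?" result with a type other than httpd_sys_content_t matches the situation in the question, where both namei listings are identical.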
Reputation: 17
Modify the file nginx.conf, change the user name to your account name, and restart nginx. It works!
Upvotes: -1
Reputation: 922
Remember you need to allow other users to read the entire path. Also remember Dropbox will set 700 to its root directory. So chmod 755 ~/Dropbox solved my problem.
Upvotes: 3
Reputation: 21
I met this problem when I added a new user with a folder /home/new_user as a new virtual host. Make sure these folders (/home, /home/new_user, /home/new_user/xxx ...) are 755; that resolved my problem. At last, I found my problem correctly according to the /var/log/nginx/error.log file.
Upvotes: 2
Reputation: 81
I ran into the same problem. If you're using Fedora/RedHat/CentOS, this might help you:
setsebool -P httpd_read_user_content 1
Hope this helps.
Upvotes: 8
Reputation: 1
This solved the same problem:
Restart Nginx and try again. If it fails, check the logs again. This worked for me.
Upvotes: -11
Reputation: 509
I ran into the same problem:
Did a restart from the command line (I'd been using Webmin all this time) and noticed this error:
aed@aed:/var/www/test.local$ sudo service nginx restart
* Restarting nginx nginx
nginx: [warn] conflicting server name "test.local" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "test.local" on 0.0.0.0:80, ignored
Apparently there was a duplicate definition and thus my attempt to access "test.local" failed.
Upvotes: 1
Reputation: 385
This is an addition to Prowla's answer, but I don't have enough reputation to comment: if the /path/to/www is a home directory of a user, you should try:
setsebool -P httpd_enable_homedirs=1
This solved my problem
Source: http://forums.fedoraforum.org/archive/index.php/t-250779.html
Upvotes: 4
Reputation: 7212
I experienced the same problem and it was due to SELinux.
To check if SELinux is running:
# getenforce
To disable SELinux until next reboot:
# setenforce Permissive
Restart Nginx and see if the problem persists. If you would like to permanently alter the settings you can edit /etc/sysconfig/selinux
If SELinux is your problem, you can run the following to allow nginx to serve your www directory (make sure you turn SELinux back on before testing this, i.e., # setenforce Enforcing)
# chcon -Rt httpd_sys_content_t /path/to/www
If you're still having issues, take a look at the boolean flags in getsebool -a; in particular, you may need to turn on httpd_can_network_connect for network access:
# setsebool -P httpd_can_network_connect on
For me it was enough to allow http to serve my www directory.
Upvotes: 246
Reputation: 1001
I was using:
sudo service nginx start
If I use:
sudo nginx
...everything works fine. Can anyone explain the difference between these two?
Upvotes: 1
Reputation: 42789
Well, seems logical, all files are root user; try changing it to nginx user. Just wanted to make sure it's not a listing permission denied first.
sudo chown -R nginx:nginx /var/www/html
Upvotes: 1