Create a gist now

Instantly share code, notes, and snippets.

Embed
What would you like to do?
nginx 403 forbidden error when server static file under user home directory

nginx 403 Forbidden Error hosting in User Home Directory

resources

runtime environment

nginx -v
nginx version: nginx/1.0.15
uname -a
Linux ampedservice 2.6.32-279.el6.x86_64 #1 SMP Fri Jun 22 12:19:21 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
cat /proc/version 
Linux version 2.6.32-279.el6.x86_64 (mockbuild@c6b9.bsys.dev.centos.org) (gcc version 4.4.6 20120305 (Red Hat 4.4.6-4) (GCC) ) #1 SMP Fri Jun 22 12:19:21 UTC 2012
rake about
MANUAL_GC is enable ...
About your application's environment
Ruby version              1.9.3 (x86_64-linux)
RubyGems version          1.8.25
Rack version              1.4
Rails version             3.2.14
Action Pack version       3.2.14
Active Resource version   3.2.14
Action Mailer version     3.2.14
Active Support version    3.2.14
Application root          /home/gxdevelop/dev/ampedservice

how I config the application

$ cat /etc/nginx/nginx.conf
# For more information on configuration, see:
#   * Official English Documentation: http://nginx.org/en/docs/
#   * Official Russian Documentation: http://nginx.org/ru/docs/

user              nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log;
#error_log  /var/log/nginx/error.log  notice;
#error_log  /var/log/nginx/error.log  info;

pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;
    
    # Load config files from the /etc/nginx/conf.d directory
    # The default server is in conf.d/default.conf
    include /etc/nginx/conf.d/*.conf;

}

ampedservice.conf

upstream ampedservice_unicorn {
  server unix:/tmp/unicorn.ampedservice.sock fail_timeout=0;
  # server localhost:8888 max_fails=3 fail_timeout=5 weight=3;
  #server localhost:9999 max_fails=3 fail_timeout=5;
}

server {
  listen 80;# default deferred;
  server_name amped.guanxi.me;

  root /home/gxdevelop/dev/ampedservice/public;

  # individual nginx logs for this ampedservice vhost
  access_log  /var/log/nginx/ampedservice_access.log;
  error_log   /var/log/nginx/ampedservice_error.log;

  location ^~ /assets|ampedservice_assets/ {
    gzip_static on;
    expires max;
    add_header Cache-Control public;
  }


  try_files $uri/index.html $uri @unicorn;

  location @unicorn {
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_redirect off;
    proxy_pass http://ampedservice_unicorn;
  }

  error_page 500 502 503 504 /500.html;
  client_max_body_size 4G;
  keepalive_timeout 10;
}

My first suspicion was that this was a permissisons problem. However, when I run ls -lha public/aboutuscn.html I see

-rw-rw-r-- 1 gxdevelop gxdevelop 1.8K Aug 10 18:12 /home/gxdevelop/dev/ampedservice/public/aboutuscn.html

which looks right to me? Even running chmod 777 /home/gxdevelop/dev/ampedservice/public/aboutuscn.html so that the permissions are

-rwxrwxrwx 1 gxdevelop gxdevelop 1.8K Aug 10 18:12 public/aboutuscn.html

does not help. /etc/init.d/nginx configtest does not produce any errors either and I'm sure the symlink in /etc/

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

So I've been at this for a few hours and I'm now wondering what is so special about my user directory that I cannot serve anything inside of it? Ubuntu encrypts home directories these days? Could that be the problem? I also have this issue on an EC2 Ubuntu 12.04 instance (don't know if user directories are encrypted there)

The answer

Default User Home Directory Permissions

So it seems that the default permissions on user home directories in Ubuntu 12.04 is 700.** Nginx needs to have read permission the files that should be served AND have execute permission in each of the parent directories along the path from the root to the served files.**

You can give your user directory these permissions by running

chmod 701 user_home

You may also use 755, which is the default permission setting on the home directory on many systems.

The directories/files in your web root can belong to the www-data user or your regular personal user as long as the user/group that nginx runs as (as defined in nginx.conf) has READ permission on all files to be served and execute permission on all web root directories.

I just set all directories in my web root to be owned by my user account and have permissions 755 and I set all files to be served from the web root to have permissions 664 since these were the defaults on my machine.

Note on Converting Permission numbers to String Rep.

Ex. drwxr-x--x becomes 751.

Ignore the first character (d for directory, - for file, etc). The remaining 9 characters form a binary triplet where any non-dash character is a 1 and a dash is a 0.

So drwxr-x--x becomes rwxr-x--x 
becomes 111 101 001 
which is converted to a decimal 751

I needed a refresher on this when I was dealing with permissions.

@timrogers

This comment has been minimized.

Show comment
Hide comment
@timrogers

timrogers Dec 28, 2013

You are my hero. This saved me!

You are my hero. This saved me!

@mgoszcz2

This comment has been minimized.

Show comment
Hide comment
@mgoszcz2

mgoszcz2 Mar 12, 2014

Thank you so much!

Thank you so much!

@shivanshuag

This comment has been minimized.

Show comment
Hide comment
@shivanshuag

shivanshuag Mar 27, 2014

This helped me save a lot of time. Thank you

This helped me save a lot of time. Thank you

@kizashi1122

This comment has been minimized.

Show comment
Hide comment
@kizashi1122

kizashi1122 Apr 23, 2014

This helps me a lot.
It took a couple of hours already :-)

This helps me a lot.
It took a couple of hours already :-)

@shubhendusaurabh

This comment has been minimized.

Show comment
Hide comment
@shubhendusaurabh

shubhendusaurabh Sep 3, 2014

saved the day for me

saved the day for me

@crazyyi

This comment has been minimized.

Show comment
Hide comment
@crazyyi

crazyyi Dec 2, 2014

I have spent hours on this and I am so tired. But your article, out of so many other bullshits on Google results, finally gets me out of the darkness. Thank you so much!

crazyyi commented Dec 2, 2014

I have spent hours on this and I am so tired. But your article, out of so many other bullshits on Google results, finally gets me out of the darkness. Thank you so much!

@tiagoluzpoa

This comment has been minimized.

Show comment
Hide comment
@tiagoluzpoa

tiagoluzpoa Feb 17, 2015

Don't forget to disable SELINUX on CentOS!

vim /etc/selinux/config

and set:

SELINUX=disabled

Don't forget to disable SELINUX on CentOS!

vim /etc/selinux/config

and set:

SELINUX=disabled

@bleakwood

This comment has been minimized.

Show comment
Hide comment
@bleakwood

bleakwood Mar 2, 2015

Oh my god I almost went nuts for this. Thank you so much :)

Oh my god I almost went nuts for this. Thank you so much :)

@hanhpv

This comment has been minimized.

Show comment
Hide comment
@hanhpv

hanhpv Sep 1, 2015

Saved my day. Thanks a lot 👍 😄

hanhpv commented Sep 1, 2015

Saved my day. Thanks a lot 👍 😄

@demonshreder

This comment has been minimized.

Show comment
Hide comment

Thanks

@RyuuZaky

This comment has been minimized.

Show comment
Hide comment
@RyuuZaky

RyuuZaky Mar 21, 2016

You're my hero, thanks bro

You're my hero, thanks bro

@rashemihmih

This comment has been minimized.

Show comment
Hide comment
@rashemihmih

rashemihmih Apr 24, 2016

Thank you a lot!

Thank you a lot!

@liamzebedee

This comment has been minimized.

Show comment
Hide comment
@liamzebedee

liamzebedee Jul 7, 2016

+1 till infinity!

+1 till infinity!

@iamsebastian

This comment has been minimized.

Show comment
Hide comment
@iamsebastian

iamsebastian Aug 24, 2016

Never thought about the restricted access to the home directory. Glad, I've found this article. Thank you.

Never thought about the restricted access to the home directory. Glad, I've found this article. Thank you.

@toughrogrammer

This comment has been minimized.

Show comment
Hide comment

It's good!

@Adidi

This comment has been minimized.

Show comment
Hide comment
@Adidi

Adidi Oct 6, 2016

Thank you. very helpful !

Adidi commented Oct 6, 2016

Thank you. very helpful !

@bcahya

This comment has been minimized.

Show comment
Hide comment
@bcahya

bcahya Nov 12, 2016

Thank you. It helps us

bcahya commented Nov 12, 2016

Thank you. It helps us

@alizowghi

This comment has been minimized.

Show comment
Hide comment
@alizowghi

alizowghi Jan 9, 2017

Thank you so much :)

Thank you so much :)

@mawaldne-surge

This comment has been minimized.

Show comment
Hide comment

Thank you!

@ghost

This comment has been minimized.

Show comment
Hide comment
@ghost

ghost Apr 18, 2017

You saved my day. Works like a charm! In my case chmod 755 user_home.

ghost commented Apr 18, 2017

You saved my day. Works like a charm! In my case chmod 755 user_home.

@Motordread

This comment has been minimized.

Show comment
Hide comment
@Motordread

Motordread May 15, 2017

Awesome, buddy, 4 hours of searching and answer was so easy. You also my hero :)

Awesome, buddy, 4 hours of searching and answer was so easy. You also my hero :)

@fabioam

This comment has been minimized.

Show comment
Hide comment
@fabioam

fabioam Jun 5, 2017

Thanks! Works for me also in Manjaro XFCE Edition (17.0.1)

fabioam commented Jun 5, 2017

Thanks! Works for me also in Manjaro XFCE Edition (17.0.1)

@FrankFang

This comment has been minimized.

Show comment
Hide comment
@FrankFang

FrankFang Aug 13, 2017

Life saver!

Life saver!

@lucascasotti

This comment has been minimized.

Show comment
Hide comment
@lucascasotti

lucascasotti Aug 14, 2017

thank you, i changed application folder location.

thank you, i changed application folder location.

@bsienn

This comment has been minimized.

Show comment
Hide comment
@bsienn

bsienn Sep 7, 2017

On Fedora 26 along with permison which I set to 701, I had to disable SELINUX as well with sudo setenforce 0

bsienn commented Sep 7, 2017

On Fedora 26 along with permison which I set to 701, I had to disable SELINUX as well with sudo setenforce 0

@teamlyzer

This comment has been minimized.

Show comment
Hide comment
@teamlyzer

teamlyzer Sep 30, 2017

+1 perfect

+1 perfect

@Tutorgaming

This comment has been minimized.

Show comment
Hide comment
@Tutorgaming

Tutorgaming Nov 11, 2017

This is the light !!!!
YOU SAVE ME ! :) +1

This is the light !!!!
YOU SAVE ME ! :) +1

@artakvg

This comment has been minimized.

Show comment
Hide comment
@artakvg

artakvg Feb 2, 2018

Wasted half day on this. Thx.

artakvg commented Feb 2, 2018

Wasted half day on this. Thx.

@tafid

This comment has been minimized.

Show comment
Hide comment
@tafid

tafid Feb 2, 2018

+1 thank you!

tafid commented Feb 2, 2018

+1 thank you!

@landowark

This comment has been minimized.

Show comment
Hide comment

Yup!

@scutmarx

This comment has been minimized.

Show comment
Hide comment
@scutmarx

scutmarx May 27, 2018

thank you! Don't forget to diable the selinux.

thank you! Don't forget to diable the selinux.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment