Skip to content

Instantly share code, notes, and snippets.

  • Star 95 You must be signed in to star a gist
  • Fork 20 You must be signed in to fork a gist
Star You must be signed in to star a gist
Save jhjguxin/6208474 to your computer and use it in GitHub Desktop.
nginx 403 forbidden error when server static file under user home directory

nginx 403 Forbidden Error hosting in User Home Directory

resources

runtime environment

nginx -v
nginx version: nginx/1.0.15
uname -a
Linux ampedservice 2.6.32-279.el6.x86_64 #1 SMP Fri Jun 22 12:19:21 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
cat /proc/version 
Linux version 2.6.32-279.el6.x86_64 (mockbuild@c6b9.bsys.dev.centos.org) (gcc version 4.4.6 20120305 (Red Hat 4.4.6-4) (GCC) ) #1 SMP Fri Jun 22 12:19:21 UTC 2012
rake about
MANUAL_GC is enable ...
About your application's environment
Ruby version              1.9.3 (x86_64-linux)
RubyGems version          1.8.25
Rack version              1.4
Rails version             3.2.14
Action Pack version       3.2.14
Active Resource version   3.2.14
Action Mailer version     3.2.14
Active Support version    3.2.14
Application root          /home/gxdevelop/dev/ampedservice

how I config the application

$ cat /etc/nginx/nginx.conf
# For more information on configuration, see:
#   * Official English Documentation: http://nginx.org/en/docs/
#   * Official Russian Documentation: http://nginx.org/ru/docs/

user              nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log;
#error_log  /var/log/nginx/error.log  notice;
#error_log  /var/log/nginx/error.log  info;

pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;
    
    # Load config files from the /etc/nginx/conf.d directory
    # The default server is in conf.d/default.conf
    include /etc/nginx/conf.d/*.conf;

}

ampedservice.conf

upstream ampedservice_unicorn {
  server unix:/tmp/unicorn.ampedservice.sock fail_timeout=0;
  # server localhost:8888 max_fails=3 fail_timeout=5 weight=3;
  #server localhost:9999 max_fails=3 fail_timeout=5;
}

server {
  listen 80;# default deferred;
  server_name amped.guanxi.me;

  root /home/gxdevelop/dev/ampedservice/public;

  # individual nginx logs for this ampedservice vhost
  access_log  /var/log/nginx/ampedservice_access.log;
  error_log   /var/log/nginx/ampedservice_error.log;

  location ^~ /assets|ampedservice_assets/ {
    gzip_static on;
    expires max;
    add_header Cache-Control public;
  }


  try_files $uri/index.html $uri @unicorn;

  location @unicorn {
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_redirect off;
    proxy_pass http://ampedservice_unicorn;
  }

  error_page 500 502 503 504 /500.html;
  client_max_body_size 4G;
  keepalive_timeout 10;
}

My first suspicion was that this was a permissisons problem. However, when I run ls -lha public/aboutuscn.html I see

-rw-rw-r-- 1 gxdevelop gxdevelop 1.8K Aug 10 18:12 /home/gxdevelop/dev/ampedservice/public/aboutuscn.html

which looks right to me? Even running chmod 777 /home/gxdevelop/dev/ampedservice/public/aboutuscn.html so that the permissions are

-rwxrwxrwx 1 gxdevelop gxdevelop 1.8K Aug 10 18:12 public/aboutuscn.html

does not help. /etc/init.d/nginx configtest does not produce any errors either and I'm sure the symlink in /etc/

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

So I've been at this for a few hours and I'm now wondering what is so special about my user directory that I cannot serve anything inside of it? Ubuntu encrypts home directories these days? Could that be the problem? I also have this issue on an EC2 Ubuntu 12.04 instance (don't know if user directories are encrypted there)

The answer

Default User Home Directory Permissions

So it seems that the default permissions on user home directories in Ubuntu 12.04 is 700.** Nginx needs to have read permission the files that should be served AND have execute permission in each of the parent directories along the path from the root to the served files.**

You can give your user directory these permissions by running

chmod 701 user_home

You may also use 755, which is the default permission setting on the home directory on many systems.

The directories/files in your web root can belong to the www-data user or your regular personal user as long as the user/group that nginx runs as (as defined in nginx.conf) has READ permission on all files to be served and execute permission on all web root directories.

I just set all directories in my web root to be owned by my user account and have permissions 755 and I set all files to be served from the web root to have permissions 664 since these were the defaults on my machine.

Note on Converting Permission numbers to String Rep.

Ex. drwxr-x--x becomes 751.

Ignore the first character (d for directory, - for file, etc). The remaining 9 characters form a binary triplet where any non-dash character is a 1 and a dash is a 0.

So drwxr-x--x becomes rwxr-x--x 
becomes 111 101 001 
which is converted to a decimal 751

I needed a refresher on this when I was dealing with permissions.

@MohamedHajr
Copy link

MohamedHajr commented Sep 11, 2018

bruh, thank you so much for this!

@llazzaro
Copy link

llazzaro commented Sep 19, 2018

DO NOT DISABLE SE LINUX!!

You need to use the command chcon to allow http.

the command is:

chcon -Rt httpd_sys_content_t /var/www/app/

I read the solution of the nginx return 403 error even when permission is correct here

@nanoguo
Copy link

nanoguo commented Dec 4, 2018

DO NOT DISABLE SE LINUX!!

You need to use the command chcon to allow http.

the command is:

chcon -Rt httpd_sys_content_t /var/www/app/

I read the solution of the nginx return 403 error even when permission is correct here

thanks

@YoSoyPhil
Copy link

DO NOT DISABLE SE LINUX!!

You need to use the command chcon to allow http.

the command is:

chcon -Rt httpd_sys_content_t /var/www/app/

I read the solution of the nginx return 403 error even when permission is correct here

My man, thank you!

@kamyargerami
Copy link

well done man , thank you

@roj4s
Copy link

roj4s commented Apr 10, 2019

Setting user root in nginx can be really dangerous. Having to set permissions to all file hierarchy can be cumbersome (imagine the folder's full path is under more than 10 subfolders).

What I'd do is to mirror the folder you want to share, under /usr/share/nginx/any_folder_name with permissions for nginx's configured user (usually www-data). That you can do with bindfs.

sudo bindfs -u www-data -g www-data /home/gxdevelop/dev/ampedservice/public /usr/share/nginx/gxdevelop

It will mount /home/gxdevelop/dev/ampedservice/public into /usr/share/nginx/gxdevelop with all permissions for user www-data. Now you set that path in your location block config

location /static {
autoindex on;
alias /usr/share/nginx/gxdevelop;
}

@aballah-chamakh
Copy link

thank you very much

@jefcolbi
Copy link

You saved me! Thanks

@abh006
Copy link

abh006 commented Oct 7, 2020

Setting user root in nginx can be really dangerous. Having to set permissions to all file hierarchy can be cumbersome (imagine the folder's full path is under more than 10 subfolders).

What I'd do is to mirror the folder you want to share, under /usr/share/nginx/any_folder_name with permissions for nginx's configured user (usually www-data). That you can do with bindfs.

sudo bindfs -u www-data -g www-data /home/gxdevelop/dev/ampedservice/public /usr/share/nginx/gxdevelop

It will mount /home/gxdevelop/dev/ampedservice/public into /usr/share/nginx/gxdevelop with all permissions for user www-data. Now you set that path in your location block config

location /static {
autoindex on;
alias /usr/share/nginx/gxdevelop;

It worked !!!
Thanks man

@nooralamqureshi347
Copy link

You may also use 755, which is the default permission setting on the home directory on many systems.

The directories/files in your web root can belong to the www-data user or your regular personal user as long as the user/group that nginx runs as (as defined in nginx.conf) has READ permission on all files to be served and execute permission on all web root directories.

I just set all directories in my web root to be owned by my user account and have permissions 755 and I set all files to be served from the web root to have permissions 664 since these were the defaults on my machine.403 .2021

@nooralamqureshi347
Copy link

server {
#listen 80; ## listen for ipv4; this line is default and implied
#listen [::]:80 default ipv6only=on; ## listen for ipv6

root /home;
index index.html index.htm;

# Make site accessible from http://localhost/
server_name localhost;

location / {
# First attempt to serve request as file, then
# as directory, then fall back to index.html
try_files $uri $uri/ /index.html;
# Uncomment to enable naxsi on this location
# include /etc/nginx/naxsi.rules
}

2021

@kanchansrivastava
Copy link

kanchansrivastava commented Feb 10, 2021

Thank you so much. You made my day.

@bekovrafik
Copy link

Hi all, still issue not helped, any suggestions? https://reezgroup.com/bv.txt

@liuhualh
Copy link

liuhualh commented Jul 1, 2021

Thanks you very much, that works for me.

@jeon-repo
Copy link

이야~
다른 사람들의 찬사가 남을만한 솔루션이다!!!
덕분에 저도 이걸로 해결했어요 ㅋㅋㅋㅋ

@netojose
Copy link

You saved my life!!!

Was just change home folder permission, unbelievable.

Thanks!

@Xerenz
Copy link

Xerenz commented Apr 19, 2022

Thanks a lot! This is exactly what I was looking for.
Tip: use sudo chmod -R a-x,u=rwX,go=rX /var/www/<projectfiles>/ to recursively set the correct file permissions on directories and files
Reference: https://stackoverflow.com/questions/17091300/linux-set-permission-only-to-directories

@indrarudianto
Copy link

Works like a charm. Thank you.

@virtualitems
Copy link

I love you all <3 thanks for the post and thanks for the answers :"D

@babamyrat1003
Copy link

thanks bro It was worked for me too

@Cachetian
Copy link

Thanks! it worked for me on CentOS Linux release 7.8.2003 (Core)

@drunkleen
Copy link

I‘ve tried to fix it and waste a day on it.
This is a life saver. Thanks mate +1

@ThePratikSah
Copy link

Almost wasted 4 hours today. Thanks man for the answer.

@Favourokerri
Copy link

thanks. i spend a day and a half on this

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment