You generated some certs and dhparams, set up Cloudflare origin certs, copied all the settings below, added some content to /var/www/ and set up your nginx.conf, and nginx -t says everything's fine.
Let's load some content! Nope, just kidding, nothing works.
In your browser the page doesn't load, and you notice your 404 page isn't loading either: according to /var/nginx/www/access.log it is causing infinite redirects instead. So you check /var/nginx/www/error.log and find lots of this:
2022/06/07 02:52:13 [crit] 2804#2804: *2 stat() "/var/www/404.html" failed (13: Permission denied), client: 172.68.143.217, server: numberoverzero.com, request: "GET /404 HTTP/2.0", host: "numberoverzero.com", referrer: "https://numberoverzero.com/index.html"
2022/06/07 02:52:13 [crit] 2804#2804: *2 stat() "/var/www/404.html" failed (13: Permission denied), client: 172.68.143.217, server: numberoverzero.com, request: "GET /404 HTTP/2.0", host: "numberoverzero.com", referrer: "https://numberoverzero.com/index.html"
2022/06/07 02:52:20 [crit] 2804#2804: *3 stat() "/var/www/index.html" failed (13: Permission denied), client: 172.68.133.105, server: numberoverzero.com, request: "GET /index.html HTTP/2.0", host: "numberoverzero.com"
2022/06/07 02:52:20 [crit] 2804#2804: *3 stat() "/var/www/404.html" failed (13: Permission denied), client: 172.68.133.105, server: numberoverzero.com, request: "GET /index.html HTTP/2.0", host: "numberoverzero.com"
2022/06/07 02:52:20 [crit] 2804#2804: *3 stat() "/var/www/404.html" failed (13: Permission denied), client: 172.68.133.105, server: numberoverzero.com, request: "GET /404 HTTP/2.0", host: "numberoverzero.com", referrer: "https://numberoverzero.com/index.html"
2022/06/07 02:52:20 [crit] 2804#2804: *3 stat() "/var/www/404.html" failed (13: Permission denied), client: 172.68.133.105, server: numberoverzero.com, request: "GET /404 HTTP/2.0", host: "numberoverzero.com", referrer: "https://numberoverzero.com/index.html"
2022/06/07 02:52:52 [crit] 2876#2876: *1 stat() "/var/www/index.html" failed (13: Permission denied), client: 172.68.132.128, server: numberoverzero.com, request: "GET /index.html HTTP/2.0", host: "numberoverzero.com"
2022/06/07 02:52:52 [crit] 2876#2876: *1 stat() "/var/www/404.html" failed (13: Permission denied), client: 172.68.132.128, server: numberoverzero.com, request: "GET /index.html HTTP/2.0", host: "numberoverzero.com"
You verify that your user owns the directory, but that doesn't seem to matter:
$ ls -lah /var/www/
drwxr-xr-x. 3 crossj crossj 51 Jun 7 02:08 .
drwxr-xr-x. 22 root root 4.0K Jun 7 02:43 ..
-rw-r--r--. 1 crossj crossj 270 Apr 13 2020 404.html
-rw-rw-r--. 1 crossj crossj 6 Jun 7 02:08 index.html
Before you trip down this massive sinkhole again (again), here's the problem. Again. SELinux.
The httpd_sys_content_t context is missing on the directory or on a file within it, so SELinux denies the read even though the ownership and mode bits look right.
When things are set up correctly, it looks like this:
$ ls -Z /var/www/
-rw-r--r--. crossj crossj unconfined_u:object_r:httpd_sys_content_t:s0 404.html
-rw-rw-r--. crossj crossj unconfined_u:object_r:httpd_sys_content_t:s0 index.html
Add a persistent file-context rule for the directory, then relabel the existing files so it takes effect:
sudo semanage fcontext -a -t httpd_sys_content_t "/var/www(/.*)?"
sudo restorecon -R -v /var/www
Afterwards you should see the /var/www line in this SELinux config file:
$ cat /etc/selinux/targeted/contexts/files/file_contexts.local
# This file is auto-generated by libsemanage
# Do not edit directly.
/etc/(letsencrypt|certbot)/(live|archive)(/.*)? system_u:object_r:cert_t:s0
/var/www(/.*)? system_u:object_r:httpd_sys_content_t:s0
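As an added example (not part of the original post), a small shell triage for exactly this situation: it pulls the paths out of nginx's stat() "Permission denied" errors and reports which entries under the web root do not carry httpd_sys_content_t. The log and ls -Z lines embedded in it are constructed; the client IP and server name are placeholders.

```bash
#!/usr/bin/env bash
# Added triage helper (not from the original post): find the paths nginx could not
# stat() because of a permission error, then report which entries under the web root
# do not carry the expected SELinux type. Pure text processing, so it runs anywhere;
# the sample data below is constructed to mirror the symptoms in the post.

# Distinct paths from nginx error_log lines of the form
#   stat() "/path" failed (13: Permission denied)
# Reads log lines on stdin, prints one path per line, sorted and de-duplicated.
denied_paths() {
  sed -n 's/.*stat() "\([^"]*\)" failed (13: Permission denied).*/\1/p' | sort -u
}

# Reads `ls -Z`-style lines on stdin and prints "name type" for every entry whose
# SELinux type differs from the expected one (default httpd_sys_content_t).
# Works with both "context name" and "mode user group context name" layouts.
mislabeled() {
  local want="${1:-httpd_sys_content_t}"
  awk -v want="$want" '
    $1 == "total" { next }                    # skip the summary line of ls -l
    {
      type = "?"                              # no SELinux label found
      for (i = 1; i < NF; i++)                # find the user:role:type:level field
        if (split($i, ctx, ":") >= 3 && ctx[2] ~ /_r$/) type = ctx[3]
      if (type != want) print $NF, type
    }'
}

# Check a real directory: ls -Z output piped through mislabeled.
audit_webroot() {
  ls -Z "${1:-/var/www}" | mislabeled "${2:-httpd_sys_content_t}"
}

# Constructed sample input (client IP is a documentation address, not a real visitor).
SAMPLE_LOG='2022/06/07 02:52:13 [crit] 2804#2804: *2 stat() "/var/www/404.html" failed (13: Permission denied), client: 203.0.113.5, server: example.com, request: "GET /404 HTTP/2.0"
2022/06/07 02:52:20 [crit] 2804#2804: *3 stat() "/var/www/index.html" failed (13: Permission denied), client: 203.0.113.5, server: example.com, request: "GET /index.html HTTP/2.0"
2022/06/07 02:52:20 [crit] 2804#2804: *3 stat() "/var/www/404.html" failed (13: Permission denied), client: 203.0.113.5, server: example.com, request: "GET /404 HTTP/2.0"
2022/06/07 02:53:01 [error] 2804#2804: *4 open() "/var/www/favicon.ico" failed (2: No such file or directory), client: 203.0.113.5, server: example.com, request: "GET /favicon.ico HTTP/2.0"'
# 404.html is labelled correctly; index.html kept a home-directory label, which is what
# happens when a file is moved (mv) rather than copied into the web root.
SAMPLE_LS='-rw-r--r--. crossj crossj unconfined_u:object_r:httpd_sys_content_t:s0 404.html
-rw-rw-r--. crossj crossj unconfined_u:object_r:user_home_t:s0 index.html'

if [ "${1:-}" = "--demo" ]; then
  echo "paths nginx could not stat():"; printf '%s\n' "$SAMPLE_LOG" | denied_paths
  echo "entries without httpd_sys_content_t:"; printf '%s\n' "$SAMPLE_LS" | mislabeled
fi
```

Run it with --demo to see the constructed case, or call audit_webroot /var/www on the affected host; anything it lists is what restorecon -R -v /var/www should fix, and an empty list after relabeling confirms the fix.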