0

I tried:

user nginx;
...
...
       location / {
           root /home/tango/www/html;
       }

Only to get a 403 Forbidden error. The /home/tango/www/html/index.html file is generated by tango, so I don't think I can put it in /var/www/html/, where writing requires root permission.

The error log confirms the permission error:

2020/07/28 11:50:12 [error] 122769#0: *533 open() "/home/tango/www/html/index.html" failed (13: Permission denied), client: XXX.YYY.ZZZ.AAA, server: , request: "GET /diagcte HTTP/1.1", host: "my.org"

However, ls -la /home/tango/www/html/index.html shows:

-rw-r--r--. 1 tango posixusers 212 Jul 28 11:33 /home/tb571/www/html/index.html

So the nginx user should have read permission.

Anyways, can you help with serving a non-root static file through nginx?

tash

1 Answer

0

The parent directory of the file nginx is trying to access must also have suitable permissions, not just the file itself. Typically a /home directory is not accessible to other users.

You'd need to do something like `chgrp -R nginx /home/tango ; chmod g+rx /home/tango`, but consider the security implications of this in your own setup.

Depending on your distro, SELinux could also be denying permission. Try `audit2allow -a` to see if that is causing an issue.

However, it may be advisable to move the root somewhere else and give tango write access there, rather than giving nginx access to the /home directory.

tater
  • Hi @tetech, I did the latter, moved the root to `/tmp/www/html/`. Although `index.html` exists in the new root, now the error log says `2020/07/28 12:10:30 [error] 129758#0: *538 open() "/tmp/www/html/index.html" failed (2: No such file or directory), client: XXX.YY server: , request: "GET /index.html HTTP/1.1", host: "my.org"` What can I do now? – tash Jul 28 '20 at 16:13
  • If the `nginx` config has been updated and it has been restarted, file permissions are OK, then it should work; SELinux may not apply to you but is sometimes overlooked, try `echo 0 > /selinux/enforce` to disable temporarily, then re-try. – tater Jul 28 '20 at 16:27
  • `/tmp` is also a bad choice, since different users might have their own `/tmp` directories. You should use `/var/www/html`. – Tero Kilkanen Jul 28 '20 at 19:49
  • Hi @TeroKilkanen, I already mentioned-- a non-root user does not have write permission in `/var/www/html` directory. – tash Jul 28 '20 at 19:53
  • Then you should use some other directory where you can assign appropriate permissions, but not `/tmp`. – Tero Kilkanen Jul 28 '20 at 19:56
  • Yeah, all users in my server use `/tmp` as their temporary directory. So, I don't think that is a bad choice for me. – tash Jul 28 '20 at 20:01
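
The answer's point that every parent directory, not just the file, must admit the nginx user can be checked component by component. The following is an added example, not code from the question or the answer; the names `class_bits` and `blockers` are hypothetical, and it models plain mode bits only (no POSIX ACLs, no SELinux, no root bypass).

```python
import os
import pwd
import stat
import sys
from pathlib import Path


def class_bits(st, uid, gids):
    """rwx bits (0-7) the kernel applies to uid/gids: owner, else group, else other."""
    mode = stat.S_IMODE(st.st_mode)
    if uid == st.st_uid:
        return (mode >> 6) & 7
    if st.st_gid in gids:
        return (mode >> 3) & 7
    return mode & 7


def blockers(path, uid, gids):
    """Return [(component, reason)] for every component of path that denies uid/gids.

    Mode bits only: POSIX ACLs, SELinux and root's bypass (uid 0) are not modelled.
    """
    target = Path(path).resolve()
    found = []
    for comp in list(target.parents)[::-1] + [target]:  # walk from / down to the file
        try:
            st = os.stat(comp)
        except OSError as exc:
            found.append((str(comp), f"stat failed: {exc.strerror}"))
            break
        bits = class_bits(st, uid, gids)
        if stat.S_ISDIR(st.st_mode):
            if not bits & 1:  # directories need x (search) to be traversed
                found.append((str(comp), "directory lacks search (x) permission"))
        elif not bits & 4:  # the file itself needs r
            found.append((str(comp), "file lacks read (r) permission"))
    return found


if __name__ == "__main__":
    # Usage: script.py USER PATH; the defaults (current user, this file) are placeholders.
    user = sys.argv[1] if len(sys.argv) > 1 else pwd.getpwuid(os.getuid()).pw_name
    path = sys.argv[2] if len(sys.argv) > 2 else __file__
    pw = pwd.getpwnam(user)
    gids = set(os.getgrouplist(pw.pw_name, pw.pw_gid))
    for comp, reason in blockers(path, pw.pw_uid, gids):
        print(f"{comp}: {reason}")
```

An empty result with a 403 still being served points at something the mode bits do not show, such as the SELinux denial the answer mentions.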