After a fresh installation of nginx 1.4.7 on Fedora 20 I added two additional locations to the default location:
```nginx
user neradis; # I also tried the 'root' user here and commenting this directive out, to no avail
worker_processes 1;
[...]
http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/access.log main;
    sendfile on;
    [...]
    index index.html index.htm;

    server {
        listen 80;
        server_name localhost;
        root /usr/share/nginx/html;
        autoindex on;

        location /music/ {
            root /home/neradis/audio;   # root is prepended to the URI: /home/neradis/audio/music/...
            autoindex on;
        }

        location /nginx_test/ {
            root /;                     # resolves to /nginx_test/...
            autoindex on;
        }

        error_page 404 /404.html;
        location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }
}
```
nginx serves files from the default location /usr/share/nginx/html without problem, but yields permission denied errors for filesystem operations (open(), opendir()) for the added locations. I am aware that every parent directory must be 'executable' for the user nginx runs as, so I ensured that using namei -l:

```text
f: /nginx_test/file.txt
drwxr-xr-x root    root    /
drwxrwxrwx neradis neradis nginx_test
-rwxrwxrwx neradis neradis file.txt
```
Nonetheless, I still get a 403 response on a wget localhost/nginx_test/file.txt, finding this error in the logs:

```text
[error] 6950#0: *1 open() "/nginx_test/file.txt" failed (13: Permission denied), client: 127.0.0.1, server: localhost, request: "GET /nginx_test/file.txt HTTP/1.1", host: "localhost"
```
I get the same errors for /home/neradis/audio/music. I am puzzled what the crucial difference to the working default root /usr/share/nginx/html is:

```text
f: /usr/share/nginx/html/index.html
drwxr-xr-x root root /
drwxr-xr-x root root usr
drwxr-xr-x root root share
drwxr-xr-x root root nginx
drwxr-xr-x root root html
-rw-r-xr-x root root index.html
```
Any ideas what else might keep nginx from accessing the files?
edit (solution): The comments guided me in the right direction. The file permissions were okay, but SELinux prevented reading the files in the new locations, as they had (SELinux) types of default_t and user_home_t, which were forbidden for httpd_t. I wrote my own SELinux module to allow for default_t files and enabled access for the home files with setsebool -P httpd_read_user_content.
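As an added example (not part of the original post), here is a small bash helper that parses the AVC denial SELinux writes to /var/log/audit/audit.log for a denial like the one above and maps the target file type to the usual remedy: relabelling the served directory to httpd_sys_content_t for default_t content, or enabling the httpd_read_user_content boolean for files under a home directory. The AVC line is constructed to match the nginx error in the post; the remedy choice and the path /nginx_test are assumptions for illustration.

```bash
#!/usr/bin/env bash
# Constructed sample AVC line, modelled on the open() denial from the post.
SAMPLE_AVC='type=AVC msg=audit(1397000000.123:45): avc:  denied  { read } for  pid=6950 comm="nginx" name="file.txt" dev="sda1" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file'

# Extract one key=value field (scontext, tcontext, tclass, ...) from an AVC line.
avc_field() {
    # $1 = AVC line, $2 = field name
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# Return the SELinux type, i.e. the third component of user:role:type:level.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Decide how to fix a denial where the nginx domain (httpd_t) cannot read a file.
# Prints one of: relabel | boolean | unknown
avc_remedy() {
    src=$(context_type "$(avc_field "$1" scontext)")
    tgt=$(context_type "$(avc_field "$1" tcontext)")
    [ "$src" = httpd_t ] || { echo unknown; return; }
    case $tgt in
        default_t|unlabeled_t) echo relabel ;;   # content simply lacks a web label
        user_home_t)           echo boolean ;;   # home content: opt in via boolean
        *)                     echo unknown ;;
    esac
}

# Print the administrative commands for a remedy and the directory nginx serves.
remedy_commands() {
    # $1 = remedy, $2 = directory
    case $1 in
        relabel)
            printf 'semanage fcontext -a -t httpd_sys_content_t "%s(/.*)?"\nrestorecon -Rv "%s"\n' "$2" "$2" ;;
        boolean)
            printf 'setsebool -P httpd_read_user_content on\n' ;;
        *)
            printf '# inspect with: ausearch -m avc -c nginx; ls -Z "%s"\n' "$2" ;;
    esac
}

remedy_commands "$(avc_remedy "$SAMPLE_AVC")" /nginx_test
```

Relabelling keeps httpd_t confined to web content, which is narrower than a custom module that lets it read every default_t file on the system.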