0

After a fresh installation of nginx 1.4.7 on Fedora 20 I added two additional locations to the default location:

user  neradis; # I also tried the 'root' user here and commenting this directive out, to no avail
worker_processes  1;

[...]
http {

    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;

    [...]

    index   index.html index.htm;

    server {
        listen       80;
        server_name  localhost;
        root         /usr/share/nginx/html;
        autoindex    on;

        location /music/ {
            root         /home/neradis/audio;
            autoindex    on;
        }

        location /nginx_test/ {
            root         /;
            autoindex    on;
        }


        error_page  404              /404.html;
        location = /40x.html {
        }

        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
        }
    }
}

nginx serves files from the default location /usr/share/nginx/html without problem, but yields permission-denied errors for filesystem operations (open(), opendir()) for the added locations. I am aware that every parent directory must be 'executable' for the user used by nginx, so I ensured that using namei -l:

f: /nginx_test/file.txt
drwxr-xr-x root    root    /
drwxrwxrwx neradis neradis nginx_test
-rwxrwxrwx neradis neradis file.txt

Nonetheless, I still get a 403 response on a wget localhost/nginx_test/file.txt, finding this error in the logs:

[error] 6950#0: *1 open() "/nginx_test/file.txt" failed (13: Permission denied), client: 127.0.0.1, server: localhost, request: "GET /nginx_test/file.txt HTTP/1.1", host: "localhost"

I get the same errors for the /home/neradis/audio/music. I am puzzled as to what the crucial difference from the working default root /usr/share/nginx/html is:

f: /usr/share/nginx/html/index.html
drwxr-xr-x root root /
drwxr-xr-x root root usr
drwxr-xr-x root root share
drwxr-xr-x root root nginx
drwxr-xr-x root root html
-rw-r-xr-x root root index.html

Any ideas what else might keep nginx from accessing the files?

edit (solution): The comments guided me in the right direction. The file permissions were okay, but SELinux prevented reading the files in the new locations, as they had (SELinux) types of default_t and user_home_t, which were forbidden for the httpd_t. I wrote my own selinux module to allow for default_t files and enabled access for the home files with setsebool -P http_read_user_content.

neradis
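
Added example, not part of the original post: a shell script that reads AVC denials for the httpd_t domain and maps the denied target type to a remedy, following the diagnosis in the edit above. The audit lines are constructed samples, `parse_avc` and `suggest_fix` are hypothetical helper names, and for default_t it assumes relabelling with `semanage fcontext` and `restorecon` instead of the custom module the asker wrote; the boolean is spelled `httpd_read_user_content` in the Fedora policy.

```shell
#!/bin/sh
# Constructed sample of audit.log AVC denials (not taken from the page).
SAMPLE_AVC='type=AVC msg=audit(1410710400.101:41): avc:  denied  { read } for  pid=6950 comm="nginx" name="file.txt" dev="dm-1" ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1410710401.202:42): avc:  denied  { read } for  pid=6950 comm="nginx" name="music" dev="dm-2" ino=262 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1410710402.303:43): avc:  denied  { write } for  pid=812 comm="sshd" name="tmp" dev="dm-1" ino=77 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir'

# Read audit lines on stdin; for each denial whose source domain is httpd_t,
# print: <target type> <object class> <first denied permission> <object name>
parse_avc() {
    awk '/avc: +denied/ && /scontext=[^ ]*:httpd_t:/ {
        perm = ttype = cls = name = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") perm = $(i + 1)
            else if ($i ~ /^tcontext=/) { split($i, c, ":"); ttype = c[3] }
            else if ($i ~ /^tclass=/) cls = substr($i, 8)
            else if ($i ~ /^name=/) { name = substr($i, 6); gsub(/"/, "", name) }
        }
        print ttype, cls, perm, name
    }'
}

# $1 = denied target type, $2 = content root configured in nginx.
# Prints the command to review; it does not change the system itself.
suggest_fix() {
    case "$1" in
        user_home_t)
            echo "setsebool -P httpd_read_user_content on" ;;
        default_t)
            echo "semanage fcontext -a -t httpd_sys_content_t '$2(/.*)?' && restorecon -Rv $2" ;;
        httpd_sys_content_t)
            echo "label is already readable by httpd_t; re-check file modes with namei -l" ;;
        *)
            echo "unhandled type $1; inspect the label with: ls -Zd $2" ;;
    esac
}

# Demo on the constructed sample, using the two content roots from the question.
printf '%s\n' "$SAMPLE_AVC" | parse_avc
suggest_fix default_t /nginx_test
suggest_fix user_home_t /home/neradis/audio
```

On a live host the same function can be fed from `ausearch -m avc -ts recent` instead of the sample variable.
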

2 Answers

0

Are the files for /music/ location located in /home/neradis/audio/music directory? If not, then you should use alias:

location /music {
    alias /home/neradis/audio;
}

This is one of the most common pitfalls in nginx configuration, that is, one uses root directive inside locations, when alias is the proper one.

nginx adds the matched location URI after the root directory specified inside location, while with alias, the URI is stripped off.

Tero Kilkanen
  • Thanks for the hint, but the issue I am describing here is clearly not an issue of nginx not finding the files. I already did a 'countercheck' by configuring another location that pointed to a non-existing directory and in this case I got a proper 404 and a different message in the error log. – neradis Sep 14 '14 at 16:08
0

The default user used by nginx is/should be the www-data user, not root. You could also create another user, and add him to the www-data.

When adding other locations, I suggest that you:

  • create some other virtualhosts, and do not use the default virtualhost.
  • put your data in directories readable/writeable by www-data, /var/www for example.
Nsukami _
  • A side note: In Fedora the default user for nginx is 'nginx', not 'www-data'. I also (re-)tried to use this default user ('nginx') and made the whole `/nginx_test` directory owned by the nginx user. The errors stay the same. – neradis Sep 14 '14 at 16:25