Forum: NGINX '403 Forbidden' error after installing nginx

Stefan Scott (stefanscott)
on 2008-11-28 10:31
Hello -

Yesterday everything worked fine when I installed nginx 0.6.33 at one
VPS (virtual private server) web hosting provider (xencon.net) using
Debian Etch. Today I installed nginx 0.6.34 (slightly newer) at a
different VPS web hosting provider also using Debian Etch (gandi.net),
and when I point my browser to the site at the second provider I'm
getting the error '403 Forbidden'.

Here is what the last line in file error.log in directory
/usr/local/nginx/logs/ says at the second provider:

2008/11/28 09:50:01 [error] 9156#0: *1
"/usr/local/nginx/html/index.html" is forbidden (13: Permission denied),
client: 111.222.333.444, server: localhost, request: "GET / HTTP/1.1",
host: "mydomain.com"

In both cases, I was following the steps outlined here:

http://articles.slicehost.com/2007/10/19/debian-et...
http://articles.slicehost.com/2007/10/19/debian-et...

Well - there are two things that changed from yesterday to today:
different release, and different VPS web hosting provider.

To test if it was due to the different release, I tried deleting
everything I could find from the install at the second provider (per the
instructions in the first link above, the install on Debian Etch had
been done manually, because the nginx package included with Debian Etch
is outdated) - ie I deleted the ~/sources directory and the
/usr/local/nginx directory and then installed version 0.6.33 this time
instead of 0.6.34 - but the '403' error at the second provider continued
to occur.

Maybe there's something different between these two providers. Doing 'ls
-l' on the files in /usr/local/nginx, I did see that the 'read'
permission is always YES at the first VPS provider, and always NO at the
second VPS provider:

FIRST HOSTING PROVIDER
/usr/local/nginx/html:
-rw-r--r-- 1 root staff  383 2008-11-26 20:59 50x.html
-rw-r--r-- 1 root staff  151 2008-11-26 20:59 index.html

SECOND HOSTING PROVIDER
/usr/local/nginx/html:
-rw-r----- 1 root staff 383 2008-11-28 07:42 50x.html
-rw-r----- 1 root staff 151 2008-11-28 07:42 index.html

So I used the command 'chmod a+x -R' to allow read access on all these
files and directories, but the error still occurs.

When I google 'nginx 403 forbidden' I see that this error has also
occurred for some other people (but usually in more complicated
situations involving nginx as a reverse proxy with mongrels upstream),
and people have tried either allowing read access (which never helped),
or changing the file owner (which did help in some cases, where reverse
proxying and mongrels were involved):

http://nicholasorr.com/blog/2008/07/22/nginx-engin...
http://www.ruby-forum.com/topic/147003

In my case, this is just a "hello, world" situation, where I'm
installing nginx to see if I can connect from my browser, and I can't
quite understand what the file owner permissions have to do with it, so
I'm unsure what I should do.

Any suggestions would be greatly appreciated!

Thanks.
Stefan Scott (stefanscott)
on 2008-11-28 10:42
TYPO:
> So I used the command 'chmod a+x -R' to allow read access on all these
> files and directories, but the error still occurs.

SHOULD READ:
> So I used the command 'chmod a+r -R' to allow read access on all these
> files and directories, but the error still occurs.

(ie - a+r NOT a+x)

Sorry!
Jim Ohlstein (Guest)
on 2008-11-28 16:58
(Received via mailing list)
What are the permissions for /usr/local/nginx ?
Stefan Scott (stefanscott)
on 2008-11-28 23:24
Jim Ohlstein wrote:
> What are the permissions for /usr/local/nginx ?

Hi -

Thanks for asking this question, because in trying to answer it I had to
carefully dig down a bit deeper into the subdirectories under
/usr/local/nginx ... and I finally fixed the problem by:

- setting 'r' and 'x' permissions on /usr/local/nginx/html for the
'world' ('other') group
- setting 'r' permission on the *.html files in that directory

using the commands:

sudo chmod o+rx /usr/local/nginx/html
sudo chmod o+r  /usr/local/nginx/html/*

Now I see "Welcome to nginx!" in my browser. Thanks.

- Stefan Scott

===========================================================================

Gory details below for anyone who might be interested...

The permissions displayed on both servers are identical when doing 'ls
-l /usr/local | grep nginx':

$ ls -l /usr/local | grep nginx
drwxr-sr-x 8 root staff 4096 2008-11-26 21:23 nginx

...but doing 'ls -l /usr/local/nginx' on both servers showed that on the
bad server the html folder was missing 'r' and 'x' permissions for the
'world' ('other') group:

BAD-SERVER $ ls -l /usr/local/nginx
total 24
drwx--S--- 2 nobody staff 4096 2008-11-28 22:03 client_body_temp
drwxr-sr-x 2 root   staff 4096 2008-11-28 22:02 conf
drwx--S--- 2 nobody staff 4096 2008-11-28 22:03 fastcgi_temp
drwxr-s--- 2 root   staff 4096 2008-11-28 22:02 html
drwxr-sr-x 2 root   staff 4096 2008-11-28 22:03 logs
drwx--S--- 2 nobody staff 4096 2008-11-28 22:03 proxy_temp

GOOD-SERVER $ ls -l /usr/local/nginx
total 24
drwx--S--- 2 nobody staff 4096 2008-11-26 21:23 client_body_temp
drwxr-sr-x 2 root   staff 4096 2008-11-27 16:56 conf
drwx--S--- 2 nobody staff 4096 2008-11-26 21:23 fastcgi_temp
drwxr-sr-x 6 root   staff 4096 2008-11-27 15:11 html
drwxr-sr-x 2 root   staff 4096 2008-11-28 04:57 logs
drwx--S--- 2 nobody staff 4096 2008-11-26 21:23 proxy_temp

Then I noticed weird output from 'ls -l' on the *.html files on the
server that shows the '403' error. A bunch of '?' are displayed instead
of permissions info, apparently meaning the current user doesn't have
permission to view these files.

Going down to the lowest level (to view the *.html files), doing 'ls -l
/usr/local/nginx/html' on the server showing '403' displays a bunch of
'?' instead of permissions info:

BAD-SERVER $ ls -l /usr/local/nginx/html
/usr/local/nginx/html:
total 0
?--------- ? ? ? ?                ? /usr/local/nginx/html/50x.html
?--------- ? ? ? ?                ? /usr/local/nginx/html/index.html

BAD-SERVER $ sudo ls -l html/*
-rw-r----- 1 root staff 383 2008-11-28 22:02 html/50x.html
-rw-r----- 1 root staff 151 2008-11-28 22:02 html/index.html


GOOD-SERVER $ ls -l /usr/local/nginx/html
total 8
-rw-r--r-- 1 root staff  383 2008-11-26 20:59 50x.html
-rw-r--r-- 1 root staff  151 2008-11-26 20:59 index.html

And doing 'cat /usr/local/nginx/html/*' on the "bad" server returned:

cat: /usr/local/nginx/html/50x.html: Permission denied
cat: /usr/local/nginx/html/index.html: Permission denied


I understand the basics but not the subtleties of permissions. Just now
I discovered an interesting detail about the need to set the 'r' and 'x'
permissions for the 'world' ('other') group on all directories in the
path used by the webserver to access the *.html file(s):

======================================================================

http://wiki.debian.org/Permissions

Is there ever a place where you'd want "x" on a directory but not "r"?
Yes. This is useful when you want to allow people to get at files in a
directory if they happen to know the file's name, but not to be able to
find out the names of the files. Also, it can be useful if you're
setting up an anonymous upload place, and you don't want people to be
able to see what others have uploaded until you have a chance to filter
out the undesirable files.

But the most common time you'll see an "x" on a directory without its
"r" is when a user has a web site set up in her ~/public_html directory,
but doesn't want her entire home directory to be visible to the world.
In order for Apache to get to the files in public_html, the home
directory has to be "x" (executable) for all users, and so does
public_html itself. So she might have it set up something like this:

drwxr-x--x  150 jane jane 19456 2005-03-11 10:29 /home/jane
drwxr-x--x   14 jane jane  5632 2005-02-11 08:48 /home/jane/public_html
-rw-r--r--    1 jane jane  1226 2004-11-04 10:05 /home/jane/public_html/index.html

Now, other users on the system (outside of the "jane" group) can't see
what files jane has in her home directory, and they can't see what she
has in her public_html directory, but apache can open the index.html
file. (To recap, apache needs "x" permissions on all of the directories
leading up to the index.html file, and it needs "r" permission on the
file itself, in order to open it for reading.)

======================================================================

So on the "bad" server I set the 'r' and 'x' permissions for 'world' on
directory /usr/local/nginx/html:

$ cd /usr/local/nginx
/usr/local/nginx $ sudo chmod o+rx html
/usr/local/nginx $ ls -l
total 24
drwx--S--- 2 nobody staff 4096 2008-11-28 22:03 client_body_temp
drwxr-sr-x 2 root   staff 4096 2008-11-28 22:02 conf
drwx--S--- 2 nobody staff 4096 2008-11-28 22:03 fastcgi_temp
drwxr-sr-x 2 root   staff 4096 2008-11-28 22:02 html   ## r-x set for 'other'
drwxr-sr-x 2 root   staff 4096 2008-11-28 22:03 logs
drwx--S--- 2 nobody staff 4096 2008-11-28 22:03 proxy_temp

And then I went into /usr/local/nginx/html and set the 'r' permission
for 'world' ('other') on both *.html files:

/usr/local/nginx $ cd html
/usr/local/nginx/html $ ls -l
total 8
-rw-r----- 1 root staff 383 2008-11-28 22:02 50x.html
-rw-r----- 1 root staff 151 2008-11-28 22:02 index.html

/usr/local/nginx/html $ sudo chmod o+r *
/usr/local/nginx/html $ ls -l
total 8
-rw-r--r-- 1 root staff 383 2008-11-28 22:02 50x.html
-rw-r--r-- 1 root staff 151 2008-11-28 22:02 index.html

I had to use 'sudo' because I'm not the owner or in the group for these
files/directories.

Maybe this had something to do with the user I was logged in as while
doing the nginx install - or maybe the nginx install itself was not
configured to set the permissions properly - but at any rate it's
working now and I'm very happy to see "Welcome to nginx!" on my home
page.

Thanks.
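
Added example, not part of the original thread: a POSIX shell check for the rule the posts arrive at, that a process which is neither owner nor group member (here the nginx worker running as `nobody`) needs 'x' for 'other' on every directory down to the file and 'r' on the file itself. The function names and the temporary tree (built with the 750/640 modes shown for the failing server) are constructed for illustration; only classic mode bits are read, not ACLs.

```shell
#!/bin/sh
# Added example (not from the thread). Names are hypothetical; only the
# classic "other" mode bits are read, not ACLs or SELinux/AppArmor policy.

# other_bits PATH: print the 3-character "other" triplet from ls -ld.
other_bits() {
    ls -ld -- "$1" 2>/dev/null | cut -c8-10
}

# first_block BASE RELPATH: walk BASE, then each component of RELPATH.
# Directories need 'x' for other, the final file needs 'r'. Prints one
# verdict line; returns 0 if the chain is open, 1 at the first blocker.
first_block() {
    cur=${1%/}; rel=$2
    [ -n "$cur" ] || cur=/
    while :; do
        bits=$(other_bits "$cur")
        [ -n "$bits" ] || { echo "UNREADABLE $cur"; return 1; }
        if [ -d "$cur" ]; then
            case $bits in
                ??x|??t) ;;                              # searchable
                *) echo "NO_X $cur ($bits)"; return 1 ;;
            esac
        else
            case $bits in
                r??) echo "OK $cur"; return 0 ;;
                *) echo "NO_R $cur ($bits)"; return 1 ;;
            esac
        fi
        [ -n "$rel" ] || { echo "OK $cur"; return 0; }
        cur="${cur%/}/${rel%%/*}"
        case $rel in */*) rel=${rel#*/} ;; *) rel= ;; esac
    done
}

# demo: constructed tree using the modes shown for the failing server.
demo() {
    d=$(mktemp -d) && chmod 755 "$d" && mkdir -p "$d/nginx/html" || return 1
    echo hello > "$d/nginx/html/index.html"
    chmod 755 "$d/nginx"; chmod 750 "$d/nginx/html"
    chmod 640 "$d/nginx/html/index.html"
    ( cd "$d" || exit 1
      first_block . nginx/html/index.html || :   # before the fix
      chmod o+rx nginx/html
      first_block . nginx/html/index.html || :   # after chmod o+rx html
      chmod o+r nginx/html/index.html
      first_block . nginx/html/index.html || : ) # after chmod o+r html/*
    rm -rf "$d"
}

if [ $# -eq 2 ]; then first_block "$1" "$2"; else demo; fi
```

Run with two arguments, for example `/` and `usr/local/nginx/html/index.html`, to check a real path; with no arguments it runs the constructed demo. Because it stops at the first blocker, it shows the narrowest permission to add rather than a recursive `a+r`.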