Hello - Yesterday everything worked fine when I installed nginx 0.6.33 at one VPS (virtual private server) web hosting provider (xencon.net) using Debian Etch. Today I installed nginx 0.6.34 (slightly newer) at a different VPS web hosting provider also using Debian Etch (gandi.net), and when I point my browser to the site at the second provider I'm getting the error '403 Forbidden'. Here is what the last line in file error.log in directory /usr/local/nginx/logs/ says at the second provider: 2008/11/28 09:50:01 [error] 9156#0: *1 "/usr/local/nginx/html/index.html" is forbidden (13: Permission denied), client: 111.222.333.444, server: localhost, request: "GET / HTTP/1.1", host: "mydomain.com" In both cases, I was following the steps outlined here: http://articles.slicehost.com/2007/10/19/debian-et... http://articles.slicehost.com/2007/10/19/debian-et... Well - there's two things that changed from yesterday to today: different release, and different VPS web hosting provider. To test if if was due to the different release, I tried deleting everything I could find from the install at the second provider (per the instructions in the first link above, the install on Debian Etch had been done manually, because the nginx package included with Debian Etch is outdated) - ie I deleted the ~/sources directory and the /usr/local/nginx directory and then installed version 0.6.33 this time instead of 0.6.34 - but the '403' error at the second provider continued to occur. Maybe there's something different between these two providers. Doing 'ls -l' on the files in /usr/local/nginx, I did see that the 'read' permission is always YES at the first VPS provider, and always NO at the second VPS provider: FIRST HOSTING PROVIDER /usr/local/nginx/html: -rw-r--r-- 1 root staff 383 2008-11-26 20:59 50x.html -rw-r--r-- 1 root staff 151 2008-11-26 20:59 index.html SECOND HOSTING PROVIDER /usr/local/nginx/html: -rw-r----- 1 root staff 383 2008-11-28 07:42 50x.html -rw-r----- 1 root staff 151 2008-11-28 07:42 index.html So I used the command 'chmod a+x -R' to allow read access on all these files and directories, but the error still occurs. When I google 'nginx 403 forbidden' I see that this error has also occurred for some other people (but usually in more complicated situations involving nginx as a reverse proxy with mongrels upstream), and people have tried either allowing read access (which never helped), or changing the file owner (which did help in some cases, where reverse proxying and mongrels were involved): http://nicholasorr.com/blog/2008/07/22/nginx-engin... http://www.ruby-forum.com/topic/147003 In my case, this is just a "hello, world" situation, where I'm installing nginx to see if I can connect from my browser, and I can't quite understand what the file owner permissions have to do with it, so I'm unsure what I should do. Any suggestions would be greatly appreciated! Thanks.
on 2008-11-28 10:31
on 2008-11-28 10:42
TYPO: > So I used the command 'chmod a+x -R' to allow read access on all these > files and directories, but the error still occurs. SHOULD READ: > So I used the command 'chmod a+r -R' to allow read access on all these > files and directories, but the error still occurs. (ie - a+r NOT a+x) Sorry!
on 2008-11-28 16:58
What are the permissions for /usr/local/nginx ?
on 2008-11-28 23:24
Jim Ohlstein wrote: > What are the permissions for /usr/local/nginx ? Hi - Thanks for asking this question, because in trying to answer it I had to carefully dig down a bit deeper into the subdirectories under /usr/local/nginx ... and I finally fixed the problem by: - setting 'r' and 'x' permissions on /usr/local/nginx/html for the 'world' ('other') group - setting 'r' permission on the *.html files in that directory using the commands: sudo chmod o+rx /usr/local/nginx/html sudo chmod o+r /usr/local/nginx/html/* Now I see "Welcome to nginx!" in my browser. Thanks. - Stefan Scott =========================================================================== Gory details below for anyone who might be interested... The permissions displayed on both servers are identical when doing 'ls -l /usr/local | grep nginx': $ ls -l /usr/local | grep nginx drwxr-sr-x 8 root staff 4096 2008-11-26 21:23 nginx ...but doing 'ls -l /usr/local/nginx' on both servers showed that on the bad server the html folder was missing 'r' and 'x' permissions for the 'world' ('other') group: BAD-SERVER $ ls -l /usr/local/nginx total 24 drwx--S--- 2 nobody staff 4096 2008-11-28 22:03 client_body_temp drwxr-sr-x 2 root staff 4096 2008-11-28 22:02 conf drwx--S--- 2 nobody staff 4096 2008-11-28 22:03 fastcgi_temp drwxr-s--- 2 root staff 4096 2008-11-28 22:02 html drwxr-sr-x 2 root staff 4096 2008-11-28 22:03 logs drwx--S--- 2 nobody staff 4096 2008-11-28 22:03 proxy_temp GOOD-SERVER $ ls -l /usr/local/nginx total 24 drwx--S--- 2 nobody staff 4096 2008-11-26 21:23 client_body_temp drwxr-sr-x 2 root staff 4096 2008-11-27 16:56 conf drwx--S--- 2 nobody staff 4096 2008-11-26 21:23 fastcgi_temp drwxr-sr-x 6 root staff 4096 2008-11-27 15:11 html drwxr-sr-x 2 root staff 4096 2008-11-28 04:57 logs drwx--S--- 2 nobody staff 4096 2008-11-26 21:23 proxy_temp Then I noticed weird output from 'ls -l' on the *.html files on the server that shows the '403' error. A bunch of '?' are displayed instead of permissions info, apparently meaning the current user doesn't have permission to view these files. Going down the lowest level (to view the *.html files), doing 'ls -l /usr/local/nginx/html' on the server showing '403' displays a bunch of '?' instead of permissions info: BAD-SERVER $ ls -l /usr/local/nginx/html /usr/local/nginx/html: total 0 ?--------- ? ? ? ? ? /usr/local/nginx/html/50x.html ?--------- ? ? ? ? ? /usr/local/nginx/html/index.html BAD-SERVER $ sudo ls -l html/* -rw-r----- 1 root staff 383 2008-11-28 22:02 html/50x.html -rw-r----- 1 root staff 151 2008-11-28 22:02 html/index.html GOOD-SERVER $ ls -l /usr/local/nginx/html total 8 -rw-r--r-- 1 root staff 383 2008-11-26 20:59 50x.html -rw-r--r-- 1 root staff 151 2008-11-26 20:59 index.html And doing 'cat /usr/local/nginx/html/*' on the "bad" server returned: cat: /usr/local/nginx/html/50x.html: Permission denied cat: /usr/local/nginx/html/index.html: Permission denied I understand the basics but not the subtleties of permissions. Just now I discovered an interesting detail about the need to set the 'r' and 'x' permissions for the 'world' ('other') group on all directories in the path used by the webserver to access the *.html file(s): ====================================================================== http://wiki.debian.org/Permissions Is there ever a place where you'd want "x" on a directory but not "r"? Yes. This is useful when you want to allow people to get at files in a directory if they happen to know the file's name, but not to be able to find out the names of the files. Also, it can be useful if you're setting up an anonymous upload place, and you don't want people to be able to see what others have uploaded until you have a chance to filter out the undesirable files. But the most common time you'll see an "x" on a directory without its "r" is when a user has a web site set up in her ~/public_html directory, but doesn't want her entire home directory to be visible to the world. In order for Apache to get to the files in public_html, the home directory has to be "x" (executable) for all users, and so does public_html itself. So she might have it set up something like this: drwxr-x--x 150 jane jane 19456 2005-03-11 10:29 /home/jane drwxr-x--x 14 jane jane 5632 2005-02-11 08:48 /home/jane/public_html -rw-r--r-- 1 jane jane 1226 2004-11-04 10:05 /home/jane/public_html/index.html Now, other users on the system (outside of the "jane" group) can't see what files jane has in her home directory, and they can't see what she has in her public_html directory, but apache can open the index.html file. (To recap, apache needs "x" permissions on all of the directories leading up to the index.html file, and it needs "r" permission on the file itself, in order to open it for reading.) ====================================================================== So on the "bad" server I set the 'r' and 'x' permissions for 'world' on directory /usr/local/nginx/html: $ cd /usr/local/nginx /usr/local/nginx $ sudo chmod o+rx html /usr/local/nginx $ ls -l total 24 drwx--S--- 2 nobody staff 4096 2008-11-28 22:03 client_body_temp drwxr-sr-x 2 root staff 4096 2008-11-28 22:02 conf drwx--S--- 2 nobody staff 4096 2008-11-28 22:03 fastcgi_temp drwxr-sr-x 2 root staff 4096 2008-11-28 22:02 html ## r-x set for 'other' drwxr-sr-x 2 root staff 4096 2008-11-28 22:03 logs drwx--S--- 2 nobody staff 4096 2008-11-28 22:03 proxy_temp And then I went into /usr/local/nginx/html and set the 'r' permission for 'world' ('other') on both *.html files: /usr/local/nginx $ cd html /usr/local/nginx/html $ ls -l total 8 -rw-r----- 1 root staff 383 2008-11-28 22:02 50x.html -rw-r----- 1 root staff 151 2008-11-28 22:02 index.html /usr/local/nginx/html $ sudo chmod o+r * /usr/local/nginx/html $ ls -l total 8 -rw-r--r-- 1 root staff 383 2008-11-28 22:02 50x.html -rw-r--r-- 1 root staff 151 2008-11-28 22:02 index.html I had to use 'sudo' because I'm not the owner or in the group for these files/directories. Maybe this had something to do with the user I was logged in as while doing the nginx install - or maybe the nginx install itself was not configured to set the permissions properly - but at any rate it's working now and I'm very happy to see "Welcome to nginx!" on my home page. Thanks.