@jhjguxin jhjguxin created this gist Aug 12, 2013.

## nginx 403 Forbidden Error hosting in User Home Directory

### resources

- http://serverfault.com/questions/416787/nginx-403-forbidden-error-hosting-in-user-home-directory
- [rails deploy with rvm, capistrano, uniron, nginx](https://gist.github.com/jhjguxin/5932994)

### runtime environment

```shell
nginx -v
nginx version: nginx/1.0.15
uname -a
Linux ampedservice 2.6.32-279.el6.x86_64 #1 SMP Fri Jun 22 12:19:21 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
cat /proc/version
Linux version 2.6.32-279.el6.x86_64 (mockbuild@c6b9.bsys.dev.centos.org) (gcc version 4.4.6 20120305 (Red Hat 4.4.6-4) (GCC) ) #1 SMP Fri Jun 22 12:19:21 UTC 2012
rake about
MANUAL_GC is enable ...
About your application's environment
Ruby version 1.9.3 (x86_64-linux)
RubyGems version 1.8.25
Rack version 1.4
Rails version 3.2.14
Action Pack version 3.2.14
Active Resource version 3.2.14
Action Mailer version 3.2.14
Active Support version 3.2.14
Application root /home/gxdevelop/dev/ampedservice
```

### how I configured the application

```shell
$ cat /etc/nginx/nginx.conf
# For more information on configuration, see:
# * Official English Documentation: http://nginx.org/en/docs/
# * Official Russian Documentation: http://nginx.org/ru/docs/

user nginx;
worker_processes 1;

error_log /var/log/nginx/error.log;
#error_log /var/log/nginx/error.log notice;
#error_log /var/log/nginx/error.log info;

pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/access.log main;

    sendfile on;
    #tcp_nopush on;

    #keepalive_timeout 0;
    keepalive_timeout 65;

    #gzip on;

    # Load config files from the /etc/nginx/conf.d directory
    # The default server is in conf.d/default.conf
    include /etc/nginx/conf.d/*.conf;
}
```

`ampedservice.conf`:

```nginx
upstream ampedservice_unicorn {
    server unix:/tmp/unicorn.ampedservice.sock fail_timeout=0;
    # server localhost:8888 max_fails=3 fail_timeout=5 weight=3;
    #server localhost:9999 max_fails=3 fail_timeout=5;
}

server {
    listen 80;# default deferred;
    server_name amped.guanxi.me;
    root /home/gxdevelop/dev/ampedservice/public;

    # individual nginx logs for this ampedservice vhost
    access_log /var/log/nginx/ampedservice_access.log;
    error_log /var/log/nginx/ampedservice_error.log;

    location ^~ /assets|ampedservice_assets/ {
        gzip_static on;
        expires max;
        add_header Cache-Control public;
    }

    try_files $uri/index.html $uri @unicorn;

    location @unicorn {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_pass http://ampedservice_unicorn;
    }

    error_page 500 502 503 504 /500.html;
    client_max_body_size 4G;
    keepalive_timeout 10;
}
```

My first suspicion was that this was a permissions problem. However, when I run `ls -lha public/aboutuscn.html` I see

```shell
-rw-rw-r-- 1 gxdevelop gxdevelop 1.8K Aug 10 18:12 /home/gxdevelop/dev/ampedservice/public/aboutuscn.html
```

which looks right to me? Even running `chmod 777 /home/gxdevelop/dev/ampedservice/public/aboutuscn.html` so that the permissions are

```shell
-rwxrwxrwx 1 gxdevelop gxdevelop 1.8K Aug 10 18:12 public/aboutuscn.html
```

does not help. `/etc/init.d/nginx configtest` does not produce any errors either and I'm sure the symlink in `/etc/`

```shell
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
```

**So I've been at this for a few hours and I'm now wondering what is so special about my user directory that I cannot serve anything inside of it? Ubuntu encrypts home directories these days? Could that be the problem? I also have this issue on an EC2 Ubuntu 12.04 instance (don't know if user directories are encrypted there)**

## The answer

### Default User Home Directory Permissions

So it seems that the default permissions on user home directories in Ubuntu 12.04 are `700`. **Nginx needs to have read permission on the files that should be served AND have execute permission in each of the parent directories along the path from the root to the served files.**

You can give your user directory these permissions by running

```shell
chmod 701 user_home
```

You may also use `755`, which is the default permission setting on the home directory on many systems.

The `directories/files` in your web root can belong to the www-data user or your regular personal user as long as the `user/group` that nginx runs as (as defined in nginx.conf) has READ permission on all files to be served and execute permission on all web root directories.

I just set all directories in my web root to be owned by my user account and have permissions `755` and I set all files to be served from the web root to have permissions `664` since these were the defaults on my machine.

#### Note on Converting Permission numbers to String Rep.

```text
Ex. drwxr-x--x becomes 751.
```

Ignore the first character (`d` for directory, `-` for file, etc). The remaining 9 characters form a binary triplet where any non-dash character is a 1 and a dash is a 0.

```text
So drwxr-x--x becomes rwxr-x--x
becomes 111 101 001
which is converted to a decimal 751
```

I needed a refresher on this when I was dealing with permissions.
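Added check, not part of the gist or the serverfault answer it reproduces: a POSIX shell walker that evaluates, from `stat` ownership and mode bits alone, whether a non-root uid with a given group list would get search (`x`) on every directory from `/` down to a file and read (`r`) on the file itself, which is exactly the condition the answer states. The uid and group list are passed in by the caller; for the setup above you would use the ids of the `nginx` user named in `nginx.conf`, e.g. `"$(id -u nginx)" "$(id -G nginx)"`. It assumes GNU or busybox `stat` (`-L -c`), and it ignores ACLs and SELinux, which can still deny access when the mode bits allow it.

```shell
#!/bin/sh
# Walk every component from / down to FILE and report the first one a given
# non-root account cannot pass: x (search) on a directory, r (read) on the file.
# Decisions come from ownership and mode bits via stat, so no su to that user
# is needed; uid 0 is treated as always allowed (CAP_DAC_OVERRIDE).

# perm_ok PATH UID "GID ..." r|x -> 0 if granted, 1 if not, 2 if stat fails
perm_ok() {
  p=$1; uid=$2; gids=$3; want=$4
  out=$(stat -L -c '%A %u %g' "$p" 2>/dev/null) || return 2
  set -- $out
  sym=$1; ouid=$2; ogid=$3
  if [ "$uid" -eq 0 ]; then return 0; fi
  ingroup=0
  for g in $gids; do
    if [ "$g" -eq "$ogid" ]; then ingroup=1; fi
  done
  # pick the owner, group or other triple of the symbolic mode (e.g. drwx------)
  if [ "$uid" -eq "$ouid" ]; then triple=$(printf '%s' "$sym" | cut -c2-4)
  elif [ "$ingroup" -eq 1 ]; then triple=$(printf '%s' "$sym" | cut -c5-7)
  else triple=$(printf '%s' "$sym" | cut -c8-10); fi
  case "$want$triple" in
    r[r]??) return 0 ;;    # read bit present in the applicable triple
    x??[xst]) return 0 ;;  # execute/search bit (s and t also carry x)
  esac
  return 1
}

# path_access_check FILE UID "GID ..." -> prints a verdict; 0 only if every step passes
path_access_check() {
  f=$1; uid=$2; gids=$3
  case $f in /*) ;; *) f=$(pwd)/$f ;; esac
  cur=""; rest=${f#/}
  while [ -n "$rest" ]; do
    comp=${rest%%/*}
    case $rest in */*) rest=${rest#*/} ;; *) rest="" ;; esac
    # the parent directory must be searchable before we can descend into comp
    if ! perm_ok "${cur:-/}" "$uid" "$gids" x; then
      echo "DENIED: uid $uid lacks x (search) on directory ${cur:-/}"; return 1
    fi
    cur=$cur/$comp
  done
  cur=${cur:-/}
  if [ -d "$cur" ]; then want=x; else want=r; fi
  if ! perm_ok "$cur" "$uid" "$gids" "$want"; then
    echo "DENIED: uid $uid lacks $want on $cur"; return 1
  fi
  echo "OK: uid $uid can reach and read $cur"
}
```

It stops at the first failing component, so with a `700` home directory it names the home directory rather than the file, which is the step the question above spent hours on.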