Nginx serve static file and got 403 forbidden

长情又很酷 2020-12-04 08:36

Just want to help somebody out. Yes, you just want to serve a static file using nginx, and you got everything right in nginx.conf:

location /s         


        
8 Answers
  • 2020-12-04 08:38

    For me it was SELinux; I had to run the following (RHEL/CentOS on AWS):

    sudo setsebool -P httpd_can_network_connect on 
    chcon -Rt httpd_sys_content_t /var/www/
    
    0 Discussion (0)
  • 2020-12-04 08:40

    You should give nginx permissions to read the file. That means you should give the user that runs the nginx process permissions to read the file.

    The user that runs the nginx process is configurable with the user directive in the nginx config, usually located somewhere at the top of nginx.conf:

    user www-data;
    

    http://wiki.nginx.org/CoreModule#user

    The second argument you give to user is the group, but if you don't specify it, it uses the same one as the user, so in my example the user and the group both are www-data.

    Now the files you want to serve with nginx should have the correct permissions. Nginx should have permissions to read the files. You can give the group www-data read permissions to a file like this:

    chown :www-data my-file.html
    

    http://linux.die.net/man/1/chown

    With chown you can change the user and group owner of a file. In this command I only change the group; if you wanted to change the user too, you would specify the username BEFORE the colon, like chown www-data:www-data my-file.html. But setting the group permissions correctly should be enough for nginx to be able to read the file.

    0 Discussion (0)
  • 2020-12-04 08:40

    Setting user root in nginx can be really dangerous. Having to set permissions to all file hierarchy can be cumbersome (imagine the folder's full path is under more than 10 subfolders).

    What I'd do is to mirror the folder you want to share, under /usr/share/nginx/any_folder_name with permissions for nginx's configured user (usually www-data). That you can do with bindfs.

    In your case I would do:

    sudo bindfs -u www-data -g www-data /root/downloads/boxes/ /usr/share/nginx/root_boxes
    

    It will mount /root/downloads/boxes into /usr/share/nginx/root_boxes with all permissions for user www-data. Now you set that path in your location block config:

    location /static {
        autoindex on;
        alias /usr/share/nginx/root_boxes/;
    }
    
    0 Discussion (0)
  • 2020-12-04 08:51

    Since Nginx is handling the static files directly, it needs access to the appropriate directories. We need to give it executable permissions for our home directory.

    The safest way to do this is to add the Nginx user to our own user group. We can then add the executable permission to the group owners of our home directory, giving just enough access for Nginx to serve the files:

    CentOS / Fedora

      sudo usermod -a -G your_user nginx
    
      chmod 710 /home/your_user 
    

    To set SELinux to globally permissive mode, run:

    sudo setenforce 0

    For more info, please visit https://www.nginx.com/blog/using-nginx-plus-with-selinux/

    Ubuntu / Debian

      sudo usermod -a -G your_user www-data
    
      sudo chown -R :www-data /path/to/your/static/folder
    
    0 Discussion (0)
  • 2020-12-04 08:55

    After digging into the very useful answers, I decided to collect everything related to permissions as a recipe. Specifically, the simplest solution with maximal security (=minimal permissions).

    1. Suppose we deploy the site as user admin, that is, she owns the site dir and everything within it. We do not want to run nginx as this user (too many permissions). It's OK for testing, not for prod.
    2. By default, Nginx runs workers as the user nginx; that is, the config contains the line user nginx;
    3. By default, user nginx is in the group with the same name: nginx.
    4. We want to give minimal permissions to user nginx without changing file ownership. This seems to be the most secure of the naive options.
    5. In order to serve static files, the minimal required permissions in the folder hierarchy (see the group permissions) should be like this (use the command namei -l /home/admin/WebProject/site/static/hmenu.css):

      dr-xr-xr-x root root /
      drwxr-xr-x root root home
      drwxr-x--- admin nginx admin
      drwx--x--- admin nginx WebProject
      drwx--x--- admin nginx site
      drwx--x--- admin nginx static
      -rwxr----- admin nginx hmenu.css

    6. Next, how to get this beautiful picture? To change group ownership for dirs, we first apply sudo chown :nginx /home/admin/WebProject/site/static and then repeat the command stripping dirs from the right one-by-one.

    7. To change permissions for dirs, we apply sudo chmod g+x /home/admin/WebProject/site/static and again strip dirs.

    8. Change group for the files in the /static dir: sudo chown -R :nginx /home/admin/WebProject/site/static

    9. Finally, change permissions for the files in the /static dir: sudo chmod g+r /home/admin/WebProject/site/static/*

    (Of course one can create a dedicated group and change the user name, but this would obscure the narration with unimportant details.)

    0 Discussion (0)
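
The recipe above, like the earlier answer about giving the nginx user read access, rests on one rule: the worker user needs search (x) on every directory from / down to the file and read (r) on the file itself. The following is an added example, not part of any answer: a POSIX shell function that walks that chain and reports the first component whose mode bits deny a given uid and gid list. The name `first_blocker` is chosen here; it assumes `stat -L -c` (GNU coreutils or BusyBox) and does not examine ACLs or SELinux contexts.

```shell
#!/bin/sh
# Added example, not from the original answers. Assumes `stat -L -c` (GNU
# coreutils or BusyBox). Checks classic mode bits only; ACLs and SELinux
# contexts, which can also cause a 403, are not examined.

# first_blocker UID "GID [GID...]" /absolute/path
# Prints "ok", or the first component that denies access:
#   "blocked: <component> (mode <octal>, needs <r|x>)"
# The body is a subshell, so variables stay local and `exit` only ends the call.
first_blocker() (
    uid=$1 gids=$2 p=$3 chain=
    case $p in /*) ;; *) echo "absolute path required" >&2; exit 2 ;; esac

    # Build the chain /, /home, ..., target by stripping names from the right.
    while :; do
        chain="$p${chain:+
$chain}"
        if [ "$p" = / ]; then break; fi
        p=$(dirname "$p")
    done

    while IFS= read -r p; do
        st=$(stat -L -c '%a %u %g' "$p") || exit 2
        set -- $st
        mode=$1 owner=$2 group=$3

        # Exactly one class applies: owner first, then group, then other.
        shift_by=0
        for g in $gids; do
            if [ "$g" = "$group" ]; then shift_by=3; fi
        done
        if [ "$uid" = "$owner" ]; then shift_by=6; fi
        bits=$(( (0$mode >> $shift_by) & 7 ))

        # Directories must be searchable (x); the file must be readable (r).
        if [ -d "$p" ]; then need=1 what=x; else need=4 what=r; fi
        if [ $(( $bits & $need )) -eq 0 ]; then
            echo "blocked: $p (mode $mode, needs $what)"
            exit 1
        fi
    done <<EOF
$chain
EOF
    echo ok
)

# Usage on a real host (worker user assumed to be "nginx"):
#   first_blocker "$(id -u nginx)" "$(id -G nginx)" /home/admin/WebProject/site/static/hmenu.css
```

Because the owner class is evaluated before the group class, a file owned by the worker user with mode 070 is still reported as blocked even when the user is also in the file's group.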
  • 2020-12-04 08:58

    For the accepted answer:

    sudo chown -R :www-data static_folder

    to change the group owner of all files in that folder.

    0 Discussion (0)