Tuesday, 31 March 2015

Nginx forbidden

Today I learned that to serve a file with nginx, you need to satisfy (at least) two conditions.

Nginx must have read access to the file you want to serve.

Even if nginx workers are running as root, if the file is marked 000, then nginx cannot serve the file!

In most cases this can be as easy as doing

chmod o+r filename

Or finer group-level permissions depending on access control restrictions for that file.

And the second condition which had me searching the web for hours is

Every directory in the path of the file must be set as executable.

If you want to serve files in /var/www/static/css

location /css/ {
    root /var/www/static;

Then var, www, static and css directories must be executable by the nginx process.

Most web server's master process runs as root spawning worker processes as www-data or whichever user you specify. www-data or the user must have appropriate access to all the files and directories you want to serve.