I am getting 403 forbidden error when I try to access a domain using nginx. The nginx logs I get are:
[error] 13656#0: *4 "/var/www/example.com/www/index.php" is forbidden (13: Permission denied), client: 31.179.107.194, server: example.com, request: "GET / HTTP/1.1", host: "example.com"
/var/www/ has recursive 777 permissions. Sites-available config is:
#HTTP serve
#
server {
listen 80;
root /var/www/example.com/www/;
index index.php index.html index.htm;
server_name example.com;
access_log /var/log/nginx/example.com.access.log combined buffer=1024k;
error_log /var/log/nginx/example.com.error.log;
client_max_body_size 128M;
if (!-e $request_filename) {
rewrite ^/([a-zA-Z0-9]+)/([a-zA-Z0-9]+)/$ /index.php?controller=$1&action=$2 last;
}
location ~ \.php$ {
if (!-f $document_root/$fastcgi_script_name){
return 404;
}
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
proxy_connect_timeout 600s;
proxy_read_timeout 600s;
include fastcgi_params;
}
location ~ /\.ht {
deny all;
}
}
nginx.conf contains user root; directive.
What's wrong?
One possible cause is that you are using SELinux. See Why does Nginx return a 403 even though all permissions are set properly?.
Also, setting user root is a security risk and is not recommended. Using an unprivileged user like 'www-data' or `nobody' is recommended, along with permissions that allow that user to access the minimal amount of data necessary.
Related
I am using the default config with Nginx installed on my manjaro machine. I just added some simple configurations down below.
nginx.conf:
user http;
worker_processes auto;
worker_cpu_affinity auto;
.....
http{
.....
server {
listen 9000;
server_name localhost;
root /usr/share/nginx/html/exam;
location / {
index index.php index.html index.htm;
autoindex on;
autoindex_exact_size off;
autoindex_localtime on;
if (!-e $request_filename){
rewrite ^/(.+)$ /index.php?url=$1 break;
}
}
location /. {
return 404;
}
location ~ \.php$ {
try_files $uri =404;
include /etc/nginx/fastcgi_params;
include /etc/nginx/fastcgi.conf;
fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
include fastcgi_params;
fastcgi_index index.php;
fastcgi_intercept_errors on;
fastcgi_split_path_info ^(.+\.php)(.*)$;
fastcgi_read_timeout 864000;
}
location ~ /\.ht {
deny all;
}
}
....
}
since the user for Nginx is http, I also changed the ownership of the folder, subfolders and files as HTTP with:
chmod -R http:http exam/
it looks like this:
1838248 lrwxrwxrwx 1 http http 42 Eyl 13 17:42 exam
but still gives 403 Forbidden on browser with this error:
2021/09/13 17:49:22 [error] 493923#493923: *4 open() "/usr/share/nginx/html/exam/index.php" failed (13: Permission denied), client: 127.0.0.1, server: localhost, request: "GET /exam HTTP/1.1", host: "localhost:9000"
I have tried every solution I found, but it did not work.
I also tried simple PHP files that runs like "phpinfo();" even they are not working.
I moved the project file under /srv/http and redirect the root in the conf file to it. Now it is working.
I have set up MeteorJs application with MongoDB backend in Digital Ocean. I am now trying to set up adminer so I can query MongoDB without opening input ports on my droplet. Everytime I try to reload the nginx settings, I get nginx: [emerg] no port in upstream "php" in /etc/nginx/sites-enabled/admin:32 error.
What am I missing?
/etc/nginx/sites-enabled/admin
server {
listen 80;
server_name 165.227.197.220;
return 301 https://$server_name$request_uri;
}
server {
server_name 165.227.197.220;
listen 443 ssl;
access_log /var/log/nginx/admin.access.log;
error_log /var/log/nginx/admin.error.log;
ssl_certificate /etc/nginx/ssl/admin.crt;
ssl_certificate_key /etc/nginx/ssl/admin.key;
root /var/www/admin;
index adminer.php;
# Get file here https://codex.wordpress.org/Nginx
include global/restrictions.conf;
auth_basic "Restricted";
auth_basic_user_file /etc/nginx/.htpasswd/admin;
location / {
try_files $uri $uri/ =404;
}
location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass php;
fastcgi_index adminer.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
}
/etc/nginx/global/restrictions.conf
# Global restrictions configuration file.
# Designed to be included in any server {} block.
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
location ~ /\. {
deny all;
}
# Deny access to any files with a .php extension in the uploads directory
# Works in sub-directory installs and also in multisite network
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
location ~* /(?:uploads|files)/.*\.php$ {
deny all;
}
You need to setup an upstream for example using wordpress that is what we have
upstream index_php_upstream {
server 127.0.0.1:8090; # NGINX Unit backend address for index.php with
# 'script' parameter
}
For more about upstream, so can view this article UpStream - Nginx
I have a PHP project, a REST API. Nginx configuration is working for the API but is not for uploaded images
Images are always returning 404 error
the project starts at /public directory, upload directory is inside public, so the image access url is something like:
DOMAIN.COM/upload/201812/20181204133821.jpg
The actual NGINX configuration is
server {
listen 80;
listen [::]:80;
set $root_path '/usr/share/nginx/html/api/public';
root $root_path;
index index.php index.html index.htm;
server_name api-eduplus.blanco-estudio.com;
#try_files $uri $uri/ #rewrite;
try_files $uri $uri/ /index.php?q=$uri&$args;
location ~* \.(jpg|jpeg|png|gif)$ {
root $root_path;
expires max;
add_header Pragma public;
add_header Cache-Control "public, must-revalidate, proxy-revalidate";
}
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
location ~ /\.ht {
deny all;
}
#error_log logs/error.log warn;
}
So the API starts at /public directory and images are uploaded into /public/upload/
Also. The nginx error log on the server says:
2018/12/04 16:35:54 [error] 17338: *1 openat() "/usr/share/nginx/html/api/public/upload/201812/20181204133821.jpg" failed (20: Not a directory), request: "GET /upload/201812/20181204133821.jpg HTTP/1.1"
Please help, I'm actually stuck
I just fixed this issue on my server. The cause of the error was a symlink.
I just encountered this (not very elucidating) error message on my server's nginx config:
"/path/to/index.html" is not found (20: Not a directory)
After some trial-and-error, I determined that the actual cause was that nginx couldn't access the site's document root because part of the path to the root included a symlink, but I had disable_symlinks on; set in my main nginx.conf file.
Commenting-out the disable_symlinks on; line or changing it to disable_symlinks off; fixes the issue.
See also:
https://nginx.org/en/docs/http/ngx_http_core_module.html#disable_symlinks
Created a virtualhost for symfony application in local system
Here is the nginx config file
server {
listen 80;
server_name local.symfony;
root /home/guest/symfony_demo/web;
rewrite ^/app\.php/?(.*)$ /$1 permanent;
try_files $uri #rewriteapp;
location #rewriteapp {
rewrite ^(.*)$ /app.php/$1 last;
}
# Deny all . files
location ~ /\. {
deny all;
}
location ~ ^/(app|app_dev)\.php(/|$) {
fastcgi_split_path_info ^(.+\.php)(/.*)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME
$document_root$fastcgi_script_name;
fastcgi_index app.php;
send_timeout 1800;
fastcgi_read_timeout 1800;
fastcgi_pass unix:/var/run/php5-fpm.sock;
}
# Statics
location /(bundles|media) {
access_log off;
expires 30d;
try_files $uri #rewriteapp;
}
error_log /var/log/nginx/project_error.log;
access_log /var/log/nginx/project_access.log;
}
On load of app in browser its throwing an error
502 Bad Gateway Error:No input file specified.
Error caught from error.log file:
FastCGI sent in stderr: "Unable to open primary script: /home/guest/symfony_demo/web/app.php (No such file or directory)" while reading response header from upstream, client: 127.0.0.1, server: local.symfony, request: "GET / HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "local.symfony"
Can anyone help me to configure symfony app to app_dev config file.
Any thoughts??
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
This line is the problem. If you remove it, your error disappears. You may then have Opcache problems due to Symfony using symlinks to the current project.
With $realpath_root$fastcgi_script_name, the web server looks at the "real" path for the PHP script based on the root definition in your server block. Nginx must have read permissions to the path for this to work. Your code is in /home/guest/, if nginx is running as "www-data" give it permissions to your directories, or run nginx as the "guest" user (ignoring the security implications of this).
Why don't you start with configuration from official documentation (http://symfony.com/doc/current/cookbook/configuration/web_server_configuration.html#nginx) and when that works, you can try to add your custom configuration (caching of sttaic files ...) ?
This should work:
server {
listen 80;
server_name local.symfony;
root /home/guest/symfony_demo/web;
location / {
try_files $uri /app_dev.php$is_args$args;
}
location ~ ^/(app_dev|config)\.php(/|$) {
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_split_path_info ^(.+\.php)(/.*)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
fastcgi_param DOCUMENT_ROOT $realpath_root;
}
error_log /var/log/nginx/project_error.log;
access_log /var/log/nginx/project_access.log;
}
This error happens when nginx is not able to find the php-fpm.sock file.
Can you make sure that the php-fpm.sock file is in the path as mentioned. I had to update fastcgi_pass like below
fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
as my php-fpm.sock was there
I want to setup phppgadmin, postgresql is already - done by following this article
but I have nginx,
I did so far these configs:
ln -s /usr/share/phppgadmin /var/www
and
/etc/nginx/sites-available/phppgadmin:
server{
listen 85;
server_name pgadmin.mypage.com;
root /var/www/phppgadmin;
index index.html index.html index.php;
access_log /var/log/phppgadmin/access.log;
error_log /var/log/phppgadmin/error.log;
location / {
allow my_page_IP;
deny all;
}
location ~ /\.ht {
deny all;
}
location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /var/www/phppgadmin$fastcgi_script_name;
include /etc/nginx/fastcgi_params;
}
}
and
ln -s /etc/nginx/sites-available/phppgadmin /etc/nginx/sites-enabled/
and
service nginx restart
but I am getting:
403 Forbidden
the error.log says:
2015/03/21 18:06:14 [error] 16916#0: *1 access forbidden by rule, client: 188.194.97.247, server: pgadmin.mypage.com, request: "GET / HTTP/1.1", host: "my_page_IP:85"
I did:
chmod -R 775 phppgadmin/
chown -R www-data:www-data phppgadmin/
but still the same 403 message. what am I doing wrong?
Access forbidden by rule mean that the access of the desired page was dropped by rule you have put in your configuration.
Just try to remove rule on each location to see which is cause problem.