Why does Nginx return a 403 even though all permissions are set properly?

I have Nginx set up and displaying the test page properly. If I try to change the root path, I get a 403 Forbidden error, even though all permissions are identical. Additionally, the nginx user exists.

nginx.conf:

user nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log;

pid        /run/nginx.pid;

events {
    worker_connections  1024;
}

http {
    index   index.html index.htm;

    server {
        listen       80;
        server_name  localhost;
        root         /var/www/html; #changed from the default /usr/share/nginx/html
    }
}

namei -om /usr/share/nginx/html/index.html

f: /usr/share/nginx/html/index.html
dr-xr-xr-x root root /
drwxr-xr-x root root usr
drwxr-xr-x root root share
drwxr-xr-x root root nginx
drwxr-xr-x root root html
-rw-r--r-- root root index.html

namei -om /var/www/html/index.html

f: /var/www/html/index.html
dr-xr-xr-x root root /
drwxr-xr-x root root var
drwxr-xr-x root root www
drwxr-xr-x root root html
-rw-r--r-- root root index.html

error log

2014/03/23 12:45:08 [error] 5490#0: *13 open() "/var/www/html/index.html" failed (13: Permission denied), client: XXX.XX.XXX.XXX, server: localhost, request: "GET /index.html HTTP/1.1", host: "ec2-XXX-XX-XXX-XXX.compute-1.amazonaws.com"


I experienced the same problem and it was due to SELinux.

To check if SELinux is running:

# getenforce

To disable SELinux until next reboot:

# setenforce Permissive

Restart Nginx and see if the problem persists. If you would like to permanently alter the settings, you can edit /etc/sysconfig/selinux.

If SELinux is your problem, you can run the following to allow nginx to serve your www directory (make sure you turn SELinux back on before testing this, i.e., # setenforce Enforcing):

# chcon -Rt httpd_sys_content_t /path/to/www

If you're still having issues, take a look at the boolean flags in getsebool -a; in particular, you may need to turn on httpd_can_network_connect for network access:

# setsebool -P httpd_can_network_connect on

For me it was enough to allow http to serve my www directory.
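
An added example, not part of the original answers: instead of switching to permissive mode to test the theory, the SELinux denial can be read from the audit log (typically /var/log/audit/audit.log) and mapped to the two remedies named above. The audit records below are constructed samples, and the function names nginx_denials and suggest_fix are hypothetical.

```shell
#!/usr/bin/env bash
# Constructed sample audit records (not taken from the original page).
SAMPLE_AUDIT='type=AVC msg=audit(1395578708.101:412): avc:  denied  { open } for  pid=5490 comm="nginx" path="/var/www/html/index.html" dev="xvda1" ino=396112 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1395578709.220:413): avc:  denied  { read } for  pid=611 comm="sshd" name="motd" dev="xvda1" ino=77 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1395578710.007:414): avc:  denied  { name_connect } for  pid=5490 comm="nginx" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket'

# nginx_denials: read audit records on stdin and print one line per
# denial logged for nginx: <permission> <target-type> <tclass> <path-or-dash>
nginx_denials() {
  awk '
    /avc:/ && /denied/ && /comm="nginx"/ {
      perm = ttype = tclass = ""; path = "-"
      # The denied permission(s) sit between "{ " and " }".
      if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
      gsub(/ /, ",", perm)
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^tcontext=/)    { split($i, c, ":"); ttype = c[3] }
        else if ($i ~ /^tclass=/) tclass = substr($i, 8)
        else if ($i ~ /^path=/)   { path = substr($i, 6); gsub(/"/, "", path) }
      }
      print perm, ttype, tclass, path
    }'
}

# suggest_fix: map each denial to the remedy named in the answer above.
# It only prints the command; nothing on the system is changed.
suggest_fix() {
  nginx_denials | while read -r perm ttype tclass path; do
    case "$tclass:$perm" in
      file:*|dir:*)
        echo "relabel: chcon -Rt httpd_sys_content_t $(dirname -- "$path")  # was $ttype" ;;
      tcp_socket:name_connect)
        echo "boolean: setsebool -P httpd_can_network_connect on" ;;
      *)
        echo "review: $perm on $tclass ($ttype)" ;;
    esac
  done
}

printf '%s\n' "$SAMPLE_AUDIT" | suggest_fix
```

On a real host, feed the function the audit log instead of the sample, for example `suggest_fix < /var/log/audit/audit.log` run as root.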


I was using:

sudo service nginx start

If I use:

sudo nginx 

...everything works fine. Can anyone explain the difference between these two?


I ran into the same problem. If you're using Fedora/RedHat/CentOS, this might help you:

  • According to SELinux: setsebool -P httpd_read_user_content 1
  • Hope this helps.
