403 Forbidden response on a ubuntu + nginx + passenger server

ubuntu nginx ruby-on-rails

7,751

This means you have no readable index file in /home/deploy/movieseat/current/public.

So add it by making sure nginx user has rights to read its content ... By default nginx user is nginx. And you are putting rights to user root and group deploy. So make sure nginx user is added to deploy group.

Remove this allow all; directive, it has nothing to do with your issue.

Keep configuration from first update (try_files).

7,751

Peter Boomsma

Updated on September 18, 2022

Comments

Peter Boomsma over 1 year

I'm trying to deploy my Rails app on my Digital Ocean VPS but I'm getting a 403 when I visit the IP adres.

This is the output of my errorlog:

[ 2014-11-02 04:18:12.0511 23504/7f64e6a36780 agents/Watchdog/Main.cpp:538 ]: Options: { 'analytics_log_user' => 'nobody', 'default_group' => 'nogroup', 'default_python' => 'python', 'default_ruby' => '/usr/bin/ruby', 'default_user' => 'nobody', 'log_level' => '0', 'max_pool_size' => '6', 'passenger_root' => '/usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini', 'passenger_version' => '4.0.53', 'pool_idle_time' => '300', 'temp_dir' => '/tmp', 'union_station_gateway_address' => 'gateway.unionstationapp.com', 'union_station_gateway_port' => '443', 'user_switching' => 'true', 'web_server_passenger_version' => '4.0.53', 'web_server_pid' => '23503', 'web_server_type' => 'nginx', 'web_server_worker_gid' => '33', 'web_server_worker_uid' => '33' }
[ 2014-11-02 04:18:12.0628 23507/7f544fe55780 agents/HelperAgent/Main.cpp:650 ]: PassengerHelperAgent online, listening at unix:/tmp/passenger.1.0.23503/generation-0/request
[ 2014-11-02 04:18:12.1029 23512/7fd0a6b6b7c0 agents/LoggingAgent/Main.cpp:321 ]: PassengerLoggingAgent online, listening at unix:/tmp/passenger.1.0.23503/generation-0/logging
[ 2014-11-02 04:18:12.1035 23504/7f64e6a36780 agents/Watchdog/Main.cpp:728 ]: All Phusion Passenger agents started!
[ 2014-11-02 04:18:12.1191 23512/7fd0a6b6b7c0 agents/LoggingAgent/Main.cpp:289 ]: Caught signal, exiting...
[ 2014-11-02 04:18:13.1537 23534/7f9940e05780 agents/Watchdog/Main.cpp:538 ]: Options: { 'analytics_log_user' => 'nobody', 'default_group' => 'nogroup', 'default_python' => 'python', 'default_ruby' => '/usr/bin/ruby', 'default_user' => 'nobody', 'log_level' => '0', 'max_pool_size' => '6', 'passenger_root' => '/usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini', 'passenger_version' => '4.0.53', 'pool_idle_time' => '300', 'temp_dir' => '/tmp', 'union_station_gateway_address' => 'gateway.unionstationapp.com', 'union_station_gateway_port' => '443', 'user_switching' => 'true', 'web_server_passenger_version' => '4.0.53', 'web_server_pid' => '23533', 'web_server_type' => 'nginx', 'web_server_worker_gid' => '33', 'web_server_worker_uid' => '33' }
[ 2014-11-02 04:18:13.1632 23537/7fa7dc711780 agents/HelperAgent/Main.cpp:650 ]: PassengerHelperAgent online, listening at unix:/tmp/passenger.1.0.23533/generation-0/request
[ 2014-11-02 04:18:13.1788 23542/7fd3b4c307c0 agents/LoggingAgent/Main.cpp:321 ]: PassengerLoggingAgent online, listening at unix:/tmp/passenger.1.0.23533/generation-0/logging
[ 2014-11-02 04:18:13.1792 23534/7f9940e05780 agents/Watchdog/Main.cpp:728 ]: All Phusion Passenger agents started!
[ 2014-11-02 04:40:54.6081 25129/7fd334fd9780 agents/Watchdog/Main.cpp:538 ]: Options: { 'analytics_log_user' => 'nobody', 'default_group' => 'nogroup', 'default_python' => 'python', 'default_ruby' => '/usr/bin/ruby', 'default_user' => 'nobody', 'log_level' => '0', 'max_pool_size' => '6', 'passenger_root' => '/usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini', 'passenger_version' => '4.0.53', 'pool_idle_time' => '300', 'temp_dir' => '/tmp', 'union_station_gateway_address' => 'gateway.unionstationapp.com', 'union_station_gateway_port' => '443', 'user_switching' => 'true', 'web_server_passenger_version' => '4.0.53', 'web_server_pid' => '25128', 'web_server_type' => 'nginx', 'web_server_worker_gid' => '33', 'web_server_worker_uid' => '33' }
[ 2014-11-02 04:40:54.6228 25132/7fe9a63c6780 agents/HelperAgent/Main.cpp:650 ]: PassengerHelperAgent online, listening at unix:/tmp/passenger.1.0.25128/generation-0/request
[ 2014-11-02 04:40:54.6460 25137/7f157336b7c0 agents/LoggingAgent/Main.cpp:321 ]: PassengerLoggingAgent online, listening at unix:/tmp/passenger.1.0.25128/generation-0/logging
[ 2014-11-02 04:40:54.6464 25129/7fd334fd9780 agents/Watchdog/Main.cpp:728 ]: All Phusion Passenger agents started!
2014/11/02 04:40:55 [error] 25150#0: *1 directory index of "/home/deploy/movieseat/current/public/" is forbidden, client: 82.73.170.71, server: localhost, request: "GET / HTTP/1.1", host: "178.62.204.53"
2014/11/02 04:40:59 [error] 25150#0: *1 directory index of "/home/deploy/movieseat/current/public/" is forbidden, client: 82.73.170.71, server: localhost, request: "GET / HTTP/1.1", host: "178.62.204.53"
2014/11/02 04:41:57 [error] 25150#0: *1 directory index of "/home/deploy/movieseat/current/public/" is forbidden, client: 82.73.170.71, server: localhost, request: "GET / HTTP/1.1", host: "178.62.204.53"
2014/11/02 04:41:59 [error] 25150#0: *1 directory index of "/home/deploy/movieseat/current/public/" is forbidden, client: 82.73.170.71, server: localhost, request: "GET / HTTP/1.1", host: "178.62.204.53"
2014/11/02 04:41:59 [error] 25150#0: *1 directory index of "/home/deploy/movieseat/current/public/" is forbidden, client: 82.73.170.71, server: localhost, request: "GET / HTTP/1.1", host: "178.62.204.53"
2014/11/02 04:43:10 [error] 25150#0: *2 directory index of "/home/deploy/movieseat/current/public/" is forbidden, client: 82.73.170.71, server: localhost, request: "GET / HTTP/1.1", host: "178.62.204.53"
2014/11/02 04:43:11 [error] 25150#0: *2 directory index of "/home/deploy/movieseat/current/public/" is forbidden, client: 82.73.170.71, server: localhost, request: "GET / HTTP/1.1", host: "178.62.204.53"
2014/11/02 04:43:12 [error] 25150#0: *2 directory index of "/home/deploy/movieseat/current/public/" is forbidden, client: 82.73.170.71, server: localhost, request: "GET / HTTP/1.1", host: "178.62.204.53"
2014/11/02 04:43:12 [error] 25150#0: *2 directory index of "/home/deploy/movieseat/current/public/" is forbidden, client: 82.73.170.71, server: localhost, request: "GET / HTTP/1.1", host: "178.62.204.53"
2014/11/02 04:43:12 [error] 25150#0: *2 directory index of "/home/deploy/movieseat/current/public/" is forbidden, client: 82.73.170.71, server: localhost, request: "GET / HTTP/1.1", host: "178.62.204.53"
2014/11/02 04:43:12 [error] 25150#0: *2 directory index of "/home/deploy/movieseat/current/public/" is forbidden, client: 82.73.170.71, server: localhost, request: "GET / HTTP/1.1", host: "178.62.204.53"

So it looks like the permission to /home/deploy/movieseat/current/public/ isn't correct.

I've used sudo chown -R root:deploy public/ to change the permission. And this is the result when I check the permission now:

deploy@movieseat:~/movieseat/current$ stat public
  File: 'public'
  Size: 4096        Blocks: 8          IO Block: 4096   directory
Device: fd01h/64769d    Inode: 1200531     Links: 3
Access: (0775/drwxrwxr-x)  Uid: (    0/    root)   Gid: ( 1000/  deploy)
Access: 2014-11-02 05:01:43.317270999 -0500
Modify: 2014-11-02 04:31:30.497270999 -0500
Change: 2014-11-02 05:01:43.317270999 -0500
 Birth: -

I've restarted my NGINX but still I'm getting the 403. Could someone point out where the problem might be?

Update

sudo vim /etc/nginx/sites-enabled/default

    server {
            listen 80 default_server;
            listen [::]:80 default_server ipv6only=on;

            root /home/deploy/movieseat/current/public;
            index index.html index.htm;

            # Make site accessible from http://localhost/
            server_name localhost;

            location / {
                    # First attempt to serve request as file, then
                    # as directory, then fall back to displaying a 404.
                    try_files $uri $uri/ =404;
                    # Uncomment to enable naxsi on this location
                    # include /etc/nginx/naxsi.rules
            }

Update 2

stat current
  File: 'current' -> '/home/deploy/movieseat/releases/20141102093117'
  Size: 46          Blocks: 0          IO Block: 4096   symbolic link
Device: fd01h/64769d    Inode: 1200822     Links: 1
Access: (0777/lrwxrwxrwx)  Uid: ( 1000/  deploy)   Gid: ( 1000/  deploy)
Access: 2014-11-02 04:39:56.921270999 -0500
Modify: 2014-11-02 04:31:39.601270999 -0500
Change: 2014-11-02 04:31:39.601270999 -0500

Update 3

stat 20141102093117

deploy@movieseat:~/movieseat/releases$ stat 20141102093117
  File: '20141102093117'
  Size: 4096        Blocks: 8          IO Block: 4096   directory
Device: fd01h/64769d    Inode: 1200364     Links: 11
Access: (0775/drwxrwxr-x)  Uid: ( 1000/  deploy)   Gid: ( 1000/  deploy)
Access: 2014-11-02 04:42:58.721270999 -0500
Modify: 2014-11-02 04:31:39.537270999 -0500
Change: 2014-11-02 04:31:39.537270999 -0500
 Birth: -

Update 4

My passenger config

    ##
    # Phusion Passenger config
    ##
    # Uncomment it if you installed passenger or passenger-enterprise
    ##

    passenger_root /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini;
    # passenger_ruby /usr/bin/ruby;
    passenger_ruby /home/deploy/.rbenv/shims/ruby;
    ##
    # Virtual Host Configs
    ##

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;

derdigge over 9 years

please show me your sites-enabled nginx config file.
Peter Boomsma over 9 years

Updated my question to show it. I think this is enough, the rest is commented out.
Navern over 9 years

please show permissions on your "current" directory. It should contain "x" permissions as well.
Peter Boomsma over 9 years

Updated my question which the results.
Navern over 9 years

Your current directory is symlink. Try put disable_symlinks off; in your server configuration. Also please stat directory /home/deploy/movieseat/releases/20141102093117.
Xavier Lucas over 9 years

@Navern It's off by default.
Peter Boomsma over 9 years

I've added the stat 20141102093117 to my question and added disable_symlinks_off and restarted nginx to no effect.
Navern over 9 years

@XavierLucas yep, i know it. I see you have already solved this one. It's great. I always forget about IndexDirectory:)

Peter Boomsma over 9 years

I've added the allow all; but it doesn't seem to do much. The 'deploy' user is running nginx.
Xavier Lucas over 9 years

Allow/Deny directives are used for ACLs, it has nothing to do with filesystem rights.
Peter Boomsma over 9 years

When I go to the folder /home/deploy/movieseat/current/public and check it's content I get 404.html 422.html 500.html assets favicon.ico robots.txt system. I'm afraid I don't quite follow you. How do I add a index file by making sure nxing user has rights to read?
Xavier Lucas over 9 years

@PeterBoomsma So you set index index.html index.htm; but you have no index file in this folder ! Also, check nginx user in your nginx.conf file and set adequate rights in this folder ... Post ls -lh output from there and your nginx.conf file content. Time to learn some basic concepts !
Peter Boomsma over 9 years

Makes sence. I guess, I thought everything would go through the Rails route file. I've added a index.html to the public folder and that gets shown, so that's awesome. But rails doesn't have a index.html file, so how would I "fix" that?
Xavier Lucas over 9 years

@PeterBoomsma To get ruby processed, you need a third party module like passenger or use nginx as a reverse proxy behind some ruby server like Thin.
Peter Boomsma over 9 years

I´ve been following this guide : gorails.com/deploy/ubuntu/14.04 which also mentions passenger. I´ve installed passenger. deploy@movieseat:~$ passenger -v Phusion Passenger version 4.0.53 I've updated the question with the nginx.conf Passenger part.
Xavier Lucas over 9 years

@PeterBoomsma Then follow the guide and open another question on what you get stuck on. You must try to get it work by yourself first. Also it's getting too chatty and we'll end up with update 153 in 10 minutes. Error cause found, question closed.
Peter Boomsma over 9 years

You're right. Thanks for helping to point out what the problem is.