Nginx 403 forbidden for all files

I have nginx installed with PHP-FPM on a CentOS 5 box, but am struggling to get it to serve any of my files - whether PHP or not.

Nginx is running as www-data:www-data, and the default "Welcome to nginx on EPEL" site (owned by root:root with 644 permissions) loads fine.

The nginx configuration file has an include directive for /etc/nginx/sites-enabled/*.conf, and I have a configuration file example.com.conf, thus:

server {
 listen 80;

 Virtual Host Name
 server_name www.example.com example.com;


 location / {
   root /home/demo/sites/example.com/public_html;
   index index.php index.htm index.html;
 }

 location ~ \.php$ {
  fastcgi_pass   127.0.0.1:9000;
  fastcgi_index  index.php;
  fastcgi_param  PATH_INFO $fastcgi_script_name;
  fastcgi_param  SCRIPT_FILENAME  /home/demo/sites/example.com/public_html$fastcgi_script_name;
  include        fastcgi_params;
 }
}

Despite public_html being owned by www-data:www-data with 2777 file permissions, this site fails to serve any content -

 [error] 4167#0: *4 open() "/home/demo/sites/example.com/public_html/index.html" failed (13: Permission denied), client: XX.XXX.XXX.XX, server: www.example.com, request: "GET /index.html HTTP/1.1", host: "www.example.com"

I've found numerous other posts with users getting 403s from nginx, but most that I have seen involve either more complex setups with Ruby/Passenger (which in the past I've actually succeeded with) or are only receiving errors when the upstream PHP-FPM is involved, so they seem to be of little help.

Have I done something silly here?

Same here. On my install of CentOS 6, /home/user dirs are set to 700 by default.

This guy talks about it too: (chmod -4 +x /mypath worked for me) nginxlibrary.com/403-forbidden-error

Can someone explain why this behavior is different than apache which does NOT require every parent directory to have "x" permissions?!?

It isn't any different. The only reason apache wouldn't also require x permission on parent directories is if it's running as root.

I ended up adding the www-data user to my personal user group and doing a chmod 710 to my root user folder. Worked like a charm. (On a debian based distro)

I couldn't figure out why whenever I started nginx it said open() "/usr/share/nginx/logs/xxxxxx.com-error_log" failed (13: Permission denied) after I checked the permissions and made sure it was being started as root. I came across this and found out SELinux was enabled. I disabled it and now it works no problem. Thanks!

Thanks! I still had an issue with permission denied for users owning their own FPM sockets so I was able to fix that one by changing the user from nginx to root in /var/nginx/nginx.conf - perhaps that will help someone else who comes across this issue. S/O to DataPsyche for the second part.

i think centos 6.6 has a bug. Selinux breaks nginx.

This tip has been useful twice so far. Thanks!

I believe this answer is better security wise than the accepted answer. You don't have to go messing around with the permissions on your home folder (which could contain sensitive information) and if you're doing development with nginx, it saves you from having to upload weird file permissions to SCM.

The added permissions on the home directory are execute, not read, thus no sensitive information is (in theory) revealed (except, in this case, perhaps to a malicious PHP script which recurses upwards and knows the location of the sensitive files within another directory accessible to www-data). You'll also notice that in the original question, my nginx was running as "www-data" - the configuration values here were already set as desired.

This is default behavior on CentOS 7 aswell.

Had to add usergroup as well: user usegroup.

Worked for me as well. I suspect this happens because even though nginx is started as root, it spawns processes under the user that is specified in the nginx.conf file, which is "user nginx;" by default. Changing the user to the user who owns your document root should also work as Anderson suggested.

Worked for me as well (just as chmodding the dir to nginx:nginx). I prefer this solution though so I can have my document root owned by another user than nginx. Thanks Anderson for pointing this out.

Mr. Anderson? No! Andron ;)

Apologies Mr. Andron ;) I can't seem to edit the previous comment anymore though...

Sure, not a problem. Now I was as Anderson :) and need to write some fairy tales...

both the permission requirement and the namei tip helped me solve my issue.

Thank you thank you. 95% Of the info on this are about permissions, but when they are all set 775, I really was pulling my hear out (all 6 of them).

Im with everybody else that commented. I was ready to throw my computer out the window. Nginx was configured properly, permissions where properly set, I even went as far to make everything 777 and still got permissions denied error.

The better SELinux command for this is: semanage fcontext -a -t httpd_sys_rw_content_t "/path/to/www(/.)?"* and restorecon -v /path/to/www this will automatically give all your files in this path the correct SELinux rights. Also when new files are added. Use httpd_sys_content_t if you only need reading rights.

On Centos 7 (SELinux enabled), the simplest fix for me was setsebool httpd_read_user_content on (For static files hosted from a home directory, chmod'ed to world-readable) - Though I guess @KapiteinWitbaard's method above is more secure.

saved my day. by the way what if the machine has multiple users and each user has his own website, how do i deal with it?

Isn't this a security issue ?

Thank you, i was looking all night for your solution, even set chown to nginx and 777 to all files in the directory but no success! You are great!

Seems that there's no way this works in RHEL 6.x (and probably centos 6). There needs some additional steps in configuring selinux and perhaps even modifying things about Red Hat itself. Give up on any attempt to try to get it working on RHEL 6, I've been looking all over.

You've just saved my life @Kurt

Thanks @jsina, this helped me a lot

That's a lifesaver. Thanks, Man!

Kurt, you saved my bacon. I've spent many hours trying to fix a 403 error, and this was the solution.

you saved my day:)

I had to add +x to a parent folder of www/ even though all the sub-folders of www/ had the x-bit set. Wow, this took a while to figure out!

While that might have fixed your problem - congrats! - that's a bit sad :-( See stopdisablingselinux.com - could you find a different workaround?

Damn, ＋1, me too.

I would like to stress this point: the user needs permissions in EVERY PARENT DIRECTORY!

autoindex on might help

This is the correct answer and it's most likely usermod -aG username www-data on most setups.

I have the right permissions for folder /var/www/html but I get a permission error. my question is after installing nginx we have a user and group nginx. we should use this user for folder owner?

I believe this is the best solution

This was my problem as well.

saved my day!this should be the best answer of the question.

It would be helpful to add an explanation as to what this command does.