Nginx from source, return 403 Forbidden
Emily Wong
I have installed nginx from source code on Ubuntu 19.10 running on a virtual machine. iptables is disabled, SELinux is disabled, and firewalld is disabled. I start the server this way:
./root/nginx-1.16.1/objs/nginx
The server is running smoothly. But if I try to reach it on the IP address I get:
wget 127.0.0.1:443
--2019-10-30 07:41:27--
Connecting to 127.0.0.1:443... connected.
HTTP request sent, awaiting response... 400 Bad Request
2019-10-30 07:41:27 ERROR 400: Bad Request.
wget 192.168.136.133:443
--2019-10-30 07:42:00--
Connecting to 192.168.136.133:443... connected.
HTTP request sent, awaiting response... 400 Bad Request
2019-10-30 07:42:00 ERROR 400: Bad Request.
In error.log I see:
2019/10/30 07:34:59 [error] 1325#0: *1 "/root/nginx-1.16.1/html/index.html" is forbidden (13: Permission denied), client: 192.168.136.1, server: localhost, request: "GET / HTTP/2.0", host: "192.168.136.133"
2019/10/30 07:41:18 [error] 1325#0: *2 "/root/nginx-1.16.1/html/index.html" is forbidden (13: Permission denied), client: 127.0.0.1, server: localhost, request: "GET / HTTP/1.1", host: "127.0.0.1"
Do you have any ideas about what the problem might be?
For information:
nginx.conf:
#user nobody;
worker_processes 1;
#error_log logs/error.log debug;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    #                '$status $body_bytes_sent "$http_referer" '
    #                '"$http_user_agent" "$http_x_forwarded_for"';
    #access_log logs/access.log main;
    error_log logs/error.log debug;
    sendfile on;
    #tcp_nopush on;
    #keepalive_timeout 0;
    keepalive_timeout 65;
    #gzip on;
    server {
        ########################################################
        ########################################################
        # Enable QUIC and HTTP/3.
        listen 443 quic reuseport;
        # Enable HTTP/2 (optional).
        listen 443 ssl http2;
        ssl_certificate cert.crt;
        ssl_certificate_key cert.key;
        # Enable all TLS versions (TLSv1.3 is required for QUIC).
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
        # Add Alt-Svc header to negotiate HTTP/3.
        add_header alt-svc 'h3-23=":443"; ma=86400';
        ########################################################
        ########################################################
        listen 80;
        server_name localhost;
        #charset koi8-r;
        #access_log logs/host.access.log main;
        location / {
            root html;
            index index.html index.htm;
        }
        #error_page 404 /404.html;
        # redirect server error pages to the static page /50x.html
        #
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass
        #}
        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        #location ~ \.php$ {
        #    root html;
        #    fastcgi_pass 127.0.0.1:9000;
        #    fastcgi_index index.php;
        #    fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
        #    include fastcgi_params;
        #}
        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #    deny all;
        #}
    }
    # another virtual host using mix of IP-, name-, and port-based configuration
    #
    #server {
    #    listen 8000;
    #    listen somename:8080;
    #    server_name somename alias another.alias;
    #    location / {
    #        root html;
    #        index index.html index.htm;
    #    }
    #}
    # HTTPS server
    #
    #server {
    #    listen 443 ssl;
    #    server_name localhost;
    #    ssl_certificate cert.pem;
    #    ssl_certificate_key cert.key;
    #    ssl_session_cache shared:SSL:1m;
    #    ssl_session_timeout 5m;
    #    ssl_ciphers HIGH:!aNULL:!MD5;
    #    ssl_prefer_server_ciphers on;
    #    location / {
    #        root html;
    #        index index.html index.htm;
    #    }
    #}
}
permission:
ll
total 812
drwxr-xr-x 15 1001 1001 4096 Oct 29 20:49 ./
drwx------ 14 root root 4096 Oct 30 09:49 ../
drwxr-xr-x 6 1001 1001 4096 Oct 29 18:35 auto/
-rw-r--r-- 1 1001 1001 296463 Aug 13 14:51 CHANGES
-rw-r--r-- 1 1001 1001 452171 Aug 13 14:51 CHANGES.ru
drwx------ 2 nobody root 4096 Oct 29 20:49 client_body_temp/
drwxr-xr-x 2 1001 1001 4096 Oct 29 20:49 conf/
-rwxr-xr-x 1 1001 1001 2502 Aug 13 14:51 configure*
drwxr-xr-x 4 1001 1001 4096 Oct 29 18:32 contrib/
drwx------ 2 nobody root 4096 Oct 29 20:49 fastcgi_temp/
drwxrwxrwx 2 1001 1001 4096 Oct 29 18:32 html/
-rw-r--r-- 1 1001 1001 1397 Aug 13 14:51 LICENSE
drwxr-xr-x 2 root root 4096 Oct 30 09:47 logs/
-rw-r--r-- 1 root root 384 Oct 29 18:37 Makefile
drwxr-xr-x 2 1001 1001 4096 Oct 29 18:32 man/
drwxr-xr-x 3 root root 4096 Oct 29 19:00 objs/
drwx------ 2 nobody root 4096 Oct 29 20:49 proxy_temp/
-rw-r--r-- 1 1001 1001 49 Aug 13 14:51 README
drwx------ 2 nobody root 4096 Oct 29 20:49 scgi_temp/
drwxr-xr-x 9 1001 1001 4096 Oct 29 18:32 src/
drwx------ 2 nobody root 4096 Oct 29 20:49 uwsgi_temp/
Do you have any ideas about what the problem might be?
2 Answers
This typically happens when the user/group running the nginx worker process(es) (on a regular installation it's www-data) does not have permission to access/read the file used to serve the response. It could be that the user does not have sufficient permission to traverse the directories, or that they simply don't have read permission on the file.
As you're starting the nginx server manually, you need to make sure the invoking user (the user that runs ./root/nginx-1.16.1/objs/nginx) actually has permission to read /root/nginx-1.16.1/html/index.html. You can easily check that from the terminal by running ls as that user:
ls /root/nginx-1.16.1/html/index.html
Then it's a permission fixing issue mainly.
Also, whenever possible, please stick to the official packages from Ubuntu unless, of course, you intentionally want to compile the binaries yourself, maybe to enable a compile-time option that is missing in the official release. If that's the case, you can also open a request on Launchpad against that package and discuss enabling the option with the maintainers; maybe they can add that option afterwards.
11
Solution:
At the beginning of the file conf/nginx.conf I set:
user root;
1
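The first answer's point about traverse and read permissions can be checked one path component at a time. This added example (not code from the thread) reports the first component that a given uid/gid cannot pass; in the listing from the question, /root is drwx------ root root, which is where a worker running as nobody would stop. The function names are made up for this example, and it assumes GNU stat, an absolute path, and plain mode bits (no ACLs or supplementary groups).

```shell
#!/bin/sh
# Added example (not from the original thread). Judges access from the
# owner/group/other mode bits only: no ACLs, supplementary groups or
# capabilities. Needs GNU stat and enough privilege to stat the path.

# can_access MODE OWNER_UID OWNER_GID UID GID BIT   (BIT: 4 = read, 1 = traverse)
can_access() {
    [ "$4" -eq 0 ] && return 0              # root bypasses read/traverse checks
    if [ "$4" -eq "$2" ]; then shift_by=6   # only the first matching class applies
    elif [ "$5" -eq "$3" ]; then shift_by=3
    else shift_by=0
    fi
    [ $(( (0$1 >> shift_by) & $6 )) -ne 0 ]
}

# first_blocked UID GID ABSOLUTE_PATH
# Prints the first component UID/GID cannot pass and returns 1; returns 0 if
# every directory is traversable and the final file readable; 2 if stat fails.
first_blocked() {
    fb_uid=$1; fb_gid=$2; rest=${3#/}; current=""
    while [ -n "$rest" ]; do
        part=${rest%%/*}
        case $rest in */*) rest=${rest#*/} ;; *) rest="" ;; esac
        [ -z "$part" ] && continue
        current="$current/$part"
        info=$(stat -L -c '%a %u %g' -- "$current") || return 2
        set -- $info                        # $1=mode $2=owner uid $3=owner gid
        if [ -d "$current" ]; then need=1; else need=4; fi
        if ! can_access "$1" "$2" "$3" "$fb_uid" "$fb_gid" "$need"; then
            echo "$current"
            return 1
        fi
    done
    return 0
}

# Usage on the host from the question, run as root, for the nobody account:
#   sh check.sh "$(id -u nobody)" "$(id -g nobody)" /root/nginx-1.16.1/html/index.html
if [ "$#" -eq 3 ]; then first_blocked "$@"; fi
```

Knowing which component blocks the worker allows a narrow fix, such as moving the document root out of /root or granting traverse on that one directory, with the worker processes left unprivileged.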