nginx says forbidden, user nginx at fedora - nginx

I'm confused
2014/05/12 09:36:51 [error] 25928#0: *1 open() "/home/dev/OpenWrt-ImageBuilder-brcm47xx-for-linux-x86_64/packages/test.html" failed (13: Permission denied), client: 128.68.154.57, server: localhost, request: "GET /test.html HTTP/1.1"
Here are the permissions:
[root@vsfedora OpenWrt-ImageBuilder-brcm47xx-for-linux-x86_64]# namei -l /home/dev/OpenWrt-ImageBuilder-brcm47xx-for-linux-x86_64/packages/test.html
f: /home/dev/OpenWrt-ImageBuilder-brcm47xx-for-linux-x86_64/packages/test.html
dr-xr-xr-x root root /
drwxr-xr-x root root home
drwxrwx--- dev dev dev
drwxr-xr-x dev dev OpenWrt-ImageBuilder-brcm47xx-for-linux-x86_64
drwxr-xr-x dev dev packages
-rw-rw-r-- dev dev test.html
Here is the group:
dev:x:1000:nginx
The nginx worker process is running as the nginx user:
[root@vsfedora ~]# ps aux|grep nginx
root 26494 0.0 0.3 111588 3796 ? Ss 11:07 0:00 nginx: master process /usr/sbin/nginx
nginx 26495 0.0 0.5 111932 5116 ? S 11:07 0:00 nginx: worker process
The server section in nginx.conf:
server {
    location / {
        autoindex on;
        root /usr/share/nginx/html;
    }
}
The symlink is also fine:
lrwxrwxrwx. 1 0 0 65 May 12 10:10 packages -> /home/dev/OpenWrt-ImageBuilder-brcm47xx-for-linux-x86_64/packages

It's an SELinux issue.
tail /var/log/audit/audit.log
type=AVC msg=audit(1399879586.183:2081199): avc: denied { search } for pid=26495 comm="nginx" name="dev" dev="dm-1" ino=269277 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=SYSCALL msg=audit(1399879586.183:2081199): arch=c000003e syscall=2 success=no exit=-13 a0=7fdd65ed2219 a1=800 a2=0 a3=0 items=0 ppid=26494 pid=26495 auid=4294967295 uid=996 gid=1000 euid=996 suid=996 fsuid=996 egid=1000 sgid=1000 fsgid=1000 ses=4294967295 tty=(none) comm="nginx" exe="/usr/sbin/nginx" subj=system_u:system_r:httpd_t:s0 key=(null)
A detailed explanation and resolution can be found here.

Per the documentation on the user directive, nginx uses a group name equal to the user name if you omit the group name. So you have to explicitly use user nginx dev; in your nginx.conf.
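The walk that namei -l lays out in the question, automated as a check: given an account and its group list, the script below names the first path component that plain Unix permissions deny. This is an added example, not code from the thread; the sample input is the question's own namei output, and the two calls model the worker with and without the dev group.

```shell
#!/bin/sh
# Added example, not from the thread. Replays the kernel's discretionary
# access (DAC) check over `namei -l` output: each directory on the path
# needs the search (x) bit, the final file the read (r) bit, using the
# owner bits if the uid matches, else the group bits if one of the
# account's groups matches, else the "other" bits. A DAC pass is not the
# end of it: SELinux is checked afterwards, as the audit log above shows.

# namei -l output copied from the question
NAMEI_SAMPLE='f: /home/dev/OpenWrt-ImageBuilder-brcm47xx-for-linux-x86_64/packages/test.html
dr-xr-xr-x root root /
drwxr-xr-x root root home
drwxrwx--- dev dev dev
drwxr-xr-x dev dev OpenWrt-ImageBuilder-brcm47xx-for-linux-x86_64
drwxr-xr-x dev dev packages
-rw-rw-r-- dev dev test.html'

# perm_triple <mode> <owner> <group> <user> <comma,separated,groups>
perm_triple() {
  if [ "$4" = "$2" ]; then
    printf '%s' "$1" | cut -c2-4
  elif printf ',%s,' "$5" | grep -q ",$3,"; then
    printf '%s' "$1" | cut -c5-7
  else
    printf '%s' "$1" | cut -c8-10
  fi
}

# check_access <user> <comma,separated,groups>  (namei -l output on stdin)
# Prints "ok", or "denied: <component> (needs <bit>)" and returns 1.
check_access() {
  [ "$1" = root ] && { printf 'ok\n'; return 0; }   # root bypasses DAC
  while read -r mode owner group name; do
    case "$mode" in
      'f:'|'') continue ;;   # "f: /path" header or blank line
      d*) need=x ;;          # directory: search permission
      l*) continue ;;        # symlink: the target's bits decide
      *)  need=r ;;          # regular file: read permission
    esac
    case "$(perm_triple "$mode" "$owner" "$group" "$1" "$2")" in
      *"$need"*) ;;
      *) printf 'denied: %s (needs %s)\n' "$name" "$need"; return 1 ;;
    esac
  done
  printf 'ok\n'
}

# worker as nginx with only its primary group, then with dev added (user nginx dev;)
printf '%s\n' "$NAMEI_SAMPLE" | check_access nginx nginx || :   # denied: dev (needs x)
printf '%s\n' "$NAMEI_SAMPLE" | check_access nginx nginx,dev     # ok
```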

Related

Nginx: Can't open error.log, cannot load certificate [how to fix permissions?]

So I have a home server running nginx which is serving a Nextcloud instance. The Nextcloud instance is working beautifully, but I'm getting nginx self-reported errors like these when executing
nginx -t
nginx: [alert] could not open error log file: open() "/var/log/nginx/error.log" failed (13: Permission denied)
2020/02/27 15:50:55 [warn] 6985#6985: the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:1
2020/02/27 15:50:55 [emerg] 6985#6985: cannot load certificate "/etc/letsencrypt/live/myserver.com/fullchain.pem": BIO_new_file() failed (SSL: error:0200100D:system library:fopen:Permission denied:fopen('/etc/letsencrypt/live/myserver.com/fullchain.pem','r') error:2006D002:BIO routines:BIO_new_file:system lib)
nginx: configuration file /etc/nginx/nginx.conf test failed
Not quite sure what to do about that - my google-fu is failing me for now. It seems it might have something to do with getting permissions set right, but ls -l /etc/letsencrypt/live/myserver.com outputs:
lrwxrwxrwx 1 root ssl-cert 36 Jan 21 08:38 cert.pem -> ../../archive/myserver.com/cert1.pem
lrwxrwxrwx 1 root ssl-cert 37 Jan 21 08:38 chain.pem -> ../../archive/myserver.com/chain1.pem
lrwxrwxrwx 1 root ssl-cert 41 Jan 21 08:38 fullchain.pem -> ../../archive/myserver.com/fullchain1.pem
lrwxrwxrwx 1 root ssl-cert 39 Jan 21 08:38 privkey.pem -> ../../archive/myserver.com/privkey1.pem
-rw-r--r-- 1 root ssl-cert 692 Jan 21 08:38 README
ls -l -R /var/log/nginx doesn't do anything, but executing it as sudo yields:
-rwxrw-rw- 1 www-data www-data 6553 Feb 27 15:19 access.log
for every entry. Does that seem alright?
EDIT: @RichardSmith is the man, his comment below pointing out to run nginx -t as sudo did the trick. I feel slightly stupid now, so thanks man ;). sudo nginx -T now also works, allowing me to further troubleshoot another problem.
@RichardSmith's comment suggested running nginx -t as sudo, which did the trick.
sudo nginx -T now also works, allowing me to further troubleshoot another problem.

403 forbidden error with Nginx despite permissions being set

My actual problem is that Nginx is not able to render pages (403 forbidden) despite the permissions being set to 755 for nginx:nginx.
I am using the following command...
[root@wfe1 user1]# strace -p 26934 -e trace=file
Process 26934 attached
stat("/home/user1/site3/index.html", {st_mode=S_IFREG|0755, st_size=6, ...}) = 0
open("/home/user1/site3/index.html", O_RDONLY|O_NONBLOCK) = -1 EACCES (Permission denied)
The output as you can see is Permission Denied. I would like to know which user account was used to access the file? How can I dig in further?
[root@wfe1 user1]# ls -al site3
total 8
drwxr-xr-x. 2 nginx nginx 23 Mar 6 06:12 .
drwx------. 5 user1 user1 4096 Mar 6 06:12 ..
-rwxr-xr-x. 1 nginx nginx 6 Mar 6 06:12 index.html
Take a look in the nginx access logs to see where things are failing.
Use ps aux | grep nginx to see which user nginx is running as.
Make sure you have the correct "allow all" permissions set in your nginx config / location stanza.

Unable to load ZF2 with correct(?) include_path

So, I'm still a newbie at all this Unix stuff and now I face a problem which makes me mad :) I also asked my friend, a more experienced programmer, but he can't find the answer either.
So, I'm trying to start a ZF2 application based on zend-skeleton with nginx and php5-fpm.
$ sudo service nginx status
* nginx is running
$ sudo service php5-fpm status
php5-fpm start/running, process 3389
$ ps aux | grep php
root 3389 0.0 0.3 145520 13624 ? Ss 15:40 0:00 php-fpm: master process (/etc/php5/fpm/php-fpm.conf)
www-data 3392 0.0 0.1 145520 4968 ? S 15:40 0:00 php-fpm: pool www
www-data 3393 0.0 0.1 145520 5324 ? S 15:40 0:00 php-fpm: pool www
somebud+ 3551 0.0 0.0 5908 840 pts/1 S+ 15:55 0:00 grep --color=auto php
$ ps aux | grep nginx
somebud+ 3172 0.5 0.6 184412 24944 ? Sl 15:33 0:07 gedit /etc/nginx/nginx.conf
root 3368 0.0 0.0 15196 1092 ? Ss 15:40 0:00 nginx: master process /usr/sbin/nginx
www-data 3369 0.0 0.0 15720 2080 ? S 15:40 0:00 nginx: worker process
www-data 3370 0.0 0.0 15376 1516 ? S 15:40 0:00 nginx: worker process
www-data 3371 0.0 0.0 15376 1516 ? S 15:40 0:00 nginx: worker process
www-data 3372 0.0 0.0 15376 1516 ? S 15:40 0:00 nginx: worker process
somebud+ 3554 0.0 0.0 5908 840 pts/1 S+ 15:55 0:00 grep --color=auto nginx
This is my /etc/nginx/sites-available/testing.dom:
server {
    listen 80;
    server_name testing.dom;
    root /var/www/testing.dom/public_html/CommunicationApp/public/;
    index index.php index.html index.htm;
    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }
    location ~ .*\.(php|phtml)?$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param APPLICATION_ENV development;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
    }
    location ~ .*\.(git|jpg|jpeg|png|bmp|swf|ico)?$ {
        expires 30d;
    }
    location ~ .*\.(js|css)?$ {
        expires 1h;
    }
    location ~ /\.ht {
        deny all;
    }
}
My include_path is in the /etc/php5/fpm/php.ini like this:
; UNIX: "/path1:/path2"
include_path = ".:/usr/share/php:/var/www/testing.dom/public_html/library/Zend"
This is what is in this Zend folder:
$ sudo ls /var/www/testing.dom/public_html/library/Zend/
Authentication Code Db Escaper Filter InputFilter Log Mime Paginator Server Stdlib Uri XmlRpc
Barcode Config Debug EventManager Form Json Mail ModuleManager Permissions ServiceManager Tag Validator
Cache Console Di Feed Http Ldap Math Mvc ProgressBar Session Test Version
Captcha Crypt Dom File I18n Loader Memory Navigation Serializer Soap Text View
Is this the right library folder?
And this is my /var/www/testing.dom/public_html/CommunicationApp/public/index.php:
<?php
chdir(dirname(__DIR__));
$temp = get_include_path();
var_dump($temp);
// Decline static file requests back to the PHP built-in webserver
if (php_sapi_name() === 'cli-server' && is_file(__DIR__ . parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH))) {
    return false;
}
// Setup autoloading
require '../CommunicationApp/init_autoloader.php';
// Run the application!
Zend\Mvc\Application::init(require 'config/application.config.php')->run();
So, if I enter testing.dom in the browser I still get this:
string(62) ".:/usr/share/php:/var/www/testing.dom/public_html/library/Zend"
And nothing else.
And this is the nginx error.log:
2014/10/17 16:11:29 [error] 3369#0: *8 FastCGI sent in stderr: "PHP message: PHP Fatal error: Uncaught exception 'RuntimeException' with message 'Unable to load ZF2. Run `php composer.phar install` or define a ZF2_PATH environment variable.' in /var/www/testing.dom/public_html/CommunicationApp/init_autoloader.php:53
Stack trace:
#0 /var/www/testing.dom/public_html/CommunicationApp/public/index.php(17): require()
#1 {main}
thrown in /var/www/testing.dom/public_html/CommunicationApp/init_autoloader.php on line 53" while reading response header from upstream, client: 127.0.0.1, server: testing.dom, request: "GET / HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "testing.dom"
Problem solved! If you get such a headache, try to define your ZF2_PATH in fastcgi_params like this:
fastcgi_param ZF2_PATH /var/www/testing.dom/public_html/library/;

nginx reload config with multiple servers

I'm serving some demos in isolation like:
/demo1/-- nginx.conf
|- index.html
|- ...
#run
/demo1$ sudo nginx -c `pwd`/nginx.conf
and
/demo2/-- nginx.conf
|- index.html
|- ...
#run
/demo2$ sudo nginx -c `pwd`/nginx.conf
Now I have the following nginx processes:
$ ps aux | grep nginx
root 3434 0.0 0.0 85904 1340 ? Ss 12:02 0:00 nginx: master process nginx -c /demo1/nginx.conf
nobody 3435 0.0 0.0 86316 2272 ? S 12:02 0:00 nginx: worker process
root 5096 0.0 0.0 85904 1344 ? Ss 11:21 0:00 nginx: master process nginx -c /demo2/nginx.conf
nobody 5097 0.0 0.0 86316 2272 ? S 11:21 0:00 nginx: worker process
I believe (tell me if I'm wrong) that if I reload the configuration this way:
$ sudo nginx -s reload
It will only deliver the message to the last master process that was spun.
How do I reload the configuration on a specific master process?
After reading the manpage I believe it has something to do with the -g option but I'm not sure how. Should I specify a static PID or something?
Here is my nginx.conf for reference:
user nobody;
worker_processes 1;
events {
    worker_connections 1024;
}
http {
    include /etc/nginx/mime.types;
    server {
        listen 8000;
        location / {
            root /demoX;
            index index.html index.htm;
        }
    }
}
You can send a signal to a certain PID:
kill -QUIT 3434
The reload option is a reference to the QUIT signal, which reloads the config and spawns a new worker.
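Added example, not from the thread: one way to keep several masters individually reloadable is a per-instance pid directive, which the helper below reads back so that only that master is signalled. It assumes the nginx.conf from the question extended with a pid line, and a build whose default pid path is /var/run/nginx.pid (check nginx -V for --pid-path on the host in question).

```shell
#!/bin/sh
# Added example, not from the thread. Aiming a reload at one of several nginx
# masters: give each instance its own `pid` directive, then reload through
# that pid file. `nginx -s reload -c <conf>` does the same thing (it reads the
# pid path from that config and sends SIGHUP); without a `pid` line every
# instance writes the compiled-in default file, so only the last master to
# start is reachable that way.

# pidfile_from_conf <nginx.conf> [default]: the pid file the config names,
# or the build default (assumed /var/run/nginx.pid) when the directive is absent.
pidfile_from_conf() {
  sed -n 's/^[[:space:]]*pid[[:space:]][[:space:]]*\([^;]*\);.*/\1/p' "$1" | tail -n 1 | grep . ||
    printf '%s\n' "${2:-/var/run/nginx.pid}"
}

# reload_instance <nginx.conf>: SIGHUP to the master recorded in that
# instance's pid file (the same signal `nginx -s reload` uses).
reload_instance() {
  pidfile=$(pidfile_from_conf "$1")
  [ -s "$pidfile" ] || { printf 'no pid file %s for %s\n' "$pidfile" "$1" >&2; return 1; }
  kill -HUP "$(cat "$pidfile")"
}

# write_demo_conf <dir> <port>: the thread's nginx.conf with a pid line added
# (constructed; directory and port are whatever the caller passes).
write_demo_conf() {
  cat > "$1/nginx.conf" <<EOF
user nobody;
worker_processes 1;
pid $1/nginx.pid;
events { worker_connections 1024; }
http {
    include /etc/nginx/mime.types;
    server {
        listen $2;
        location / { root $1; index index.html index.htm; }
    }
}
EOF
}

# Demonstration that needs no nginx installed: the pid path one instance would use.
d=$(mktemp -d); write_demo_conf "$d" 8000
pidfile_from_conf "$d/nginx.conf"     # prints <tmpdir>/nginx.pid
rm -rf "$d"
# On a real host: write_demo_conf /demo1 8000; write_demo_conf /demo2 8001;
# sudo nginx -c /demo1/nginx.conf; sudo nginx -c /demo2/nginx.conf;
# then reload_instance /demo1/nginx.conf reaches only the first master.
```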

Simple sinatra app with sqlite3 works when using WEBrick but not when using apache and passenger

I'm getting a "500 Internal Server Error" message when my app tries to write to my sqlite3 database.
Everything works fine when I'm using WEBrick, but I get the above error when I'm using Apache and Passenger. My app loads the first page but fails when it tries to POST.
Here is how I have everything set up:
awesome.rb file:
require 'sinatra'
require 'data_mapper'
require 'dm-core'
require 'dm-migrations'
require 'slim'
APP_ROOT = File.expand_path(File.dirname(__FILE__))
DataMapper::setup(:default, "sqlite3://#{APP_ROOT}/emails.db")
class Email
  include DataMapper::Resource
  property :id, Serial
  property :email, String, :required => true
end
DataMapper.finalize
get '/' do
  slim :index
end
post '/add' do
  Email.create params[:email]
  redirect '/'
end
config.ru file:
require '/var/www/awesome'
root_dir = File.dirname(__FILE__)
set :environment, ENV['RACK_ENV'].to_sym
set :root, root_dir
set :app_file, File.join(root_dir, 'awesome.rb')
disable :run
run Sinatra::Application
httpd.conf file:
<VirtualHost *:80>
    ServerName foo.com
    DocumentRoot /var/www/public
    <Directory /var/www/public>
        AllowOverride None
        Options FollowSymLinks
        Options -MultiViews
        Order Allow,Deny
        Allow from all
    </Directory>
</VirtualHost>
this is at the very bottom of my apache2.conf file:
LoadModule passenger_module /usr/local/rvm/gems/ruby-1.9.3-p327/gems/passenger-3.0.18/ext/apache2/mod_passenger.so
PassengerRoot /usr/local/rvm/gems/ruby-1.9.3-p327/gems/passenger-3.0.18
PassengerRuby /usr/local/rvm/wrappers/ruby-1.9.3-p327/ruby
I've also given the group www-data write access to /var/www.
--UPDATE--
Here is the output for the "ps axu | grep Pass" command:
root 28373 0.0 0.7 220936 1884 ? Ssl 13:15 0:00 PassengerWatchdog
root 28377 0.1 1.0 2067100 2528 ? Sl 13:15 0:10 PassengerHelperAgent
root 28379 0.0 3.8 111856 9508 ? Sl 13:15 0:00 Passenger spawn server
nobody 28382 0.0 1.8 169332 4632 ? Sl 13:15 0:00 PassengerLoggingAgent
I'm running everything as the root user. This is just a test server and I wanted to just get everything working first. I had troubles before with installing ruby system wide so I started over with a clean server and I haven't added any other users.
--UPDATE 2--
emails.db was already set for everyone to read it with chmod 777, but I just changed it to chmod 666. Here is my ls -l output:
-rw-rw-r-- 1 root www-data 442 Dec 23 13:15 awesome.rb
-rw-rw-r-- 1 root www-data 215 Dec 23 12:41 config.ru
-rw-rw-rw- 1 www-data www-data 12288 Dec 23 12:56 emails.db
-rw-rw-r-- 1 root www-data 54 Dec 23 10:55 hello.rb
drwxrwxr-x 2 root www-data 4096 Dec 22 14:50 log
drwxrwxr-x 2 root www-data 4096 Dec 22 15:34 public
drwxrwxr-x 2 root www-data 4096 Dec 23 12:03 tmp
drwxrwxr-x 2 root www-data 4096 Dec 22 17:16 views
I then restarted apache with "/etc/init.d/apache2 restart". I know going from chmod 777 to chmod 666 wouldn't fix my problem, but it is probably a little more secure. I re-ran my app and I still get the same "HTTP Error 500 (Internal Server Error): An unexpected condition was encountered while the server was attempting to fulfill the request." I'm pretty sure it still has something to do with apache and sqlite3 because when I comment out the "Email.create params[:email]" line I don't get the error.
--UPDATE 3--
Here is the output of "tail -f /var/log/apache2/error.log":
96.18.233.137 - - [24/Dec/2012 20:46:54] "GET / " 200 706 0.0274
96.18.233.137 - - [24/Dec/2012 20:46:54] "GET /favicon.ico " 404 18 0.0013
96.18.233.137 - - [24/Dec/2012 20:47:01] "POST /add " 14 - 0.0046
And that is all it shows. Chrome shows:
Request Method:POST
Status Code:500 Internal Server Error