Nginx 服务静态文件,得到403禁止

只是想帮帮别人。是的,您只需要使用 nginx 服务静态文件,并且您已经在 Nginx.conf中实现了所有的功能:

location /static {
autoindex on;
#root /root/downloads/boxes/;
alias /root/downloads/boxes/;
}

但是,最后,你失败了。你从浏览器中得到了“403禁止”..。

———————————————— 答案如下:————————————————————————————

解决方法很简单:

方法1: 以“/root/downloads/box/”所有者的身份运行 nginx

Nginx.conf:

#user  nobody;
worker_processes  1;


#error_log  logs/error.log;
#error_log  logs/error.log  notice;

是的,在第一行“ # user noboy;”中,只需删除“ #”,并将“ 没人”在 Linux/OS X 中更改为您自己的用户名,即更改为“ ”进行测试。重新启动 nginx。

注意 ,你最好不要把 Nginx运行成 ! 这里只是测试,对黑客来说是危险的。

有关更多参考,请参见 Nginx (引擎 X)-多么痛苦的 BUM! [13: 许可被拒绝]

方法2: 将’/root/downloads/box/’所有者更改为‘ www-data’或‘ nobody’

晚期:

ps aux | grep nginx

获取运行 nginx 的用户名。它应该是由 nginx 版本决定的 「 www-data 」“无名小卒”。然后在终端中命中(例如使用 「 www-data 」) :

chown -R www-data:www-data /root/downloads/boxes/

—————————— 还有一件重要的事:————————————————

这些父目录 "/"“/根””/根/下载应该给予 「 www-data 」“无名小卒”执行(x)权限。

ls -al /root
chmod o+x /root
chmod o+x /root/downloads

有关更多参考,请参见 解决“403禁止”错误Nginx 403禁止所有文件

120844 次浏览
小开
最佳答案

You should give nginx permissions to read the file. That means you should give the user that runs the nginx process permissions to read the file.

This user that runs the nginx process is configurable with the user directive in the nginx config, usually located somewhere on the top of nginx.conf:

user www-data

http://wiki.nginx.org/CoreModule#user

The second argument you give to user is the group, but if you don't specify it, it uses the same one as the user, so in my example the user and the group both are www-data.

Now the files you want to serve with nginx should have the correct permissions. Nginx should have permissions to read the files. You can give the group www-data read permissions to a file like this:

chown :www-data my-file.html

http://linux.die.net/man/1/chown

With chown you can change the user and group owner of a file. In this command I only change the group, if you would change the user too you would specify the username before the colon, like chown www-data:www-data my-file.html. But setting the group permissions correct should be enough for nginx to be able to read the file.

小开

for accepted answer

sudo chown -R :www-data static_folder

for changing group owner of all files in that folder

小开

After digging into very useful answers decided to collect everything related to permissions as a recipe. Specifically, the simplest solution with maximal security (=minimal permissions).

  1. Suppose we deploy the site as user admin, that is, she owns site dir and everything within. We do not want to run nginx as this user (too many permissions). It's OK for testing, not for prod.
  2. By default Nginx runs workers as a user nginx, that is, config contains line user nginx
  3. By default user nginx is in the group with the same name: nginx.
  4. We want to give minimal permissions to user nginx without changing file ownership. This seems to be the most secure of naive options.

  5. In order to serve static files, the minimal required permissions in the folders hierarchy (see the group permissions) should be like this (use the command namei -l /home/admin/WebProject/site/static/hmenu.css):

    dr-xr-xr-x root root /
    drwxr-xr-x root root home
    drwxr-x--- admin nginx admin
    drwx--x--- admin nginx WebProject
    drwx--x--- admin nginx site
    drwx--x--- admin nginx static
    -rwxr----- admin nginx hmenu.css

  6. Next, how to get this beautiful picture? To change group ownership for dirs, we first apply sudo chown :nginx /home/admin/WebProject/site/static and then repeat the command stripping dirs from the right one-by-one.

  7. To change permissions for dirs, we apply sudo chmod g+x /home/admin/WebProject/site/static and again strip dirs.

  8. Change group for the files in the /static dir: sudo chown -R :nginx /home/admin/WebProject/site/static

  9. Finally, change permissions for the files in the /static dir: sudo chmod g+r /home/admin/WebProject/site/static/*

(Of course one can create a dedicated group and change the user name, but this would obscure the narration with unimportant details.)

小开

Since Nginx is handling the static files directly, it needs access to the appropriate directories. We need to give it executable permissions for our home directory.

The safest way to do this is to add the Nginx user to our own user group. We can then add the executable permission to the group owners of our home directory, giving just enough access for Nginx to serve the files:

CentOS / Fedora

  sudo usermod -a -G your_user nginx


chmod 710 /home/your_user

Set SELinux to globally permissive mode, run:

sudo setenforce 0

for more info, please visit https://www.nginx.com/blog/using-nginx-plus-with-selinux/

Ubuntu / Debian

  sudo usermod -a -G your_user www-data


sudo chown -R :www-data /path/to/your/static/folder
小开

Setting user root in nginx can be really dangerous. Having to set permissions to all file hierarchy can be cumbersome (imagine the folder's full path is under more than 10 subfolders).

What I'd do is to mirror the folder you want to share, under /usr/share/nginx/any_folder_name with permissions for nginx's configured user (usually www-data). That you can do with bindfs.

In your case I would do:

sudo bindfs -u www-data -g www-data /root/downloads/boxes/ /usr/share/nginx/root_boxes

It will mount /root/downloads/boxes into /usr/share/nginx/root_boxes with all permissions for user www-data. Now you set that path in your location block config

location /static {
autoindex on;
alias /usr/share/nginx/root_boxes/;
}
小开

For me is was SElinux, I had to run the following: (RHEL/Centos on AWS)

sudo setsebool -P httpd_can_network_connect on
chcon -Rt httpd_sys_content_t /var/www/
小开

Try the accepted answer by @gitaarik, and if it still gives 403 Forbidden or 404 Not Found and your location target is / read on.

I also experienced this issue, but none of the permission changes mentioned above solved my problem. It was solved by adding the root directive because I was defining the root location (/) and accidentally used the alias directive when I should have used the root directive.

The configuration is accepted, but gives 403 Forbidden, or 404 Not Found if auto-indexing is enabled for /:

location / {
alias /my/path/;
index index.html;
}

Correct definition:

location / {
root /my/path/;
index index.html;
}
小开

I bang my head on this 403 problem for quite some time. I'm using CentOS from DigitalOcean.

I thought to fix the problem was just to set SELINUX=disabled in /etc/selinux/config but I was wrong. Somehow, I screwed my droplet.

This works for me! sudo chown nginx:nginx /var/www/mydir

小开

I ran into this issue with a Django project. Changing user permissions and groups didn't work. However, moving the entire static folder from my project to /var/www did.

Copy your project static files to /var/www/static

# cp -r /project/static /var/www/static

Point nginx to proper directory

# sudo nano /etc/nginx/sites-available/default


server {
listen 80 default_server;
listen [::]:80 default_server;


server_name _;


location /static/ {
root /var/www;
}


location / {
include proxy_params;
proxy_pass http://unix:/run/gunicorn.sock;
}


}

Test nginx config and reload

# sudo nginx -t
# sudo systemctl reload nginx
小开

My nginx is run as nginx user and nginx group, but add nginx group to public folder not work for me.

I check the permission as a nginx user.

su nginx -s /bin/bash

I found the I need to add the group for the full path. My path is start at /root, so I need to do following:

chown -R :nginx /root
小开

You can just do like what is did:

CentOS / Fedora

sudo usermod -a -G your_user_name nginx


chmod 710 /home/your_user_name

Ubuntu / Debian

sudo usermod -a -G your_user_name www-data


sudo chown -R :www-data /path/to/your/static_folder

And in your nginx file that serve your site make sure that your location for static is like this:

location /static/ {
root /path/to/your/static_folder;
}

提交答案