禁止所有文件使用 Nginx 403

2022-01-13 00:00:00 nginx centos php http-status-code-403

我在 CentOS 5 机器上安装了带有 PHP-FPM 的 nginx,但我很难让它为我的任何文件提供服务 - 无论是否是 PHP.

I have nginx installed with PHP-FPM on a CentOS 5 box, but am struggling to get it to serve any of my files - whether PHP or not.

Nginx 以 www-data:www-data 运行,默认的Welcome to nginx on EPEL"站点(由 root:root 拥有,具有 644 权限)加载正常.

Nginx is running as www-data:www-data, and the default "Welcome to nginx on EPEL" site (owned by root:root with 644 permissions) loads fine.

nginx 配置文件有一个 /etc/nginx/sites-enabled/*.conf 的包含指令, 我有一个配置文件 example.com.conf,因此:

The nginx configuration file has an include directive for /etc/nginx/sites-enabled/*.conf, and I have a configuration file example.com.conf, thus:

server {
 listen 80;

 Virtual Host Name
 server_name www.example.com example.com;


 location / {
   root /home/demo/sites/example.com/public_html;
   index index.php index.htm index.html;
 }

 location ~ .php$ {
  fastcgi_pass   127.0.0.1:9000;
  fastcgi_index  index.php;
  fastcgi_param  PATH_INFO $fastcgi_script_name;
  fastcgi_param  SCRIPT_FILENAME  /home/demo/sites/example.com/public_html$fastcgi_script_name;
  include        fastcgi_params;
 }
}

尽管 public_html 归 www-data:www-data 所有,拥有 2777 文件权限,但此站点无法提供任何内容 -

Despite public_html being owned by www-data:www-data with 2777 file permissions, this site fails to serve any content -

 [error] 4167#0: *4 open() "/home/demo/sites/example.com/public_html/index.html" failed (13: Permission denied), client: XX.XXX.XXX.XX, server: www.example.com, request: "GET /index.html HTTP/1.1", host: "www.example.com"

我发现了许多其他用户从 nginx 获得 403 的帖子,但我看到的大多数帖子要么涉及使用 Ruby/Passenger 进行更复杂的设置(过去我实际上已经成功),要么仅在以下情况下收到错误涉及到上游的PHP-FPM,所以他们似乎帮助不大.

I've found numerous other posts with users getting 403s from nginx, but most that I have seen involve either more complex setups with Ruby/Passenger (which in the past I've actually succeeded with) or are only receiving errors when the upstream PHP-FPM is involved, so they seem to be of little help.

我在这里做了什么傻事吗?

Have I done something silly here?

推荐答案

一个经常被忽视的权限要求是用户需要在文件的每个父目录中拥有 x 权限才能访问该文件.检查/、/home、/home/demo 等的权限以获取 www-data x 访问权限.我的猜测是/home 可能是 770 并且 www-data 不能通过它来访问任何子目录.如果是,请尝试 chmod o+x/home(或任何拒绝请求的目录).

One permission requirement that is often overlooked is a user needs x permissions in every parent directory of a file to access that file. Check the permissions on /, /home, /home/demo, etc. for www-data x access. My guess is that /home is probably 770 and www-data can't chdir through it to get to any subdir. If it is, try chmod o+x /home (or whatever dir is denying the request).

要轻松显示路径上的所有权限,您可以使用 namei -om/path/to/check

To easily display all the permissions on a path, you can use namei -om /path/to/check

相关文章