Nginx 403 forbidden for all files
I have nginx installed with PHP-FPM on a CentOS 5 box, but am struggling to get it to serve any of my files - whether PHP or not.
Nginx is running as www-data:www-data, and the default "Welcome to nginx on EPEL" site (owned by root:root with 644 permissions) loads fine.
The nginx configuration file has an include directive for /etc/nginx/sites-enabled/*.conf, and I have a configuration file example.com.conf, thus:
    server {
        listen 80;
        # Virtual Host Name
        server_name www.example.com example.com;
        location / {
            root /home/demo/sites/example.com/public_html;
            index index.php index.htm index.html;
        }
        location ~ \.php$ {
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            fastcgi_param PATH_INFO $fastcgi_script_name;
            fastcgi_param SCRIPT_FILENAME /home/demo/sites/example.com/public_html$fastcgi_script_name;
            include fastcgi_params;
        }
    }
Despite public_html being owned by www-data:www-data with 2777 file permissions, this site fails to serve any content -
[error] 4167#0: *4 open() "/home/demo/sites/example.com/public_html/index.html" failed (13: Permission denied), client: XX.XXX.XXX.XX, server: www.example.com, request: "GET /index.html HTTP/1.1", host: "www.example.com"
I've found numerous other posts with users getting 403s from nginx, but most that I have seen involve either more complex setups with Ruby/Passenger (which in the past I've actually succeeded with) or are only receiving errors when the upstream PHP-FPM is involved, so they seem to be of little help.
Have I done something silly here?
Recommended answer
One permission requirement that is often overlooked is a user needs x permissions in every parent directory of a file to access that file. Check the permissions on /, /home, /home/demo, etc. for www-data x access. My guess is that /home is probably 770 and www-data can't chdir through it to get to any subdir. If it is, try chmod o+x /home (or whatever dir is denying the request).
To easily display all the permissions on a path, you can use namei -om /path/to/check
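As an added example (not from the original question or answer), the following POSIX shell check automates the advice above: it walks every parent directory of a path and prints the ones a given user cannot traverse, picking the owner, group or other permission bits the way the kernel does, so it goes slightly beyond looking only at the "other" column. It assumes GNU coreutils stat -c (Linux); the user name www-data, its group list and the sample paths are illustrative.

```shell
#!/bin/sh
# Report the parent directories of PATH that USER cannot traverse (no x bit),
# choosing owner, group or other bits the way the kernel does.
# Assumes GNU coreutils `stat -c` (Linux). Names below are constructed.

# Print the one octal permission digit of FILE that applies to USER, whose
# supplementary groups are passed as a space-separated list in GRPS.
perm_digit() {
    file=$1; user=$2; grps=$3
    info=$(stat -c '%a %U %G' "$file") || return 1
    set -- $info
    mode=$1; owner=$2; group=$3
    # keep only the rwx digits: drop a leading setuid/setgid/sticky digit
    mode=$(printf '%04d' "$mode"); mode=${mode#?}
    if [ "$owner" = "$user" ]; then
        printf '%s' "${mode%??}"          # owner digit
    else
        case " $grps " in
            *" $group "*) d=${mode%?}; printf '%s' "${d#?}" ;;   # group digit
            *)            printf '%s' "${mode#??}" ;;            # other digit
        esac
    fi
}

# Walk from dirname(PATH) up to / and print each directory lacking x for USER.
# Returns 0 when the whole chain is traversable, 1 otherwise (2 on stat error).
untraversable_dirs() {
    path=$1; user=$2; grps=${3:-}
    rc=0
    dir=$(dirname "$path")
    while :; do
        digit=$(perm_digit "$dir" "$user" "$grps") || return 2
        if [ $(( digit & 1 )) -eq 0 ]; then
            printf '%s\n' "$dir"
            rc=1
        fi
        [ "$dir" = "/" ] && break
        dir=$(dirname "$dir")
    done
    return $rc
}

# The situation from the question: which directory blocks www-data (group www-data)?
# untraversable_dirs /home/demo/sites/example.com/public_html/index.html www-data www-data
```

A directory printed by the check is the one that needs chmod o+x (or a group change) before nginx can reach anything below it.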