Centos 7 file permission problem


Centos 7 file permission problem

lists@lazygranch.com
I'm setting up a web server on a Centos 7 VPS. I'm relatively sure I
have the firewalls set up properly since I can see my browser requests
in the access and error log. That said, I have a file permission problem.

nginx 1.12.2
Linux servername 3.10.0-693.5.2.el7.x86_64 #1 SMP Fri Oct 20 20:32:50 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
 

nginx.conf (with comments removed for brevity and my domain name removed
because of Google)
-------
# Main nginx configuration as posted: one plain-HTTP server that redirects to
# HTTPS, and one TLS server that serves static files from a document root.

# Worker processes run as the unprivileged "nginx" account; the ps output in
# this post shows the master process running as root and the worker as nginx.
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    # Access-log layout. The last field is the X-Forwarded-For request header,
    # which is supplied by the client, so treat it as untrusted when reading logs.
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

# Port 80: every request is answered with a permanent redirect to HTTPS.
# NOTE(review): this is the only port-80 server in the listing, so it also
# answers requests carrying other Host values, and $host then reflects the
# client-supplied name in the redirect target.
server {
        listen 80;
        server_name mydomain.com www.mydomain.com;

        return 301 https://$host$request_uri;
}

    # Port 443: TLS with HTTP/2, serving static content.
    server {
        listen       443 ssl  http2;
        server_name  mydomain.com www.mydomain.com;
        ssl_dhparam /etc/ssl/certs/dhparam.pem;
        # NOTE(review): the error log in this post shows open() on index.html
        # under this root failing with 13 (Permission denied) although the tree
        # is mode 755 and owned by nginx:nginx; the thread attributes that to
        # SELinux. With SELinux enforcing, the files also need a label the web
        # server domain may read: `ls -Z` shows the label and `restorecon -Rv`
        # resets it to the policy default. Presumably the content carried a
        # label from another location; confirm from the audit log.
        root         /usr/share/nginx/html/mydomain.com/public_html;

# Certificate chain and private key paths written by Certbot.
ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem; # managed by Certbot
        # NOTE(review): no ssl_protocols directive appears in this listing, so
        # the built-in default for this nginx version applies; setting it
        # explicitly makes the accepted TLS versions visible and reviewable.
        # The cipher string excludes anonymous (aNULL) and MD5-based suites.
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;

        # Repeats the server-level root with the same path, so it is redundant here.
        location / {
            root   /usr/share/nginx/html/mydomain.com/public_html;
            index  index.html index.htm;
        }
#
        # NOTE(review): error_page points at /404.html but the exact-match
        # location below is for /40x.html, so that location is never selected
        # for the 404 page and /404.html falls through to "location /".
        error_page 404 /404.html;
            location = /40x.html {
        }
#
        # Here the error_page URI and the exact-match location agree (/50x.html).
        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }

}

I have firefox set up with no cache and do not save history.
-------------------------------------------------------------
access log:

mypi - - [20/Dec/2017:07:46:44 +0000] "GET /index.html HTTP/2.0" 403 169
"-" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
Firefox/52.0" "-"

myip - - [20/Dec/2017:07:48:44 +0000] "GET /index.html
HTTP/2.0" 403 169 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0)
Gecko/20100101 Firefox/52.0" "-"
-------------------------------
error log:

2017/12/20 07:46:44 [error] 10146#0: *48 open() "/usr/share/nginx/html/mydomain.com/public_html/index.html" failed (13: Permission denied), client: myip, server: mydomain.com, request: "GET /index.html HTTP/2.0", host: "mydomain.com"
2017/12/20 07:48:44 [error] 10146#0: *48 open() "/usr/share/nginx/html/mydomain.com/public_html/index.html" failed (13: Permission denied), client: myip, server: mydomain.com, request: "GET /index.html HTTP/2.0", host: "mydomain.com"


Directory permissions:
For now, I made everything 755 with ownership nginx:nginx. I did chmod
and chown with the -R option.

/etc/nginx:
drwxr-xr-x.  4 nginx nginx    4096 Dec 20 07:39 nginx

/usr/share/nginx:
drwxr-xr-x.   4 nginx nginx    33 Dec 15 08:47 nginx

/var/log:
drwx------. 2 nginx  nginx    4096 Dec 20 07:51 nginx
--------------------------------------------------------------
systemctl status nginx
● nginx.service - The nginx HTTP and reverse proxy server
   Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2017-12-20 04:21:37 UTC; 3h 37min ago
  Process: 10145 ExecReload=/bin/kill -s HUP $MAINPID (code=exited, status=0/SUCCESS)
 Main PID: 9620 (nginx)
   CGroup: /system.slice/nginx.service
           ├─ 9620 nginx: master process /usr/sbin/nginx
           └─10146 nginx: worker process


Dec 20 07:18:33 servername systemd[1]: Reloaded The nginx HTTP and reverse proxy server.
--------------------------------------------------------------

ps aux | grep nginx
root      9620  0.0  0.3  71504  3848 ?        Ss   04:21   0:00 nginx: master process /usr/sbin/nginx
nginx    10146  0.0  0.4  72004  4216 ?        S    07:18   0:00 nginx: worker process
root     10235  0.0  0.0 112660   952 pts/1    S+   08:01   0:00 grep ngin

-----------------------------------
firewall-cmd --zone=public --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh dhcpv6-client http https
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx

Re: Centos 7 file permission problem

Aziz Rozyev
Hi,

Have you checked this with SELinux disabled?

br,
Aziz.





> On 20 Dec 2017, at 11:07, [hidden email] wrote:
>
> I'm setting up a web server on a Centos 7 VPS. I'm relatively sure I
> have the firewalls set up properly since I can see my browser requests
> in the access and error log. That said, I have file permission problem.
>
> nginx 1.12.2
> Linux servername 3.10.0-693.5.2.el7.x86_64 #1 SMP Fri Oct 20 20:32:50 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
>
>
> nginx.conf (with comments removed for brevity and my domain name remove
> because google)
> -------
> user nginx;
> worker_processes auto;
> error_log /var/log/nginx/error.log;
> pid /run/nginx.pid;
>
> events {
>    worker_connections 1024;
> }
>
> http {
>    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
>                      '$status $body_bytes_sent "$http_referer" '
>                      '"$http_user_agent" "$http_x_forwarded_for"';
>
>    access_log  /var/log/nginx/access.log  main;
>
>    sendfile            on;
>    tcp_nopush          on;
>    tcp_nodelay         on;
>    keepalive_timeout   65;
>    types_hash_max_size 2048;
>
>    include             /etc/nginx/mime.types;
>    default_type        application/octet-stream;
>
> server {
>        listen 80;
>        server_name mydomain.com www.mydomain.com;
>
>        return 301 https://$host$request_uri;
> }
>
>    server {
>        listen       443 ssl  http2;
>        server_name  mydomain.com www.mydomain.com;
>        ssl_dhparam /etc/ssl/certs/dhparam.pem;
>        root         /usr/share/nginx/html/mydomain.com/public_html;
>
> ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem; # managed by Certbot
> ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem; # managed by Certbot
>        ssl_ciphers HIGH:!aNULL:!MD5;
>        ssl_prefer_server_ciphers on;
>
>        location / {
>            root   /usr/share/nginx/html/mydomain.com/public_html;
>            index  index.html index.htm;
>        }
> #
>        error_page 404 /404.html;
>            location = /40x.html {
>        }
> #
>        error_page 500 502 503 504 /50x.html;
>            location = /50x.html {
>        }
>    }
>
> }
>
> I have firefox set up with no cache and do not save history.
> -------------------------------------------------------------
> access log:
>
> mypi - - [20/Dec/2017:07:46:44 +0000] "GET /index.html HTTP/2.0" 403 169
> "-" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
> Firefox/52.0" "-"
>
> myip - - [20/Dec/2017:07:48:44 +0000] "GET /index.html
> HTTP/2.0" 403 169 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0)
> Gecko/20100101 Firefox/52.0" "-"
> -------------------------------
> error log:
>
> 2017/12/20 07:46:44 [error] 10146#0: *48 open() "/usr/share/nginx/html/mydomain.com/public_html/index.html" failed (13: Permission denied), client: myip, server: mydomain.com, request: "GET /index.html HTTP/2.0", host: "mydomain.com"
> 2017/12/20 07:48:44 [error] 10146#0: *48 open() "/usr/share/nginx/html/mydomain.com/public_html/index.html" failed (13: Permission denied), client: myip, server: mydomain.com, request: "GET /index.html HTTP/2.0", host: "mydomain.com"
>
>
> Directory permissions:
> For now, I made eveything 755 with ownership nginx:nginx I did chmod
> and chown with the -R option
>
> /etc/nginx:
> drwxr-xr-x.  4 nginx nginx    4096 Dec 20 07:39 nginx
>
> /usr/share/nginx:
> drwxr-xr-x.   4 nginx nginx    33 Dec 15 08:47 nginx
>
> /var/log:
> drwx------. 2 nginx  nginx    4096 Dec 20 07:51 nginx
> --------------------------------------------------------------
> systemctl status nginx
> ● nginx.service - The nginx HTTP and reverse proxy server
>   Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; vendor preset: disabled)
>   Active: active (running) since Wed 2017-12-20 04:21:37 UTC; 3h 37min ago
>  Process: 10145 ExecReload=/bin/kill -s HUP $MAINPID (code=exited, status=0/SUCCESS)
> Main PID: 9620 (nginx)
>   CGroup: /system.slice/nginx.service
>           ├─ 9620 nginx: master process /usr/sbin/nginx
>           └─10146 nginx: worker process
>
>
> Dec 20 07:18:33 servername systemd[1]: Reloaded The nginx HTTP and reverse proxy server.
> --------------------------------------------------------------
>
> ps aux | grep nginx
> root      9620  0.0  0.3  71504  3848 ?        Ss   04:21   0:00 nginx: master process /usr/sbin/nginx
> nginx    10146  0.0  0.4  72004  4216 ?        S    07:18   0:00 nginx: worker process
> root     10235  0.0  0.0 112660   952 pts/1    S+   08:01   0:00 grep ngin
>
> -----------------------------------
> firewall-cmd --zone=public --list-all
> public (active)
>  target: default
>  icmp-block-inversion: no
>  interfaces: eth0
>  sources:
>  services: ssh dhcpv6-client http https
>  ports:
>  protocols:
>  masquerade: no
>  forward-ports:
>  source-ports:
>  icmp-blocks:
>  rich rules:
> _______________________________________________
> nginx mailing list
> [hidden email]
> http://mailman.nginx.org/mailman/listinfo/nginx

_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx

Re: Centos 7 file permission problem

lists@lazygranch.com
Well that was it. You can't believe how many hours I wasted on that.
Thanks. Double thanks.
I'm going to mention this in the Digital Ocean help pages.

I disabled SELinux, but I have a book lying around on how to set it up.
Eh, it is on the list.

 On Wed, 20 Dec 2017 14:17:18 +0300
Aziz Rozyev <[hidden email]> wrote:

> Hi,
>
> have you checked this with disabled selinux ?
>
> br,
> Aziz.
>
>
>
>
>
> > On 20 Dec 2017, at 11:07, [hidden email] wrote:
> >
> > I'm setting up a web server on a Centos 7 VPS. I'm relatively sure I
> > have the firewalls set up properly since I can see my browser
> > requests in the access and error log. That said, I have file
> > permission problem.
> >
> > nginx 1.12.2
> > Linux servername 3.10.0-693.5.2.el7.x86_64 #1 SMP Fri Oct 20
> > 20:32:50 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
> >
> >
> > nginx.conf (with comments removed for brevity and my domain name
> > remove because google)
> > -------
> > user nginx;
> > worker_processes auto;
> > error_log /var/log/nginx/error.log;
> > pid /run/nginx.pid;
> >
> > events {
> >    worker_connections 1024;
> > }
> >
> > http {
> >    log_format  main  '$remote_addr - $remote_user [$time_local]
> > "$request" ' '$status $body_bytes_sent "$http_referer" '
> >                      '"$http_user_agent" "$http_x_forwarded_for"';
> >
> >    access_log  /var/log/nginx/access.log  main;
> >
> >    sendfile            on;
> >    tcp_nopush          on;
> >    tcp_nodelay         on;
> >    keepalive_timeout   65;
> >    types_hash_max_size 2048;
> >
> >    include             /etc/nginx/mime.types;
> >    default_type        application/octet-stream;
> >
> > server {
> >        listen 80;
> >        server_name mydomain.com www.mydomain.com;
> >
> >        return 301 https://$host$request_uri;
> > }
> >
> >    server {
> >        listen       443 ssl  http2;
> >        server_name  mydomain.com www.mydomain.com;
> >        ssl_dhparam /etc/ssl/certs/dhparam.pem;
> >        root         /usr/share/nginx/html/mydomain.com/public_html;
> >
> > ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem; #
> > managed by Certbot
> > ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem;
> > # managed by Certbot ssl_ciphers HIGH:!aNULL:!MD5;
> > ssl_prefer_server_ciphers on;
> >
> >        location / {
> >            root   /usr/share/nginx/html/mydomain.com/public_html;
> >            index  index.html index.htm;
> >        }
> > #
> >        error_page 404 /404.html;
> >            location = /40x.html {
> >        }
> > #
> >        error_page 500 502 503 504 /50x.html;
> >            location = /50x.html {
> >        }
> >    }
> >
> > }
> >
> > I have firefox set up with no cache and do not save history.
> > -------------------------------------------------------------
> > access log:
> >
> > mypi - - [20/Dec/2017:07:46:44 +0000] "GET /index.html HTTP/2.0"
> > 403 169 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
> > Firefox/52.0" "-"
> >
> > myip - - [20/Dec/2017:07:48:44 +0000] "GET /index.html
> > HTTP/2.0" 403 169 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0)
> > Gecko/20100101 Firefox/52.0" "-"
> > -------------------------------
> > error log:
> >
> > 2017/12/20 07:46:44 [error] 10146#0: *48 open()
> > "/usr/share/nginx/html/mydomain.com/public_html/index.html" failed
> > (13: Permission denied), client: myip, server: mydomain.com,
> > request: "GET /index.html HTTP/2.0", host: "mydomain.com"
> > 2017/12/20 07:48:44 [error] 10146#0: *48 open()
> > "/usr/share/nginx/html/mydomain.com/public_html/index.html" failed
> > (13: Permission denied), client: myip, server: mydomain.com,
> > request: "GET /index.html HTTP/2.0", host: "mydomain.com"
> >
> >
> > Directory permissions:
> > For now, I made eveything 755 with ownership nginx:nginx I did chmod
> > and chown with the -R option
> >
> > /etc/nginx:
> > drwxr-xr-x.  4 nginx nginx    4096 Dec 20 07:39 nginx
> >
> > /usr/share/nginx:
> > drwxr-xr-x.   4 nginx nginx    33 Dec 15 08:47 nginx
> >
> > /var/log:
> > drwx------. 2 nginx  nginx    4096 Dec 20 07:51 nginx
> > --------------------------------------------------------------
> > systemctl status nginx
> > ● nginx.service - The nginx HTTP and reverse proxy server
> >   Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled;
> > vendor preset: disabled) Active: active (running) since Wed
> > 2017-12-20 04:21:37 UTC; 3h 37min ago Process: 10145
> > ExecReload=/bin/kill -s HUP $MAINPID (code=exited,
> > status=0/SUCCESS) Main PID: 9620 (nginx)
> > CGroup: /system.slice/nginx.service ├─ 9620 nginx: master
> > process /usr/sbin/nginx └─10146 nginx: worker process
> >
> >
> > Dec 20 07:18:33 servername systemd[1]: Reloaded The nginx HTTP and
> > reverse proxy server.
> > --------------------------------------------------------------
> >
> > ps aux | grep nginx
> > root      9620  0.0  0.3  71504  3848 ?        Ss   04:21   0:00
> > nginx: master process /usr/sbin/nginx nginx    10146  0.0  0.4
> > 72004  4216 ?        S    07:18   0:00 nginx: worker process
> > root     10235  0.0  0.0 112660   952 pts/1    S+   08:01   0:00
> > grep ngin
> >
> > -----------------------------------
> > firewall-cmd --zone=public --list-all
> > public (active)
> >  target: default
> >  icmp-block-inversion: no
> >  interfaces: eth0
> >  sources:
> >  services: ssh dhcpv6-client http https
> >  ports:
> >  protocols:
> >  masquerade: no
> >  forward-ports:
> >  source-ports:
> >  icmp-blocks:
> >  rich rules:
> > _______________________________________________
> > nginx mailing list
> > [hidden email]
> > http://mailman.nginx.org/mailman/listinfo/nginx
>
> _______________________________________________
> nginx mailing list
> [hidden email]
> http://mailman.nginx.org/mailman/listinfo/nginx
_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx

Re: Centos 7 file permission problem

方坤
SELinux again this time; it seems to be a real problem for newcomers. I remember the hours of headaches I had with it.

_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx

Re: Centos 7 file permission problem

Aziz Rozyev
In reply to this post by lists@lazygranch.com
no problem, btw, check out this post

https://www.nginx.com/blog/nginx-se-linux-changes-upgrading-rhel-6-6/


br,
Aziz.





> On 21 Dec 2017, at 03:33, [hidden email] wrote:
>
> Well that was it. You can't believe how many hours I wasted on that.
> Thanks. Double thanks.
> I'm going to mention this in the Digital Ocean help pages.
>
> I disabled selinx, but I have a book laying around on how to set it up.
> Eh, it is on the list.
>
> On Wed, 20 Dec 2017 14:17:18 +0300
> Aziz Rozyev <[hidden email]> wrote:
>
>> Hi,
>>
>> have you checked this with disabled selinux ?
>>
>> br,
>> Aziz.
>>
>>
>>
>>
>>
>>> On 20 Dec 2017, at 11:07, [hidden email] wrote:
>>>
>>> I'm setting up a web server on a Centos 7 VPS. I'm relatively sure I
>>> have the firewalls set up properly since I can see my browser
>>> requests in the access and error log. That said, I have file
>>> permission problem.
>>>
>>> nginx 1.12.2
>>> Linux servername 3.10.0-693.5.2.el7.x86_64 #1 SMP Fri Oct 20
>>> 20:32:50 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
>>>
>>>
>>> nginx.conf (with comments removed for brevity and my domain name
>>> remove because google)
>>> -------
>>> user nginx;
>>> worker_processes auto;
>>> error_log /var/log/nginx/error.log;
>>> pid /run/nginx.pid;
>>>
>>> events {
>>>   worker_connections 1024;
>>> }
>>>
>>> http {
>>>   log_format  main  '$remote_addr - $remote_user [$time_local]
>>> "$request" ' '$status $body_bytes_sent "$http_referer" '
>>>                     '"$http_user_agent" "$http_x_forwarded_for"';
>>>
>>>   access_log  /var/log/nginx/access.log  main;
>>>
>>>   sendfile            on;
>>>   tcp_nopush          on;
>>>   tcp_nodelay         on;
>>>   keepalive_timeout   65;
>>>   types_hash_max_size 2048;
>>>
>>>   include             /etc/nginx/mime.types;
>>>   default_type        application/octet-stream;
>>>
>>> server {
>>>       listen 80;
>>>       server_name mydomain.com www.mydomain.com;
>>>
>>>       return 301 https://$host$request_uri;
>>> }
>>>
>>>   server {
>>>       listen       443 ssl  http2;
>>>       server_name  mydomain.com www.mydomain.com;
>>>       ssl_dhparam /etc/ssl/certs/dhparam.pem;
>>>       root         /usr/share/nginx/html/mydomain.com/public_html;
>>>
>>> ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem; #
>>> managed by Certbot
>>> ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem;
>>> # managed by Certbot ssl_ciphers HIGH:!aNULL:!MD5;
>>> ssl_prefer_server_ciphers on;
>>>
>>>       location / {
>>>           root   /usr/share/nginx/html/mydomain.com/public_html;
>>>           index  index.html index.htm;
>>>       }
>>> #
>>>       error_page 404 /404.html;
>>>           location = /40x.html {
>>>       }
>>> #
>>>       error_page 500 502 503 504 /50x.html;
>>>           location = /50x.html {
>>>       }
>>>   }
>>>
>>> }
>>>
>>> I have firefox set up with no cache and do not save history.
>>> -------------------------------------------------------------
>>> access log:
>>>
>>> mypi - - [20/Dec/2017:07:46:44 +0000] "GET /index.html HTTP/2.0"
>>> 403 169 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
>>> Firefox/52.0" "-"
>>>
>>> myip - - [20/Dec/2017:07:48:44 +0000] "GET /index.html
>>> HTTP/2.0" 403 169 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0)
>>> Gecko/20100101 Firefox/52.0" "-"
>>> -------------------------------
>>> error log:
>>>
>>> 2017/12/20 07:46:44 [error] 10146#0: *48 open()
>>> "/usr/share/nginx/html/mydomain.com/public_html/index.html" failed
>>> (13: Permission denied), client: myip, server: mydomain.com,
>>> request: "GET /index.html HTTP/2.0", host: "mydomain.com"
>>> 2017/12/20 07:48:44 [error] 10146#0: *48 open()
>>> "/usr/share/nginx/html/mydomain.com/public_html/index.html" failed
>>> (13: Permission denied), client: myip, server: mydomain.com,
>>> request: "GET /index.html HTTP/2.0", host: "mydomain.com"
>>>
>>>
>>> Directory permissions:
>>> For now, I made eveything 755 with ownership nginx:nginx I did chmod
>>> and chown with the -R option
>>>
>>> /etc/nginx:
>>> drwxr-xr-x.  4 nginx nginx    4096 Dec 20 07:39 nginx
>>>
>>> /usr/share/nginx:
>>> drwxr-xr-x.   4 nginx nginx    33 Dec 15 08:47 nginx
>>>
>>> /var/log:
>>> drwx------. 2 nginx  nginx    4096 Dec 20 07:51 nginx
>>> --------------------------------------------------------------
>>> systemctl status nginx
>>> ● nginx.service - The nginx HTTP and reverse proxy server
>>>  Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled;
>>> vendor preset: disabled) Active: active (running) since Wed
>>> 2017-12-20 04:21:37 UTC; 3h 37min ago Process: 10145
>>> ExecReload=/bin/kill -s HUP $MAINPID (code=exited,
>>> status=0/SUCCESS) Main PID: 9620 (nginx)
>>> CGroup: /system.slice/nginx.service ├─ 9620 nginx: master
>>> process /usr/sbin/nginx └─10146 nginx: worker process
>>>
>>>
>>> Dec 20 07:18:33 servername systemd[1]: Reloaded The nginx HTTP and
>>> reverse proxy server.
>>> --------------------------------------------------------------
>>>
>>> ps aux | grep nginx
>>> root      9620  0.0  0.3  71504  3848 ?        Ss   04:21   0:00
>>> nginx: master process /usr/sbin/nginx nginx    10146  0.0  0.4
>>> 72004  4216 ?        S    07:18   0:00 nginx: worker process
>>> root     10235  0.0  0.0 112660   952 pts/1    S+   08:01   0:00
>>> grep ngin
>>>
>>> -----------------------------------
>>> firewall-cmd --zone=public --list-all
>>> public (active)
>>> target: default
>>> icmp-block-inversion: no
>>> interfaces: eth0
>>> sources:
>>> services: ssh dhcpv6-client http https
>>> ports:
>>> protocols:
>>> masquerade: no
>>> forward-ports:
>>> source-ports:
>>> icmp-blocks:
>>> rich rules:
>>> _______________________________________________
>>> nginx mailing list
>>> [hidden email]
>>> http://mailman.nginx.org/mailman/listinfo/nginx
>>
>> _______________________________________________
>> nginx mailing list
>> [hidden email]
>> http://mailman.nginx.org/mailman/listinfo/nginx

_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx

Re: Centos 7 file permission problem

方坤
I generally disable SELinux after installing CentOS, once and for all, and
I guess I am not the only one who does this.

SELinux was probably not designed for regular use.

On Thu, Dec 21, 2017 at 3:06 PM, Aziz Rozyev <[hidden email]> wrote:

> no problem, btw, check out this post
>
> https://www.nginx.com/blog/nginx-se-linux-changes-upgrading-rhel-6-6/
>
>
> br,
> Aziz.
>
>
>
>
>
>> On 21 Dec 2017, at 03:33, [hidden email] wrote:
>>
>> Well that was it. You can't believe how many hours I wasted on that.
>> Thanks. Double thanks.
>> I'm going to mention this in the Digital Ocean help pages.
>>
>> I disabled selinx, but I have a book laying around on how to set it up.
>> Eh, it is on the list.
>>
>> On Wed, 20 Dec 2017 14:17:18 +0300
>> Aziz Rozyev <[hidden email]> wrote:
>>
>>> Hi,
>>>
>>> have you checked this with disabled selinux ?
>>>
>>> br,
>>> Aziz.
>>>
>>>
>>>
>>>
>>>
>>>> On 20 Dec 2017, at 11:07, [hidden email] wrote:
>>>>
>>>> I'm setting up a web server on a Centos 7 VPS. I'm relatively sure I
>>>> have the firewalls set up properly since I can see my browser
>>>> requests in the access and error log. That said, I have file
>>>> permission problem.
>>>>
>>>> nginx 1.12.2
>>>> Linux servername 3.10.0-693.5.2.el7.x86_64 #1 SMP Fri Oct 20
>>>> 20:32:50 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
>>>>
>>>>
>>>> nginx.conf (with comments removed for brevity and my domain name
>>>> remove because google)
>>>> -------
>>>> user nginx;
>>>> worker_processes auto;
>>>> error_log /var/log/nginx/error.log;
>>>> pid /run/nginx.pid;
>>>>
>>>> events {
>>>>   worker_connections 1024;
>>>> }
>>>>
>>>> http {
>>>>   log_format  main  '$remote_addr - $remote_user [$time_local]
>>>> "$request" ' '$status $body_bytes_sent "$http_referer" '
>>>>                     '"$http_user_agent" "$http_x_forwarded_for"';
>>>>
>>>>   access_log  /var/log/nginx/access.log  main;
>>>>
>>>>   sendfile            on;
>>>>   tcp_nopush          on;
>>>>   tcp_nodelay         on;
>>>>   keepalive_timeout   65;
>>>>   types_hash_max_size 2048;
>>>>
>>>>   include             /etc/nginx/mime.types;
>>>>   default_type        application/octet-stream;
>>>>
>>>> server {
>>>>       listen 80;
>>>>       server_name mydomain.com www.mydomain.com;
>>>>
>>>>       return 301 https://$host$request_uri;
>>>> }
>>>>
>>>>   server {
>>>>       listen       443 ssl  http2;
>>>>       server_name  mydomain.com www.mydomain.com;
>>>>       ssl_dhparam /etc/ssl/certs/dhparam.pem;
>>>>       root         /usr/share/nginx/html/mydomain.com/public_html;
>>>>
>>>> ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem; #
>>>> managed by Certbot
>>>> ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem;
>>>> # managed by Certbot ssl_ciphers HIGH:!aNULL:!MD5;
>>>> ssl_prefer_server_ciphers on;
>>>>
>>>>       location / {
>>>>           root   /usr/share/nginx/html/mydomain.com/public_html;
>>>>           index  index.html index.htm;
>>>>       }
>>>> #
>>>>       error_page 404 /404.html;
>>>>           location = /40x.html {
>>>>       }
>>>> #
>>>>       error_page 500 502 503 504 /50x.html;
>>>>           location = /50x.html {
>>>>       }
>>>>   }
>>>>
>>>> }
>>>>
>>>> I have firefox set up with no cache and do not save history.
>>>> -------------------------------------------------------------
>>>> access log:
>>>>
>>>> mypi - - [20/Dec/2017:07:46:44 +0000] "GET /index.html HTTP/2.0"
>>>> 403 169 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
>>>> Firefox/52.0" "-"
>>>>
>>>> myip - - [20/Dec/2017:07:48:44 +0000] "GET /index.html
>>>> HTTP/2.0" 403 169 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0)
>>>> Gecko/20100101 Firefox/52.0" "-"
>>>> -------------------------------
>>>> error log:
>>>>
>>>> 2017/12/20 07:46:44 [error] 10146#0: *48 open()
>>>> "/usr/share/nginx/html/mydomain.com/public_html/index.html" failed
>>>> (13: Permission denied), client: myip, server: mydomain.com,
>>>> request: "GET /index.html HTTP/2.0", host: "mydomain.com"
>>>> 2017/12/20 07:48:44 [error] 10146#0: *48 open()
>>>> "/usr/share/nginx/html/mydomain.com/public_html/index.html" failed
>>>> (13: Permission denied), client: myip, server: mydomain.com,
>>>> request: "GET /index.html HTTP/2.0", host: "mydomain.com"
>>>>
>>>>
>>>> Directory permissions:
>>>> For now, I made eveything 755 with ownership nginx:nginx I did chmod
>>>> and chown with the -R option
>>>>
>>>> /etc/nginx:
>>>> drwxr-xr-x.  4 nginx nginx    4096 Dec 20 07:39 nginx
>>>>
>>>> /usr/share/nginx:
>>>> drwxr-xr-x.   4 nginx nginx    33 Dec 15 08:47 nginx
>>>>
>>>> /var/log:
>>>> drwx------. 2 nginx  nginx    4096 Dec 20 07:51 nginx
>>>> --------------------------------------------------------------
>>>> systemctl status nginx
>>>> ● nginx.service - The nginx HTTP and reverse proxy server
>>>>  Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled;
>>>> vendor preset: disabled) Active: active (running) since Wed
>>>> 2017-12-20 04:21:37 UTC; 3h 37min ago Process: 10145
>>>> ExecReload=/bin/kill -s HUP $MAINPID (code=exited,
>>>> status=0/SUCCESS) Main PID: 9620 (nginx)
>>>> CGroup: /system.slice/nginx.service ├─ 9620 nginx: master
>>>> process /usr/sbin/nginx └─10146 nginx: worker process
>>>>
>>>>
>>>> Dec 20 07:18:33 servername systemd[1]: Reloaded The nginx HTTP and
>>>> reverse proxy server.
>>>> --------------------------------------------------------------
>>>>
>>>> ps aux | grep nginx
>>>> root      9620  0.0  0.3  71504  3848 ?        Ss   04:21   0:00
>>>> nginx: master process /usr/sbin/nginx nginx    10146  0.0  0.4
>>>> 72004  4216 ?        S    07:18   0:00 nginx: worker process
>>>> root     10235  0.0  0.0 112660   952 pts/1    S+   08:01   0:00
>>>> grep ngin
>>>>
>>>> -----------------------------------
>>>> firewall-cmd --zone=public --list-all
>>>> public (active)
>>>> target: default
>>>> icmp-block-inversion: no
>>>> interfaces: eth0
>>>> sources:
>>>> services: ssh dhcpv6-client http https
>>>> ports:
>>>> protocols:
>>>> masquerade: no
>>>> forward-ports:
>>>> source-ports:
>>>> icmp-blocks:
>>>> rich rules:
>>>> _______________________________________________
>>>> nginx mailing list
>>>> [hidden email]
>>>> http://mailman.nginx.org/mailman/listinfo/nginx
>>>
>>> _______________________________________________
>>> nginx mailing list
>>> [hidden email]
>>> http://mailman.nginx.org/mailman/listinfo/nginx
>
> _______________________________________________
> nginx mailing list
> [hidden email]
> http://mailman.nginx.org/mailman/listinfo/nginx
_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx