Nginx open() permission denied but everything seems to work #792

Closed
zanami opened this issue May 2, 2020 · 4 comments

zanami commented May 2, 2020

Permission denied errors in /var/log/nginx/*.error.log appear only when / is requested.

GET / — error (only in logs)
GET /anything — no error

In order to better assist, please post any relevant log information below:

==> somesite.me.error.log <==
2020/05/02 12:27:49 [crit] 18581#18581: *5141207 open() "/home/ab/web/somesite.me/public_html/" failed (13: Permission denied), client: 77.88.5.141, server: somesite.me, request: "GET / HTTP/1.1", host: "somesite.me"

No error in browser, sites work fine, so it's not permissions in general.
Maybe something is wrong with nginx config templates but I'm not sure.
No idea what to google because 'nginx permission denied' is too broad.

4 total sites configured, nginx+php-fpm (no apache)

Affected sites use these templates: wordpress, drupal6, vbulletin (custom, but they are basically the same)

If I change web template for a site from drupal6 to modx the above error fires twice per request. Again, site works.

Which of the following web server configurations are you using?

  • Nginx + PHP-FPM
  • Multi-PHP
  • PHP-FPM + Multi-PHP

zanami commented May 2, 2020

This template for Grav CMS works without issues (with Grav)
If I use the same template for a Wordpress site it produces that "denied" error twice for GET /
The site works otherwise
¯_(ツ)_/¯

server {
    listen      %ip%:%web_ssl_port% ssl http2;
    server_name %domain_idn% %alias_idn%;
    root        %sdocroot%;
    index       index.php index.html index.htm;
    access_log  /var/log/nginx/domains/%domain%.log combined;
    access_log  /var/log/nginx/domains/%domain%.bytes bytes;
    error_log   /var/log/nginx/domains/%domain%.error.log error;

    ssl_certificate      %ssl_pem%;
    ssl_certificate_key  %ssl_key%;
    ssl_stapling on;
    ssl_stapling_verify on;

    include %home%/%user%/conf/web/%domain%/nginx.hsts.conf*;

    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    ## Begin - Index
    # for subfolders, simply adjust:
    # `location /subfolder {`
    # and the rewrite to use `/subfolder/index.php`
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }
    ## End - Index
    ## Begin - Security
    # deny all direct access for these folders
    location ~* /(\.git|cache|bin|logs|backup|tests)/.*$ { return 403; }
    # deny running scripts inside core system folders
    location ~* /(system|vendor)/.*\.(txt|xml|md|html|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ { return 403; }
    # deny running scripts inside user folder
    location ~* /user/.*\.(txt|md|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ { return 403; }
    # deny access to specific files in the root folder
    location ~ /(LICENSE\.txt|composer\.lock|composer\.json|nginx\.conf|web\.config|htaccess\.txt|\.htaccess) { return 403; }
    ## End - Security

    ## Begin - PHP
    location ~ \.php$ {
        # Choose either a socket or TCP/IP address
        fastcgi_pass %backend_lsnr%;
        # fastcgi_pass unix:/var/run/php5-fpm.sock; #legacy
        # fastcgi_pass 127.0.0.1:9000;

        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_index index.php;
        include /etc/nginx/fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
    }
    ## End - PHP
    location /error/ {
        alias   %home%/%user%/web/%domain%/document_errors/;
    }

    location ~* "/\.(htaccess|htpasswd)$" {
        deny    all;
        return  404;
    }
    location /vstats/ {
        alias   %home%/%user%/web/%domain%/stats/;
        include %home%/%user%/web/%domain%/stats/auth.conf*;
    }

    include     /etc/nginx/conf.d/phpmyadmin.inc*;
    include     /etc/nginx/conf.d/phppgadmin.inc*;
    include     %home%/%user%/conf/web/%domain%/nginx.ssl.conf_*;
}

@ScIT-Raphael (Member)

We just discussed this internally, @ioannidesalex had it also and was able to solve it by setting chmod 755 to public html folder. Could you also check if it would fit for you?

chmod 755 /home/USER/web/DOMAIN/public_html

Depending on your feedback, we'll check and discuss a possible solution during a next hestia upgrade.

ScIT-Raphael self-assigned this May 2, 2020
ScIT-Raphael added the bug, needs feedback and web labels May 2, 2020
ScIT-Raphael added this to the 1.1.3 milestone May 2, 2020

zanami commented May 2, 2020

Yep, chmod 755 helps. I wonder what rule causes this and/or why it works in some cases.

@ScIT-Raphael (Member)

Thanks for your fast feedback, we will check this further and implement a fix after checking all parts.
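
Added example, not part of the thread or of Hestia's code: a mode-bit audit of a docroot path for the web server's uid. On Linux, reaching files inside a directory needs only the search (x) bit, while open() on the directory itself also needs read (r), which is one way public_html/ can log EACCES while its files are still served. The 0751 starting mode, the temporary tree and the worker uid are assumptions built for the demo; ACLs and root's override are not modelled.

```python
import os
import tempfile

def class_bits(st, uid, gids):
    """rwx bits (0-7) that apply to this uid/gid set: owner, else group, else other."""
    if uid == st.st_uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def audit_docroot(docroot, uid, gids=(), stop_at="/"):
    """Check every directory from stop_at down to docroot for the worker uid.
    Ancestors need x (search); the docroot itself also needs r to be open()ed."""
    docroot, stop_at = os.path.abspath(docroot), os.path.abspath(stop_at)
    chain, path = [], docroot
    while True:
        chain.append(path)
        if path == stop_at or os.path.dirname(path) == path:
            break
        path = os.path.dirname(path)
    findings = []
    for p in reversed(chain):
        bits = class_bits(os.stat(p), uid, set(gids))
        if not bits & 1:
            findings.append((p, "missing x"))
        elif p == docroot and not bits & 4:
            findings.append((p, "missing r"))
    return findings

def demo():
    """Constructed tree mirroring the path in the log line; 0751 is an assumed starting mode."""
    base = tempfile.mkdtemp()
    docroot = os.path.join(base, "home/ab/web/somesite.me/public_html")
    os.makedirs(docroot)
    p = docroot
    while True:                                # make the whole chain traversable
        os.chmod(p, 0o755)
        if p == base:
            break
        p = os.path.dirname(p)
    worker_uid = os.stat(docroot).st_uid + 1   # any uid that is not the owner
    os.chmod(docroot, 0o751)                   # assumed mode before the fix
    before = audit_docroot(docroot, worker_uid, stop_at=base)
    os.chmod(docroot, 0o755)                   # the chmod suggested in the thread
    after = audit_docroot(docroot, worker_uid, stop_at=base)
    return docroot, before, after

if __name__ == "__main__":
    print(demo())
```

On a real host, call `audit_docroot` with the uid and group ids of the nginx worker process and the site's public_html path.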
