1
votes

CentOS 7 + nginx 1.13.1

SELinux -> Current mode: permissive

Doing everything under root account.

The /root/raid is the same folder as /usr/share/nginx/html/raid as it is mounted from /dev/md0:

mount /dev/md0 /usr/share/nginx/html/raid
mount /dev/md0 /root/raid

If I try to change the root folder in nginx.conf to something outside of /usr/share/nginx/, like /root/raid, I get a 403 error :(

Here's my nginx.conf:

user  nginx;
worker_processes auto;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;

events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;

    keepalive_timeout  65;

    include /etc/nginx/conf.d/*.conf;


    server {
        listen       80 default_server;
        server_name  _ server1 server1.domain.com;

        root         /usr/share/nginx/html/raid;
        #root         /root/raid;

        location / {
        }

        error_page 404 /404.html;
            location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }

    }
}

I did this:

# chown -R nginx:nginx /usr/share/nginx/html/raid
# chmod -R 775 /usr/share/nginx/html/raid

Or this (not really needed as they're the same folder anyway, right?):

# chown -R nginx:nginx /root/raid
# chmod -R 775 /root/raid

# ls -la /usr/share/nginx/html/raid
total 28
drwxrwxr-x. 3 nginx nginx 4096 Jun 20 02:56 .
drwxr-xr-x. 3 root  root    18 Jun 20 02:56 ..
-rwxrwxr-x. 1 nginx nginx 3650 Oct 31  2016 404.html
-rwxrwxr-x. 1 nginx nginx  537 May 30 18:10 50x.html
-rwxrwxr-x. 1 nginx nginx  924 Jun 16 21:49 index.html
-rwxrwxr-x. 1 nginx nginx   19 Jun  8 18:48 info.php
-rwxrwxr-x. 1 nginx nginx    1 Jun 20 02:56 test

# ls -la /root/raid
total 28
drwxrwxr-x. 3 nginx nginx 4096 Jun 20 02:56 .
dr-xr-x---. 6 root  root   192 Jun 20 02:23 ..
-rwxrwxr-x. 1 nginx nginx 3650 Oct 31  2016 404.html
-rwxrwxr-x. 1 nginx nginx  537 May 30 18:10 50x.html
-rwxrwxr-x. 1 nginx nginx  924 Jun 16 21:49 index.html
-rwxrwxr-x. 1 nginx nginx   19 Jun  8 18:48 info.php
-rwxrwxr-x. 1 nginx nginx    1 Jun 20 02:56 test

As soon as I change the root path in nginx.conf back to /usr/share/nginx/html/raid, the site opens up correctly.

Also I've tried:

# setsebool -P httpd_can_network_connect on
# chcon -Rt httpd_sys_content_t /root/raid
# chcon -R --reference=/usr/share/nginx /root/raid

Shouldn't be really needed with permissive mode, right?

nginx logs show the following:

/var/log/access.log:

192.168.0.103 - - [20/Jun/2017:12:45:33 +0300] "GET / HTTP/1.1" 403 571 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36" "-"

/var/log/error.log:

2017/06/20 12:45:33 [error] 18114#18114: *4 "/root/raid/index.html" is forbidden (13: Permission denied), client: 192.168.0.103, server: _, request: "GET / HTTP/1.1", host: "server1.domain.com"

What did I forget? :)

1 Answer

0
votes

(1) DON'T mount the same device at different mount points. This is not the root cause, but don't do it forever.
(2) The mount point "/root/raid" is a directory under the root's home path "/root"; "nginx:nginx" can't read a subdirectory of "/root", right? Don't mount /dev/md0 under "/root"; change the mount point to another logical directory, such as "/srv/app/raid".
(3) A better way is to use a soft link if you want to change the webroot, such as:

ln -s /srv/app/raid /other_path/raid

So "/other_path/raid" is your new webroot.
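
The `(13: Permission denied)` in the error log fits the `dr-xr-x---` mode on /root in the question's listing: the nginx worker needs search permission on every ancestor directory of the file, not only on the webroot. The following is an added example (not part of the original question or answer) that walks a path's ancestors and reports the first one without the "other" execute bit. The function names and the optional TOP argument are hypothetical, and it assumes GNU `stat`.

```sh
# Added example. Assumptions: GNU stat; the web server user is neither owner
# nor group member of the directories, so only the "other" execute (search)
# bit decides traversal; ACLs and SELinux are not evaluated.

# first_blocked_dir FILE [TOP]
# Checks FILE's ancestor directories from TOP (default /) downward. Prints
# the first one lacking o+x and returns 1; returns 0 if all are traversable.
first_blocked_dir() {
    top=${2:-/}
    dir=$(dirname -- "$1")
    chain=""
    while :; do                       # build the list, topmost first
        chain="$dir
$chain"
        case $dir in "$top"|/|.) break ;; esac
        dir=$(dirname -- "$dir")
    done
    while IFS= read -r d; do
        [ -n "$d" ] || continue
        mode=$(stat -L -c '%a' -- "$d") || return 2
        case ${mode#"${mode%?}"} in   # last octal digit = "other" bits
            1|3|5|7) ;;
            *) printf '%s\n' "$d"; return 1 ;;
        esac
    done <<EOF
$chain
EOF
    return 0
}

# Constructed sample tree mirroring the page: a 550 "root" directory above
# the webroot, and a world-traversable srv/app/raid alternative.
demo_tree() {
    base=$(mktemp -d)
    mkdir -p "$base/root/raid" "$base/srv/app/raid"
    : > "$base/root/raid/index.html"
    : > "$base/srv/app/raid/index.html"
    chmod 755 "$base" "$base/srv" "$base/srv/app" "$base/srv/app/raid"
    chmod 775 "$base/root/raid"
    chmod 550 "$base/root"            # dr-xr-x---, as in the listing above
    printf '%s\n' "$base"
}

if [ $# -ge 1 ]; then                 # e.g. sh check.sh /root/raid/index.html
    if blocked=$(first_blocked_dir "$@"); then
        echo "every ancestor directory has o+x"
    else
        echo "no o+x on: $blocked"
    fi
fi
```

`namei -l /root/raid/index.html` from util-linux prints the same per-component modes for manual inspection.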