Subject: SOLVED: '403 Forbidden' error after installing nginx
From: Stefan Scott (lis@ruby-forum.com)
Date: Nov 28, 2008 2:23:54 pm
List: ru.sysoev.nginx

Jim Ohlstein wrote:

What are the permissions for /usr/local/nginx ?

Hi -

Thanks for asking this question, because in trying to answer it I had to carefully dig down a bit deeper into the subdirectories under /usr/local/nginx ... and I finally fixed the problem by:

- setting 'r' and 'x' permissions on /usr/local/nginx/html for the 'world' ('other') group
- setting 'r' permission on the *.html files in that directory

using the commands:

sudo chmod o+rx /usr/local/nginx/html
sudo chmod o+r /usr/local/nginx/html/*

Now I see "Welcome to nginx!" in my browser. Thanks.

- Stefan Scott

===========================================================================

Gory details below for anyone who might be interested...

The permissions displayed on both servers are identical when doing 'ls -l /usr/local | grep nginx':

$ ls -l /usr/local | grep nginx
drwxr-sr-x 8 root staff 4096 2008-11-26 21:23 nginx

...but doing 'ls -l /usr/local/nginx' on both servers showed that on the bad server the html folder was missing 'r' and 'x' permissions for the 'world' ('other') group:

BAD-SERVER $ ls -l /usr/local/nginx
total 24
drwx--S--- 2 nobody staff 4096 2008-11-28 22:03 client_body_temp
drwxr-sr-x 2 root staff 4096 2008-11-28 22:02 conf
drwx--S--- 2 nobody staff 4096 2008-11-28 22:03 fastcgi_temp
drwxr-s--- 2 root staff 4096 2008-11-28 22:02 html
drwxr-sr-x 2 root staff 4096 2008-11-28 22:03 logs
drwx--S--- 2 nobody staff 4096 2008-11-28 22:03 proxy_temp

GOOD-SERVER $ ls -l /usr/local/nginx
total 24
drwx--S--- 2 nobody staff 4096 2008-11-26 21:23 client_body_temp
drwxr-sr-x 2 root staff 4096 2008-11-27 16:56 conf
drwx--S--- 2 nobody staff 4096 2008-11-26 21:23 fastcgi_temp
drwxr-sr-x 6 root staff 4096 2008-11-27 15:11 html
drwxr-sr-x 2 root staff 4096 2008-11-28 04:57 logs
drwx--S--- 2 nobody staff 4096 2008-11-26 21:23 proxy_temp

Then I noticed weird output from 'ls -l' on the *.html files on the server that shows the '403' error. A bunch of '?' are displayed instead of permissions info, apparently meaning the current user doesn't have permission to view these files.

Going down to the lowest level (to view the *.html files), doing 'ls -l /usr/local/nginx/html' on the server showing '403' displays a bunch of '?' instead of permissions info:

BAD-SERVER $ ls -l /usr/local/nginx/html
/usr/local/nginx/html:
total 0
?--------- ? ? ? ? ? /usr/local/nginx/html/50x.html
?--------- ? ? ? ? ? /usr/local/nginx/html/index.html

BAD-SERVER $ sudo ls -l html/*
-rw-r----- 1 root staff 383 2008-11-28 22:02 html/50x.html
-rw-r----- 1 root staff 151 2008-11-28 22:02 html/index.html

GOOD-SERVER $ ls -l /usr/local/nginx/html
total 8
-rw-r--r-- 1 root staff 383 2008-11-26 20:59 50x.html
-rw-r--r-- 1 root staff 151 2008-11-26 20:59 index.html

And doing 'cat /usr/local/nginx/html/*' on the "bad" server returned:

cat: /usr/local/nginx/html/50x.html: Permission denied
cat: /usr/local/nginx/html/index.html: Permission denied

I understand the basics but not the subtleties of permissions. Just now I discovered an interesting detail about the need to set the 'r' and 'x' permissions for the 'world' ('other') group on all directories in the path used by the webserver to access the *.html file(s):

======================================================================

http://wiki.debian.org/Permissions

Is there ever a place where you'd want "x" on a directory but not "r"? Yes. This is useful when you want to allow people to get at files in a directory if they happen to know the file's name, but not to be able to find out the names of the files. Also, it can be useful if you're setting up an anonymous upload place, and you don't want people to be able to see what others have uploaded until you have a chance to filter out the undesirable files.

But the most common time you'll see an "x" on a directory without its "r" is when a user has a web site set up in her ~/public_html directory, but doesn't want her entire home directory to be visible to the world. In order for Apache to get to the files in public_html, the home directory has to be "x" (executable) for all users, and so does public_html itself. So she might have it set up something like this:

drwxr-x--x 150 jane jane 19456 2005-03-11 10:29 /home/jane
drwxr-x--x 14 jane jane 5632 2005-02-11 08:48 /home/jane/public_html
-rw-r--r-- 1 jane jane 1226 2004-11-04 10:05 /home/jane/public_html/index.html

Now, other users on the system (outside of the "jane" group) can't see what files jane has in her home directory, and they can't see what she has in her public_html directory, but apache can open the index.html file. (To recap, apache needs "x" permissions on all of the directories leading up to the index.html file, and it needs "r" permission on the file itself, in order to open it for reading.)

======================================================================

So on the "bad" server I set the 'r' and 'x' permissions for 'world' on directory /usr/local/nginx/html:

$ cd /usr/local/nginx
/usr/local/nginx $ sudo chmod o+rx html
/usr/local/nginx $ ls -l
total 24
drwx--S--- 2 nobody staff 4096 2008-11-28 22:03 client_body_temp
drwxr-sr-x 2 root staff 4096 2008-11-28 22:02 conf
drwx--S--- 2 nobody staff 4096 2008-11-28 22:03 fastcgi_temp
drwxr-sr-x 2 root staff 4096 2008-11-28 22:02 html ## r-x set for 'other'
drwxr-sr-x 2 root staff 4096 2008-11-28 22:03 logs
drwx--S--- 2 nobody staff 4096 2008-11-28 22:03 proxy_temp

And then I went into /usr/local/nginx/html and set the 'r' permission for 'world' ('other') on both *.html files:

/usr/local/nginx $ cd html
/usr/local/nginx/html $ ls -l
total 8
-rw-r----- 1 root staff 383 2008-11-28 22:02 50x.html
-rw-r----- 1 root staff 151 2008-11-28 22:02 index.html

/usr/local/nginx/html $ sudo chmod o+r *
/usr/local/nginx/html $ ls -l
total 8
-rw-r--r-- 1 root staff 383 2008-11-28 22:02 50x.html
-rw-r--r-- 1 root staff 151 2008-11-28 22:02 index.html

I had to use 'sudo' because I'm not the owner or in the group for these files/directories.

Maybe this had something to do with the user I was logged in as while doing the nginx install - or maybe the nginx install itself was not configured to set the permissions properly - but at any rate it's working now and I'm very happy to see "Welcome to nginx!" on my home page.

Thanks.
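
Added example, not part of the original message: a small shell check that walks from a served file up through its parent directories and reports which component lacks the 'other' permission bits described above. The function names and the optional BASE argument are hypothetical; it assumes the worker user is neither owner nor group member of the files and that stat supports -c %a.

```shell
#!/bin/sh
# Added example (not from the original post): find the path component that
# blocks a web-server worker. Assumes the worker (e.g. 'nobody') is neither
# owner nor group member, so only the 'other' bits apply, and that stat
# supports -c %a (GNU coreutils or BusyBox).

# other_bits PATH: print the last octal digit of PATH's mode ('other' triplet).
other_bits() {
    mode=$(stat -c %a "$1") || return 2
    echo "${mode#"${mode%?}"}"
}

# check_web_path FILE [BASE]
# Checks FILE and every directory between it and BASE (default /; BASE itself
# is taken as reachable). Directories need o+x, the file needs o+r.
# Returns 0 if nothing blocks the worker, 1 if something does, 2 on stat error.
check_web_path() {
    path=$1 base=${2:-/} rc=0
    bits=$(other_bits "$path") || return 2
    if [ $((bits & 4)) -eq 0 ]; then
        echo "BLOCKED  $path (file lacks o+r)"; rc=1
    else
        echo "ok       $path"
    fi
    while :; do
        path=$(dirname "$path")
        case $path in "$base"|/|.) break ;; esac
        bits=$(other_bits "$path") || return 2
        if [ $((bits & 1)) -eq 0 ]; then
            echo "BLOCKED  $path (directory lacks o+x)"; rc=1
        else
            echo "ok       $path"
        fi
    done
    return $rc
}

# Stand-alone use: sh check_web_path.sh /usr/local/nginx/html/index.html
if [ $# -gt 0 ]; then check_web_path "$@"; fi
```

The check only requires 'x' on directories, matching the quoted Debian wiki text, so a directory with 'x' but no 'r' for 'other' passes. Run it with sudo when the invoking user cannot traverse the path, since stat fails there for the same reason 'ls -l' printed '?' above.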