Hi, I wanna ask what are the correct permission for "private" and "web" folder. Mine are 710, but I have nginx log full of "permissison denied" messages: 2014/04/26 08:26:55 [crit] 21750#0: *1036140 open() "/var/www/example.com/web/" failed (13: Permission denied), client: serverIpAddress, server: example.com, request: "GET / HTTP/1.0", host: "example.com" But websites are running correctly even with this error message. When I set 750, error message is gone. Thank you EDITED: My only (extra) nginx directive: location / { try_files $uri /index.php?$args; }
hi, thanks for your reply. I think the problem is in try_files directive, because when I go to my web homepage, the url is "/" so nginx try to find a file "/" which is "web" folder, but it's not nginx readable... So only 750 helps. But ispconfig creates websites with 710 (at least my ispconfig).
thanks... I think there is no problem in my nginx configuration (even in link you posted they are using the same directives as I am), it will be something about the permissions and ispconfig. I hope till can explain me more.
Hi mate. I'm having same problem than you. I have reported it before, but I didn't found any solution yet. Here is my previous thread: http://www.howtoforge.com/forums/showthread.php?t=65615
Hi mate, I'm glad not to be alone with this issue. Maybe we should create a ticket in bugtracker. I will do it on monday or thuesday if we won't get reply from till (or anyone from staff).
Here is what I used to run on /web/ folders to clean them up while migrating sites in directly. I have noticed recently (since 3.0.5.4) that ALL files inside /var/www/example.com/ are root:root instead of for example web20:client9. I think something has changed... Code: cd /var/www/example.com/web/ chown -Rf web20:client9 * chown root:root stats find . -type f -exec chmod 754 {} \; find . -type d -exec chmod 775 {} \;
My root:root problems turned out to be OpenVZ second level quota issues. Fix is below. Code: vzctl set 101 --quotaugidlimit 100 --save http://acorp.net/wordpress/second-level-quotas-for-an-openvz-container/
I think root:root issue is about selected value of Security level in Server Config -> Web. When you set high, the permissions are user:group, when you set middle, the permissions are root:root.
The security level should be set to high. the medium security level is just there for some backwarcs compatibility with very old servers. Here are the correct permissions for a website in security level high: Code: root@server1:/var/www/test.int# ls -la total 72 drwxr-xr-x 18 root root 4096 Apr 4 23:31 . drwxr-xr-x 9 root root 4096 Apr 23 12:02 .. -rwxr-xr-x 1 web1 client0 0 Apr 23 12:34 .bash_history drwxr-xr-x 2 root root 4096 Sep 13 2012 bin drwxr-x--x 2 web1 client0 4096 Sep 7 2012 cgi-bin drwxr-xr-x 2 root root 4096 Feb 24 08:30 dev drwxr-xr-x 6 root root 4096 Sep 13 2012 etc drwxr-xr-x 5 root root 4096 Apr 23 12:34 home drwxr-xr-x 3 root root 4096 Sep 13 2012 lib lrwxrwxrwx 1 root root 4 Sep 13 2012 lib64 -> /lib drwxr-xr-x 3 web1 client0 4096 Apr 19 00:30 log drwx--x--- 2 web1 client0 4096 Sep 10 2012 private drwx------ 2 web1 client0 4096 Apr 23 12:34 .ssh drwxr-xr-x 2 root root 4096 Sep 16 2012 ssl drwx--x--- 4 web1 client0 4096 Apr 4 23:31 sub drwxrwxrwx 2 web1 client0 4096 Feb 19 00:30 tmp drwxr-xr-x 6 root root 4096 Sep 13 2012 usr drwxr-xr-x 3 root root 4096 Sep 13 2012 var drwx--x--x 5 web1 client0 4096 Apr 1 16:16 web drwx--x--- 2 web1 client0 4096 Sep 10 2012 webdav This website has a jailed use, so it contains a few more directories.
thank you till... so back to my question - is my issue related to something in my configuration? is everything working for you with your 711 permission and this nginx configuration location / { try_files $uri /index.php?$args; } ? Working means no error message in logs when you go on homepage. My web permissions offtopic: how did you make it your web permissions are so nice formatted?
Yes, without error messages. Your permissions are 710, this was used by former ispconfig versions and has been changed to 711 now as 710 is causing permission problems on nfs servers. Update your server to the current ispconfig version, then enable under System > server config > web that permissions shall be updated on website changes and then use the resync tool to force a update on all websites. use CODE instead of QUOTE to format sourcecode and command output.
definetely I will update, but in this thread http://www.howtoforge.com/forums/showthread.php?t=65615 this guy have same problem as I have and updating didn't help him. I tried to set 711 but it didn't really help. what works is 750. I think it's logical it needs 750 because my root is in web folder, which cant be read by www-data user, but try_files is trying to read this folder when I'm on homepage and uri is /. But if it works for you (and for others too) there must be a hidden problem somewhere.
It might be that it depends on the nginx version. I checked a few additional servers and I see the issue here as well now. We will change the default permissions to 750 even if this removes the website isolation between sites of the same client. The website is running as user web[ID] and the web folder is owned by web[id] user and not www-data, so 711 should be fine and it works, so nginx can access it correctly and should not throw an error message.
hm website is running as webID, put it's php-fpm related, or not? I think nginx works with webs as www-data - am I wrong? That's why it needs 751. And I also noticed there is "nginx" user in my /etc/passwd, it wasn't there before, so probably in some new version of nginx it will create "nginx" user but I don't know its purpuse. Can you confirm you have also nginx user on server where this issue appears?
PHP is running s as webID user. If the permissions would be wrong, then nginx would not display the website as it could not access it.
Yes I understand this, but what I don't understand is that you wrote and then So what you want to say is that it's not a problem with permissions but a problem with nginx itself?
What we are talking about here is that websites are working correctly while nginx writes an error to the log file. If there would be a real problem that nginx can not access the site, then the site wont work (blank page), but indeed, the sites are working correctly, so nginx must be able to access the data to deliver it to the web client with the current permissins.
I don't think so. I'm using try_files try_files $uri /index.php?$args; so first nginx try $uri, on homepage, $uri == / == web folder (beucase $document_root == web_folder), but it's not accessible (because it's 711), so nginx will try /index.php?$args, which is already accessible (in my case 644), so everything is ok. So if I'm not wrong, the problem is just about the web folder and its permission.
