31

I have a django app, python 2.7 with gunicorn and nginx.

Nginx is throwing a 403 Forbidden Error, if I try to view anything in my static folder @:

/home/ubuntu/virtualenv/myapp/myapp/homelaunch/static

nginx config(/etc/nginx/sites-enabled/myapp) contains:

server {
        listen       80;
        server_name     *.myapp.com;
        access_log /home/ubuntu/virtualenv/myapp/error/access.log;
        error_log /home/ubuntu/virtualenv/myapp/error/error.log warn;
        connection_pool_size 2048;

        fastcgi_buffer_size 4K;
        fastcgi_buffers 64 4k;

        root /home/ubuntu/virtualenv/myapp/myapp/homelaunch/;

        location /static/ {
            alias /home/ubuntu/virtualenv/myapp/myapp/homelaunch/static/;
        }

        location / {
            proxy_pass http://127.0.0.1:8001;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            add_header P3P 'CP="ALL DSP COR PSAa PSDa OUR NOR ONL UNI COM NAV"';
        }
}

error.log contains:

2013/11/24 23:00:16 [error] 18243#0: *277 open() "/home/ubuntu/virtualenv/myapp/myapp/homelaunch/static/img/templated/home/img.png" failed (13: Permission denied), client: xx.xx.xxx.xxx, server: *.myapp.com, request: "GET /static/img/templated/home/img2.png HTTP/1.1", host: "myapp.com", referrer: "http://myapp.com/"

access.log contains

xx.xx.xx.xxx - - [24/Nov/2013:23:02:02 +0000] "GET /static/img/templated/base/animg.png HTTP/1.1" 403 141 "http://myapp.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:25.0) Gecko/20100101 Firefox/25.0"
xx.xx.xx.xxx - - [24/Nov/2013:23:02:07 +0000] "-" 400 0 "-" "-"

I tried just viewing say a .css file in /static/ and it throws an error like this in source:

<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.1.19</center>
</body>
</html>
CodeTalk

9 Answers

33

macOS El Capitan: at the top of nginx.conf, write `user username group_name;`

My user name is Kamil, so I write:

user Kamil staff;

(The word 'staff' is very important in macOS.) This does the trick. After that you don't need to change any permissions on your project folder and files.

Kamil Kiełczewski
28

It appears the user nginx is running as (nginx?) is missing privileges to read the local file /home/ubuntu/virtualenv/myapp/myapp/homelaunch/static/img/templated/home/img.png. You probably wanna check file permissions as well as permissions on the directories in the hierarchy.

bryn
  • 2
    I tried doing the `sudo chmod 777 -R static` (just to see if it makes any difference) and it doesn't – CodeTalk Nov 24 '13 at 23:49
  • 3
    So it is likely the user is missing the right to stat/list one or more directories in the hierarchy. This may be best solved using group membership, but if you do `chmod a+x` on every directory (home,ubuntu,virtualenv etc) I am guessing it will work. The executable bit on directories controls whether users are allowed to list contents. – bryn Nov 25 '13 at 00:25
  • Sadly I did this on static dir, then all the subdir and still getting the same error in error.log and access.log – CodeTalk Nov 25 '13 at 00:35
  • 1
    It is more likely it is 'missing' +x on /home/ubuntu (so not subdirs, but parent dirs). Which user is nginx running as? A different, more or less dirty fix (depending on setup) may be `gpasswd -a nginx ubuntu` (where *nginx* is the user nginx is running as and *ubuntu* is the user private group of user *ubuntu*). – bryn Nov 25 '13 at 00:48
  • how can i determine the user nginx is running as? – CodeTalk Nov 25 '13 at 00:58
  • and what is missing?? – CodeTalk Nov 25 '13 at 01:00
  • 1
    `ps -ef | grep nginx` should give a list of running nginx processes. `ps -ef | grep nginx | cut -d' ' -f1` should give you just the user (the leftmost column). – bryn Nov 25 '13 at 19:08
  • @bryn that was certainly my issue and that fixed my issue. is this safe to do in production? – Gobi Dasu May 19 '17 at 06:40
  • 1
    @GovindaDasu The short answer is "probably, yes" (if you mean `chmod a+x`), but you could confine it more by setting `+x` on the directories only for the given user or group...or you could set up a directory structure outside of /home. If the rest of your setup is OK (maybe disable directory listings in nginx where not needed?), `chmod a+x` may be just fine! :) – bryn May 19 '17 at 10:32
  • Make sure you do that at `/etc/nginx/nginx.conf` – A Campos Dec 21 '22 at 00:15
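
The situation discussed in this answer and its comments (static is 777, yet nginx still gets "13: Permission denied" because a parent directory denies it) can be checked mechanically by walking every path component for the nginx user. This is an added example, not code from the thread; the function names, the uid/gid numbers and the 750 mode on /home/ubuntu are assumptions, and only classic mode bits are evaluated (no ACLs, SELinux or AppArmor).

```python
import os, pwd, stat

def class_bits(mode, owner, group, uid, gids):
    """rwx triplet the kernel applies: owner, else group, else other (first match wins)."""
    perms = stat.S_IMODE(mode)
    if uid == owner:
        return (perms >> 6) & 7
    if group in gids:
        return (perms >> 3) & 7
    return perms & 7

def first_blocker(entries, uid, gids):
    """entries: (path, st_mode, st_uid, st_gid) tuples ordered from / down to the file.
    Returns (path, reason) for the first component that denies uid, or None."""
    for path, mode, owner, group in entries:
        bits = class_bits(mode, owner, group, uid, gids)
        if stat.S_ISDIR(mode):
            if not bits & 1:  # directories must be searchable to pass through
                return (path, "no x (search) on directory")
        elif not bits & 4:    # the file itself must be readable
            return (path, "no r on file")
    return None

def collect(path):
    """stat() every component of a real path, root first."""
    chain, cur = [], os.path.abspath(path)
    while True:
        st = os.stat(cur)
        chain.append((cur, st.st_mode, st.st_uid, st.st_gid))
        if os.path.dirname(cur) == cur:
            return chain[::-1]
        cur = os.path.dirname(cur)

def check(path, username):
    """Check a real file against a real account, e.g. check(png_path, "www-data")."""
    pw = pwd.getpwnam(username)
    return first_blocker(collect(path), pw.pw_uid, set(os.getgrouplist(username, pw.pw_gid)))

# Constructed sample (intermediate directories omitted; owners, ids and modes assumed).
D, F = stat.S_IFDIR, stat.S_IFREG
SAMPLE = [
    ("/", D | 0o755, 0, 0),
    ("/home", D | 0o755, 0, 0),
    ("/home/ubuntu", D | 0o750, 1000, 1000),
    ("/home/ubuntu/virtualenv/myapp/myapp/homelaunch/static", D | 0o777, 1000, 1000),
    ("/home/ubuntu/virtualenv/myapp/myapp/homelaunch/static/img/templated/home/img.png", F | 0o777, 1000, 1000),
]
if __name__ == "__main__":
    print(first_blocker(SAMPLE, 33, {33}), first_blocker(SAMPLE, 33, {33, 1000}))
```

On a real host, `check(path, user)` with the account found via `ps -ef | grep nginx` names the one directory that needs a group or mode change, so nothing has to be opened up to 777.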
12

It seems the web server user doesn't have read permissions to the static files. You can solve this in 2 ways:

  1. (easiest, safer) Run nginx as your app user instead of the default nginx user. To do this, add the following in nginx.conf:

    user your_app_user;

    Replace your_app_user with the appropriate unix username for your app. In this case your_app_user already has the necessary permissions to the static content.

  2. Another way would be to grant permissions for the web server user to the static dir.

Eje
user4212639
10

The minimum fix that worked for me is:

sudo chmod -R 664 /home/ubuntu/virtualenv/myapp/myapp/homelaunch/static/
sudo chmod -R a+X /home/ubuntu/virtualenv/myapp/myapp/homelaunch/static/

(BTW, in my case the static folder is called collected_static)

jpaugh
o_c
9

The best solution in that case would be to add www-data to username group:

gpasswd -a www-data username

For your changes to work, restart nginx

nginx -s reload

Sanjay Sikdar
7

Try specifying a user at the top of your nginx.conf, above the server section.

user www-data;
jpaugh
eezis
3

I had the same issue not long ago. It might be a combination of factors. I found how to fix 403 access denied by replacing the user in the nginx.conf file.

  • I deployed my website on an ubuntu server using Digital Ocean.
  • I created a new user on my new ubuntu server and gave it admin privileges
    adduser newuser

    usermod -aG sudo newuser 
  • I updated my new server and installed a few packages
    sudo apt update

    sudo apt install python3-pip python3-dev libpq-dev postgresql postgresql-contrib nginx curl 
  • I followed all these beautiful instructions on how to deploy your site on Digital Ocean
  • Since I changed the user and I ssh into my new server using this new user, I need to replace the user on the nginx.conf. By default nginx.conf user is www-data:
    user www-data;

    worker_processes auto;

    pid /run/nginx.pid;

Then I replaced with my sudo user and solved my problem.

    user newuser;

    worker_processes auto;

    pid /run/nginx.pid;
  • Then I restarted nginx, gunicorn and postgresql (even if the last one is not really necessary)
    sudo systemctl restart nginx 

    sudo systemctl restart gunicorn

    sudo systemctl restart postgresql

And tada.. :) no more issue.

ManuCiao
2

Fix 403 error with Django static files on Ubuntu server.

  1. Run this -> gpasswd -a www-data your_proj_username

  2. Reload nginx -> nginx -s reload

  3. Check chmod for your dirs: /home, /home/proj_dir, /home/proj_dir/static

  • Run this - stat --format '%a' /home . Result must be 755
  • Run this - stat --format '%a' /home/your_proj_dir/static . Result must be 755
  • Run this - stat --format '%a' /home/your_proj_dir . Result must be 750
  4. If you have different values you can try to change this:
  • sudo chmod 755 /home
  • sudo chmod 755 /home/your_proj_dir/static
  • sudo chmod 750 /home/your_proj_dir
  5. Reload your project server. This solves all permission errors.
-6

After hours upon hours following so many articles, I ran across : http://nicholasorr.com/blog/2008/07/22/nginx-engine-x-what-a-pain-in-the-bum/

which had a comment to chmod the whole django app dir, so I did:

sudo chmod -R myapp

This fixed it. Unbelievable!

Thanks to those who offered solutions to fix this.

CodeTalk
  • 3
    `chmod 777 -R myapp` worked for me. The above code has a syntax error. – atilkan Oct 16 '15 at 19:20
  • 17
    chmod 777 is NOT a solution. You're making your files globally read/write/executable; all of these are potentially bad things. Please read up on file permissions and never, ever suggest this to anyone. – kungphu Apr 16 '16 at 00:37