11

I am trying to set up roundcube / phpldapadmin / ... with Nginx on relative urls, e.g.:

example.com/roundcube
example.com/phpldapadmin

The sources are in the following folders:

/var/www/roundcube
/usr/share/phpldapadmin

Everything was working fine with Apache 2.4 but I am new to Nginx. I have the following location for roundcube:

location /roundcube/ {
    root /var/www;
    index index.php;

    location ~ \.php$ {
        try_files $uri =404;
        include /etc/nginx/fastcgi_params;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}

Which works fine, but the following for phpldapadmin does not work:

location /phpldapadmin/ {
    alias  /usr/share/phpldapadmin/htdocs;
    index  index.php index.html index.htm;

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        include /etc/nginx/fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}

I get a 403 forbidden, with the following logs:

2016/02/07 21:43:33 [error] 23047#0: *1 directory index of "/usr/share/phpldapadmin/htdocs" is forbidden, client: xxx.xxx.xxx.xxx, server: , request: "GET /phpldapadmin/ HTTP/1.1", host: ""

I checked the permissions:

$ namei -om /usr/share/phpldapadmin/htdocs
f: /usr/share/phpldapadmin/htdocs
 drwxr-xr-x root root     /
 drwxr-xr-x root root     usr
 drwxr-xr-x root root     share
 drwxr-xr-x root root     phpldapadmin
 drwxr-xr-x root www-data htdocs
$ ls -l /usr/share/phpldapadmin/htdocs/index.php
-rw-r--r-- 1 root root 20036 Oct 28 17:32 /usr/share/phpldapadmin/htdocs/index.php

I tried changing the owner to :www-data but it did not work. When I tried the following for roundcube it did not work:

location /roundcube/ {
    alias /var/www/roundcube;
    ...
}

I am thinking that this is probably a problem with a trailing /, or something similar, but I am really new to nginx so I can't find it...

Basically, I have the inverse problem of: https://stackoverflow.com/questions/31820362/nginx-403-directory-is-forbidden-when-using-root-location

Holt

2 Answers

16

The location and alias should both have a trailing / or neither have a trailing /. But in your case, you should be using root instead of alias for both location blocks.

location /roundcube {
    root /var/www;
    index index.php;

    location ~ \.php$ {
        try_files $uri =404;

        fastcgi_pass unix:/var/run/php5-fpm.sock;

        include /etc/nginx/fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}

location /phpmyadmin {
    root  /usr/share;
    index  index.php index.html index.htm;

    location ~ \.php$ {
        try_files $uri =404;

        fastcgi_pass unix:/var/run/php5-fpm.sock;

        include /etc/nginx/fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}

The fastcgi_index will not do anything in a location that only matches .php (see this document).

The SCRIPT_FILENAME parameter is needed in both blocks (or neither if it is already in /etc/nginx/fastcgi_params).

Richard Smith
  • Thanks for your reply, actually I had tried every possible combination of trailing slashes for `location` and `root` and did not manage to get it working. With `root` it works well, the problem is that (I forgot to put this in the question...) I have `phpldapadmin`, which has its root in `phpldapadmin/htdocs`, so I cannot use `root`. I managed to get it working by removing the `try_files` instruction after reading that `try_files` and `alias` do not work well together. – Holt Feb 08 '16 at 20:13
  • I also had to change the `fastcgi_param` to `$request_filename` for the conf to work, and it works with a trailing slash in `location` and no trailing slash in `root` (but not for `alias`), don't know if it's normal... – Holt Feb 08 '16 at 20:14
  • `root` doesn't care about trailing slashes because it isn't trying to rewrite the URI. But using `$request_filename` with `alias` is a good idea - I will remember that one. – Richard Smith Feb 08 '16 at 20:27
  • I got it working, but since you seem to be far more competent than I am about nginx, I'd be very happy if you could provide an explanation of why `$request_filename` makes the whole thing work... And thanks for the explanation about the trailing slash! – Holt Feb 08 '16 at 20:30
  • Many examples show SCRIPT_FILENAME set to `$document_root$fastcgi_script_name` because it works with the `fastcgi_split_path_info` directive. Unless modified, `$fastcgi_script_name` is the same value as `$uri`. The `root` directive causes `$request_filename` to be set to `$document_root$uri`, whereas the `alias` directive removes the location prefix from `$uri` before computing `$request_filename`. I think that `$request_filename` is a robust solution and that `alias` has some unusual side-effects which are not necessarily all bugs. – Richard Smith Feb 08 '16 at 20:59
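
The mapping described in the last comment above, as an added example that is not part of the original thread: a simplified Python model (not nginx code) of how `root` and `alias` turn a URI into a file path for a prefix location, run on the question's paths. The function and key names (`map_request`, `slashes_agree`, `docroot_plus_script`) are made up for this sketch, and regex locations and `try_files` are not modelled.

```python
# Added example: simplified model of how nginx maps a URI to a file for a
# prefix location. Not nginx code; regex locations are not modelled.

def map_request(directive, location, path, uri):
    """Model $document_root, $request_filename and the value of
    $document_root$fastcgi_script_name for `root path` or `alias path`."""
    if not uri.startswith(location):
        raise ValueError("uri is not under this location")
    if directive == "root":
        # root: the whole URI is appended to the path.
        request_filename = path + uri
    elif directive == "alias":
        # alias: the location prefix is cut from the URI and the remainder
        # is appended as a plain string; no "/" is inserted.
        request_filename = path + uri[len(location):]
    else:
        raise ValueError("directive must be 'root' or 'alias'")
    return {
        "document_root": path,  # with alias, this is the alias value
        "request_filename": request_filename,
        # $fastcgi_script_name is $uri unless fastcgi_split_path_info changes it
        "docroot_plus_script": path + uri,
    }

def slashes_agree(location, alias_path):
    """Rule from the answer: both end with "/" or neither does."""
    return location.endswith("/") == alias_path.endswith("/")

# Paths taken from the question; the third case adds the trailing slash.
CASES = [
    ("root", "/roundcube/", "/var/www"),
    ("alias", "/phpldapadmin/", "/usr/share/phpldapadmin/htdocs"),
    ("alias", "/phpldapadmin/", "/usr/share/phpldapadmin/htdocs/"),
]

if __name__ == "__main__":
    for directive, location, path in CASES:
        m = map_request(directive, location, path, location + "index.php")
        print(f"{directive} {path} in location {location}")
        print("  $request_filename                   ", m["request_filename"])
        print("  $document_root$fastcgi_script_name  ", m["docroot_plus_script"])
        if directive == "alias":
            print("  slashes agree:", slashes_agree(location, path))
```

Under `alias`, `$document_root$fastcgi_script_name` points below `htdocs/phpldapadmin/`, a directory that does not exist, while `$request_filename` points at `htdocs/index.php` once the trailing slashes match. `SCRIPT_FILENAME` is the path PHP-FPM is asked to execute, so it is worth confirming it resolves to the intended file for each aliased application.
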
1

Alternatively, you can try to write at the top of nginx.conf: user username

Since I am using AWS Linux EC2 instance I wrote

user ec2-user;

instead of

user nginx;

This solves the problem by giving all the required permissions.

rahulthakur319
  • This seems more like a workaround rather than a good solution. You probably should move media to somewhere such as /var/www – Enzo Dtz Aug 21 '22 at 02:00