Laravel + NGINX giving 403 forbidden

Question

I am really stuck loading a Laravel app for the first time on the web (EC2).

I have an instance of Ubuntu 18.04 running latest laravel 5.6. I have been stuck for hours trying to resolve a 403 issue. I have followed:

These steps (create new group, add ubuntu and www-data to it, set group and owner to read, write and execute)

These steps to set folder permissions

... many other attempts / server rebuilds...

So just now I set all files and folders in root to 777 to test

$ find /home/ubuntu/projectname -type f -exec chmod 777 {} \;
$ find /home/ubuntu/projectname -type d -exec chmod 777 {} \;

And on suggestion below I also did this:

$ namei -l /home/ubuntu/projectname/public
f: /home/ubuntu/projectname/public
drwxr-xr-x root     root     /
drwxr-xr-x root     root     home
drwxr-xr-x ubuntu   ubuntu   ubuntu
drwxrwxrwx www-data www-data projectname
drwxrwxrwx www-data www-data public

$ sudo chmod -R 777 /home/ubuntu/projectname

$ ls -l
drwxrwxrwx   8 www-data www-data   4096 Aug 16 10:25 app
-rwxrwxrwx   1 www-data www-data   1686 Aug 16 10:25 artisan
drwxrwxrwx   3 www-data www-data   4096 Aug 16 10:25 bootstrap
-rwxrwxrwx   1 www-data www-data   1652 Aug 16 10:25 composer.json
-rwxrwxrwx   1 www-data www-data 166078 Aug 16 10:25 composer.lock
drwxrwxrwx   2 www-data www-data   4096 Aug 16 10:25 config
drwxrwxrwx   5 www-data www-data   4096 Aug 16 10:25 database
drwxrwxrwx 999 www-data www-data  36864 Aug 16 10:46 node_modules
-rwxrwxrwx   1 www-data www-data   1442 Aug 16 10:25 package.json
-rwxrwxrwx   1 www-data www-data 604905 Aug 16 10:45 package-lock.json
-rwxrwxrwx   1 www-data www-data   1134 Aug 16 10:25 phpunit.xml
drwxrwxrwx   6 www-data www-data   4096 Aug 16 10:46 public
-rwxrwxrwx   1 www-data www-data   3675 Aug 16 10:25 readme.md
drwxrwxrwx   6 www-data www-data   4096 Aug 16 10:25 resources
drwxrwxrwx   2 www-data www-data   4096 Aug 16 10:25 routes
-rwxrwxrwx   1 www-data www-data    563 Aug 16 10:25 server.php
drwxrwxrwx   6 www-data www-data   4096 Aug 16 10:25 storage
drwxrwxrwx   4 www-data www-data   4096 Aug 16 10:25 tests
drwxrwxrwx  45 www-data www-data   4096 Aug 16 10:45 vendor
-rwxrwxrwx   1 www-data www-data   1738 Aug 16 10:25 webpack.mix.js

This last one has me stumped as the result is the same in my nginx project error log (tail -f):

2018/08/16 13:44:25 [error] 27246#27246: *1 directory index of "/home/ubuntu/projectname/public/" is forbidden, client: 29.99.0.232, server: projectname.com.au, request: "GET / HTTP/1.1", host: "projectname.com.au"

I do not know what to try next. Any help will get you on my Christmas card list!

My project is cloned to:

/home/ubuntu/projectname

My nginx config (taken from Laravel's Deploy page) is:

server {
    listen 80;

    server_name projectname.com.au www.projectname.com.au;
    root /home/ubuntu/projectname/public;

    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";

    index index.html index.htm index.php;

    charset utf-8;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    error_page 404 /index.php;

    access_log  /var/log/nginx/projectname.access.log;
    error_log  /var/log/nginx/projectname.error.log error;

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }

    location ~ /\.(?!well-known).* {
        deny all;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/projectname.com.au/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/projectname.com.au/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot


}

server {
    if ($host = www.projectname.com.au) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = projectname.com.au) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


        listen 80;
        server_name projectname.com.au www.projectname.com.au;
    return 404; # managed by Certbot
}

Just to make sure, can you try running `chmod -R 777 /home/ubuntu/projectname` — Chris, Aug 16 '18 at 14:04
hi @Chris. I just updated my question after running the `chmod`. Still same 403 result. Same message in the projectname.error.log — TheRealPapa, Aug 16 '18 at 14:10
The folder should not be 777, and some installations of nginx might actually balk. Is there an index.php in your public folder? The fact that it's trying to show the directory index instead of automatically loading the index file means something's either missing or misconfigured. — aynber, Aug 16 '18 at 14:17
Can you at least access static files in `public` like `/robots.txt`? — Tobias K., Aug 16 '18 at 14:34
Hi @Tobias K, I can access a logo file in the browser using https://projectname.com.au/logo.png. This serves up the image to the browser! Additionally I changed the access rights to 644 (files) and 755 (folders) and the image is still served OK — TheRealPapa, Aug 16 '18 at 14:46
Hi @aynber, the 777 was my last attempt at brute force to see why it is being so difficult. I will not leave it at 777. — TheRealPapa, Aug 16 '18 at 14:47
TheRealPapa regarding static file: Then it's at least not a directory permission issue. Right now I think @Chris answer is the most likely solution/problem. — Tobias K., Aug 16 '18 at 14:48
So where is the index.php from Laravel being served? There are no errors in Laravel log. What kind of voodoo is this? — TheRealPapa, Aug 16 '18 at 14:51
The index.php should be served from the public folder. Can you show the directory listing of the public folder? — aynber, Aug 16 '18 at 14:55
WOW! Hours wasted over a stupid entry in a gitignore file... my index.php was excluded from the repo and so it did not make it onto the server!!! Thanks @aynber you found it for me by asking a most obvious question!! — TheRealPapa, Aug 16 '18 at 15:14

score 15 · Answer 1 · answered Aug 16 '18 at 14:17

15

Try changing this line in the Nginx config:

location / {
    try_files $uri $uri/ /index.php?$query_string;
}

to this:

location / {
   try_files $uri /index.php?$query_string;
}

From what I can see, this is caused because nginx will try to index the directory, and be blocked by itself.

Source answer: Nginx 403 error: directory index of [folder] is forbidden

answered Aug 16 '18 at 14:17

Chris

1,574
4
16
49

Hi @chris, so now the forbidden is gone, but a blank page is served. No errors in the proj.error.log, no errors in laravel.log, and I can see a GET request in proj.access.log. – TheRealPapa Aug 16 '18 at 14:37
Hi Tobias, my blank page is being served with HTTP 200. Nothing in Laravel log, proj.error.log – TheRealPapa Aug 16 '18 at 16:34
I'm confused, I thought your issue was resolved based on your comment that your index.php was in gitignore? You still get that blank page? – Tobias K. Aug 16 '18 at 18:19
Works perfectly. Saved my day! – Margus Pala Apr 17 '19 at 15:27

score 1 · Answer 2 · answered Aug 16 '18 at 14:28

1

There might be permission problems for nginx somewhere else along the path to the root directory.

Run namei -l /home/ubuntu/projectname/public and make sure, that every directory has atleast execute permissions to the nginx user.

answered Aug 16 '18 at 14:28

Balázs Sárközi

17
3

Hi @Balázs Sárközi, here's the output and yes there is execution rights for nginx (unless I misunderstood?). I added the result to my question – TheRealPapa Aug 16 '18 at 14:40

score -1 · Answer 3 · answered May 31 '23 at 15:54

I had to run single site on my server and without creating any other virtual host so I just updated the default config of nginx file and it worked for me.

Let me share the steps and changes I did.

First go to /var/www/html/ and create your project What I did is created the project name with wwwroot to work without error. You can also add a new project there with your project name.

So my project was directly inside wwwroot folder.

In /etc/nginx/sites-available

nano default

I added one more text in this line from this

location / {
     index  index.php index.html index.htm hostingstart.html;  
}

to this

location / {
     index  index.php index.html index.htm hostingstart.html public;  
}

I added public folder inside the location because laravel's index file is located inside public directory.

But if you want to add a project name inside wwwroot folder you can add location name as project_name/public and it will work.

Make sure to restart your nginx server with command service nginx restart after above changes are done.

It worked for me in azure app service which only supports nginx for php8

Laravel + NGINX giving 403 forbidden

3 Answers3

Linked