Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#1118 closed defect (worksforme)

Nginx refuses to allow access to WAR files

Reported by: steowens@… Owned by:
Priority: critical Milestone:
Component: nginx-core Version: 1.10.x
Keywords: Cc:
uname -a: [root@mongodb-1 nginx]# uname -a
Linux mongodb-1.iaas.starwave.com 3.10.0-327.36.1.el7.x86_64 #1 SMP Sun Sep 18 13:04:29 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: [root@mongodb-1 nginx]# nginx -V
nginx version: nginx/1.10.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-4) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi --http-scgi-temp-path=/var/lib/nginx/tmp/scgi --pid-path=/run/nginx.pid --lock-path=/run/lock/subsys/nginx --user=nginx --group=nginx --with-file-aio --with-ipv6 --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_slice_module --with-http_stub_status_module --with-http_perl_module=dynamic --with-mail=dynamic --with-mail_ssl_module --with-pcre --with-pcre-jit --with-stream=dynamic --with-stream_ssl_module --with-google_perftools_module --with-debug --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic' --with-ld-opt='-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-E'

Description

No matter what I do to enable access to a war file I am trying to use NGINX as a file serer for, it still returns 403.

[root@mongodb-1 nginx]# cat nginx.conf
# For more information on configuration, see:
# * Official English Documentation: http://nginx.org/en/docs/
# * Official Russian Documentation: http://nginx.org/ru/docs/

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {

worker_connections 1024;

}

http {

log_format main '$remote_addr - $remote_user [$time_local] "$request" '

'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';

access_log /var/log/nginx/access.log main;

sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;

include /etc/nginx/mime.types;
default_type application/octet-stream;

# Load modular configuration files from the /etc/nginx/conf.d directory.
# See http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.
include /etc/nginx/conf.d/*.conf;

server {

listen 80 default_server;
listen [::]:80 default_server;
server_name _;
autoindex on;
root /usr/share/nginx/html;

# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;

location / {

sendfile on;
sendfile_max_chunk 1m;
tcp_nodelay on;
keepalive_timeout 65;

allow all;

}

error_page 404 /404.html;

location = /40x.html {

}

error_page 500 502 503 504 /50x.html;

location = /50x.html {

}

}

# Settings for a TLS enabled server.
#
# server {
# listen 443 ssl http2 default_server;
# listen [::]:443 ssl http2 default_server;
# server_name _;
# root /usr/share/nginx/html;
#
# ssl_certificate "/etc/pki/nginx/server.crt";
# ssl_certificate_key "/etc/pki/nginx/private/server.key";
# ssl_session_cache shared:SSL:1m;
# ssl_session_timeout 10m;
# ssl_ciphers HIGH:!aNULL:!MD5;
# ssl_prefer_server_ciphers on;
#
# # Load configuration files for the default server block.
# include /etc/nginx/default.d/*.conf;
#
# location / {
# }
#
# error_page 404 /404.html;
# location = /40x.html {
# }
#
# error_page 500 502 503 504 /50x.html;
# location = /50x.html {
# }
# }

}

[root@mongodb-1 nginx]# namei -l /usr/share/nginx/html/apim-gateway-webapp-1.0.57-SNAPSHOT.war
f: /usr/share/nginx/html/apim-gateway-webapp-1.0.57-SNAPSHOT.war
dr-xr-xr-x root root /
drwxr-xr-x root root usr
drwxr-xr-x root root share
drwxr-xr-x root root nginx
drwxr-xr-x centos centos html
-rw-r--r-- centos centos apim-gateway-webapp-1.0.57-SNAPSHOT.war

[root@mongodb-1 nginx]# cat /var/log/nginx/error.log
2016/10/20 19:27:40 [error] 5276#0: *2 open() "/usr/share/nginx/html/favicon.ico" failed (2: No such file or directory), client: 10.125.140.188, server: _, request: "GET /favicon.ico HTTP/1.1", host: "10.42.59.194", referrer: "http://10.42.59.194/"
2016/10/20 19:54:05 [error] 5276#0: *3 open() "/usr/share/nginx/html/www/apim-gateway-webapp-1.0.57-SNAPSHOT.war" failed (2: No such file or directory), client: 10.42.59.199, server: _, request: "GET /www/apim-gateway-webapp-1.0.57-SNAPSHOT.war HTTP/1.1", host: "10.42.59.194"
2016/10/20 19:54:36 [error] 5276#0: *4 open() "/usr/share/nginx/html/www/apim-gateway-webapp-1.0.57-SNAPSHOT.war" failed (2: No such file or directory), client: 10.42.59.199, server: _, request: "GET /www/apim-gateway-webapp-1.0.57-SNAPSHOT.war HTTP/1.1", host: "10.42.59.194"
2016/10/20 19:55:19 [error] 5276#0: *5 open() "/usr/share/nginx/html/www/apim-gateway-webapp-1.0.57-SNAPSHOT.war" failed (2: No such file or directory), client: 10.125.140.188, server: _, request: "GET /www/apim-gateway-webapp-1.0.57-SNAPSHOT.war HTTP/1.1", host: "10.42.59.194"
2016/10/20 20:05:21 [error] 5474#0: *1 "/usr/share/nginx/html/www/index.html" is not found (2: No such file or directory), client: 10.125.140.188, server: _, request: "GET /www/ HTTP/1.1", host: "10.42.59.194"
2016/10/20 20:06:01 [error] 5474#0: *5 open() "/usr/share/nginx/html/apim-gateway-webapp-1.0.57-SNAPSHOT.war" failed (13: Permission denied), client: 10.42.59.199, server: _, request: "GET /apim-gateway-webapp-1.0.57-SNAPSHOT.war HTTP/1.1", host: "10.42.59.194"
2016/10/20 20:06:19 [error] 5474#0: *1 open() "/usr/share/nginx/html/apim-gateway-webapp-1.0.57-SNAPSHOT.war" failed (13: Permission denied), client: 10.125.140.188, server: _, request: "GET /apim-gateway-webapp-1.0.57-SNAPSHOT.war HTTP/1.1", host: "10.42.59.194", referrer: "http://10.42.59.194/"
2016/10/20 20:12:59 [error] 5506#0: *1 open() "/usr/share/nginx/html/apim-gateway-webapp-1.0.57-SNAPSHOT.war" failed (13: Permission denied), client: 10.125.140.188, server: _, request: "GET /apim-gateway-webapp-1.0.57-SNAPSHOT.war HTTP/1.1", host: "10.42.59.194", referrer: "http://10.42.59.194/"
2016/10/20 20:13:08 [error] 5506#0: *1 open() "/usr/share/nginx/html/apim-gateway-webapp-1.0.57-SNAPSHOT.war" failed (13: Permission denied), client: 10.125.140.188, server: _, request: "GET /apim-gateway-webapp-1.0.57-SNAPSHOT.war HTTP/1.1", host: "10.42.59.194", referrer: "http://10.42.59.194/"
2016/10/20 20:17:11 [error] 5539#0: *1 open() "/usr/share/nginx/html/apim-gateway-webapp-1.0.57-SNAPSHOT.war" failed (13: Permission denied), client: 10.125.140.188, server: _, request: "GET /apim-gateway-webapp-1.0.57-SNAPSHOT.war HTTP/1.1", host: "10.42.59.194", referrer: "http://10.42.59.194/"
2016/10/20 20:21:29 [error] 5559#0: *1 open() "/usr/share/nginx/html/apim-gateway-webapp-1.0.57-SNAPSHOT.war" failed (13: Permission denied), client: 10.125.140.188, server: _, request: "GET /apim-gateway-webapp-1.0.57-SNAPSHOT.war HTTP/1.1", host: "10.42.59.194", referrer: "http://10.42.59.194/"
2016/10/20 20:32:27 [error] 5585#0: *1 open() "/usr/share/nginx/html/apim-gateway-webapp-1.0.57-SNAPSHOT.war" failed (13: Permission denied), client: 10.125.140.188, server: _, request: "GET /apim-gateway-webapp-1.0.57-SNAPSHOT.war HTTP/1.1", host: "10.42.59.194"
2016/10/20 20:32:31 [error] 5585#0: *1 open() "/usr/share/nginx/html/apim-gateway-webapp-1.0.57-SNAPSHOT.war" failed (13: Permission denied), client: 10.125.140.188, server: _, request: "GET /apim-gateway-webapp-1.0.57-SNAPSHOT.war HTTP/1.1", host: "10.42.59.194", referrer: "http://10.42.59.194/"
2016/10/20 20:33:05 [error] 5585#0: *1 open() "/usr/share/nginx/html/apim-gateway-webapp-1.0.57-SNAPSHOT.war" failed (13: Permission denied), client: 10.125.140.188, server: _, request: "GET /apim-gateway-webapp-1.0.57-SNAPSHOT.war HTTP/1.1", host: "10.42.59.194", referrer: "http://10.42.59.194/"
2016/10/20 20:35:14 [emerg] 5587#0: bind() to 0.0.0.0:80 failed (98: Address already in use)
2016/10/20 20:35:14 [emerg] 5587#0: bind() to [::]:80 failed (98: Address already in use)
2016/10/20 20:35:14 [emerg] 5587#0: bind() to 0.0.0.0:80 failed (98: Address already in use)
2016/10/20 20:35:14 [emerg] 5587#0: bind() to [::]:80 failed (98: Address already in use)
2016/10/20 20:35:14 [emerg] 5587#0: bind() to 0.0.0.0:80 failed (98: Address already in use)
2016/10/20 20:35:14 [emerg] 5587#0: bind() to [::]:80 failed (98: Address already in use)
2016/10/20 20:35:14 [emerg] 5587#0: bind() to 0.0.0.0:80 failed (98: Address already in use)
2016/10/20 20:35:14 [emerg] 5587#0: bind() to [::]:80 failed (98: Address already in use)
2016/10/20 20:35:14 [emerg] 5587#0: bind() to 0.0.0.0:80 failed (98: Address already in use)
2016/10/20 20:35:14 [emerg] 5587#0: bind() to [::]:80 failed (98: Address already in use)
2016/10/20 20:35:14 [emerg] 5587#0: still could not bind()
2016/10/20 20:37:36 [error] 5617#0: *1 open() "/usr/share/nginx/html/apim-gateway-webapp-1.0.57-SNAPSHOT.war" failed (13: Permission denied), client: 10.125.140.188, server: _, request: "GET /apim-gateway-webapp-1.0.57-SNAPSHOT.war HTTP/1.1", host: "10.42.59.194", referrer: "http://10.42.59.194/"
[root@mongodb-1 nginx]#

Change History (4)

comment:1 by steowens@…, 3 years ago

/etc/nginx/conf.d is empty
/etc/nginx/default.d is empty

comment:2 by Ilyas Bakirov, 3 years ago

nginx is running under "nginx" user and file has permissions:

-rw-r--r-- centos centos apim-gateway-webapp-1.0.57-SNAPSHOT.war

comment:3 by Maxim Dounin, 3 years ago

Resolution: worksforme
Status: newclosed

Most likely you are facing SELinux restrictions, try disabling SELinux to see if it helps. If you have further questions, please use mailing list.

comment:4 by Maxim Dounin, 3 years ago

sensitive: 10
Note: See TracTickets for help on using tickets.