Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#1118 closed defect (worksforme)

Nginx refuses to allow access to WAR files

Reported by: steowens@… Owned by:
Priority: critical Milestone:
Component: nginx-core Version: 1.10.x
Keywords: Cc:
uname -a: [root@mongodb-1 nginx]# uname -a Linux mongodb-1.iaas.starwave.com 3.10.0-327.36.1.el7.x86_64 #1 SMP Sun Sep 18 13:04:29 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: [root@mongodb-1 nginx]# nginx -V nginx version: nginx/1.10.1 built by gcc 4.8.5 20150623 (Red Hat 4.8.5-4) (GCC) built with OpenSSL 1.0.1e-fips 11 Feb 2013 TLS SNI support enabled configure arguments: --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi --http-scgi-temp-path=/var/lib/nginx/tmp/scgi --pid-path=/run/nginx.pid --lock-path=/run/lock/subsys/nginx --user=nginx --group=nginx --with-file-aio --with-ipv6 --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_slice_module --with-http_stub_status_module --with-http_perl_module=dynamic --with-mail=dynamic --with-mail_ssl_module --with-pcre --with-pcre-jit --with-stream=dynamic --with-stream_ssl_module --with-google_perftools_module --with-debug --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic' --with-ld-opt='-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-E'

Description

No matter what I do to enable access to a war file I am trying to use NGINX as a file serer for, it still returns 403.

[root@mongodb-1 nginx]# cat nginx.conf
# For more information on configuration, see:
# * Official English Documentation: http://nginx.org/en/docs/
# * Official Russian Documentation: http://nginx.org/ru/docs/

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {

worker_connections 1024;

}

http {

log_format main '$remote_addr - $remote_user [$time_local] "$request" '

'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';

access_log /var/log/nginx/access.log main;

sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;

include /etc/nginx/mime.types;
default_type application/octet-stream;

# Load modular configuration files from the /etc/nginx/conf.d directory.
# See http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.
include /etc/nginx/conf.d/*.conf;

server {

listen 80 default_server;
listen [::]:80 default_server;
server_name _;
autoindex on;
root /usr/share/nginx/html;

# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;

location / {

sendfile on;
sendfile_max_chunk 1m;
tcp_nodelay on;
keepalive_timeout 65;

allow all;

}

error_page 404 /404.html;

location = /40x.html {

}

error_page 500 502 503 504 /50x.html;

location = /50x.html {

}

}

# Settings for a TLS enabled server.
#
# server {
# listen 443 ssl http2 default_server;
# listen [::]:443 ssl http2 default_server;
# server_name _;
# root /usr/share/nginx/html;
#
# ssl_certificate "/etc/pki/nginx/server.crt";
# ssl_certificate_key "/etc/pki/nginx/private/server.key";
# ssl_session_cache shared:SSL:1m;
# ssl_session_timeout 10m;
# ssl_ciphers HIGH:!aNULL:!MD5;
# ssl_prefer_server_ciphers on;
#
# # Load configuration files for the default server block.
# include /etc/nginx/default.d/*.conf;
#
# location / {
# }
#
# error_page 404 /404.html;
# location = /40x.html {
# }
#
# error_page 500 502 503 504 /50x.html;
# location = /50x.html {
# }
# }

}

[root@mongodb-1 nginx]# namei -l /usr/share/nginx/html/apim-gateway-webapp-1.0.57-SNAPSHOT.war
f: /usr/share/nginx/html/apim-gateway-webapp-1.0.57-SNAPSHOT.war
dr-xr-xr-x root root /
drwxr-xr-x root root usr
drwxr-xr-x root root share
drwxr-xr-x root root nginx
drwxr-xr-x centos centos html
-rw-r--r-- centos centos apim-gateway-webapp-1.0.57-SNAPSHOT.war

[root@mongodb-1 nginx]# cat /var/log/nginx/error.log
2016/10/20 19:27:40 [error] 5276#0: *2 open() "/usr/share/nginx/html/favicon.ico" failed (2: No such file or directory), client: 10.125.140.188, server: _, request: "GET /favicon.ico HTTP/1.1", host: "10.42.59.194", referrer: "http://10.42.59.194/"
2016/10/20 19:54:05 [error] 5276#0: *3 open() "/usr/share/nginx/html/www/apim-gateway-webapp-1.0.57-SNAPSHOT.war" failed (2: No such file or directory), client: 10.42.59.199, server: _, request: "GET /www/apim-gateway-webapp-1.0.57-SNAPSHOT.war HTTP/1.1", host: "10.42.59.194"
2016/10/20 19:54:36 [error] 5276#0: *4 open() "/usr/share/nginx/html/www/apim-gateway-webapp-1.0.57-SNAPSHOT.war" failed (2: No such file or directory), client: 10.42.59.199, server: _, request: "GET /www/apim-gateway-webapp-1.0.57-SNAPSHOT.war HTTP/1.1", host: "10.42.59.194"
2016/10/20 19:55:19 [error] 5276#0: *5 open() "/usr/share/nginx/html/www/apim-gateway-webapp-1.0.57-SNAPSHOT.war" failed (2: No such file or directory), client: 10.125.140.188, server: _, request: "GET /www/apim-gateway-webapp-1.0.57-SNAPSHOT.war HTTP/1.1", host: "10.42.59.194"
2016/10/20 20:05:21 [error] 5474#0: *1 "/usr/share/nginx/html/www/index.html" is not found (2: No such file or directory), client: 10.125.140.188, server: _, request: "GET /www/ HTTP/1.1", host: "10.42.59.194"
2016/10/20 20:06:01 [error] 5474#0: *5 open() "/usr/share/nginx/html/apim-gateway-webapp-1.0.57-SNAPSHOT.war" failed (13: Permission denied), client: 10.42.59.199, server: _, request: "GET /apim-gateway-webapp-1.0.57-SNAPSHOT.war HTTP/1.1", host: "10.42.59.194"
2016/10/20 20:06:19 [error] 5474#0: *1 open() "/usr/share/nginx/html/apim-gateway-webapp-1.0.57-SNAPSHOT.war" failed (13: Permission denied), client: 10.125.140.188, server: _, request: "GET /apim-gateway-webapp-1.0.57-SNAPSHOT.war HTTP/1.1", host: "10.42.59.194", referrer: "http://10.42.59.194/"
2016/10/20 20:12:59 [error] 5506#0: *1 open() "/usr/share/nginx/html/apim-gateway-webapp-1.0.57-SNAPSHOT.war" failed (13: Permission denied), client: 10.125.140.188, server: _, request: "GET /apim-gateway-webapp-1.0.57-SNAPSHOT.war HTTP/1.1", host: "10.42.59.194", referrer: "http://10.42.59.194/"
2016/10/20 20:13:08 [error] 5506#0: *1 open() "/usr/share/nginx/html/apim-gateway-webapp-1.0.57-SNAPSHOT.war" failed (13: Permission denied), client: 10.125.140.188, server: _, request: "GET /apim-gateway-webapp-1.0.57-SNAPSHOT.war HTTP/1.1", host: "10.42.59.194", referrer: "http://10.42.59.194/"
2016/10/20 20:17:11 [error] 5539#0: *1 open() "/usr/share/nginx/html/apim-gateway-webapp-1.0.57-SNAPSHOT.war" failed (13: Permission denied), client: 10.125.140.188, server: _, request: "GET /apim-gateway-webapp-1.0.57-SNAPSHOT.war HTTP/1.1", host: "10.42.59.194", referrer: "http://10.42.59.194/"
2016/10/20 20:21:29 [error] 5559#0: *1 open() "/usr/share/nginx/html/apim-gateway-webapp-1.0.57-SNAPSHOT.war" failed (13: Permission denied), client: 10.125.140.188, server: _, request: "GET /apim-gateway-webapp-1.0.57-SNAPSHOT.war HTTP/1.1", host: "10.42.59.194", referrer: "http://10.42.59.194/"
2016/10/20 20:32:27 [error] 5585#0: *1 open() "/usr/share/nginx/html/apim-gateway-webapp-1.0.57-SNAPSHOT.war" failed (13: Permission denied), client: 10.125.140.188, server: _, request: "GET /apim-gateway-webapp-1.0.57-SNAPSHOT.war HTTP/1.1", host: "10.42.59.194"
2016/10/20 20:32:31 [error] 5585#0: *1 open() "/usr/share/nginx/html/apim-gateway-webapp-1.0.57-SNAPSHOT.war" failed (13: Permission denied), client: 10.125.140.188, server: _, request: "GET /apim-gateway-webapp-1.0.57-SNAPSHOT.war HTTP/1.1", host: "10.42.59.194", referrer: "http://10.42.59.194/"
2016/10/20 20:33:05 [error] 5585#0: *1 open() "/usr/share/nginx/html/apim-gateway-webapp-1.0.57-SNAPSHOT.war" failed (13: Permission denied), client: 10.125.140.188, server: _, request: "GET /apim-gateway-webapp-1.0.57-SNAPSHOT.war HTTP/1.1", host: "10.42.59.194", referrer: "http://10.42.59.194/"
2016/10/20 20:35:14 [emerg] 5587#0: bind() to 0.0.0.0:80 failed (98: Address already in use)
2016/10/20 20:35:14 [emerg] 5587#0: bind() to [::]:80 failed (98: Address already in use)
2016/10/20 20:35:14 [emerg] 5587#0: bind() to 0.0.0.0:80 failed (98: Address already in use)
2016/10/20 20:35:14 [emerg] 5587#0: bind() to [::]:80 failed (98: Address already in use)
2016/10/20 20:35:14 [emerg] 5587#0: bind() to 0.0.0.0:80 failed (98: Address already in use)
2016/10/20 20:35:14 [emerg] 5587#0: bind() to [::]:80 failed (98: Address already in use)
2016/10/20 20:35:14 [emerg] 5587#0: bind() to 0.0.0.0:80 failed (98: Address already in use)
2016/10/20 20:35:14 [emerg] 5587#0: bind() to [::]:80 failed (98: Address already in use)
2016/10/20 20:35:14 [emerg] 5587#0: bind() to 0.0.0.0:80 failed (98: Address already in use)
2016/10/20 20:35:14 [emerg] 5587#0: bind() to [::]:80 failed (98: Address already in use)
2016/10/20 20:35:14 [emerg] 5587#0: still could not bind()
2016/10/20 20:37:36 [error] 5617#0: *1 open() "/usr/share/nginx/html/apim-gateway-webapp-1.0.57-SNAPSHOT.war" failed (13: Permission denied), client: 10.125.140.188, server: _, request: "GET /apim-gateway-webapp-1.0.57-SNAPSHOT.war HTTP/1.1", host: "10.42.59.194", referrer: "http://10.42.59.194/"
[root@mongodb-1 nginx]#

Change History (4)

comment:1 Changed 3 years ago by steowens@…

/etc/nginx/conf.d is empty
/etc/nginx/default.d is empty

comment:2 Changed 3 years ago by i.bakirov@…

nginx is running under "nginx" user and file has permissions:

-rw-r--r-- centos centos apim-gateway-webapp-1.0.57-SNAPSHOT.war

comment:3 Changed 3 years ago by mdounin

  • Resolution set to worksforme
  • Status changed from new to closed

Most likely you are facing SELinux restrictions, try disabling SELinux to see if it helps. If you have further questions, please use mailing list.

comment:4 Changed 3 years ago by mdounin

  • sensitive changed from 1 to 0
Note: See TracTickets for help on using tickets.