Configure nginx for downloads - Permission denied for user nginx

asdrgil
Posts: 4
Joined: 2021/11/18 09:03:41

Configure nginx for downloads - Permission denied for user nginx

Post by asdrgil » 2021/11/23 15:08:16

I have a webpage with Nginx + uWSGI + Django on CentOS 7 where I have an external path called /download to manage the downloads in Django (the user credentials) and the internal path /download-nginx to actually download the files in the directory /var/www/download. Currently I'm getting a permission denied error on Nginx:

Code:

 open() "/var/www/download/example.txt" failed (13: Permission denied)

I have read several other solutions on SO saying that the problem is that the user provided in nginx.conf does not have enough permissions. The thing is that I believe that it does have enough permissions:

Code:

$ sudo -u nginx stat /var

File: ‘/var’
Size: 4096            Blocks: 8          IO Block: 4096   directory
Device: 802h/2050d      Inode: 50331745    Links: 21
Access: (0777/drwxrwxrwx)  Uid: (  996/   nginx)   Gid: (    0/    root)
Context: system_u:object_r:var_t:s0
Access: 2021-11-23 11:24:53.329927606 +0000
Modify: 2021-11-23 09:43:29.250244353 +0000
Change: 2021-11-23 11:21:37.151148760 +0000

Also, just in case, I have done chmod 777 recursively on the directory /var/www/download.

My nginx.conf file is as follows:

Code:

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 4096;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    client_max_body_size 128M;
    proxy_max_temp_file_size 0;
    proxy_buffering off;
    server_names_hash_bucket_size 256;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;

    upstream django {
        server 127.0.0.1:8000;
    }

    server {
        listen       80;
        listen       [::]:80;
        server_name  _;
        root         /usr/share/nginx/html;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location /download-nginx {
            internal;
            alias /var/www/download;
            sendfile on;
            proxy_max_temp_file_size 0;
        }

        location / {
            uwsgi_pass django;
            proxy_read_timeout 300s;
            proxy_connect_timeout 75s;
            uwsgi_param Host $host;
            uwsgi_param X-Real-IP $remote_addr;
            uwsgi_param X-Forwarded-For $proxy_add_x_forwarded_for;
            uwsgi_param X-Forwarded-Proto $http_x_forwarded_proto;

            uwsgi_param QUERY_STRING $query_string;
            uwsgi_param REQUEST_METHOD $request_method;
            uwsgi_param CONTENT_TYPE $content_type;
            uwsgi_param CONTENT_LENGTH $content_length;
            uwsgi_param REQUEST_URI $request_uri;
            uwsgi_param PATH_INFO $document_uri;
            uwsgi_param DOCUMENT_ROOT $document_root;
            uwsgi_param SERVER_PROTOCOL $server_protocol;
            uwsgi_param HTTPS $https if_not_empty;
            uwsgi_param REMOTE_ADDR $remote_addr;
            uwsgi_param REMOTE_PORT $remote_port;
            uwsgi_param SERVER_PORT $server_port;
            uwsgi_param SERVER_NAME $server_name;
        }

        error_page 404 /404.html;
        location = /404.html {
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }

}

The download view on my Django webpage is as follows (although I'm pretty sure that the error is not in this snippet):

Code:

import os

from django.http import HttpResponse


def download(request):
    # Auth code is omitted #
    response = HttpResponse()
    path = "/var/www/download/example.txt"
    name = "example.txt"
    response['Content-Length'] = os.path.getsize(path)
    # nginx serves the file itself from the internal location named here
    response['X-Accel-Redirect'] = "/download-nginx/{0}".format(name)
    # Drop headers set by Django so nginx supplies its own for the file
    del response['Content-Type']
    del response['Content-Disposition']
    del response['Accept-Ranges']
    del response['Set-Cookie']
    del response['Cache-Control']
    del response['Expires']
    return response

Therefore, my question is: what should I do on my CentOS machine in order to be able to access the data in /var/www/download with the nginx user and provide it to the users as downloadable elements?

asdrgil
Posts: 4
Joined: 2021/11/18 09:03:41

Re: Configure nginx for downloads - Permission denied for user nginx

Post by asdrgil » 2021/11/23 16:14:19

Problem solved with the following snippet:

Code:

sudo chmod +x /var
sudo chmod +x /var/www
sudo chmod +x /var/www/download

TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Configure nginx for downloads - Permission denied for user nginx

Post by TrevorH » 2021/11/23 18:10:44

The only problem with that "solution" is that next time you update the package that owns those directories, it will switch the ownership and permissions back to what they should be and wipe out any changes you have made. Also, the fact that it fixed the issue means that the permissions on those directories were already incorrect as they should all already have the ugo+x permission to start with.

Code:

[root@centos7 ~]# ls -la /var/www
total 20
drwxr-xr-x.  5 root root 4096 Nov 10 14:27 .
drwxr-xr-x. 22 root root 4096 Feb  9  2019 ..
drwxr-xr-x.  2 root root 4096 Nov 10 14:27 cgi-bin
drwxr-xr-x.  2 root root 4096 Nov 10 14:27 html
drwxr-xr-x.  3 root root 4096 May 18  2019 sites

The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
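
An added example, not part of either post or of any project's code: the check this thread turns on, whether every directory on the way to the file grants search (x) permission to the account nginx runs as, carried out over a constructed temporary tree. It compares mode bits only (no ACLs or SELinux), and the uid/gid stand-in and the helper names are assumptions.

```python
import os
import tempfile


def effective_bits(st, uid, gids):
    """Return the one rwx triplet the kernel applies: owner, else group, else other."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 0o7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 0o7
    return st.st_mode & 0o7


def first_denied(path, uid, gids, start="/"):
    """Return (component, "x" or "r") for the first component from `start` down
    that denies uid/gids, or None. Directories need search (x), the file needs r.
    Mode bits only: ACLs, SELinux and root's override are not evaluated."""
    path, start = os.path.abspath(path), os.path.abspath(start)
    chain = [start]
    for name in os.path.relpath(path, start).split(os.sep):
        chain.append(os.path.join(chain[-1], name))
    for comp in chain:
        need, label = (0o4, "r") if comp == path else (0o1, "x")
        if not effective_bits(os.stat(comp), uid, gids) & need:
            return comp, label
    return None


def build_demo_tree():
    """Constructed sample: <tmp>/var/www/download/example.txt, 'www' set to 0750."""
    base = tempfile.mkdtemp()
    www = os.path.join(base, "var", "www")
    target = os.path.join(www, "download", "example.txt")
    os.makedirs(os.path.dirname(target))
    for d in (base, os.path.dirname(www), os.path.dirname(target)):
        os.chmod(d, 0o755)
    os.chmod(www, 0o750)  # search bit missing for "other"
    with open(target, "w") as fh:
        fh.write("constructed sample\n")
    os.chmod(target, 0o644)
    return base, target


if __name__ == "__main__":
    base, target = build_demo_tree()
    # Stand-in for the nginx account: any uid/gid that does not own the tree.
    print(first_denied(target, os.getuid() + 1, {os.getgid() + 1}, start=base))
```

A file that is itself world-readable still fails with error 13 when any one parent directory lacks the search bit, which is why the function reports the first failing component rather than only the file's mode.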
