Nginx – 403 Forbidden serving static files from VirtualBox shared folder with nginx (Ubuntu 10.04LTS guest, Windows 7 host)

http-status-code-403network-sharenginxUbuntuvirtualbox

I'm working on a local development VM and trying to test serving my site with gunicorn and nginx as a reverse proxy for static resources only. The site loads minus static resources with user nginx; in nginx.conf. Attempting to load a static resource individually reveals a 403 Forbidden error.

For background. The static resources are in a shared folder under /media/sf_work. All files are owned by root:vboxsf (VirtualBox default). My user account on the system has been added to the vboxsf group, and I have full access to the shared folder.

For comparison, I tried changing the nginx.conf user to my user account. In that scenario, the static files did load, but then the homepage itself gives a 403 Forbidden error. So, I then tried adding the nginx user to the vboxsf group, but then everything gives a 403 Forbidden error. After further investigation it seems that if the nginx.conf user is in any group, it results in a 403 Forbidden.

Any idea what could possibly be going on here?

UPDATE

So, the issue with the homepage returning 403 Forbidden when using my user account as the nginx user (the only way that static files work) is related to no index.html file being in the directory (directory listing denied). However, I obviously don't want it to list the directory; it should be passing this request off to the gunicorn proxy. I'm using the following:

location / {
    try_files $uri $uri/ @proxy
}
location @proxy {
    proxy_pass_header Server;
    proxy_set_header Host $http_host;
    proxy_redirect off;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Scheme $scheme;
    proxy_connect_timeout 10;
    proxy_read_timeout 10;
    proxy_pass http://127.0.0.1:8080;
}

Is there anything wrong with this?

Best Answer

So, I finally solved it. First, the nginx.conf user must have access to the shared folder, obviously, which means I had to use my user account. I'm not happy about that, but this is just a development box, so security is really not a concern.

Then, there was a problem with my try_files directive. In retrospect, it makes perfect sense. I'm requesting /, and that directory actually does exist, but I don't want that match. So what I actually needed was:

try_files $uri @proxy

Then, everything worked fine.

Related Solutions

Nginx – Help needed setting up nginx to serve static files

I looked at the nginx error logs and found that it was trying to serve the media from /var/django/myproject/site_media/site_media instead of /var/django/myproject/site_media --weird.

I changed root /var/django/myproject/site_media; to root /var/django/myproject; and it works now.

Nginx – Static file permissions with Nginx, Gunicorn and Django

Blanket permissions to these files are not required. Nginx needs just a read permission. My nginx user account is www-data, gunicorn runs with www_flask privileges. Nginx serves all files uploaded from flask without problems.

File permissions ls -lRr /webroot

/webroot:
total 4
drwxr-xr-x 3 www_flask www_flask 4096 Jul  4 13:20 gunicorn

/webroot/gunicorn:
total 4
drwxr-xr-x 2 www_flask www_flask 4096 Jul  4 14:57 uploads

/webroot/gunicorn/uploads:
total 924
-rw-rw-r-- 1 www_flask www_flask 164308 Jul  4 14:55 0001.jpg
-rw-rw-r-- 1 www_flask www_flask  53917 Jul  4 14:56 0004.jpg
-rw-rw-r-- 1 www_flask www_flask 349420 Jul  4 15:07 0005.jpg
-rw-rw-r-- 1 www_flask www_flask 365642 Jul  4 14:56 0006.jpg

nginx config

server {
    listen 127.0.0.1:80;
    server_name localhost;

    location / { 
        try_files $uri @gunicorn_proxy; 
    }   

    location /media {
        alias /webroot/gunicorn/uploads/;
    }   

    location @gunicorn_proxy {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_pass http://127.0.0.1:8000;
    }   
}

Flask upload example from tutorial /home/www_flask/evironments/flask/myapp/myapp.py

import os
from flask import Flask, request, redirect, url_for
from werkzeug import secure_filename

UPLOAD_FOLDER = '/webroot/gunicorn/uploads'

ALLOWED_EXTENSIONS = set(['txt', 'pdf', 'png', 'jpg', 'jpeg', 'gif'])

app = Flask(__name__)
app.config['UPLOAD_FOLDER'] = UPLOAD_FOLDER


def allowed_file(filename):
    return '.' in filename and filename.rsplit('.', 1)[1] in ALLOWED_EXTENSIONS

def uploaded_file(filename):
    return send_from_directory(app.config['UPLOAD_FOLDER'],
                               filename)

@app.route('/', methods=['GET', 'POST'])
def upload_file():
    if request.method == 'POST':
        file = request.files['file']
        if file and allowed_file(file.filename):
            filename = secure_filename(file.filename)
            file.save(os.path.join(app.config['UPLOAD_FOLDER'], filename))
            return redirect('media/' + filename)
    return '''
    <!doctype html>
    <title>Upload new File</title>
    <h1>Upload new File</h1>
    <form action="" method=post enctype=multipart/form-data>
      <p><input type=file name=file>
         <input type=submit value=Upload>
    </form>
    '''

if __name__ == '__main__':
    app.run(debug=True)

Best Answer

Related Solutions

Nginx – Help needed setting up nginx to serve static files

Nginx – Static file permissions with Nginx, Gunicorn and Django

Related Topic