I am setting up an nginx webserver for a new website, and I'd like to set the root directory for my webserver to srv, so I created the /srv directory and placed all webserver files there, but nginx is not able to find any files within it. I receive an error 404 on every visit. It is able to find the files when root is set to /var/www/html, though (or any directory inside /var/www). I am running OpenBSD. Below is my /etc/nginx/nginx.conf file:

```nginx
user www;
worker_processes 1;
events {
    worker_connections 800;
}

http {
    index index.html;

    server {
        root /srv/foo;
        listen 80;
        listen [::]:80;
        server_name example.com www.example.com;
        sendfile on;
        tcp_nopush on;
        access_log /var/log/nginx/access.log;

        location / {
            add_header X-uri "$uri" always;
            add_header X-docroot "$document_root" always;
            add_header X-realroot "$realpath_root" always;
            try_files $uri $uri.html $uri/ =404;
        }
    }
}
```

All directories and files have read permissions set. Additionally, I have also tried to host the files in a new directory called /usr/srv, but I had the same issue. I am adding headers in the hopes of providing some debug information, but everything looks normal in a curl GET request. I do get an error with the realpath_root header. Below is the log:

```
2023/06/25 16:30:01 [crit] 14127#0: *32 realpath() "/srv/foo" failed (2: No such file or directory), client: 127.0.0.1, server: example.com, request: "GET / HTTP/1.1", host: "example.com"
```

Any clue why I am not able to serve from any subdirectory other than /var/www subdirectories?

skytanium
  • Have you looked at the logs? Does this happen from the local machine or from external machines? Is the port open? Is SELinux enabled? The most important thing is the logs. – Nasir Riley Jun 26 '23 at 01:10
  • I have looked in the logs and there is nothing of interest; a 404 page is returned for all request URIs. This happens on both local and external machines. SELinux is not applicable in this case since I am running OpenBSD, but if there is a similar program handling permissions on OpenBSD, I am not aware of it. In OpenBSD's built-in HTTP server (httpd), the program is chrooted to /var/www. I believe it's possible that the same could be happening for nginx, which could be the source of the issue, but I'm not sure how to test it. – skytanium Jun 26 '23 at 03:11
  • You might start by checking the paths in your config files to see if they contain symlinks - this would indicate that nginx may be running in a chroot environment. – symcbean Jun 26 '23 at 09:40
  • Ignore the part about SELinux. The issue is chroot. As there is a user running the daemon, which in your case is `www`, it is restricted to that user's home. You can see what this is with the command `getent passwd www`. – Nasir Riley Jun 26 '23 at 12:15

1 Answer

On OpenBSD, Nginx is chrooted. From OpenBSD 5.6 nginx(8) man page:

> -u
>
> By default nginx will chroot(2) to the home directory of the user running the daemon, typically “www”, or to the home directory of user in nginx.conf. The -u option disables this behaviour, and returns nginx to the original "unsecure" behaviour.

Your desired configuration decreases security. Is there a real reason for using /srv/foo instead of /var/www/foo?

Esa Jokinen
  • My reasoning for moving my server files out of var was because I prefer having all files in `var` be variable or temporary files (log files, mail, etc), for organization's sake. To me, static web content seems very permanent. --- Strangely, earlier I had attempted to change the home directory of the `www` user to `/srv` to see if that was the issue. It didn't solve it for me, but I'll try it again soon. How could changing the home directory to another isolated directory decrease security? – skytanium Jun 26 '23 at 13:22
  • Update: Passing the -u option solves the issue, so I'm marking this answer as accepted. However, changing the home directory of the `www` user via the `usermod` or `vipw` commands does NOT change where nginx chroots to. Neither does creating a new user with its own home directory and having nginx run as that user. Nginx appears to root to `/var/www` regardless of what the user's home directory is. – skytanium Jun 26 '23 at 14:09
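
A pre-flight check for the situation diagnosed in this thread, as an added example that is not part of the original posts or of nginx itself: it lists the `root` directives in a config file and flags any that lie outside the directory nginx chroots to, which lets the files stay inside the chroot instead of disabling it with `-u`. It assumes one directive per line and a chroot directory of `/var/www`, as reported above; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: flag nginx `root` directives a chrooted worker cannot reach.
# Assumption: the chroot directory is passed in (/var/www in this thread).

# list_roots CONF: print the path of every `root` directive, one per line.
# Comments are dropped; surrounding double quotes and the ';' are removed.
list_roots() {
    sed -e 's/#.*//' "$1" |
        awk '$1 == "root" { p = $2; gsub(/[";]/, "", p); print p }'
}

# inside PATH DIR: succeed if PATH is DIR itself or lies below it.
# Lexical check on a path boundary, so /var/wwwroot is not treated as
# being under /var/www. Symlinks are not resolved here.
inside() {
    dir=${2%/}
    case "$1" in
        "$dir"|"$dir"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_roots CONF CHROOT_DIR: report each root; return 1 if any is outside.
check_roots() {
    list_roots "$1" | (
        rc=0
        while IFS= read -r r; do
            if inside "$r" "$2"; then
                echo "ok       $r"
            else
                echo "outside  $r (not visible after chroot to $2)"
                rc=1
            fi
        done
        exit "$rc"
    )
}

# Constructed sample config: the root from the question and one inside /var/www.
conf=$(mktemp)
printf '%s\n' 'server {' '    root /srv/foo;  # as in the question' '}' \
    'server {' '    root /var/www/foo;' '}' > "$conf"
check_roots "$conf" /var/www || echo "at least one root is outside the chroot"
rm -f "$conf"
```

A symlink placed inside `/var/www` that points to `/srv` would pass this lexical check but still fail at request time, because the link target is resolved inside the chroot.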