Forbidden location when using alias in nginx for relative urls
S

2

11

I am trying to set up roundcube / phpldapadmin / ... with Nginx on relative urls, e.g.:

example.com/roundcube
example.com/phpldapadmin

The sources are in the following folders:

/var/www/roundcube
/usr/share/phpldapadmin

Everything was working fine with Apache 2.4 but I am new to Nginx. I have the following location for roundcube:

location /roundcube/ {
    root /var/www;
    index index.php;

    location ~ \.php$ {
        try_files $uri =404;
        include /etc/nginx/fastcgi_params;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}

Which works fine, but the following for phpldapadmin does not work:

location /phpldapadmin/ {
    alias  /usr/share/phpldapadmin/htdocs;
    index  index.php index.html index.htm;

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        include /etc/nginx/fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}

I get a 403 forbidden, with the following logs:

2016/02/07 21:43:33 [error] 23047#0: *1 directory index of "/usr/share/phpldapadmin/htdocs" is forbidden, client: xxx.xxx.xxx.xxx, server: , request: "GET /phpldapadmin/ HTTP/1.1", host: ""

I checked the permission:

$ namei -om /usr/share/phpldapadmin/htdocs
f: /usr/share/phpldapadmin/htdocs
 drwxr-xr-x root root     /
 drwxr-xr-x root root     usr
 drwxr-xr-x root root     share
 drwxr-xr-x root root     phpldapadmin
 drwxr-xr-x root www-data htdocs
$ ls -l /usr/share/phpldapadmin/htdocs/index.php
-rw-r--r-- 1 root root 20036 Oct 28 17:32 /usr/share/phpldapadmin/htdocs/index.php

I tried changing the owner to :www-data but it did not work. When I tried the following for roundcube it did not work:

location /roundcube/ {
    alias /var/www/roundcube;
    ...
}

I am thinking that this is probably a problem with a trailing /, or something similar, but I am really new to nginx so I can't find it...

Basically, I have the inverse problem of: https://stackoverflow.com/questions/31820362/nginx-403-directory-is-forbidden-when-using-root-location

Subway answered 7/2, 2016 at 20:54 Comment(0)
D
17

The location and alias should both have a trailing / or neither have a trailing /. But in your case, you should be using root instead of alias for both location blocks.

location /roundcube {
    root /var/www;
    index index.php;

    location ~ \.php$ {
        try_files $uri =404;

        fastcgi_pass unix:/var/run/php5-fpm.sock;

        include /etc/nginx/fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}

location /phpmyadmin {
    root  /usr/share;
    index  index.php index.html index.htm;

    location ~ \.php$ {
        try_files $uri =404;

        fastcgi_pass unix:/var/run/php5-fpm.sock;

        include /etc/nginx/fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}

The fastcgi_index will not do anything in a location that only matches .php (see this document).

The SCRIPT_FILENAME parameter is needed in both blocks (or neither if it is already in /etc/nginx/fastcgi_params).

Darwinism answered 8/2, 2016 at 20:1 Comment(5)
Thanks for your reply, actually I had tried with every possible combination of trailing slash for location and root and did not manage to get it working. With root it works well, the problem is that (I forgot to put this in the question...) I have phpldapadmin which has its root in phpldapadmin/htdocs so I cannot use root. I managed to get it working by removing the try_files instruction after reading that try_files and alias do not work well together. - Subway
I also had to change the fastcgi_param to $request_filename for the conf to work, and it works with a trailing slash in location and no trailing slash in root (but not for alias), don't know if it's normal... - Subway
root doesn't care about trailing slashes because it isn't trying to rewrite the URI. But using $request_filename with alias is a good idea - I will remember that one. - Darwinism
I got it working, but since you seem to be far more competent than I am about nginx, I'd be very happy if you could provide an explanation on why $request_filename makes the whole thing work... And thanks for the explanation about the trailing slash! - Subway
Many examples show SCRIPT_FILENAME set to $document_root$fastcgi_script_name because it works with the fastcgi_split_path_info directive. Unless modified, $fastcgi_script_name is the same value as $uri. The root directive causes $request_filename to be set to $document_root$uri, whereas the alias directive removes the location prefix from $uri before computing $request_filename. I think that $request_filename is a robust solution and that alias has some unusual side-effects which are not necessarily all bugs. - Darwinism
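
The setup the comments above arrive at (trailing slash on both location and alias, no try_files, SCRIPT_FILENAME taken from $request_filename), written out as an added example that was not posted by either participant. Paths and the PHP-FPM socket are the ones from the question; the `if (!-f $request_filename)` guard is an addition that assumes you still want the existence check try_files used to provide.

```nginx
location /phpldapadmin/ {
    # location and alias both end in "/", so the prefix "/phpldapadmin/"
    # is replaced by the alias path and /phpldapadmin/index.php maps to
    # /usr/share/phpldapadmin/htdocs/index.php.
    alias /usr/share/phpldapadmin/htdocs/;
    index index.php index.html index.htm;

    location ~ \.php$ {
        # Stands in for "try_files $uri =404", which was removed because
        # of its interaction with alias: never hand PHP-FPM a path that
        # is not an existing regular file.
        if (!-f $request_filename) {
            return 404;
        }

        include /etc/nginx/fastcgi_params;
        fastcgi_pass unix:/var/run/php5-fpm.sock;

        # Under alias, $document_root is the alias path and
        # $fastcgi_script_name is still the full URI, so concatenating
        # them would give
        #   /usr/share/phpldapadmin/htdocs//phpldapadmin/index.php
        # $request_filename already has the location prefix removed.
        fastcgi_param SCRIPT_FILENAME $request_filename;
    }
}
```

If /etc/nginx/fastcgi_params already sets SCRIPT_FILENAME, the fastcgi_param line must come after the include so the value here is the one sent to PHP-FPM.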
H
1

Alternatively you can try to write at the top of nginx.conf >> user username

Since I am using AWS Linux EC2 instance I wrote

user ec2-user;

instead of

user nginx;

This solves the problem by giving all the required permissions

Hephzibah answered 16/6, 2017 at 9:59 Comment(1)
This seems more like a workaround rather than a good solution. You probably should move media to somewhere such as /var/www - Eucharist
