I generally disable SELinux after installing CentOS, once and for all, and I guess I am not the only guy who repeats this.
SELinux was likely not designed for regular use.

On Thu, Dec 21, 2017 at 3:06 PM, Aziz Rozyev <aroz...@nginx.com> wrote:

> no problem, btw, check out this post
>
> https://www.nginx.com/blog/nginx-se-linux-changes-upgrading-rhel-6-6/
>
> br,
> Aziz.
>
>> On 21 Dec 2017, at 03:33, li...@lazygranch.com wrote:
>>
>> Well that was it. You can't believe how many hours I wasted on that.
>> Thanks. Double thanks.
>> I'm going to mention this in the Digital Ocean help pages.
>>
>> I disabled selinux, but I have a book laying around on how to set it up.
>> Eh, it is on the list.
>>
>> On Wed, 20 Dec 2017 14:17:18 +0300
>> Aziz Rozyev <aroz...@nginx.com> wrote:
>>
>>> Hi,
>>>
>>> have you checked this with disabled selinux?
>>>
>>> br,
>>> Aziz.
>>>
>>>> On 20 Dec 2017, at 11:07, li...@lazygranch.com wrote:
>>>>
>>>> I'm setting up a web server on a Centos 7 VPS. I'm relatively sure I
>>>> have the firewalls set up properly since I can see my browser
>>>> requests in the access and error log. That said, I have a file
>>>> permission problem.
>>>>
>>>> nginx 1.12.2
>>>> Linux servername 3.10.0-693.5.2.el7.x86_64 #1 SMP Fri Oct 20 20:32:50 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
>>>>
>>>> nginx.conf (with comments removed for brevity and my domain name
>>>> removed because google)
>>>> -------
>>>> user nginx;
>>>> worker_processes auto;
>>>> error_log /var/log/nginx/error.log;
>>>> pid /run/nginx.pid;
>>>>
>>>> events {
>>>>     worker_connections 1024;
>>>> }
>>>>
>>>> http {
>>>>     log_format main '$remote_addr - $remote_user [$time_local] "$request" '
>>>>                     '$status $body_bytes_sent "$http_referer" '
>>>>                     '"$http_user_agent" "$http_x_forwarded_for"';
>>>>
>>>>     access_log /var/log/nginx/access.log main;
>>>>
>>>>     sendfile on;
>>>>     tcp_nopush on;
>>>>     tcp_nodelay on;
>>>>     keepalive_timeout 65;
>>>>     types_hash_max_size 2048;
>>>>
>>>>     include /etc/nginx/mime.types;
>>>>     default_type application/octet-stream;
>>>>
>>>>     server {
>>>>         listen 80;
>>>>         server_name mydomain.com www.mydomain.com;
>>>>
>>>>         return 301 https://$host$request_uri;
>>>>     }
>>>>
>>>>     server {
>>>>         listen 443 ssl http2;
>>>>         server_name mydomain.com www.mydomain.com;
>>>>         ssl_dhparam /etc/ssl/certs/dhparam.pem;
>>>>         root /usr/share/nginx/html/mydomain.com/public_html;
>>>>
>>>>         ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem; # managed by Certbot
>>>>         ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem; # managed by Certbot
>>>>         ssl_ciphers HIGH:!aNULL:!MD5;
>>>>         ssl_prefer_server_ciphers on;
>>>>
>>>>         location / {
>>>>             root /usr/share/nginx/html/mydomain.com/public_html;
>>>>             index index.html index.htm;
>>>>         }
>>>>         #
>>>>         error_page 404 /404.html;
>>>>         location = /40x.html {
>>>>         }
>>>>         #
>>>>         error_page 500 502 503 504 /50x.html;
>>>>         location = /50x.html {
>>>>         }
>>>>     }
>>>>
>>>> }
>>>>
>>>> I have firefox set up with no cache and do not save history.
>>>> -------------------------------------------------------------
>>>> access log:
>>>>
>>>> mypi - - [20/Dec/2017:07:46:44 +0000] "GET /index.html HTTP/2.0" 403 169 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0" "-"
>>>>
>>>> myip - - [20/Dec/2017:07:48:44 +0000] "GET /index.html HTTP/2.0" 403 169 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0" "-"
>>>> -------------------------------
>>>> error log:
>>>>
>>>> 2017/12/20 07:46:44 [error] 10146#0: *48 open() "/usr/share/nginx/html/mydomain.com/public_html/index.html" failed (13: Permission denied), client: myip, server: mydomain.com, request: "GET /index.html HTTP/2.0", host: "mydomain.com"
>>>> 2017/12/20 07:48:44 [error] 10146#0: *48 open() "/usr/share/nginx/html/mydomain.com/public_html/index.html" failed (13: Permission denied), client: myip, server: mydomain.com, request: "GET /index.html HTTP/2.0", host: "mydomain.com"
>>>>
>>>> Directory permissions:
>>>> For now, I made everything 755 with ownership nginx:nginx. I did chmod
>>>> and chown with the -R option.
>>>>
>>>> /etc/nginx:
>>>> drwxr-xr-x. 4 nginx nginx 4096 Dec 20 07:39 nginx
>>>>
>>>> /usr/share/nginx:
>>>> drwxr-xr-x. 4 nginx nginx 33 Dec 15 08:47 nginx
>>>>
>>>> /var/log:
>>>> drwx------. 2 nginx nginx 4096 Dec 20 07:51 nginx
>>>> --------------------------------------------------------------
>>>> systemctl status nginx
>>>> ● nginx.service - The nginx HTTP and reverse proxy server
>>>>    Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; vendor preset: disabled)
>>>>    Active: active (running) since Wed 2017-12-20 04:21:37 UTC; 3h 37min ago
>>>>   Process: 10145 ExecReload=/bin/kill -s HUP $MAINPID (code=exited, status=0/SUCCESS)
>>>>  Main PID: 9620 (nginx)
>>>>    CGroup: /system.slice/nginx.service
>>>>            ├─ 9620 nginx: master process /usr/sbin/nginx
>>>>            └─10146 nginx: worker process
>>>>
>>>> Dec 20 07:18:33 servername systemd[1]: Reloaded The nginx HTTP and reverse proxy server.
>>>> --------------------------------------------------------------
>>>>
>>>> ps aux | grep nginx
>>>> root 9620 0.0 0.3 71504 3848 ? Ss 04:21 0:00 nginx: master process /usr/sbin/nginx
>>>> nginx 10146 0.0 0.4 72004 4216 ? S 07:18 0:00 nginx: worker process
>>>> root 10235 0.0 0.0 112660 952 pts/1 S+ 08:01 0:00 grep ngin
>>>>
>>>> -----------------------------------
>>>> firewall-cmd --zone=public --list-all
>>>> public (active)
>>>>   target: default
>>>>   icmp-block-inversion: no
>>>>   interfaces: eth0
>>>>   sources:
>>>>   services: ssh dhcpv6-client http https
>>>>   ports:
>>>>   protocols:
>>>>   masquerade: no
>>>>   forward-ports:
>>>>   source-ports:
>>>>   icmp-blocks:
>>>>   rich rules:
>>>> _______________________________________________
>>>> nginx mailing list
>>>> nginx@nginx.org
>>>> http://mailman.nginx.org/mailman/listinfo/nginx

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
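
Added example, not part of the thread: the symptom reported above (mode 755, owner nginx, yet open() fails with "13: Permission denied") can be confirmed as an SELinux label problem from the audit log while SELinux stays enabled. The AVC records and the user_home_t label below are constructed for illustration; the thread does not show the actual denial.

```shell
#!/bin/sh
# Constructed sample audit records (not from the thread). The nginx worker runs
# in the httpd_t domain; user_home_t is an assumed wrong label on index.html.
SAMPLE_AUDIT='type=AVC msg=audit(1513756004.311:912): avc:  denied  { read } for  pid=10146 comm="nginx" name="index.html" dev="vda1" ino=393301 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1513756004.311:912): arch=c000003e syscall=2 success=no exit=-13 comm="nginx" exe="/usr/sbin/nginx"
type=AVC msg=audit(1513756124.872:915): avc:  denied  { read } for  pid=10146 comm="nginx" name="index.html" dev="vda1" ino=393301 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1513756200.005:920): avc:  denied  { name_bind } for  pid=2211 comm="sshd" src=2222 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket'

# nginx_avc_summary: read audit records on stdin and print one line per distinct
# nginx denial as "<count> <perms> <class> <name> <target type>".
# On a real host: ausearch -m avc -ts recent | nginx_avc_summary
nginx_avc_summary() {
    awk '
    $1 == "type=AVC" && /denied/ && /comm="nginx"/ {
        perm = ""; name = "-"; ttype = "-"; tclass = "-"
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {
                # collect every permission listed between the braces
                for (j = i + 1; j <= NF && $j != "}"; j++)
                    perm = perm (perm == "" ? "" : ",") $j
            } else if ($i ~ /^name=/) {
                name = $i; gsub(/^name=|"/, "", name)
            } else if ($i ~ /^tcontext=/) {
                split($i, ctx, ":"); ttype = ctx[3]   # user:role:type:level
            } else if ($i ~ /^tclass=/) {
                tclass = substr($i, 8)
            }
        }
        seen[perm " " tclass " " name " " ttype]++
    }
    END { for (k in seen) print seen[k], k }' | sort
}

# print_relabel_commands DOCROOT: print (not run) the usual relabel steps.
# The semanage rule is only needed when the loaded policy has no matching
# file-context rule for DOCROOT; restorecon then applies the expected label.
print_relabel_commands() {
    printf 'semanage fcontext -a -t httpd_sys_content_t "%s(/.*)?"\n' "$1"
    printf 'restorecon -Rv %s\n' "$1"
}

printf '%s\n' "$SAMPLE_AUDIT" | nginx_avc_summary
print_relabel_commands /usr/share/nginx/html/mydomain.com
```

The trailing "." in the ls listings quoted above (drwxr-xr-x.) marks files that carry an SELinux context; ls -Z shows the label itself.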