Score:0

Nginx cannot find files outside of /var/www directory in OpenBSD

lc flag

I am setting up an nginx webserver for a new website, and I'd like to set the root directory for my webserver to srv, so I created the /srv directory and placed all webserver files there, but nginx is not able to find any files within it. I receive an error 404 on every visit. It is able to find the files when root is set to /var/www/html, though (or any directory inside /var/www). I am running OpenBSD. Below is my /etc/nginx/nginx.conf file:

```nginx
user www;
worker_processes 1;
events {
    worker_connections 800;
}

http {
    index index.html;

    server {
        root /srv/foo;
        listen 80;
        listen [::]:80;
        server_name example.com www.example.com;
        sendfile on;
        tcp_nopush on;
        access_log /var/log/nginx/access.log;

        location / {
            add_header X-uri "$uri" always;
            add_header X-docroot "$document_root" always;
            add_header X-realroot "$realpath_root" always;
            try_files $uri $uri.html $uri/ =404;
        }
    }
}
```

All directories and files have read permissions set. Additionally, I have also tried to host the files in a new directory called /usr/srv, but I had the same issue. I am adding headers in the hopes of providing some debug information, but everything looks normal in a curl GET request. I do get an error with the realpath_root header. Below is the log:

```
2023/06/25 16:30:01 [crit] 14127#0: *32 realpath() "/srv/foo" failed (2: No such file or directory), client: 127.0.0.1, server: example.com, request: "GET / HTTP/1.1", host: "example.com"
```

Any clue why I am not able to serve from any subdirectory other than /var/www subdirectories?

cn flag
Have you looked at the logs? Does this happen from the local machine or from external machines? Is the port open? Is SELinux enabled? The most important thing is the logs.
skytanium avatar
lc flag
I have looked in the logs and there is nothing of interest; a 404 page is returned for all request URIs. This happens on both local and external machines. SELinux is not applicable in this case since I am running OpenBSD, but if there is a similar program handling permissions on OpenBSD, I am not aware of it. In OpenBSD's built-in HTTP server (httpd), the program is chrooted to /var/www. I believe it's possible that the same could be happening for nginx, which could be the source of the issue, but I'm not sure how to test it.
ws flag
You might start by checking the paths in your config files to see if they contain symlinks - this would indicate that nginx may be running in a chroot environment.
cn flag
Ignore the part about SELinux. The issue is chroot. As there is a user running the daemon, which in your case is `www`, it is restricted to that user's home. You can see what this is with the command `getent passwd www`.
Score:0
jp flag

On OpenBSD, Nginx is chrooted. From OpenBSD 5.6 nginx(8) man page:

-u

By default nginx will chroot(2) to the home directory of the user running the daemon, typically “www”, or to the home directory of user in nginx.conf. The -u option disables this behaviour, and returns nginx to the original "unsecure" behaviour.

Your desired configuration decreases security. Is there a real reason for using /srv/foo instead of /var/www/foo?

skytanium avatar
lc flag
My reasoning for moving my server files out of var was because I prefer having all files in `var` be variable or temporary files (log files, mail, etc), for organization's sake. To me, static web content seems very permanent. --- Strangely, earlier I had attempted to change the home directory of the `www` user to `/srv` to see if that was the issue. It didn't solve it for me, but I'll try it again soon. How could changing the home directory to another isolated directory decrease security?
skytanium avatar
lc flag
Update: Passing the -u option solves the issue, so I'm marking this answer as accepted. However, changing the home directory of the `www` user via the `usermod` or `vipw` commands does NOT change where nginx chroots to. Neither does creating a new user with its own home directory and having nginx run as that user. Nginx appears to root to `/var/www` regardless of what the user's home directory is.
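
The path mapping behind the `realpath() "/srv/foo" failed` log line, as an added example that is not part of the original thread: it lists each `root` directive in a config and shows the host path a chrooted worker would end up looking at. It assumes the behaviour reported above (roots under the chroot directory work, anything else is resolved inside the jail); the function names `host_path`, `list_roots` and `check_roots` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Usage: check_roots /var/www /etc/nginx/nginx.conf

# host_path CHROOT ROOT -> prints the path on the host filesystem.
# Assumption taken from the thread: a root already under CHROOT is served
# as-is; any other path is looked up inside the jail, i.e. at CHROOT + ROOT.
host_path() {
    case "$2" in
        "$1"|"$1"/*) printf '%s\n' "$2" ;;
        *)           printf '%s\n' "${1%/}/${2#/}" ;;
    esac
}

# list_roots CONF -> prints the argument of every `root` directive, one per
# line. Only unquoted paths are handled; variables such as $document_root on
# other directives (add_header ...) are not matched.
list_roots() {
    sed -n 's/^[[:space:]]*root[[:space:]]\{1,\}\([^;[:space:]]*\)[[:space:]]*;.*$/\1/p' "$1"
}

# check_roots CHROOT CONF -> one line per root: "<status> <root> -> <host path>".
# Exit status is 1 if any root is missing from the worker's point of view.
check_roots() {
    list_roots "$2" | (
        rc=0
        while IFS= read -r r; do
            p=$(host_path "$1" "$r")
            if [ -d "$p" ]; then
                echo "ok      $r -> $p"
            else
                echo "missing $r -> $p"
                rc=1
            fi
        done
        exit "$rc"
    )
}
```

For the config in the question, `check_roots /var/www /etc/nginx/nginx.conf` reports `/srv/foo` as missing unless `/var/www/srv/foo` exists; placing the content there keeps the chroot in place, whereas `-u` removes it.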