Почему вылезает ошибка 403?

Question

[Человек Человеков]

403 Forbidden
nginx

Вылезает при таком конфиге nginx:

/etc/nginx/nginx.conf
 
         user www-data;
        worker_processes 2;
        pid /var/run/nginx.pid;

        events {
                worker_connections  2048;
                use epoll;
}

http {
        access_log              /var/log/nginx/access.log;
        error_log               /var/log/nginx/error.log;
        include                 /etc/nginx/mime.types;
        default_type    application/octet-stream;
        keepalive_timeout 65;
        server_tokens   off;

        gzip on;
        gzip_min_length 10240;
        gzip_proxied expired no-cache no-store private auth;
        gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/xml;
        gzip_disable "msie6";


        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        client_max_body_size 100m;
        types_hash_max_size 2048;

        geoip_country /usr/share/GeoIP/GeoIP.dat;
                map $geoip_country_code $allowed_country        {
                                default no;
                                RU yes;
                                UA yes;
                                BY yes;
                                CZ yes;
                                US yes;
                }
        include /etc/nginx/conf.d/*.conf;
}

upstream php_workers {
                server unix:/var/run/php-fpm.socket;
}

server {
                listen 80;
                server_name mail.somehost.ru;
                        if ($allowed_country = no) {
                                return 404;
                        }
                return 302 https://$server_name$request_uri;
}
server {
                listen 443 ssl;
                server_name mail.somehost.ru;
                ssl on;
                add_header Strict-Transport-Security "max-age=15768000; includeSubdomains";
                ssl_certificate         /etc/nginx/certs/somehost.ru.crt;
                ssl_certificate_key     /etc/nginx/certs/somehost.ru.key;
                ssl_dhparam                     /etc/ssl/dhparams.pem;

                ssl_protocols   TLSv1 TLSv1.1 TLSv1.2;
                ssl_ciphers             ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
                ssl_session_cache       shared:SSL:10m;
                ssl_prefer_server_ciphers       on;

                        if ($allowed_country = no) {
                                return 404;
                        }
        index index.php;

        # Deny all attempts to access hidden files such as .htaccess.
        location ~ /\. { deny all; }
        # Handling noisy favicon.ico messages
        location = ^/favicon.ico { access_log off; log_not_found off; }

        # Roundcube webmail
        location ~ ^/mail(.*)\.php$ {
                include fastcgi_params;
                fastcgi_pass php_workers;
                fastcgi_index index.php;
                fastcgi_param SCRIPT_FILENAME /opt/www/roundcubemail$1.php;
        }

        location ~ ^/mail(.*) {
                alias /opt/www/roundcubemail$1;
                index index.php;
        }

        location ~ ^/mail/(bin|SQL|README|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ { deny all; }

        # Normal PHP scripts
        location ~ \.php$ {
                include fastcgi_params;
                fastcgi_pass php_workers;
                fastcgi_param SCRIPT_FILENAME /opt/www/$fastcgi_script_name;
        }
        # iRedAdmin: static files under /iredadmin/static
        location ~ ^/iredadmin/static/(.*)\.(png|jpg|gif|css|js) {
                alias /opt/www/iredadmin/static/$1.$2;
        }

        # iRedAdmin: Python scripts
        location ~ ^/iredadmin(.*) {
                rewrite ^/iredadmin(/.*)$ $1 break;
                include uwsgi_params;
                uwsgi_pass unix:/var/run/uwsgi_iredadmin.socket;
                uwsgi_param UWSGI_CHDIR /opt/www/iredadmin;
                uwsgi_param UWSGI_SCRIPT iredadmin;
                uwsgi_param SCRIPT_NAME /iredadmin;
                allow XXXXXXXXXX;
                allow XXXXXXXXXX;
                deny all;
        }
        # iRedAdmin: redirect /iredadmin to /iredadmin/
        location = /iredadmin {
                rewrite ^ /iredadmin/;
        }
}

В логах в это время:
error.log
2016/06/30 18:48:13 [error] 25415#0: *16 directory index of "/usr/share/nginx/html/" is forbidden, client: XXX.XXX.XXX.XXX, server: mail.somehost.ru, request: "GET / HTTP/1.1", host: "mail.somehost.ru"

access.log
XXX.XXX.XXX.XXX - - [30/Jun/2016:18:49:27 +0300] "GET / HTTP/1.1" 403 162 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0"
XXX.XXX.XXX.XXX - - [30/Jun/2016:18:49:28 +0300] "GET / HTTP/1.1" 403 162 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0"
XXX.XXX.XXX.XXX - - [30/Jun/2016:18:49:29 +0300] "GET / HTTP/1.1" 403 162 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0"

Answer 1

[Андрей Буров]

у Вас нет location для запроса к /

nginx.org/ru/docs/http/request_processing.html

сделайте

location / {
        index index.php;
}

и укажите root

Answer 2

[Антон Уланов]

у вас логах сказано что не доступа к: directory index of "/usr/share/nginx/html/" is forbidden

Comments

[Человек Человеков]

Это нормально. Так как нигде нет опции root, соответсвтенно берёт дефолтное значение.

[Антон Уланов]

тссс :)

Answer 3

[Клёвый Админ]

Визуально ничего в конфиге не вижу, чтобы мешало и выдавало именно 403. Но советую начинать с простого - убрать лишнее, всякие проверки на GeoIP \ allow и deny секции, оставить лишь один сервер и одну локацию, проверить и потом уже снимать комментарии со всего остального. Грамотная локализация проблемы поможет вам.

Ну и проверить что php вам не возвращает 403. Мало ли. Создайте в корне index.html проверьте как будет пускать в него.

Answer 4

[Человек Человеков]

поправил так:

ssl_prefer_server_ciphers on;

# if ($allowed_country = no) {
# return 404;
# }
root /opt/www/roundcubemail;
index index.php;

location / {
index index.php;
}
# Deny all attempts to access hidden files such as .htaccess.
location ~ /\. { deny all; }
# Handling noisy favicon.ico messages
location = ^/favicon.ico { access_log off; log_not_found off; }

, но всё равно не работает ;)

Comments

[Человек Человеков]

error.log

2016/07/01 14:02:23 [error] 3684#0: *22 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: XXX.XXX.XXX.XXX, server: mail.somemail.ru, request: "GET / HTTP/1.1", upstream: "fastcgi://unix:/var/run/php-fpm.socket:", host: "mail.somemail.ru"
2016/07/01 14:02:24 [error] 3684#0: *24 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: XXX.XXX.XXX.XXX, server: mail.somemail.ru, request: "GET / HTTP/1.1", upstream: "fastcgi://unix:/var/run/php-fpm.socket:", host: "mail.somemail.ru"

access.log
XXX.XXX.XXX.XXX - - [01/Jul/2016:14:02:22 +0300] "GET / HTTP/1.1" 404 47 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0"
XXX.XXX.XXX.XXX - - [01/Jul/2016:14:02:23 +0300] "GET / HTTP/1.1" 404 47 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0"
XXX.XXX.XXX.XXX - - [01/Jul/2016:14:02:24 +0300] "GET / HTTP/1.1" 404 47 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0"