Problem hub
Read-only first
Nginx 403 forbidden
Diagnose path permissions, Nginx root/alias config, access rules, and error logs before changing modes or ownership.
Safest first command
sudo nginx -t
Before you run this
Expected output: Syntax test output and whether Nginx config is valid.
When not to use it: Do not chmod or chown web roots recursively before proving the denied path and Nginx worker user.
Expected output example
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
How to read the result
A passing config test rules out syntax errors only. Permission, root/alias, index, deny/allow, and worker-user issues can still cause 403.
What to check next
Config test fails
Means: A syntax or include error may block a clean reload.
Next step: Fix config syntax before chasing permissions.
Path component lacks execute permission
Means: Nginx cannot traverse a parent directory.
Next step: Trace owner and mode on every path component.
Error log says permission denied or directory index forbidden
Means: The decisive cause is in filesystem permissions or index config.
Next step: Read file mode and root/alias directives.
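To make the error-log reading concrete, here is an added triage helper (not part of this hub) that sorts Nginx error.log lines into the causes the table above lists. The log lines are constructed samples in the message formats Nginx writes ("open() ... failed (13: Permission denied)", "directory index of ... is forbidden", "access forbidden by rule"); the IPs, host name and paths are placeholders, not real logs from any host.

```shell
#!/bin/sh
# Added example, not from the hub: triage Nginx error.log lines by 403 cause.
# SAMPLE_LOG is constructed; 10.0.0.x, example.test and /srv/www/site are placeholders.
SAMPLE_LOG='2024/01/01 10:00:00 [error] 1234#1234: *1 open() "/srv/www/site/index.html" failed (13: Permission denied), client: 10.0.0.5, server: example.test, request: "GET / HTTP/1.1", host: "example.test"
2024/01/01 10:00:01 [error] 1234#1234: *2 directory index of "/srv/www/site/" is forbidden, client: 10.0.0.5, server: example.test, request: "GET / HTTP/1.1", host: "example.test"
2024/01/01 10:00:02 [error] 1234#1234: *3 access forbidden by rule, client: 10.0.0.6, server: example.test, request: "GET /admin HTTP/1.1", host: "example.test"
2024/01/01 10:00:03 [error] 1234#1234: *4 open() "/srv/www/site/missing.html" failed (2: No such file or directory), client: 10.0.0.5, server: example.test, request: "GET /missing.html HTTP/1.1", host: "example.test"'

# classify_403: reads error.log lines on stdin, writes one cause keyword per line:
#   permission -> filesystem permission on the file or on a parent directory
#   index      -> a directory was requested, with no index file and no autoindex
#   rule       -> a deny/allow directive matched the client
#   missing    -> nothing at the path Nginx resolved (a 404 signature; useful to
#                 confirm what root/alias actually points at)
#   other      -> not one of the signatures this hub covers
classify_403() {
  awk '
    /failed \(13: Permission denied\)/        { print "permission"; next }
    /directory index of .* is forbidden/      { print "index"; next }
    /access forbidden by rule/                { print "rule"; next }
    /failed \(2: No such file or directory\)/ { print "missing"; next }
                                              { print "other" }
  '
}

# triage_summary: count each cause in the sample, one "N cause" line per cause.
triage_summary() {
  printf '%s\n' "$SAMPLE_LOG" | classify_403 | sort | uniq -c | sed 's/^ *//'
}

# Usage against a live log (redact before pasting the output anywhere):
#   sudo tail -200 /var/log/nginx/error.log | classify_403 | sort | uniq -c
```

The point of counting rather than reading the last line is that a busy server mixes several causes; the dominant one for the affected host and request is the one to fix first.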
Nginx 403 decision tree
Test config, trace path permissions, inspect root/alias and access directives, then read error logs. Keep chmod/chown changes scoped to the decisive path only.
sudo nginx -t
namei -l /srv/www/site/index.html
stat -c '%A %U:%G %n' /srv/www/site/index.html
grep -RInE 'root|alias|deny|allow' /etc/nginx/sites-enabled /etc/nginx/conf.d 2>/dev/null
sudo tail -80 /var/log/nginx/error.log
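The namei and stat steps above still leave you to read each component's mode by eye. The following added script (not part of this hub) does that check automatically: it walks every directory component of a path, reports the first one that denies traversal (the execute bit) to "others", then checks that the file itself is readable by "others". The "others" view is what an Nginx worker user (commonly www-data or nginx, assumed here) sees when it neither owns the path nor belongs to its group; if the worker user is the owner or a group member, the owner/group bits apply instead, so read the owner:group column before changing anything. It uses GNU stat -c, as the hub's own stat command does.

```shell
#!/bin/sh
# Added example, not from the hub: trace traversal and read permission along a
# path from the "others" perspective. Requires GNU stat (-c).

# check_path FILE
#   prints "ok" and returns 0 when every parent directory is traversable and
#   the file is readable by "others"; otherwise prints one of
#   "blocked: DIR MODE OWNER:GROUP", "unreadable: FILE MODE OWNER:GROUP" or
#   "missing: PATH" and returns 1.
check_path() {
  target=$1
  # Work on an absolute path so the walk starts at /.
  case $target in /*) ;; *) target=$PWD/$target ;; esac

  dir=$(dirname "$target")
  acc=""
  # Split the directory part on "/" into positional parameters.
  IFS=/
  set -- $dir
  unset IFS
  for comp in "$@"; do
    [ -z "$comp" ] && continue
    acc="$acc/$comp"
    mode=$(stat -c '%a' "$acc" 2>/dev/null) || { echo "missing: $acc"; return 1; }
    # The last octal digit is the "others" triplet; bit 1 is execute (traverse).
    if [ $(( mode % 10 & 1 )) -eq 0 ]; then
      echo "blocked: $acc $mode $(stat -c '%U:%G' "$acc")"
      return 1
    fi
  done

  fmode=$(stat -c '%a' "$target" 2>/dev/null) || { echo "missing: $target"; return 1; }
  # Bit 4 of the "others" triplet is read.
  if [ $(( fmode % 10 & 4 )) -eq 0 ]; then
    echo "unreadable: $target $fmode $(stat -c '%U:%G' "$target")"
    return 1
  fi
  echo "ok"
}

# Usage: check_path /srv/www/site/index.html
```

Because the script names exactly one component, any chmod or chown that follows can be scoped to that directory or file, which is the "decisive path only" rule the decision tree asks for.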
Bad fixes to avoid
Do not use chmod -R 777. Do not chown an entire web root before confirming the worker user. Do not reload a broken config just to see what happens.
Common causes
- Parent directory traversal blocked
- Wrong root or alias
- Missing index file
- deny/allow rule
- Wrong file owner/group
What not to change yet
- Do not recursively change permissions.
- Do not disable access rules before reading config.
- Do not paste raw logs publicly without redaction.
Stop and escalate if
- The next step could interrupt users, remove data, or lock out access.
- The output includes secrets, customer data, or private infrastructure details.
- You cannot explain the blast radius of the repair command.
Supporting commands
Command path
Guides and drills
- Linux permission denied hub: use when the 403 reduces to filesystem permissions.
- Nginx 502 hub: use when the failure is upstream, not static file access.