Read-only first

Nginx 403 forbidden

Diagnose path permissions, Nginx root/alias config, access rules, and error logs before changing modes or ownership.

Safest first command

sudo nginx -t

Before you run this

Expected output: Syntax test output and whether Nginx config is valid.

When not to use it: Do not chmod or chown web roots recursively before proving the denied path and Nginx worker user.

Expected output example

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

How to read the result

A passing config test rules out syntax errors only. Permission, root/alias, index, deny/allow, and worker-user issues can still cause a 403.

What to check next

Config test fails

Means: A syntax or include error may block a clean reload.

Next step: Fix config syntax before chasing permissions.

Test Nginx Config Without Reloading

Path component lacks execute permission

Means: Nginx cannot traverse a parent directory.

Next step: Trace owner and mode on every path component.

Trace Nginx Web Path Permissions

Error log says permission denied or directory index forbidden

Means: The decisive cause is in filesystem permissions or index config.

Next step: Read file mode and root/alias directives.

Read Recent Nginx Error Log Lines

Nginx 403 decision tree

Test config, trace path permissions, inspect root/alias and access directives, then read error logs. Keep chmod/chown changes scoped to the decisive path only.

  1. sudo nginx -t
  2. namei -l /srv/www/site/index.html
  3. stat -c '%A %U:%G %n' /srv/www/site/index.html
  4. grep -RInE 'root|alias|deny|allow' /etc/nginx/sites-enabled /etc/nginx/conf.d 2>/dev/null
  5. sudo tail -80 /var/log/nginx/error.log
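Steps 2 and 3 print owner and mode for each path component but leave the evaluation to you. The read-only helper below is an added example, not part of the original page: it walks the same components and names the first one the worker cannot traverse (directories) or read (the final file). The function name first_blocked is hypothetical; it assumes an absolute path, GNU stat, a non-root worker, and classic mode bits only (no ACLs, SELinux or AppArmor). Pass the uid and gids of the account named by the Nginx user directive, as reported by id -u and id -G.

```sh
#!/bin/sh
# Added example (hypothetical helper): read-only walk of a path as seen by the
# Nginx worker. Uses classic mode bits only; ACLs and SELinux/AppArmor are not
# evaluated, and the worker uid is assumed to be non-root.

# first_blocked PATH UID GID [GID...]
#   returns 0 and prints nothing when every component is usable,
#   returns 1 and prints the first blocking component with mode and owner,
#   returns 2 when a component does not exist.
first_blocked() {
  target=$1; uid=$2; shift 2
  gids=" $* "                 # space-padded so group ids match as whole words
  cur=""; rest=${target#/}
  while :; do
    info=$(stat -L -c '%a %u %g %F' -- "${cur:-/}" 2>/dev/null) ||
      { echo "missing ${cur:-/}"; return 2; }
    set -- $info              # octal mode, owner uid, group gid, file type
    mode=$1; owner=$2; group=$3; ftype=$4

    # Pick the permission class the kernel would apply: owner, group, other.
    if [ "$uid" = "$owner" ]; then shift_by=6
    else case $gids in *" $group "*) shift_by=3 ;; *) shift_by=0 ;; esac
    fi
    # Directories need the search (x) bit, the served file needs read (r).
    if [ "$ftype" = directory ]; then need=1; else need=4; fi

    if [ $(( (0$mode >> shift_by) & need )) -eq 0 ]; then
      printf '%s mode=%s owner=%s:%s\n' "${cur:-/}" "$mode" "$owner" "$group"
      return 1
    fi

    [ -n "$rest" ] || return 0            # last component passed
    part=${rest%%/*}
    case $rest in */*) rest=${rest#*/} ;; *) rest="" ;; esac
    cur="$cur/$part"
  done
}
```

The line it prints is the decisive path: any mode or ownership change belongs on that one component, not on the whole web root.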

Bad fixes to avoid

Do not use chmod -R 777. Do not chown an entire web root before confirming the worker user. Do not reload a broken config just to see what happens.

Common causes

  • Parent directory traversal blocked
  • Wrong root or alias
  • Missing index file
  • deny/allow rule
  • Wrong file owner/group

What not to change yet

  • Do not recursively change permissions.
  • Do not disable access rules before reading config.
  • Do not paste raw logs publicly without redaction.

Stop and escalate if

  • The next step could interrupt users, remove data, or lock out access.
  • The output includes secrets, customer data, or private infrastructure details.
  • You cannot explain the blast radius of the repair command.
