Hello,
I have three websites that exist in the following directory:
$ ls /var/www/html/
branch-view portal portal-view
The portal directory is the Laravel project and the other two are React. In the Laravel project, the user has to upload the file and its directory is /var/www/html/portal/storage.
Assign the Nginx user as the owner of your website files:
# chown -R www-data:www-data /var/www/html
Directories: 755 (read/execute for others):
# find /var/www/html -type d -exec chmod 755 {} \;
Files: 644 (read-only for others)
# find /var/www/html -type f -exec chmod 644 {} \;
Let me try to see if I can shed any light. Note: I am not an NGINX guru nor a Laravel guru.
NGINX will need to read and serve all files. Laravel (PHP-FPM) has to read and serve the storage directory. At the same time, we need to think about security and DevOps access.
You added devops to the www-data group.
You gave full write permission to all the files and directories. This might be a security risk.
You gave everyone open permissions to storage. This is not optimal.
The newgrp command does not affect NGINX (practical for terminal access, though).
So, changing things around, you can try:
Set the correct ownership
sudo chown -R www-data:www-data /var/www/html
Set base permissions for directories (owner: rwx, group: rx, others: rx)
sudo find /var/www/html -type d -exec chmod 755 {} \;
Set base permissions for files (owner: rw, group: r, others: r)
sudo find /var/www/html -type f -exec chmod 644 {} \;
Grant write permissions for Laravel’s storage directory (owner/group: rwx, others: rx)
sudo chmod -R 775 /var/www/html/portal/storage
Make all directories executable for the web server (important for navigation)
This was implicitly handled by 755 for directories, but it’s good to double-check
sudo find /var/www/html -type d -exec chmod a+x {} \;
Allow devops user (via www-data group) to write to website files
This makes directories have rwx for group and files have rw for group
sudo find /var/www/html -type d -exec chmod g+w {} \;
sudo find /var/www/html -type f -exec chmod g+w {} \;
Optional: Set the setgid bit on directories so new files/dirs inherit the www-data group
sudo find /var/www/html -type d -exec chmod g+s {} \;
Restart NGINX and Laravel.
Please let me know if this works or if there are any other blockers.
If NGINX can read the files, users should be able to view the website from any browser. Whether that can happen if you set the permissions to root or devops fundamentally depends on how you set up your user/group permissions.
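
An added example, not part of either post: a read-only audit for the two concerns raised in the reply, namely world-writable paths and group-writable paths outside the storage directory. The function names and the sample tree it builds in a temporary directory are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread; function names are hypothetical.

# Paths under $1 (symlinks excluded) that "others" can write to.
world_writable() {
    find "$1" ! -type l -perm -002 -print
}

# Group-writable paths under $1, skipping subtree $2: the upload directory,
# the only place the application itself has to write.
group_writable_outside() {
    find "$1" -path "$2" -prune -o ! -type l -perm -020 -print
}

# Print both kinds of finding; succeed only when there are none.
audit_webroot() {
    ww=$(world_writable "$1")
    gw=$(group_writable_outside "$1" "$2")
    [ -z "$ww" ] || printf 'world-writable:\n%s\n' "$ww"
    [ -z "$gw" ] || printf 'group-writable outside %s:\n%s\n' "$2" "$gw"
    [ -z "$ww$gw" ]
}

# Constructed sample tree mirroring the layout in the question.
make_fixture() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/portal/storage/app" "$d/portal/app" "$d/branch-view"
    : > "$d/portal/app/User.php"; : > "$d/portal/.env"
    : > "$d/branch-view/index.html"; : > "$d/portal/storage/app/upload.pdf"
    find "$d" -type d -exec chmod 755 {} \;
    find "$d" -type f -exec chmod 644 {} \;
    chmod -R 775 "$d/portal/storage"     # as in the reply: group may write
    chmod 666 "$d/portal/.env"           # constructed mistake: world-writable
    chmod 664 "$d/portal/app/User.php"   # constructed mistake: group-writable code
    printf '%s\n' "$d"
}

# Two arguments: audit a real tree. None: audit the constructed one.
if [ "$#" -eq 2 ]; then
    audit_webroot "$1" "$2"
else
    demo=$(make_fixture) && { audit_webroot "$demo" "$demo/portal/storage" || :; }
    [ -z "$demo" ] || rm -rf "$demo"
fi
```

On the server from the question it would be called as `sh audit.sh /var/www/html /var/www/html/portal/storage`; it changes nothing and exits non-zero when it finds anything.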