Control Web Panel
WebPanel => Apache => Nginx => Topic started by: kandalf on May 19, 2026, 10:41:38 AM
-
Setup: CWP on AlmaLinux 8.10, nginx 1.24.0 from appstream, default config with "user nobody;".
After every nginx package update, uploads larger than client_body_buffer_size start failing. The RPM resets /var/lib/nginx and /var/lib/nginx/tmp to "nginx:root 0770", so the nobody worker can't traverse into them to write client body temp files. SELinux is off, this is just DAC.
Confirm with:
rpm -q --queryformat "[%{FILEMODES:perms} %{FILEUSERNAME}:%{FILEGROUPNAME} %{FILENAMES}\n]" nginx | grep /var/lib/nginx
The usual chown fix works until the next update.
Permanent fix that survives updates: move the temp paths out of /var/lib/nginx into /var/cache/nginx (not owned by any RPM) and add them to nginx.conf:
client_body_temp_path /var/cache/nginx/client_body 1 2;
fastcgi_temp_path /var/cache/nginx/fastcgi 1 2;
uwsgi_temp_path /var/cache/nginx/uwsgi 1 2;
scgi_temp_path /var/cache/nginx/scgi 1 2;
Anyone else hitting this? Would it make sense for CWP to ship the default nginx.conf with these paths set, or switch the default user to "nginx" to match the RPM?
-
On one server, I've been with the default CWP Nginx 1.24 config, but with the Rift CVE, I switched over to the 1.31 AppStream version. So I haven't noticed the issue until now. But as a responsible sysadmin, with the switch to the AppStream-managed version I will accommodate permissions and/or the main conf as needed (thanks for the head's up!). No need to be bound by the CWP defaults if you aren't using their Nginx compiled from source.
-
Thanks for chiming in. Good to know I'm not the only one running the AppStream nginx under CWP.
Quick note on your point: even when you "accommodate permissions" on /var/lib/nginx, the fix doesn't stick across package updates. The RPM ships /var/lib/nginx and /var/lib/nginx/tmp with explicit %attr(0770, nginx, root) in the spec, and dnf reapplies those attributes on every upgrade automatically, without any postinstall scriptlet. That's why a one-shot chown isn't enough if you keep user=nobody in nginx.conf. The temp paths really do need to move out of /var/lib/nginx (or you switch user to nginx, which has its own implications for CWP integrations).
Still hoping someone from the CWP team can weigh in on whether the shipped default should set explicit *_temp_path or move to user=nginx.
-
try to add the custom "chown", "chmod" commands to:
/etc/cron.daily/cwp
right after:
/usr/local/cwp/php71/bin/php -d max_execution_time=1000000 -q /usr/local/cwpsrv/htdocs/resources/admin/include/cron.phpto fix the permissions after the daily cwp update.
-
try to add the custom "chown", "chmod" commands to:
/etc/cron.daily/cwp
right after:
/usr/local/cwp/php71/bin/php -d max_execution_time=1000000 -q /usr/local/cwpsrv/htdocs/resources/admin/include/cron.phpto fix the permissions after the daily cwp update.
I prefer my approach but yours also works.
But this issue happens to someone else? I have it on all my servers.
-
It can be solved in one more way using an RPM:
Create and install an RPM package used as a trigger. The task of the custom RPM is to run a script if the "nginx" RPM is updated/installed. The script can do anything (fix permissions).
-
try to add the custom "chown", "chmod" commands to:
/etc/cron.daily/cwp
right after:
/usr/local/cwp/php71/bin/php -d max_execution_time=1000000 -q /usr/local/cwpsrv/htdocs/resources/admin/include/cron.phpto fix the permissions after the daily cwp update.
I prefer my approach but yours also works.
But this issue happens to someone else? I have it on all my servers.
Yes, I'm having the same problem, and I'm resolving it with `chown` when it occurs. I even removed `/var/lib/nginx` from the installation, but then I needed to do some CWP migrations, and everything went back to square one. So, I'll make time to study and use your approach.