fix: nginx worker processes should run as www-data #78
Merged
Adds an example that creates files owned by www-data with 750/640 permissions and verifies nginx can serve them. This will fail because the Bitnami nginx image runs worker processes as 'daemon' instead of 'www-data'. See: https://github.com/lando/drupal/issues/124
✅ Deploy Preview for lando-nginx ready!
The Bitnami nginx image uses NGINX_DAEMON_USER to configure the worker process user. Previously set to 'root', which caused the Bitnami entrypoint to fall back to 'daemon'. This mismatch means nginx workers can't read files owned by www-data with restrictive permissions (750/640), resulting in 403 errors on CSS/JS assets in Drupal and other PHP apps. Fixes: https://github.com/lando/drupal/issues/124
No need for a separate example — bake the www-data assertions into the 1.29 test that already runs in CI.
This plugin has been crashing every deploy-preview build since at least Dec 2025. Removing it so PR previews actually deploy again.
…iews" This reverts commit 8625c1f.
Docker Hub responses lack Content-Type headers, causing netlify-plugin-checklinks to fail with content-type-missing errors. The links themselves are valid — Docker Hub just doesn't set the header. Fixes deploy-preview builds that have been failing since Dec 2025.
c863432 to 6704f30
The actual worker user is controlled by the 'user' directive in nginx.conf, not the NGINX_DAEMON_USER env var (which gets overwritten by Bitnami's nginx-env.sh anyway). Changed from 'root root' to 'www-data www-data' so nginx workers can read files created by PHP. Reverts the env var change (irrelevant) and fixes the real source. Fixes: https://github.com/lando/drupal/issues/124
Bitnami's nginx-env.sh hardcodes NGINX_DAEMON_USER='daemon', overwriting any env var Lando sets. The entrypoint then rewrites the 'user' directive in nginx.conf with this value. The only reliable fix is patching nginx-env.sh before the entrypoint runs. Added sed commands to launch.sh to replace 'daemon' with 'www-data' in nginx-env.sh before the Bitnami entrypoint sources it. Fixes: https://github.com/lando/drupal/issues/124

Problem
The Bitnami nginx image runs worker processes as daemon by default. When used with Drupal (or any PHP app), files created by PHP are owned by www-data. If those files have restrictive permissions (e.g., 750/640), nginx workers running as daemon get 403 errors trying to serve CSS/JS/etc.
Test
This PR first adds a worker-user example test that:
www-data with 750/640 permissions
www-data
This test should FAIL on the initial push to prove the bug exists.
Fix
Coming in a follow-up commit after CI confirms the failure.
References
Fixes #79
Note
Medium Risk
Changes the nginx container startup behavior by patching Bitnami scripts to run workers as www-data, which could impact permissions and runtime behavior across environments. Adds a targeted example test to validate file-serving and process ownership, reducing regression risk but still touching core startup paths.
Overview
Ensures nginx worker processes run as www-data by patching Bitnami’s nginx-env.sh during config/launch.sh before the entrypoint executes, preventing 403s when serving files created by PHP with restrictive permissions.
Extends the 1.29 example to install procps, create a www-data-owned test file with 750/640 perms, and documents verification commands to confirm worker user and successful serving (HTTP 200). Also updates Netlify link-check config to ignore hub.docker.com and includes a package-lock.json metadata-only adjustment.
Written by Cursor Bugbot for commit cc7b549.
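The 403 described in this PR follows directly from the POSIX owner/group/other check. The sketch below is an added example, not code from this PR or from the Lando or Bitnami projects: it models that check for a worker user against a directory and file with the 750/640 modes discussed above. The function names and the sample group memberships are assumptions made for illustration, and ACLs and other access-control layers are not modelled.

```shell
#!/bin/sh
# Added example (not from the PR): why a 'daemon' worker gets 403 on
# www-data-owned content with 750/640 modes. All names are hypothetical.

# perm_class USER "USER_GROUPS" OWNER GROUP -> prints owner, group or other.
# The owner class wins even when the group or other bits are more permissive.
perm_class() {
  user=$1; user_groups=$2; owner=$3; group=$4
  if [ "$user" = "$owner" ]; then echo owner; return; fi
  for g in $user_groups; do
    if [ "$g" = "$group" ]; then echo group; return; fi
  done
  echo other
}

# has_bit MODE CLASS BIT -> succeeds if octal MODE grants BIT (4=r, 1=x) to CLASS.
has_bit() {
  mode=$1; bit=$3
  case $2 in
    owner) shift_by=6 ;;
    group) shift_by=3 ;;
    *)     shift_by=0 ;;
  esac
  [ $(( (0$mode >> shift_by) & bit )) -ne 0 ]
}

# can_serve USER "USER_GROUPS" DIR_MODE FILE_MODE OWNER GROUP
# A worker needs search (x) on the directory and read (r) on the file.
can_serve() {
  [ "$1" = root ] && return 0   # root bypasses the mode-bit check
  class=$(perm_class "$1" "$2" "$5" "$6")
  has_bit "$3" "$class" 1 && has_bit "$4" "$class" 4
}

# status_for ... -> prints the HTTP status the model predicts (200 or 403).
status_for() {
  if can_serve "$@"; then echo 200; else echo 403; fi
}

# Constructed cases: directory 750, file 640, owned by www-data:www-data.
echo "daemon worker:   $(status_for daemon daemon 750 640 www-data www-data)"
echo "www-data worker: $(status_for www-data www-data 750 640 www-data www-data)"
```
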