{"id":776,"date":"2025-10-15T16:16:16","date_gmt":"2025-10-15T08:16:16","guid":{"rendered":"https:\/\/play.datalude.com\/blog\/?p=776"},"modified":"2025-10-15T16:19:59","modified_gmt":"2025-10-15T08:19:59","slug":"fixing-up-nginx-file-opening-permissions","status":"publish","type":"post","link":"https:\/\/play.datalude.com\/blog\/2025\/10\/fixing-up-nginx-file-opening-permissions\/","title":{"rendered":"Fixing up nginx file opening permissions"},"content":{"rendered":"\n

Got this error message on startup of nginx. <\/p>\n\n\n\n

nginx: [warn] 4096 worker_connections exceed open file resource limit: 1024<\/code><\/pre>\n\n\n\n
There are a lot of places you can change this value so it gets a bit confusing. It could be the user that nginx is running under, (usually www-data) or the process, or it could be set in systemd init file or in security\/limits.conf … OK, so we'll run a script to gather the info<\/p>\n\n\n\n
#!\/bin\/bash\n\n# --- Configuration ---\nNGINX_CONF=\"\/etc\/nginx\/nginx.conf\"\nNGINX_SERVICE=\"nginx.service\"\nLIMITS_CONF=\"\/etc\/security\/limits.conf\"\nSYSCTL_CONF=\"\/etc\/sysctl.conf\"\n# --- End Configuration ---\n\necho \"#################################################################\"\necho \"# NGINX ULIMIT (MAX OPEN FILES) CHECKER\"\necho \"#################################################################\"\n\n# 1. Find the NGINX User\nNGINX_USER=$(grep -E '^\\s*user\\s+' $NGINX_CONF | awk '{print $2}' | sed 's\/;\/\/' | head -n 1)\nif [[ -z \"$NGINX_USER\" ]]; then\n    NGINX_USER=\"www-data\" # Common default user if not explicitly set\nfi\necho -e \"\\n[1] NGINX RUNNING USER: ${NGINX_USER}\"\n\n# 2. Get NGINX Process Limits\necho -e \"\\n[2] CURRENT NGINX WORKER PROCESS LIMITS (\/proc\/<pid>\/limits)\"\nNGINX_PID=$(pgrep -u \"$NGINX_USER\" nginx | head -n 1)\nif [[ -n \"$NGINX_PID\" ]]; then\n    cat \"\/proc\/$NGINX_PID\/limits\" | grep \"Max open files\"\nelse\n    echo \"NGINX worker process is not currently running under user '$NGINX_USER'.\"\nfi\n\n# 3. Check NGINX Configuration Directives\necho -e \"\\n[3] NGINX CONFIGURATION CHECK (${NGINX_CONF})\"\nNGINX_RBLIMIT=$(grep -E '^\\s*worker_rlimit_nofile\\s+' $NGINX_CONF | awk '{print $2}' | sed 's\/;\/\/' | head -n 1)\nNGINX_CONNECTIONS=$(grep -E '^\\s*worker_connections\\s+' $NGINX_CONF | awk '{print $2}' | sed 's\/;\/\/' | head -n 1)\n\nif [[ -n \"$NGINX_RBLIMIT\" ]]; then\n    echo -e \"   - worker_rlimit_nofile: \\t**$NGINX_RBLIMIT**\"\nelse\n    echo -e \"   - worker_rlimit_nofile: \\tNot set (NGINX inherits OS limit)\"\nfi\n\nif [[ -n \"$NGINX_CONNECTIONS\" ]]; then\n    echo -e \"   - worker_connections: \\t**$NGINX_CONNECTIONS**\"\nelse\n    echo -e \"   - worker_connections: \\tNot set (Defaults to 512 or 1024)\"\nfi\n\n# 4. Check systemd Service Unit Limit (Most modern Linux systems)\necho -e \"\\n[4] SYSTEMD SERVICE UNIT LIMIT (${NGINX_SERVICE})\"\nSYSTEMD_LIMIT=$(systemctl show $NGINX_SERVICE --property LimitNOFILE | awk -F'=' '{print $2}')\nif [[ -n \"$SYSTEMD_LIMIT\" ]]; then\n    echo -e \"   - LimitNOFILE (systemd): \\t**$SYSTEMD_LIMIT**\"\nelse\n    echo \"   - LimitNOFILE (systemd): \\tNot explicitly set (Inherits from system defaults\/limits.conf)\"\nfi\n\n# 5. Check User Limits (limits.conf)\necho -e \"\\n[5] USER LIMITS CONFIGURATION (${LIMITS_CONF})\"\nUSER_LIMITS=$(grep -E \"^$NGINX_USER\\s+(soft|hard)\\s+nofile\" $LIMITS_CONF)\nALL_USER_LIMITS=$(grep -E \"^\\*\\s+(soft|hard)\\s+nofile\" $LIMITS_CONF)\n\nif [[ -n \"$USER_LIMITS\" ]]; then\n    echo -e \"   - Limits for $NGINX_USER:\\n$USER_LIMITS\"\nelif [[ -n \"$ALL_USER_LIMITS\" ]]; then\n    echo -e \"   - General limits (*):\\n$ALL_USER_LIMITS\"\nelse\n    echo \"   - No explicit nofile limits found for '$NGINX_USER' or '*'.\"\nfi\n\n# 6. Check System-Wide Kernel Limit\necho -e \"\\n[6] SYSTEM-WIDE KERNEL LIMIT (fs.file-max)\"\nKERNEL_MAX=$(cat \/proc\/sys\/fs\/file-max)\necho -e \"   - fs.file-max (Kernel): \\t**$KERNEL_MAX**\"\n\necho \"#################################################################\"<\/code><\/pre>\n\n\n\n
OK, so that gives us the output <\/p>\n\n\n\n
#################################################################\n# NGINX ULIMIT (MAX OPEN FILES) CHECKER\n#################################################################\n\n[1] NGINX RUNNING USER: www-data\n\n[2] CURRENT NGINX WORKER PROCESS LIMITS (\/proc\/<pid>\/limits)\nMax open files            1024                 524288               files     \n\n[3] NGINX CONFIGURATION CHECK (\/etc\/nginx\/nginx.conf)\n   - worker_rlimit_nofile: \tNot set (NGINX inherits OS limit)\n   - worker_connections: \t**4096**\n\n[4] SYSTEMD SERVICE UNIT LIMIT (nginx.service)\n   - LimitNOFILE (systemd): \t**524288**\n\n[5] USER LIMITS CONFIGURATION (\/etc\/security\/limits.conf)\n   - Limits for www-data:\nwww-data         hard    nofile          65536\nwww-data         soft    nofile          65536\n\n[6] SYSTEM-WIDE KERNEL LIMIT (fs.file-max)\n   - fs.file-max (Kernel): \t**9223372036854775807**\n#################################################################<\/code><\/pre>\n\n\n\n
So we need to alter the low value for the nginx worker process, currently at 1024<\/p>\n\n\n\n
Insert this line near the top of \/etc\/nginx\/nginx.conf file, before the events {} section. <\/p>\n\n\n\n
worker_rlimit_nofile 65536; <\/code><\/pre>\n\n\n\n
And restart nginx. Now we see <\/p>\n\n\n\n
[2] CURRENT NGINX WORKER PROCESS LIMITS (\/proc\/<pid>\/limits)\nMax open files            65536                65536                files     \n\n[3] NGINX CONFIGURATION CHECK (\/etc\/nginx\/nginx.conf)\n   - worker_rlimit_nofile: \t**65536**\n   - worker_connections: \t**4096**\n<\/code><\/pre>\n\n\n\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
Got this error message on startup of nginx. There are a lot of places you can change this value so it gets a bit confusing. It could be the user that nginx is running under, (usually www-data) or the process, or it could be set in systemd init file or in security\/limits.conf … OK, so … Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_crdt_document":"","footnotes":""},"categories":[4,145],"tags":[],"class_list":["post-776","post","type-post","status-publish","format-standard","hentry","category-linux","category-nginx"],"_links":{"self":[{"href":"https:\/\/play.datalude.com\/blog\/wp-json\/wp\/v2\/posts\/776","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/play.datalude.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/play.datalude.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/play.datalude.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/play.datalude.com\/blog\/wp-json\/wp\/v2\/comments?post=776"}],"version-history":[{"count":2,"href":"https:\/\/play.datalude.com\/blog\/wp-json\/wp\/v2\/posts\/776\/revisions"}],"predecessor-version":[{"id":778,"href":"https:\/\/play.datalude.com\/blog\/wp-json\/wp\/v2\/posts\/776\/revisions\/778"}],"wp:attachment":[{"href":"https:\/\/play.datalude.com\/blog\/wp-json\/wp\/v2\/media?parent=776"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/play.datalude.com\/blog\/wp-json\/wp\/v2\/categories?post=776"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/play.datalude.com\/blog\/wp-json\/wp\/v2\/tags?post=776"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}