I'm a heavy user of Jekyll and rsync to deploy static websites. I've never really felt the need to go down the git deploy route when rsync can handle most use cases (throwing away version control, multiple contributors, etc.).

However, I have only just cracked the nut on rsync + nginx permissions. I've had a real mixed bag of experiences with different VPSes and versions of Ubuntu and nginx, but I have finally worked out the holy grail of permissions.

The problem has always been the permissions on the static files: the nginx worker user (typically www-data) is denied read access to them. That is easy enough to fix with a one-off chown/chmod, but every time you rsync as a normal user the new files arrive with that user's group and umask, the fix is undone, and nginx can no longer read your files.

Fixing nginx + rsync permissions for Jekyll deployments

So, assuming you have a normal user account called vpschef, you need to:

sudo usermod -aG www-data vpschef

This assumes that the nginx worker processes run in the group www-data. ps aux | grep nginx shows the user they run as; the group comes from the user directive in nginx.conf, and if only a user name is given there nginx uses the group of the same name. All this command does is add your normal user to that group. Group membership is picked up at login, so log out and back in (or run newgrp www-data) before testing, and confirm with id vpschef.

N.B. The alternative is to give www-data a login shell and SSH key so that it can run rsync itself, but that turns a service account that should never log in into a remote-access account. It is an additional security trade-off that does not need to be made.

Now, if you have NOTHING in your /srv or /var/www directory you can run:

sudo chown www-data:www-data /srv

This changes the owner and group of your web directory to www-data. If you already have content and sub-folders deployed in this directory, pass chown the -R (recursive) flag so the ownership change propagates to every existing file.

To tidy up the remaining permissions we shut out anyone NOT in this group: no read, write or execute (directory search) for "other" anywhere in the tree:

sudo chmod 770 /srv

Again, pass -R to chmod if there is content here already (applied recursively, 770 also marks every file executable, which is harmless for static content but untidy; 660 is enough for files). Be aware of what 770 grants as well as what it removes: every member of www-data, including the nginx workers themselves and any other service running in that group, gets write access to the site. nginx only needs read on files and execute on directories, so if you would rather a compromised worker could not rewrite your pages, keep vpschef as the owner of the tree and use 750 for directories and 640 for files; the group read bits are all nginx uses.

Finally, the piece that has caused me so much hassle over the last few months: the setgid bit on the directory (setuid has no effect on directories on Linux), which makes NEWLY CREATED files and folders inherit the directory's group instead of the creating user's primary group:

sudo chmod g+s /srv

From then on, everything written into /srv (and into sub-directories created under it, which inherit the setgid bit as well) belongs to the www-data group, so nginx can read the files and traverse the directories without any further chown. One caveat: setgid fixes the group, not the mode bits. rsync -a copies the permission bits of your local _site files verbatim, so they still need to be group-readable on your workstation (the default 022 umask gives 644/755, which is fine), or you can have rsync force them on the way in with its --chmod option.
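Putting the steps above together, here is an added example (my own shell script, not something the original post ships): the group/770/setgid fix as a function, a verification function to run after each deploy so you can tell a permissions problem from an nginx problem, and the rsync invocation that keeps the fix intact on every push. It assumes GNU coreutils/findutils as on Ubuntu, an rsync that understands --chmod, and the user vpschef and group www-data from the post; the hostname example.com and the path /srv/example.com in the usage notes are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Wraps the steps above
# (group ownership, 770 with nothing for "other", setgid) in functions,
# adds a verification step, and shows the rsync flags that keep the fix
# intact on every deploy. Assumes GNU coreutils/findutils (Ubuntu) and an
# rsync that understands --chmod. Hostnames and paths in the usage notes
# at the bottom are assumptions.

# setup_webroot DIR GROUP [DIRMODE]
# Hand DIR to GROUP (the group nginx workers run in, www-data by default),
# apply DIRMODE to every directory and the matching non-executable mode to
# every file, with the setgid bit so that anything created inside DIR
# inherits GROUP instead of the creating user's primary group.
# DIRMODE defaults to 2770, the post's "770 + g+s" (files become 660).
# Pass 2750 if the deploy user owns the tree and nginx only needs to read
# (files become 640): then a compromised worker cannot rewrite the site.
setup_webroot() {
    dir=$1
    group=$2
    dirmode=${3:-2770}
    # Files get the directory's rw bits but never x or setgid.
    filemode=$(printf '%o' "$(( 0$dirmode & 0666 ))")
    mkdir -p "$dir" || return 1
    # chgrp rather than chown user:group: changing the owner needs root,
    # changing the group only needs membership of GROUP (the usermod step).
    chgrp -R "$group" "$dir" || return 1
    find "$dir" -type d -exec chmod "$dirmode" {} + || return 1
    find "$dir" -type f -exec chmod "$filemode" {} + || return 1
}

# verify_webroot DIR GROUP
# Succeeds only if every entry under DIR belongs to GROUP, nothing is
# accessible to "other", every directory is group r-x with setgid, every
# file is group-readable, and a file created right now really inherits
# GROUP. Prints the offending paths and returns 1 otherwise. Run it after
# each deploy, as the deploy user, before blaming nginx.
verify_webroot() {
    dir=$1
    group=$2
    bad=$(find "$dir" \( ! -group "$group" -o -perm /007 \) -print)
    [ -z "$bad" ] || { printf 'wrong group or world-accessible:\n%s\n' "$bad"; return 1; }
    bad=$(find "$dir" -type d ! -perm -2050 -print)   # 2050 = setgid + g=rx
    [ -z "$bad" ] || { printf 'directories missing g+rx or setgid:\n%s\n' "$bad"; return 1; }
    bad=$(find "$dir" -type f ! -perm -040 -print)    # 040 = g=r
    [ -z "$bad" ] || { printf 'files not group-readable:\n%s\n' "$bad"; return 1; }
    probe=$(mktemp "$dir/.probe.XXXXXX") || return 1
    actual=$(stat -c %G "$probe")
    rm -f "$probe"
    [ "$actual" = "$group" ] || { printf 'new file got group %s, not %s\n' "$actual" "$group"; return 1; }
}

# deploy_site SRC DEST
# Push a built Jekyll site (SRC, normally _site) to DEST. With -a alone,
# rsync copies the *local* mode bits verbatim, which is exactly how the
# group-read bit gets lost; --chmod rewrites them on the way in:
#   Dg+rxs  directories: group read/search plus setgid
#   Fg+r    files: group readable
#   o-rwx   nothing for "other", matching the 770 above
# --delete drops files that are no longer in the build; remove it if the
# server holds content that Jekyll does not generate.
deploy_site() {
    rsync -a --delete --chmod=Dg+rxs,Fg+r,o-rwx "${1%/}/" "$2"
}

# Usage (hostnames and paths are assumptions):
#   on the server, once, as root:   setup_webroot /srv/example.com www-data
#   from the workstation:           deploy_site _site vpschef@example.com:/srv/example.com
#   on the server, as vpschef:      verify_webroot /srv/example.com www-data
```

setup_webroot uses chgrp instead of the post's chown www-data:www-data deliberately: the owner only needs changing once, as root, while the group fix is the part a non-root deploy user can repeat; pass 2750 to keep the tree read-only for nginx. verify_webroot's last check, creating a file and reading back its group, is the one that catches a forgotten setgid bit or a deploy user who has not logged back in since being added to www-data.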

Have you had this problem, did you come up with a better solution than this?  Let us know below!