403 forbidden for AWS Beanstalk Flask static files without SSL

Question

My local machine is a virtual CeontOS-7 with a Python 2.7 virtualenv containing a Flask application directory, the structure is the following:

/var
  /www
    /myAppenv
      /myApp
        /.ebextensions
           myApp-env.config
        /.elasticbeanstalk
        application.py
        requirements.txt
        /flaskApp
          /core
            views.py
            models.py
            forms.py
          /templates
          /static

and I deploy it from /myApp using EB CLI deploy to a Beanstalk application named myApp with an environment named myApp-env.

I think the static files path is set right in /.ebextensions/myApp-env.config:

option_settings:
   "aws:elasticbeanstalk:container:python:staticfiles":
     "/static/": "flaskApp/static/"

and I can see in AWS web console-> environment-> Configurations-> Software Configuration that

StaticFiles: /static/=flaskApp/static/ 

so the path setting doesn't seem to be the cause of the problem.

So when I open the web page for my application I see the page missing css and js, since everything from static directory gets a 403 forbidden response:

GET http://myApp-dev.elasticbeanstalk.com/ [HTTP/1.1 200 OK 174ms]
GET http://myApp-dev.elasticbeanstalk.com/static/bootstrap-3.3.5-dist/js/bootstrap.min.js  [HTTP/1.1 403 Forbidden 55ms]
...

Guessing it's something about permissions, since in my local dir files are owned by my linux account (for samba reasons), then I tried to chown root and chgrp root (static dirs and files permissions are 755), but it didn't change anything. I actually don't think is anything related to firewall/selinux, by the fact that the home page is actually loading.

Does anybody know how to solve this problem?

Answer 1

I think I found the problem. I was inspecting by EB SSH just to understand what was going on and I noticed that the "ec2-user" I got logged in the AWS machine could access (running cd command) till the directory

/opt/python/current/app

but ec2-user wasn't allow to access dir

/opt/python/current/app/flaskApp

because of permissions.

While the static dirs and files contained in flaskApp yet had permissions set on 755, I noticed that flaskApp dir (which contains static dir) was 744 (that I thought would be fine). So I changed flaskApp dir permissions to 755 and it worked: now static files get loaded!

By the way I doubt this permissions set is good for production. The alternative could be to structure dirs so that static isn't a subdirectory of flaskApp dir, allowing this way to keep static dir set on 755 while having flaskApp dir set on more conservative permissions.