@iget-esoares I believe this is an nginx/php-fpm issue. Please see this thread for a possible solution: http://stackoverflow.com/questions/23390531/access-denied-403-for-php-files-with-nginx-php-fpm?answertab=active#tab-top

Closing this issue, since it is not magento related.

@mazhalai

Yes, it is an magento related problem!

I have many applications running on this machine, from Laravel to Zend applications, and this problem does not occours.

Magento 2 suggests an default nginx conf file that does not work!

Trying to follow the error.

When I try to access http://magneto/ it give me this:

NOTE: You cannot install Magento using the Setup Wizard because the Magento setup directory cannot be accessed. 
You can install Magento using either the command line or you must restore access to the following directory: /home/esoares/Code/project-community-edition/setup

Following the stack, I found this method: Magento\Framework\App\Http->redirectToSetup() that check if setupinfo is available.

The method isAvailable is:

public function isAvailable()
    {
        var_dump($this->projectRoot) // This dumps: `/home/esoares/Code/project-community-edition/pub/`

        $setupDir = $this->getDir($this->projectRoot); // If I var_dump this, i get: `/home/esoares/Code/project-community-edition/pub/setup`

        $isSubDir = false !== strpos($setupDir . '/', $this->docRoot . '/');
        return $isSubDir && realpath($setupDir);
    }

Note that this is producing wrong setup directory and root directory!

Solved:

Changed nginx.conf.sample /setup location block to:

location /setup {
    root $MAGE_ROOT;
    location ~ ^/setup/index.php {

        ### This fixes the problem:
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        ################################

        fastcgi_pass   fastcgi_backend;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }

    location ~ ^/setup/(?!pub/). {
        deny all;
    }

    location ~ ^/setup/pub/ {
        add_header X-Frame-Options "SAMEORIGIN";
    }
}

this is not required, related only to your environment.

Thanks @iget-esoares. I had the same problem with nginx.

Thanks from me too @iget-esoares. Wonder why so common problem posted only here. Lost 2 days to found fix for it. @mazhalai we need your attention, it's a BUG

@deenoize if it was a bug then 95% installations would fail... while it's only few of them, which tells me that you have to check your php cgi.fix_pathinfo variable. or even check your specific setup...

The fix for me was to update cgi.fix_pathinfo to 1 inside of my php.ini file.

@magenx sure thing, but I saw a lot of people out there who face a problem just like me. It will be nice if you add commented cgi.fix_pathinfo variable and description to nginx.conf.sample for such situations

I have a fairly basic Nginx + PHP-FPM setup, and adding this one fastcgi_split_path_info line was the difference between being able to install Magento through the wizard or not. I would recommend merging the fix into the default configuration, as it I can verify it works correctly on my debian jessie setup. It's also mentioned as a potential solution to 403 problems here: http://stackoverflow.com/questions/23390531/access-denied-403-for-php-files-with-nginx-php-fpm?answertab=active#tab-top

I found simple solution from here:
http://dltr.org/blog/magento/583/magento-2-setup-on-existing-vagrant-environment-using-browser

Had the same problem here, @iget-esoares solution fixed it for me. Setting cgi.fix_pathinfo = 0 is a common step in HowToForge guides, especially using ISPConfig.

This seems to be a php7 issue. We tested on php5 - no problem to install.
We tested with the same system and php7 replacing php5 --> same problem.

With this fix it worked.
@mazhalai Can you test on your system if you experience the same with PHP7 installed - then this should be included in the nginx.conf.sample i think.

iget-esoares solutions works under PHP7.0-fpm. Thanks!

@iget-esoares solution works. Awesome man!

@mazhalai

Can you pls consider to reopen this and also include it in next release as this is magento related!

I downloaded the lastest version 2.1, and suffer this problem.

first, thanks @iget-esoares it solved my problem
second, why magento official does not integrate this fix @magento-admin

I also had this issue. I resolved the issue by removing the content of server{} section of the default nginx.conf file, and replaced it with the suggestion in magento/nginx.conf.sample. Obviously I corrected paths, as opposed to blindly copying/pasting, so all paths are valid/correct.

Almost ONE YEAR after creating this issue, I've decided to try Magento 2 again, and I stuck on the same error, in another totally different machine (Ubuntu 16 instead of 14, brand new setup).

Again, the only fix I've found was my own fix.
I really don't understand WHY this shouldn't be merged, since many people related that it fixed for them.

Imagine many new people that want to try Magento 2, and stuck into this error? Not everyone has the know legend to fix this, or seek on github issues.

@mazhalai
@magento-admin

@iget-esoares totally agree. Do you use php7?

We found it to work without the fix on php5 but php7 need the fix.
Also i really do not understand why there is no feedback here of implementing this.

this thread just shows how many people dont know the difference between the real bug and specific environmental configuration.

I am using php7.0-fpm, and nginx running on Ubuntu 16.04. @iget-esoares's solution worked flawlessly. I have been searching for a solution to my problem for 2 days now. Thank you.

I do believe that this configuration change, while not actually a bug. Does deserve, at very least, a mention in the comments of the sample nginx configuration file.

Same problem, same fix. Thanks @iget-esoares.

The solution of @iget-esoares has fixed the issue for me also.
Thanks Iget!

Same, thanks @iget-esoares.

Hi @iget-esoares ,

Can you please help me to solve the same problem.? I'm trying the magento 2 with nginx in my local environment. I'm getting same problem when trying to call my project htttp://radianstore/setup its not loading /navigation ,/side-menu etc throwing 404. But all css and js files are loading. I have tried the fix you suggested in my /var/www/html/radianstore/nginx.conf.sample

===================

root $MAGE_ROOT/pub;
index index.php;
autoindex off;
charset UTF-8;
error_page 404 403 = /errors/404.php;

location ~* ^/setup($|/) {
    root $MAGE_ROOT;
    location ~ ^/setup/index.php {
     fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        fastcgi_pass   fastcgi_backend;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }
    location ~ ^/setup/(?!pub/). {
        deny all;
    }
    location ~ ^/setup/pub/ {
        add_header X-Frame-Options "SAMEORIGIN";
    }
}

location ~* ^/update($|/) {
    root $MAGE_ROOT;
    location ~ ^/update/index.php {
        fastcgi_split_path_info ^(/update/index.php)(/.+)$;
        fastcgi_pass   fastcgi_backend;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        fastcgi_param  PATH_INFO        $fastcgi_path_info;
        include        fastcgi_params;
    }
    location ~ ^/update/(?!pub/). {
        deny all;
    }
    location ~ ^/update/pub/ {
        add_header X-Frame-Options "SAMEORIGIN";
    }
}
location / {
    try_files $uri $uri/ /index.php?$args;
}

location /pub/ {
    location ~ ^/pub/media/(downloadable|customer|import|theme_customization/.*\.xml) {
        deny all;
    }
    alias $MAGE_ROOT/pub/;
    add_header X-Frame-Options "SAMEORIGIN";
}

location /static/ {
    location ~ ^/static/version {
        rewrite ^/static/(version\d*/)?(.*)$ /static/$2 last;
    }

    location ~* \.(ico|jpg|jpeg|png|gif|svg|js|css|swf|eot|ttf|otf|woff|woff2)$ {
        add_header Cache-Control "public";
        add_header X-Frame-Options "SAMEORIGIN";
        expires +1y;

        if (!-f $request_filename) {
            rewrite ^/static/(version\d*/)?(.*)$ /static.php?resource=$2 last;
        }
    }
    location ~* \.(zip|gz|gzip|bz2|csv|xml)$ {
        add_header Cache-Control "no-store";
        add_header X-Frame-Options "SAMEORIGIN";
        expires    off;

        if (!-f $request_filename) {
           rewrite ^/static/(version\d*/)?(.*)$ /static.php?resource=$2 last;
        }
    }
    if (!-f $request_filename) {
        rewrite ^/static/(version\d*/)?(.*)$ /static.php?resource=$2 last;
    }
    add_header X-Frame-Options "SAMEORIGIN";
}

location /media/ {
    try_files $uri $uri/ /get.php?$args;

    location ~ ^/media/theme_customization/.*\.xml {
        deny all;
    }

    location ~* \.(ico|jpg|jpeg|png|gif|svg|js|css|swf|eot|ttf|otf|woff|woff2)$ {
        add_header Cache-Control "public";
        add_header X-Frame-Options "SAMEORIGIN";
        expires +1y;
        try_files $uri $uri/ /get.php?$args;
    }
    location ~* \.(zip|gz|gzip|bz2|csv|xml)$ {
        add_header Cache-Control "no-store";
        add_header X-Frame-Options "SAMEORIGIN";
        expires    off;
        try_files $uri $uri/ /get.php?$args;
    }
    add_header X-Frame-Options "SAMEORIGIN";
}
location /media/customer/ {
    deny all;
}

location /media/downloadable/ {
    deny all;
}
location /media/import/ {
    deny all;
}

===============================================

My project hosts conf in /etc/nginx/sites-available/
file name=>radianstore [Same as my project folder name]

=====================================================

upstream fastcgi_backend {
        server  unix:/var/run/php/php7.0-fpm.sock;
}
server {

        listen 80;
        server_name localhost;
        set $MAGE_ROOT /var/www/html/radianstore;
        set $MAGE_MODE developer;
        include /var/www/html/radianstore/nginx.conf.sample;
}

========================================================
I have set the cgi.fix_pathinfo to 1 in php.ini

Regards,
Rithin

@iget-esoares worked for me like charm.
Thank you very much.

@magenx
Environment is part of the Application, thats just the modern way (DevOps) and it makes sense since

otherwise it's not really opensource.
more something simillar to some hardware manufactures who claim they do/use opensource but then put an encrypted firmware/bootloader in the "environment" that is mandatory.

And only supporting old php versions is just irresponsible in therms of security almost aiding and abetting.

i have this problem with apache server and php5.6;
setting

cgi.fix_pathinfo=0
or
cgi.fix_pathinfo=1

does not work.

In the chrome debugger network tab, i can see that an ajax request is not returning and executed again and again:
Request URL:http://localhost/setup/index.php/session/prolong

it happens in angular.js:7715

Edit:
my problem was that i had two repos in the composer.json after migration from 1.9

Thanks for the solution @iget-esoares

Magento folk, I think it's pretty clear that this is a frequent enough problem that it's something you ought to support.

@iget-esoares nice solution! Same problem.
@magenx @mazhalai Please reconsider this solution

Thanks for the solution @iget-esoares!

@daveyx solution worked for me! composer.json had 2 repos.
Thanks so much for sharing!!

@jsthomas79 you're welcome

Hello,

I stil have this issue after all this time. I managed to solve it with
cgi.fix_pathinfo=1
but the link to setup is missing
My version is ce 2.1.7

One solution that worked was (linux ubuntu operating system with apache2 server):

Access the folder
cd /etc/apache2/sites-available/

Open file as administrator
sudo nano 000-default.conf

Include the following code before finishing the tag VirtualHost
<Directory /var/www/html/>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
</Directory>

Execute the following commands
sudo a2enmod rewrite

sudo service apache2 restart

magento 2.2.1, php-fpm 7, nginx. Same problem... Only @iget-esoares's solution helps.

The same problem for magento 2.2.2 (with sample data). On my ubuntu 16.04 machine with nginx and php7.0-fpm setup.
To solve the problem, I need to do one of this:
Modify 'cgi.fix_pathinfo' to 1 in /etc/php/7.0/fpm/php.ini
or
Add this line 'fastcgi_split_path_info ^(.+?.php)(/.*)$;' just below 'location ~ ^/setup/index.php {' in the config file like @iget-esoares said.
I also add a few lines because I got 'connection timeout' error when the installation is working to install the sample data.

...
location ~ ^/setup/index.php {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    #add a few more lines to fix connection timeout error
    fastcgi_buffers 1024 4k; 
    fastcgi_read_timeout 600s; 
    fastcgi_connect_timeout 600s;
    ...

Experiencing the same problem. The fix provided by @iget-esoares is legit and should be merged into the main configuration sample that is provided by Magento.

Hello @iget-esoares

I have setup server with nginx , php 7.1.19, mysql for magento 2 environment.

I am tyring to setup magento site even trying to install simple magento 2.2.5 showing error in google dve chrome console

GET http://206.189.221.91/setup/index.php/navigation 404 (Not Found)
GET http://206.189.221.91/setup/index.php/navigation/side-menu 404 (Not Found)
GET http://206.189.221.91/setup/index.php/navigation/header-bar 404 (Not Found)

I have setup my magento.conf file on /etc/nginx/sites-available/magento

upstream fastcgi_backend {
server unix:/run/php/php7.1-fpm.sock;
}
server {

 listen 80;
 server_name magento;
 set $MAGE_MODE developer;
 set $MAGE_ROOT /var/www/html;
 include /var/www/html/nginx.conf.sample;

}

My magento root folder nginx.conf.sample file code

set $MAGE_ROOT /var/www/html;
root $MAGE_ROOT/pub;

index index.php;
autoindex off;
charset UTF-8;
error_page 404 403 = /errors/404.php;

add_header "X-UA-Compatible" "IE=Edge";

location ~* ^/setup($|/) {
#root $MAGE_ROOT;
root $MAGE_ROOT/pub;
location ~ ^/setup/index.php {
fastcgi_split_path_info ^(.+?.php)(/.*)$;
fastcgi_pass fastcgi_backend;

    fastcgi_param  PHP_FLAG  "session.auto_start=off \n suhosin.session.cryptua=off";
    fastcgi_param  PHP_VALUE "memory_limit=756M \n max_execution_time=600";
    fastcgi_read_timeout 600s;
    fastcgi_connect_timeout 600s;

    fastcgi_buffers 1024 4k; 


    fastcgi_index  index.php;
    fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
    include        fastcgi_params;
}

location ~ ^/setup/(?!pub/). {
    deny all;
}

location ~ ^/setup/pub/ {
    add_header X-Frame-Options "SAMEORIGIN";
}

}

location ~* ^/update($|/) {
root $MAGE_ROOT;

location ~ ^/update/index.php {
    fastcgi_split_path_info ^(/update/index.php)(/.+)$;
    fastcgi_pass   fastcgi_backend;
    fastcgi_index  index.php;
    fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
    fastcgi_param  PATH_INFO        $fastcgi_path_info;
    include        fastcgi_params;
}

# Deny everything but index.php
location ~ ^/update/(?!pub/). {
    deny all;
}

location ~ ^/update/pub/ {
    add_header X-Frame-Options "SAMEORIGIN";
}

}

location / {
try_files $uri $uri/ /index.php$is_args$args;
}

location /pub/ {
location ~ ^/pub/media/(downloadable|customer|import|theme_customization/.*.xml) {
deny all;
}
alias $MAGE_ROOT/pub/;
add_header X-Frame-Options "SAMEORIGIN";
}

location /static/ {
# expires max;

# Remove signature of the static files that is used to overcome the browser cache
location ~ ^/static/version {
    rewrite ^/static/(version[^/]+/)?(.*)$ /static/$2 last;
}

location ~* \.(ico|jpg|jpeg|png|gif|svg|js|css|swf|eot|ttf|otf|woff|woff2)$ {
    add_header Cache-Control "public";
    add_header X-Frame-Options "SAMEORIGIN";
    expires +1y;

    if (!-f $request_filename) {
        rewrite ^/static/?(.*)$ /static.php?resource=$1 last;
    }
}
location ~* \.(zip|gz|gzip|bz2|csv|xml)$ {
    add_header Cache-Control "no-store";
    add_header X-Frame-Options "SAMEORIGIN";
    expires    off;

    if (!-f $request_filename) {
       rewrite ^/static/?(.*)$ /static.php?resource=$1 last;
    }
}
if (!-f $request_filename) {
    rewrite ^/static/?(.*)$ /static.php?resource=$1 last;
}
add_header X-Frame-Options "SAMEORIGIN";

}

location /media/ {
try_files $uri $uri/ /get.php$is_args$args;

location ~ ^/media/theme_customization/.*\.xml {
    deny all;
}

location ~* \.(ico|jpg|jpeg|png|gif|svg|js|css|swf|eot|ttf|otf|woff|woff2)$ {
    add_header Cache-Control "public";
    add_header X-Frame-Options "SAMEORIGIN";
    expires +1y;
    try_files $uri $uri/ /get.php$is_args$args;
}
location ~* \.(zip|gz|gzip|bz2|csv|xml)$ {
    add_header Cache-Control "no-store";
    add_header X-Frame-Options "SAMEORIGIN";
    expires    off;
    try_files $uri $uri/ /get.php$is_args$args;
}
add_header X-Frame-Options "SAMEORIGIN";

}

location /media/customer/ {
deny all;
}

location /media/downloadable/ {
deny all;
}

location /media/import/ {
deny all;
}

location ~ (index|get|static|report|404|503|health_check).php$ {
try_files $uri =404;
fastcgi_pass fastcgi_backend;
fastcgi_buffers 1024 4k;

fastcgi_param  PHP_FLAG  "session.auto_start=off \n suhosin.session.cryptua=off";
fastcgi_param  PHP_VALUE "memory_limit=756M \n max_execution_time=18000";
fastcgi_read_timeout 600s;
fastcgi_connect_timeout 600s;

fastcgi_index  index.php;
fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
include        fastcgi_params;

}

gzip on;
gzip_disable "msie6";

gzip_comp_level 6;
gzip_min_length 1100;
gzip_buffers 16 8k;
gzip_proxied any;
gzip_types
text/plain
text/css
text/js
text/xml
text/javascript
application/javascript
application/x-javascript
application/json
application/xml
application/xml+rss
image/svg+xml;
gzip_vary on;

location ~* (.php$|.htaccess$|.git) {
deny all;
}

If any one can help me i would much appreciated.

@webcretatechnologies Have you checked your php.ini file? in case you're using php 7.1.x in linux, it should be in /etc/php/7.1/fpm/php.ini. What is 'cgi.fix_pathinfo' value? You can try to modify the value to 1 like my solution above.

@webcretatechnologies The original issue causes 403 responses, not 404, so I think that my fix can't help.

I really don't understand why do magento team don't fix this with so many reports. using cgi.fix_pathinfo = 0 is a recommendation from nginx itself and many other places.

Actually, the same line of code that I suggest to fix, is used in the nginx.conf.sample bundled with Magento 2 current version for the update/index.php path:

https://github.com/magento/magento2/blob/e89e9bf5ab6bc92aa0f1d8718e72437e87d682b3/nginx.conf.sample#L66

The solution provided by @iget-esoares didn't work for me, maybe because I'm running this on Vagrant/Homestead box, but what really worked for me was this:

Insert this directive after this location ~ ^/setup/index.php {
try_files $uri $uri/ /setup/index.php?$query_string;

That fixed the problem for me.

@iget-esoares thx a lot for that line, it was really tricky to fix this error.
Centos 7.6
nginx 1.15.10
Mysql 5.7.25
Magento 2.3.1
My question is : why the Magento's team didn't merge this fix with the official build ?

@Dannymx thank you. Magento 2.3.1 and Vagrant/Homestead

Solved:

Changed nginx.conf.sample /setup location block to:

location /setup {
    root $MAGE_ROOT;
    location ~ ^/setup/index.php {

        ### This fixes the problem:
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        ################################

        fastcgi_pass   fastcgi_backend;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }

    location ~ ^/setup/(?!pub/). {
        deny all;
    }

    location ~ ^/setup/pub/ {
        add_header X-Frame-Options "SAMEORIGIN";
    }
}

Worked in Ubuntu 18.04/PHP 7.2/nginx 1.14

5 years later, Magento version 2.3.4 and this issue still persists.
Thanks @iget-esoares for a solution, saved me a ton of time investigating this.

@Dannymx Thank You! It worked for Vagrant/Homestead Magento 2.3.
I am also using Homesteads' Magento "site-type" script instead of provided nginx config provided by Magento.
So it worked when i added the suggested directive into etc/nginx/sites-available/{magentoConfFile}

I have the same problem.. but this solutions was not worked for me =/