Saa*_*ood 1 nginx centos ruby-on-rails capistrano
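I am using nginx 1.6.2 with Unicorn in a Capistrano setup here. But with my current setup, nginx does not create the servers I have written in the conf files. I am sure it is a permission error with my user directory, since the conf files are located under the two Rails app directories.
My nginx file is as follows: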
```nginx
user mjp nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
    worker_connections 1024;
}
http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    sendfile on;
    #tcp_nopush on;
    keepalive_timeout 65;
    #gzip on;
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}
```
`/etc/nginx/conf.d/*.conf` is empty.
The `/etc/nginx/sites-enabled/` directory contains 2 symbolic links:
```
[mjp@centos nginx]$ ll sites-enabled/
total 4
lrwxrwxrwx. 1 root root 61 Jan 5 06:58 mjp-portal_production -> /home/mjp/apps/mjp-portal_production/shared/config/nginx.conf
lrwxrwxrwx. 1 root root 58 Jan 3 21:03 mjp-portal_staging -> /home/mjp/apps/mjp-portal_staging/shared/config/nginx.conf
```
All the permissions leading up to these conf files:
```
[mjp@centos ~]$ ll
total 4
drwxrwxr-x. 4 mjp nginx 4096 Jan 5 06:58 apps
[mjp@centos ~]$ ll apps/
total 8
drwxr-xr-x. 5 mjp nginx 4096 Jan 5 07:27 mjp-portal_production
drwxrwxr-x. 5 mjp nginx 4096 Jan 3 21:11 mjp-portal_staging
[mjp@centos ~]$ ll apps/mjp-portal_staging/
total 16
lrwxrwxrwx. 1 mjp nginx 57 Jan 3 21:11 current -> /home/mjp/apps/mjp-portal_staging/releases/20150103210756
drwxrwxr-x. 4 mjp nginx 4096 Jan 3 21:07 releases
drwxrwxr-x. 7 mjp nginx 4096 Jan 3 21:04 repo
-rwxrwxr-x. 1 mjp nginx 71 Jan 3 21:11 revisions.log
drwxrwxr-x. 9 mjp nginx 4096 Jan 3 21:05 shared
[mjp@centos ~]$ ll apps/mjp-portal_staging/shared/
total 28
drwxrwxr-x. 2 mjp nginx 4096 Jan 3 21:10 bin
drwxrwxr-x. 3 mjp nginx 4096 Jan 3 21:05 bundle
drwxrwxr-x. 2 mjp nginx 4096 Jan 5 07:46 config
drwxrwxr-x. 2 mjp nginx 4096 Jan 3 21:11 log
drwxrwxr-x. 3 mjp nginx 4096 Jan 3 21:04 public
drwxrwxr-x. 5 mjp nginx 4096 Jan 3 21:04 tmp
drwxrwxr-x. 3 mjp nginx 4096 Jan 3 21:04 vendor
[mjp@centos ~]$ ll apps/mjp-portal_staging/shared/config/
total 24
-rwxrwxr-x. 1 mjp nginx 136 Jan 3 21:03 database.example.yml
-rwxrwxr-x. 1 mjp nginx 155 Jan 3 21:06 database.yml
-rwxrwxr-x. 1 mjp nginx 188 Jan 3 21:03 log_rotation
-rwxrwxr-x. 1 mjp nginx 814 Jan 5 07:46 nginx.conf
-rwxrwxr-x. 1 mjp nginx 1996 Jan 3 21:03 unicorn_init.sh
-rwxrwxr-x. 1 mjp nginx 1327 Jan 3 21:03 unicorn.rb
```
mjp-portal_production -> /home/mjp/apps/mjp-portal_production/shared/config/nginx.conf:
```nginx
upstream unicorn1 {
    server unix:/tmp/unicorn.mjp-portal_production.sock fail_timeout=0;
}
server
{
    server_name 185.48.117.98;
    listen 8080 default;
    root /home/mjp/apps/mjp-portal_production/current/public;
    #access_log /home/mjp/apps/mjp-portal_production/shared/log/nginx_access.log;
    #error_log /home/mjp/apps/mjp-portal_production/shared/log/nginx_error.log;
    location ^~ /assets/ {
        gzip_static on;
        expires max;
        add_header Cache-Control public;
    }
    try_files $uri/index.html $uri @unicorn;
    location @unicorn {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_pass http://unicorn1;
        proxy_buffering off;
    }
    error_page 500 502 503 504 /500.html;
    client_max_body_size 4G;
    keepalive_timeout 10;
}
```
mjp-portal_staging -> /home/mjp/apps/mjp-portal_staging/shared/config/nginx.conf:
```nginx
upstream unicorn {
    server unix:/tmp/unicorn.mjp-portal_staging.sock fail_timeout=0;
}
server
{
    server_name 185.48.117.98;
    listen 8081 default;
    root /home/mjp/apps/mjp-portal_staging/current/public;
    #access_log /home/mjp/apps/mjp-portal_staging/shared/log/nginx_access.log;
    #error_log /home/mjp/apps/mjp-portal_staging/shared/log/nginx_error.log;
    location ^~ /assets/ {
        gzip_static on;
        expires max;
        add_header Cache-Control public;
    }
    try_files $uri/index.html $uri @unicorn;
    location @unicorn {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_pass http://unicorn;
        proxy_buffering off;
    }
    error_page 500 502 503 504 /500.html;
    client_max_body_size 4G;
    keepalive_timeout 10;
}
```
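Even if I set the nginx process ("worker") to `root`, nginx still cannot create the servers and start listening on them.
`netstat -anp` does not show the ports opened by nginx, in this case port 8080 and port 8081.
What am I doing wrong? All the permissions seem to be correct. Is there something else I am missing? When I put the code from those two symlinks in `/etc/nginx/conf.d/`, it does open those ports, although I get `502 bad gateway`, which makes me think it is a permission error on those app directories.
What am I doing wrong?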
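This is an SELinux problem.
When you run `sudo nginx`, it starts nginx as `unconfined_t`; when you run `sudo service nginx start`, it starts nginx as `httpd_t`.
When it is initially started with just sudo, it creates a bunch of files and initializes its state as `unconfined_t`. For example, the pid file will be in the wrong context. So when `service nginx stop` is used to kill it, `httpd_t` does not have sufficient permission to read `unconfined_t`.
You really should always start it using `service`, which will avoid this problem. To correct it, you need to relabel the stateful files that exist on the filesystem; for example, running `restorecon /var/run/nginx.pid` will correct the wrong label set on that pid file.
I am not sure whether there are other files written out when the service is created that also need correcting. You can get a list of the files that may be affected by running `ausearch -ts recent -m avc`.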
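As an added example (not part of the original answer): a small shell helper that condenses `ausearch -ts recent -m avc` output into the file names and target types denied to `httpd_t`, which gives the list of files to check with `restorecon`. The audit records below and the function names `sample_avc` and `avc_summary` are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of AVC records in ausearch format (not from the original post).
sample_avc() {
cat <<'EOF'
----
type=AVC msg=audit(1420444201.101:311): avc:  denied  { read } for  pid=2101 comm="nginx" name="nginx.pid" dev="tmpfs" ino=18231 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
type=AVC msg=audit(1420444205.412:314): avc:  denied  { read } for  pid=2140 comm="nginx" name="nginx.pid" dev="tmpfs" ino=18231 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
type=AVC msg=audit(1420444209.007:319): avc:  denied  { unlink } for  pid=2140 comm="nginx" name="nginx.pid" dev="tmpfs" ino=18231 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
type=AVC msg=audit(1420444300.550:330): avc:  denied  { write } for  pid=900 comm="ntpd" name="drift" dev="dm-0" ino=4411 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
EOF
}

# Print "count name target_type tclass perms" for denials whose source domain is $1.
avc_summary() {
  awk -v dom="$1" '
    /^type=AVC/ && / denied / {
      perm = name = sctx = tctx = tclass = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "{") {
          # Collect every permission between the braces, e.g. "read,open".
          for (j = i + 1; j <= NF && $j != "}"; j++)
            perm = perm (perm ? "," : "") $j
        } else if ($i ~ /^(name|path)=/) { name = substr($i, 6); gsub(/"/, "", name) }
        else if ($i ~ /^scontext=/) sctx = substr($i, 10)
        else if ($i ~ /^tcontext=/) tctx = substr($i, 10)
        else if ($i ~ /^tclass=/)   tclass = substr($i, 8)
      }
      split(sctx, s, ":"); split(tctx, t, ":")   # user:role:type:level
      if (s[3] != dom) next                      # keep only the requested domain
      seen[name " " t[3] " " tclass " " perm]++
    }
    END { for (k in seen) print seen[k], k }
  ' | sort
}

# On a real host: ausearch -ts recent -m avc | avc_summary httpd_t
sample_avc | avc_summary httpd_t
```
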