权限被拒绝 - nginx和uwsgi套接字

Question

好吧,我目前正在尝试使用nginx和uwsgi来提供我的django应用程序.我目前正在使用安装了uwsgi的虚拟环境.但是,我在尝试访问页面时遇到502错误的网关错误.

我遇到的错误.

2014/02/27 14:20:48 [crit] 29947#0: *20 connect() to unix:///tmp/uwsgi.sock failed (13: Permission denied) while connecting to upstream, client: 144.136.65.176, server: domainname.com.au, request: "GET /favicon.ico HTTP/1.1", upstream: "uwsgi://unix:///tmp/uwsgi.sock:", host: "www.domainname.com.au"

这是我的nginx.conf

    # mysite_nginx.conf

# the upstream component nginx needs to connect to
upstream django {
    server unix:///tmp/uwsgi.sock; # for a file socket
    #server 127.0.0.1:8001; # for a web port socket (we'll use this first)
}

# configuration of the server
server {
    # the port your site will be served on
    listen      80;
    # the domain name it will serve for
    server_name .domainname.com.au; # substitute your machine's IP address or FQDN
    charset     utf-8;

    # max upload size
    client_max_body_size 75M;   # adjust to taste

    # Django media
    location /media  {
        alias /home/deepc/media;  # your Django project's media files - amend as required
    }

    location /static {
        alias /home/deepc/static; # your Django project's static files - amend as required
    }

    # Finally, send all non-media requests to the Django server.
    location / {
        uwsgi_pass  django;
        include     /home/deepc/.virtualenvs/dcwebproj/dcweb/uwsgi_params; # the uwsgi_params file you installed
    }
}

这是我的uwsgi.ini文件

[uwsgi]
socket=/tmp/uwsgi.sock
chmod-socket=644
uid = www-data
gid = www-data

chdir=/home/deepc/.virtualenvs/dcwebproj/dcweb
module=dcweb.wsgi:application
pidfile=/home/deepc/.virtualenvs/dcwebproj/dcweb.pid
vacuum=true

从我在谷歌上看到它与www-data组和/ tmp /目录的权限问题.但是我是新手,并试图改变文件夹的权限级别无济于事.有人能指出我正确的方向吗？这是一个权限问题.

也可以将sock文件放在tmp目录中吗？

谢谢

Answer 1

我认为你只需要将你的套接字文件更改为666(使用www-data就可以了664),或者删除它并再次运行uwsgi服务器.

在我的uwsgi.ini中:

chmod-socket = 664
uid = www-data
gid = www-data

Answer 2

哇,这个问题花了我差不多一整天!

我用 uwsgi 2.0.14, nginx 1.10.1, django 1.10

总而言之,最重要的是要确保以下两个用户都rwx有权socket提交:

1. 用户nginx;
2. 用户uWSGI;

所以,你可以逐个检查它们.

首先,您可以nginx通过刷新URL 来检查Web服务器是否具有权限,例如http://192.168.201.210:8024/morning/,而不运行uwsgi.如果你看到/var/log/nginx/error.log 没有这样的文件或目录,如下所示:

2016/10/14 16:53:49 [crit] 17099#0: *19 connect() to unix:///usr/share/nginx/html/test/helloworld.sock failed (2: No such file or directory) while connecting to upstream, client: 192.168.201.140, server: belter-tuesday.com, request: "GET /morning/ HTTP/1.1", upstream: "uwsgi://unix:///usr/share/nginx/html/test/helloworld.sock:", host: "192.168.201.210:8024"

只需创建一个名为的文件helloworld.sock,然后刷新url并再次检查日志文件,如果在日志文件中看到Permission denied,如下所示:

2016/10/14 17:00:45 [crit] 17099#0: *22 connect() to unix:///usr/share/nginx/html/test/helloworld.sock failed (13: Permission denied) while connecting to upstream, client: 192.168.201.140, server: belter-tuesday.com, request: "GET /morning/ HTTP/1.1", upstream: "uwsgi://unix:///usr/share/nginx/html/test/helloworld.sock:", host: "192.168.201.210:8024"

这意味着Web服务器nginx没有读取,写入和执行的所有权限.所以你可以授予这个文件的权限:

sudo chmod 0777 helloworld.sock

然后,如果 在日志文件中看到Connection refused,请刷新url并再次检查日志文件,如下所示:

2016/10/14 17:09:28 [error] 17099#0: *25 connect() to unix:///usr/share/nginx/html/test/helloworld.sock failed (111: Connection refused) while connecting to upstream, client: 192.168.201.140, server: belter-tuesday.com, request: "GET /morning/ HTTP/1.1", upstream: "uwsgi://unix:///usr/share/nginx/html/test/helloworld.sock:", host: "192.168.201.210:8024"

这是一个好兆头,这意味着您的Web服务器从现在开始nginx拥有使用helloworld.sock文件的权限.

然后运行uwsgi并检查用户uwsgi是否有权使用helloworld.sock.首先,删除helloworld.sock我们之前创建的文件.

运行uwsgi: uwsgi --socket /usr/share/nginx/html/test/helloworld.sock --wsgi-file wsgi.py

如果你看到bind():权限被拒绝[core/socket.c第230行],则表示uwsgi没有绑定权限helloworld.sock.这是目录的问题test,即父目录helloworld.sock.

sudo chmod 0777 test/

现在,你可以uwsgi成功运行.

但也许你仍然会看到502 Bad Gateway,这太糟糕了,我整天都看到了它.如果error.log再次检查文件,您将再次看到:

2016/10/14 17:33:00 [crit] 17099#0: *28 connect() to unix:///usr/share/nginx/html/test/helloworld.sock failed (13: Permission denied) while connecting to upstream, client: 192.168.201.140, server: belter-tuesday.com, request: "GET /morning/ HTTP/1.1", upstream: "uwsgi://unix:///usr/share/nginx/html/test/helloworld.sock:", host: "192.168.201.210:8024"

怎么了？？？

检查helloworld.sock文件的细节,你可以看到:

srwxr-xr-x. 1 belter mslab       0 Oct 14 17:32 helloworld.sock

uWSGI755自动提供此文件权限.

您可以添加--chmod-socket以下内容进行更改:

uwsgi --socket /usr/share/nginx/html/test/helloworld.sock --wsgi-file wsgi.py --chmod-socket=777

好!最后,你可以看到:

带走消息:

1. uwsgi_params 文件的位置并不重要;
2. 由于我的nginx用户和uwsgi用户不一样,甚至不在同一组,所以我需要给予其父级dir的777许可;helloworld.socktest/
3. 如果您将helloworld.sock文件放在主目录中,您将始终获得权限被拒绝.
4. 您需要设置socket文件路径的两个位置,一个在nginx conf文件中,对我来说是这样helloworld_nginx.conf; 一,当你运行uwsgi.
5. 检查SELinux

这是我的helloworld_nginx.conf档案:

# helloworld_nginx.conf
upstream django {
    server unix:///usr/share/nginx/html/test/helloworld.sock; # for a file socket
    # server 127.0.0.1:5902; # for a web port socket (we'll use this first)
}

# configuration of the server
server {
    # the port your site will be served on
    listen      8024;
    # the domain name it will serve for
    server_name .belter-tuesday.com; # substitute your machine's IP address or FQDN
    charset     utf-8;

    # max upload size
    client_max_body_size 75M;   # adjust to taste

    # Finally, send all non-media requests to the Django server.
    location /morning {
        include     uwsgi_params;
        uwsgi_pass  django;
    }
}

Answer 3

在CentOS上,我尝试了所有这些东西,但它仍然没有用.最后,我发现了这篇文章:

https://www.nginx.com/blog/nginx-se-linux-changes-upgrading-rhel-6-6/

对于开发机器,我们只需运行:

semanage permissive -a httpd_t

但对于真正的生产服务器,我还没想到.您可能需要尝试上面文章中描述的其他内容.

Answer 4

这花了我很多时间来查找权限问题。当然，问题出在权限上。默认用户是nginx。我做了什么：在/etc/nginx/nginx.conf更改用户中：

user  www-data;

接下来将您的用户加入 www-data 组：

usermod -a -G www-data yourusername

接下来设置uwsgi：

[uwsgi]
uid = yourusername
gid = www-data
chmod-socket = 660

然后重启nginx：

sudo systemctl restart nginx

最后重新启动uwsgi。