(13:权限被拒绝)连接上游时:[nginx]

Question

我正在使用nginx和gunicorn配置django项目.当我gunicorn mysite.wsgi:application --bind=127.0.0.1:8001在nginx服务器中访问我的端口时,我在错误日志文件中收到以下错误.

server {
    listen 8080;
    server_name localhost;
    access_log  /var/log/nginx/example.log;
    error_log /var/log/nginx/example.error.log;

    location / {
        proxy_pass http://127.0.0.1:8001;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $http_host;
    }
}

我的"http://127.0.0.1:8001/"档案

server {
    listen 8080;
    server_name localhost;
    access_log  /var/log/nginx/example.log;
    error_log /var/log/nginx/example.error.log;

    location / {
        proxy_pass http://127.0.0.1:8001;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $http_host;
    }
}

在我得到的html页面中nginx.conf.

我做错了什么？

Answer 1

我有类似的问题让Fedora 20,Nginx,Node.js和Ghost(博客)工作.事实证明我的问题是由于SELinux.

这应该解决问题:

setsebool -P httpd_can_network_connect 1

细节

我检查了SELinux日志中的错误:

sudo cat /var/log/audit/audit.log | grep nginx | grep denied

并发现运行以下命令修复了我的问题:

sudo cat /var/log/audit/audit.log | grep nginx | grep denied | audit2allow -M mynginx
sudo semodule -i mynginx.pp

参考文献:

http://blog.frag-gustav.de/2013/07/21/nginx-selinux-me-mad/

https://wiki.gentoo.org/wiki/SELinux/Tutorials/Where_to_find_SELinux_permission_denial_details

http://wiki.gentoo.org/wiki/SELinux/Tutorials/Managing_network_port_labels

http://www.linuxproblems.org/wiki/Selinux

Answer 2

我也遇到过这个问题.另一个解决方案是切换httpd网络连接的SELinux布尔值on(Nginx使用httpd标签).

setsebool httpd_can_network_connect on

要使更改保持不变,请使用-P标志.

setsebool httpd_can_network_connect on -P

您可以看到httpd使用的所有SELinux布尔值列表

getsebool -a | grep httpd

Answer 3

在Centos 7上遇到了类似的问题.当我尝试应用Sorin规定的解决方案时,我开始在周期中移动.首先,我获得了{write}拒绝的许可.然后,当我解决了我的权限{connectto}被拒绝.然后再回到权限{write}被拒绝.

在@Sid上面回答使用getsebool -a | grep httpd和切换它们检查标志后,我发现除了httpd_can_network_connect关闭之外.http_anon_write也被关闭导致权限被拒绝写入和权限被拒绝{connectto}

type=AVC msg=audit(1501830505.174:799183): avc:  
denied  { write } for  pid=12144 comm="nginx" name="myroject.sock" 
dev="dm-2" ino=134718735 scontext=system_u:system_r:httpd_t:s0 
tcontext=system_u:object_r:default_t:s0 tclass=sock_file

使用sudo cat /var/log/audit/audit.log获取 grep nginx | 如上所述,grep被拒绝了.

所以我一次解决了一个,一次一个地切换标志.

setsebool httpd_can_network_connect on -P

然后运行@sorin和@Joseph指定的命令

sudo cat /var/log/audit/audit.log | grep nginx | grep denied | 
audit2allow -M mynginx
sudo semodule -i mynginx.pp

基本上你可以检查在setsebool上设置的权限,并将其与从grepp'ing'audit.log nginx获得的错误相关联,否认

Answer 4

我已经通过运行我的nginx解决了我的问题,因为我现在的工作用户是nginx.conf.By默认用户nginx.conf在我nginx.conf的nginx.conf文件中.我们可以在文件顶部找到该行.

user nginx; # Default Nginx user

将此更改为您当前的工作用户名,如

user mulagala; # Custom Nginx user (as username of the current logged in user)

Answer 5

1. 签入用户/etc/nginx/nginx.conf
2. 将所有权更改为用户。

sudo chown -R nginx:nginx /var/lib/nginx

Answer 6

如果在 nginx 上的 api 网关代理传递的 centos api url 上抛出“502 Bad Gateway”错误，请运行以下命令来解决问题

sudo setsebool -P httpd_can_network_connect 1

Answer 7

1. 首先看看被拒绝的内容：

sudo cat /var/log/audit/audit.log | grep nginx | grep denied

type=AVC msg=audit(1618940614.934:38415): avc:  denied  { connectto } for
pid=18016 comm="nginx" path="/home/deployer/project/tmp/sockets/puma.sock" scontext=system_u:system_r:httpd_t:s0
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=unix_stream_socket permissive=1

2. 就我而言，它对 CentOS7 有帮助：

sudo setenforce 0

setsebool httpd_can_network_connect on -P
setsebool httpd_can_network_relay on -P

可以看到启用了什么之后：

getsebool -a | grep httpd

httpd_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_connect_ftp --> off
httpd_can_connect_ldap --> off
httpd_can_connect_mythtv --> off
httpd_can_connect_zabbix --> off
httpd_can_network_connect --> on
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> on
httpd_can_network_memcache --> off
httpd_can_network_relay --> on
httpd_can_sendmail --> off
httpd_dbus_avahi --> off
httpd_dbus_sssd --> off
httpd_dontaudit_search_dirs --> off
httpd_enable_cgi --> off
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_graceful_shutdown --> on
httpd_manage_ipa --> off
httpd_mod_auth_ntlm_winbind --> off
httpd_mod_auth_pam --> off
httpd_read_user_content --> off
httpd_run_ipa --> off
httpd_run_preupgrade --> off
httpd_run_stickshift --> off
httpd_serve_cobbler_files --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_sys_script_anon_write --> off
httpd_tmp_exec --> off
httpd_tty_comm --> off
httpd_unified --> off
httpd_use_cifs --> off
httpd_use_fusefs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
httpd_use_openstack --> off
httpd_use_sasl --> off
httpd_verify_dns --> off

Answer 8

我遇到过同样的问题。我尝试了运行以下命令的 @joebarbere 解决方案，它解决了问题，但我担心安全性

setsebool -P httpd_can_network_relay 1

然后我遇到了以下解决方案

https://serverfault.com/questions/634294/nodejs-nginx-error-13-permission-denied-while-connecting-to-upstream

我使用的是非标准端口，而 SELinux 阻止了该端口。使用以下命令检查端口是否允许

sudo semanage port --list | grep 4343

并将端口添加到允许列表中

sudo semanage port --add --type http_port_t --proto tcp 4343

我重启了nginx服务，然后url就可以访问了。我认为这更安全。