Nginx 无法以正确的权限连接到 uWSGI 套接字

Question

我正在尝试将 Nginx 连接到 uWSGI，以便我可以运行用 Ruby 编写的应用程序（我无法使用乘客）。这是我的虚拟主机配置：

server {    
        listen unix:/var/run/nginx/redmine.sock;
        root /var/www/redmine/public;

        location / {
                try_files $uri @uwsgi;
        }

        location @uwsgi {
                include uwsgi_params;
                uwsgi_pass unix:/var/run/uwsgi/redmine.sock;
        }
}

很简单，我试着找一个静态文件，否​​则我传递给 uwsgi 监听 unix socket。这对我来说是“坏网关”的 502 错误。我去阅读错误日志，我有以下内容：

2014/09/09 20:08:56 [crit] 20922#0: *29484 connect() to unix:/var/run/uwsgi/redmine.sock failed (13: Permission denied) while connecting to upstream, client: unix:, server: , request: "GET /redmine HTTP/1.0", upstream: "uwsgi://unix:/var/run/uwsgi/redmine.sock:", host: "localhost"

但是我很确定我已经将 uWSGI 配置为使用 Nginx 所做的相同用户：

user nginx;

和

[uwsgi]
socket = /var/run/uwsgi/redmine.sock
chdir = /var/www/redmine
rails = .
plugins = 0:rack_ruby20
rack = config.ru
idle = 3600

chmod-socket = 660
chown-socket = nginx:nginx
uid = nginx
gid = nginx

插座是：

fenix ~ # ls -lh /var/run/uwsgi/redmine.sock 
srw-rw---- 1 nginx nginx 0 Set  9 20:08 /var/run/uwsgi/redmine.sock

所以 Nginx 甚至不能读写它拥有的套接字？这是什么意思？我不知道该怎么做。

我还注意到，即使套接字权限为 777，Nginx 也无法工作。

Answer 1

我有一个类似的权限问题，这是 SELinux 没有让 nginx 写入套接字的策略的结果

您可以通过查看 SELinux AVC 消息audit2why -al以查看错误的更多详细信息，类似于

type=AVC msg=audit(1414460265.454:2612): avc:  denied  { connectto } for  pid=22107 comm="nginx" path="/tmp/uwsgi.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
Was caused by:
    Missing type enforcement (TE) allow rule.

    You can use audit2allow to generate a loadable module to allow this access.

要为 nginx 添加强制策略，首先通过运行来确认强制策略

> grep nginx /var/log/audit/audit.log | audit2allow -m nginx

您应该会看到类似于以下内容的输出

module nginx 1.0;

require {
    type unconfined_t;
    type httpd_t;
    type home_root_t;
    type soundd_port_t;
    class sock_file write;
    class unix_stream_socket connectto;
    class tcp_socket name_connect;
}

#============= httpd_t ==============

#!!!! This avc is allowed in the current policy
allow httpd_t home_root_t:sock_file write;

#!!!! This avc is allowed in the current policy
allow httpd_t soundd_port_t:tcp_socket name_connect;
allow httpd_t unconfined_t:unix_stream_socket connectto;

最后，您通过运行加载自定义策略

> grep nginx /var/log/audit/audit.log | audit2allow -M nginx
> semodule -i nginx.pp