Wsgi nginx error: permission denied when connecting to upstream
StackOverflow seems to have a lot of questions about this, but unfortunately nothing worked for me.
I get 502 bad gateways on nginx and in the logs: connect() to ...myproject.sock failed (13: Permission denied) while connecting to upstream
I run uwsgi and nginx on Ubuntu and I am following this tutorial from Digital Ocean. I seem to have set up uwsgi correctly, as uwsgi -s myproject.sock --http 0.0.0.0:8000 --module app --callable app worked, but I get permission denied from nginx all the time and I have no idea why:
Following this question and this other one, I modified the .ini file and added the options chown-socket, chmod-socket, uid and gid (also just tried to set the first two, or, or, and a couple of different permission settings - and even the most permissive mode does not work).
This seemed promising, but I don't believe selinux is installed on my Ubuntu (running sudo apt-get remove selinux gives "Package 'selinux' not installed, so it doesn't uninstall" and find / -name "selinux" doesn't show anything). Just in case, however, I tried using this post. Uninstalling apparmor (sudo apt-get install apparmor) did not work either.
Every time I make a change, I run sudo service nginx restart, but I only see a 502 Bad Gateway error (and permission denied when reading the logs).
This is my nginx config file:
server {
    listen 80;
    server_name 104.131.110.156;
    location / {
        include uwsgi_params;
        uwsgi_pass unix:/home/user/myproject/web_server/myproject.sock;
    }
}
The .conf file:
description "uWSGI server instance configured to serve myproject"
start on runlevel [2345]
stop on runlevel [!2345]
setuid user
setgid www-data
env PATH=/root/.virtualenvs/my-env/bin
chdir /home/user/myproject/web_server
exec uwsgi --ini /home/user/myproject/web_server/myproject.ini
The .ini file:
[uwsgi]
module = wsgi
master = true
processes = 5
socket = /home/user/myproject/web_server/myproject.sock
chown-socket=www-data:www-data
chmod-socket = 664
uid = www-data
gid = www-data
vacuum = true
die-on-term = true
(If it helps, these are the specs of my Digital Ocean machine: Linux 3.13.0-43-generic #72-Ubuntu SMP Mon Dec 8 19:35:06 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux)
Please let me know if there is anything I can do and thanks a lot.
I also followed this tutorial and faced the same problem. After some trial and error, the following steps got me running uWSGI and nginx successfully:
My nginx.config file:
server {
    listen 80;
    server_name localhost;
    location / { try_files $uri @yourapplication; }
    location @yourapplication {
        include uwsgi_params;
        uwsgi_pass unix:/PATH_TO_PROJECT/PROJECT.sock;
    }
}
My .ini file didn't work very well, so I decided to use uWSGI's extended arguments. This is what I used:
uwsgi -s /PATH_TO_PROJECT/PROJECT.sock -w wsgi:app -H /PATH_TO_PROJECT/venv --http-processes=4 --chmod-socket=666 --master &
Where:
-s /PATH_TO_PROJECT/PROJECT.sock = location of my .sock file
-w wsgi:app = location of my wsgi.py file, and app is the name of my Flask object
-H /PATH_TO_PROJECT/venv = location of my virtual environment
--http-processes=4 = number of HTTP processes for uWSGI to create
--chmod-socket=666 = permissions to set on the socket
--master = allow uWSGI to run with the master process manager
& = run uWSGI in the background
Hope this helps!
(13: Permission Denied)
This indicates that Nginx was unable to connect to the uWSGI socket due to permission issues. This usually happens when the socket is created in a restricted environment or if the permissions were incorrect. While the uWSGI process is able to create the socket file, Nginx cannot access it.
This can happen if there are limited permissions at any point between the root directory (/) and the socket file. We can see the permissions and ownership of the socket file and each of its parent directories by passing the absolute path to our socket file to the namei command:
namei -nom /PATH_TO_YOUR_SOCKET_FILE/YOUR_SOCKET.sock
The result should be similar to this (your case may have a different folder name)
f: /run/uwsgi/firstsite.sock
drwxr-xr-x root root /
drwxr-xr-x root root run
drwxr-xr-x sammy www-data uwsgi
srw-rw---- sammy www-data firstsite.sock
The output displays the permissions for each of the directory components. By looking at the permissions (first column), owner (second column), and group owner (third column), we can figure out what type of access is allowed for the socket file.
In the above example, each of the directories leading to the socket file has world read and execute permissions (the directory permissions column ends with r-x instead of ---). The www-data group has group ownership of the socket itself. With these settings, the Nginx process should be able to access the socket successfully.
If any of the directories leading to the socket do not belong to the www-data group or have world read/execute permission, Nginx will not be able to access the socket. This usually means that the configuration files are in error.
So, you can fix this problem by granting all rights to the top folder with this command:
chmod 755 directory_name
I know it's late, but to help others get around the problem faster, I posted this answer. Hope this helps, good luck.
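The path check described in the answer above, as an added example that is not part of the original answers: this Python sketch walks from / down to the socket, as namei -nom does, and reports whether a given uid and group set has search (x) permission on every directory and write (w) permission on the socket itself, which is what connect() on a Unix domain socket requires on Linux. The function names, the temporary directory layout and the stand-in uid are constructed for illustration; only mode bits are evaluated, so ACLs, SELinux and AppArmor are outside its scope.

```python
import os
import pwd
import stat
import tempfile

def identity(user):
    """(uid, set of group ids) for an account name such as www-data."""
    pw = pwd.getpwnam(user)
    return pw.pw_uid, set(os.getgrouplist(user, pw.pw_gid))

def allowed(st, uid, gids, want):
    """Mode-bit check: owner bits if uid owns it, else group bits, else other."""
    if uid == 0:  # root bypasses mode bits
        return True
    shift = 6 if st.st_uid == uid else 3 if st.st_gid in gids else 0
    return ((st.st_mode >> shift) & want) == want

def audit_socket_path(sock_path, uid, gids):
    """Return [(path, mode, ok)] for each component from / down to the socket.
    Directories need search (x); the socket needs write (w), which is what
    connect() on a Unix domain socket requires on Linux.
    """
    chain = [os.path.abspath(sock_path)]
    while os.path.dirname(chain[-1]) != chain[-1]:
        chain.append(os.path.dirname(chain[-1]))
    report = []
    for p in reversed(chain):
        st = os.stat(p)
        want = 0o1 if stat.S_ISDIR(st.st_mode) else 0o2
        report.append((p, stat.filemode(st.st_mode), allowed(st, uid, gids, want)))
    return report

def first_blocker(sock_path, uid, gids):
    """First component the identity cannot pass, or None if the path is open."""
    return next((p for p, _, ok in audit_socket_path(sock_path, uid, gids) if not ok), None)

if __name__ == "__main__":
    # Constructed layout (not from the page): <tmp>/web_server/myproject.sock
    base = tempfile.mkdtemp()
    proj = os.path.join(base, "web_server")
    os.mkdir(proj)
    sock = os.path.join(proj, "myproject.sock")
    open(sock, "w").close()      # regular file standing in for the socket
    for p, m in ((base, 0o755), (proj, 0o700), (sock, 0o664)):
        os.chmod(p, m)
    stranger = os.getuid() + 1   # hypothetical uid sharing no group with the owner
    for p, mode, ok in audit_socket_path(sock, stranger, set()):
        print(mode, "ok     " if ok else "BLOCKED", p)
    print("first blocker:", first_blocker(sock, stranger, set()))
```

On a real host, run it with enough privilege to stat every component and pass the nginx worker's identity, for example audit_socket_path(path, *identity("www-data")).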
To summarize what others have said to resolve the access denied error in nginx (which you can look at in /var/log/nginx/error.log), it usually happens because of the following:
- you are writing the .sock file in a place where nginx has no rights
- SELinux is causing the problem
For solution 1: First, don't write the .sock file in /tmp, as suggested in this Server Fault answer, because different services see a different /tmp in Fedora. You can write it somewhere else, for example ~/myproject/mysocket.sock. The nginx user needs to be able to access our application directory in order to access the socket file. By default, CentOS locks down each user's home directory very restrictively, so we'll add the nginx user to our user group so that we can open the minimum permissions needed to grant access.
You can add the nginx user to your group using the following command. Replace the username in the command with your own username:
sudo usermod -a -G $USER nginx
Now we can give our user group execute permissions in our home directory. This will allow the Nginx process to enter and access content within:
chmod 710 /path/to/project/dir
If the permission denied error still exists, the hack sudo setenforce 0 will do it.