Wsgi nginx error: permission denied when connecting to upstream

StackOverflow seems to have a lot of questions about this, but unfortunately nothing worked for me.

I get 502 bad gateways on nginx and in the logs: connect() to ...myproject.sock failed (13: Permission denied) while connecting to upstream

I run wsgi and nginx on ubuntu, and I am following this tutorial from Digital Ocean. I seem to have set up wsgi correctly, as uwsgi -s myproject.sock --http 0.0.0.0:8000 --module app --callable app worked, but I get permission denied all the time with nginx and I have no idea why:

Following this question and this other one, I modified the .ini file and added the options chown-socket, chmod-socket, uid and gid (I also tried setting just the first two, or, or, and a couple of different permission settings, and even the most permissive mode does not work).

This seemed promising, but I don't believe selinux is installed on my Ubuntu (running sudo apt-get remove selinux gives "Package 'selinux' is not installed, so not removed" and find / -name "selinux" doesn't show anything). Just in case, however, I tried using this post. Uninstalling apparmor (sudo apt-get install apparmor) did not work either.

Every time I make a change, I run sudo service nginx restart, but I only see a 502 Bad Gateway error (and permission denied when reading the logs).

This is my nginx config file:

server {
    listen 80;
    server_name 104.131.110.156;

    location / {
        include uwsgi_params;
        uwsgi_pass unix:/home/user/myproject/web_server/myproject.sock;
    }
}

      

.conf file:

description "uWSGI server instance configured to serve myproject"

start on runlevel [2345]
stop on runlevel [!2345]

setuid user
setgid www-data

env PATH=/root/.virtualenvs/my-env/bin
chdir /home/user/myproject/web_server
exec uwsgi --ini /home/user/myproject/web_server/myproject.ini

      

.ini file:

[uwsgi]
module = wsgi

master = true
processes = 5

socket = /home/user/myproject/web_server/myproject.sock
chown-socket=www-data:www-data
chmod-socket = 664
uid = www-data
gid = www-data

vacuum = true
die-on-term = true

      

(If it helps, these are the specs of my Digital Ocean machine: Linux 3.13.0-43-generic #72-Ubuntu SMP Mon Dec 8 19:35:06 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux)

Please let me know if there is anything I can do and thanks a lot.

+5




8 answers


I also followed this tutorial and faced the same problem. After some trial and error, the following steps got me running uWSGI and nginx successfully:

My nginx.config file:

server {
    listen 80;
    server_name localhost;

    location / { try_files $uri @yourapplication; }
    location @yourapplication {
        include uwsgi_params;
        uwsgi_pass unix:/PATH_TO_PROJECT/PROJECT.sock;
    }
}

      

My .ini file didn't work very well, so I decided to use uWSGI's extended arguments. This is what I used:

uwsgi -s /PATH_TO_PROJECT/PROJECT.sock -w wsgi:app -H /PATH_TO_PROJECT/venv --http-processes=4 --chmod-socket=666 --master &

Where:

-s /PATH_TO_PROJECT/PROJECT.sock = location of my .sock file

-w wsgi:app = location of my wsgi.py file, and app is the name of my Flask object

-H /PATH_TO_PROJECT/venv = location of my virtual environment

--http-processes=4 = number of HTTP processes for uWSGI to create

--chmod-socket=666 = permissions to set on the socket

--master = allow uWSGI to run with the master process manager

& = run uWSGI in the background

Hope this helps!

+7




Path: unix:/PATH_TO_PROJECT/PROJECT.sock should be put in /tmp, this fixed my problem.



+6




After following all the recommendations in this thread, I was still getting permission errors. Finally, the missing item was fixing the nginx user in the file /etc/nginx/nginx.conf:

# old: user  nginx;
user  www-data;

      

+4




(13: Permission Denied)

This indicates that Nginx was unable to connect to the uWSGI socket due to permission issues. This usually happens when the socket is created in a restricted environment or if the permissions were incorrect. Although the uWSGI process is able to create the socket file, Nginx cannot access it.

This can happen if there are limited permissions at any point between the root directory (/) and the socket file. We can see the permissions and ownership of the socket file and each of its parent directories by passing the absolute path to our socket file to the namei command:

namei -nom /PATH_TO_YOUR_SOCKET_FILE/YOUR_SOCKET.sock

      

The result should be similar to this (your case may have a different folder name)

f: /run/uwsgi/firstsite.sock
 drwxr-xr-x root  root     /
 drwxr-xr-x root  root     run
 drwxr-xr-x sammy www-data uwsgi
 srw-rw---- sammy www-data firstsite.sock

      

The output displays the permissions for each of the directory components. By looking at the permissions (first column), owner (second column), and group owner (third column), we can figure out what type of access is allowed for the socket file.

In the above example, each of the directories leading to the socket file has world read and execute permissions (the directory permissions column ends with r-x instead of ---). The www-data group has group ownership of the socket itself. With these settings, the Nginx process should be able to access the socket successfully.

If any of the directories leading to the socket are not owned by the www-data group or do not have world read and execute permissions, Nginx will not be able to access the socket. This usually means that the configuration files are in error.

So you fix this problem by granting all rights to the top folder with this command:

chmod 755 directory_name

      

I know it's late, but to help others get around the problem faster, I posted this answer. Hope this helps, good luck.

+4




If you've tested all the permissions and it still doesn't work, it is possible that SELinux is enabled, which will lead to the same behavior.

Run getenforce, and if the result is Enforcing, it is not helping.

The quick fix is to disable it with setenforce 0, but a reboot is required.

+1




To summarize what others have said to resolve the access denied error in nginx (which you can look at in /var/log/nginx/error.log), it usually happens because of the following:

  1. you are writing the .sock file in a place where nginx has no rights
  2. SELinux is causing the problem

For solution 1: First, don't write the .sock file in /tmp, as suggested here (Server Fault answer), because different services see a different /tmp in Fedora. You can write it somewhere else, for example ~/myproject/mysocket.sock. The nginx user needs to be able to access our application directory in order to access the socket file. By default, CentOS locks down each user's home directory very restrictively, so we'll add the nginx user to our user group so that we can open the minimum permissions needed to grant access.

You can add the nginx user to your group using the following command. Replace username in the command with your own username:

sudo usermod -a -G $USER nginx

      

Now we can give our user group execute permissions in our home directory. This will allow the Nginx process to enter and access content within:

chmod 710 /path/to/project/dir

If the permission denied error still exists, the sudo setenforce 0 hack will do it.

+1
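An added example, not part of any answer on this page: the check that the namei answer does by eye, and that the usermod and chmod 710 answer relies on, written as a Python function that walks from / to the socket and reports the first component whose mode bits deny a given user. The names first_denial and applicable_bits are made up here, and only classic owner/group/other bits are evaluated (no ACLs, SELinux or AppArmor).

```python
import os
import pwd
import stat
import sys

X, W = 1, 2  # search (execute) and write bits inside one rwx triplet


def applicable_bits(st, uid, gids):
    """Return the rwx triplet the kernel applies: owner, else group, else other."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7


def first_denial(sock_path, uid, gids, root="/"):
    """Return (path, mode, missing_bit) for the first component between root
    and the socket that blocks uid/gids, or None when mode bits allow access."""
    if uid == 0:
        return None  # root is not subject to mode-bit checks
    sock_path, root = os.path.abspath(sock_path), os.path.abspath(root)
    parts = os.path.relpath(sock_path, root).split(os.sep)
    steps, current = [(root, X)], root
    for i, part in enumerate(parts):
        current = os.path.join(current, part)
        # every directory needs search (x); connect() needs write on the socket
        steps.append((current, W if i == len(parts) - 1 else X))
    for path, need in steps:
        st = os.stat(path)
        if not applicable_bits(st, uid, gids) & need:
            return path, stat.filemode(st.st_mode), "w" if need == W else "x"
    return None


if __name__ == "__main__":
    # usage (script name is arbitrary): python3 sockcheck.py /path/to/app.sock www-data
    sock, user = sys.argv[1], sys.argv[2]
    pw = pwd.getpwnam(user)
    gids = set(os.getgrouplist(user, pw.pw_gid))
    print(first_denial(sock, pw.pw_uid, gids) or "mode bits allow access")
```

Run it with the user named on the user line of /etc/nginx/nginx.conf; a result pointing at a home directory with mode drwx------ is the case the chmod 710 step addresses.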




This can happen if the www-data user might not have permission to create new sockets in the given path, so use the root user. Change the user from www-data to root in nginx.conf:

ex:

#nginx.conf
#user www-data;
user root;
worker_processes auto;
pid /var/run/nginx.pid;
.............

      

0




Check the user field in the first line of the nginx.conf file. By default, this is www-data. Change it to the root username in the nginx.conf file if you are logged in as root.

0








