Nginx can't access a uWSGI unix socket on CentOS 7


Problem description

I have configured uWSGI to serve my Django app on a unix socket, and Nginx as a proxy to this socket. The server is running CentOS 7. I think I have configured Nginx so that it has permission to read and write to uWSGI's socket, but I'm still getting a permission denied error. Why can't Nginx access the uWSGI socket on CentOS 7?

[uwsgi]
socket=/socket/uwsgi.sock
virtualenv=/home/site/virtsite/
chdir=/home/site/wsgitest/
module=wsgitest.wsgi:application
vhost = true
master=True
workers=8
chmod-socket=666
pidfile=/home/site/wsgitest/uwsgi-master.pid
max-requests=5000
chown-socket=nginx:nginx
uid = nginx
gid = nginx
listen.owner = nginx
listen.group = nginx

server {
    listen 80;

    location / {
        uwsgi_pass unix:///home/site/wsgitest/uwsgi.sock;
        include uwsgi_params;
    }
}

uwsgi --ini uwsgi.ini (as root)

ls -l /home/site/wsgitest/uwsgi.sock
srwxrwxrwx. 1 nginx nginx 0 Oct 13 10:05 uwsgi.sock

2014/10/12 19:01:44 [crit] 19365#0: *10 connect() to unix:///socket/uwsgi.sock failed (13: Permission denied) while connecting to upstream, client: 2.191.102.217, server: , request: "GET / HTTP/1.1", upstream: "uwsgi://unix:///socket/uwsgi.sock:", host: "179.227.126.222"

Recommended answer

The Nginx and uWSGI configurations are correct. The problem is that SELinux denied Nginx access to the socket. This results in a generic access denied error in Nginx's log. The important messages are actually in SELinux's audit log.

# show the new rules to be generated
grep nginx /var/log/audit/audit.log | audit2allow

# show the full rules to be applied
grep nginx /var/log/audit/audit.log | audit2allow -m nginx

# generate the rules to be applied
grep nginx /var/log/audit/audit.log | audit2allow -M nginx

# apply the rules
semodule -i nginx.pp

You may need to generate the rules multiple times, trying to access the site after each pass, since the first SELinux error might not be the only one that can be generated. Always inspect the policy that audit2allow suggests creating.

These steps were taken from this blog post which contains more details about how to investigate and what output you'll get.
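
To support the advice above about inspecting what audit2allow will turn into policy, this added example (not part of the original answer) lists each distinct denial recorded for the nginx process, matching on `comm="nginx"` rather than on any line containing the string. The function names and the sample audit records are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials logged for nginx so each one
# can be reviewed before audit2allow -M turns it into an allow rule.

# Prints one line per distinct denial: count { perms } class source -> target.
# Reads the files given as arguments, or stdin when there are none.
summarize_nginx_avc() {
    awk '
    # Return the value of key=value in the current record, or "?" if absent.
    function val(key,    i) {
        for (i = 1; i <= NF; i++)
            if (index($i, key "=") == 1)
                return substr($i, length(key) + 2)
        return "?"
    }
    # Only denials raised by the nginx process itself, not every line
    # that happens to contain the string "nginx".
    /^type=AVC / && / denied / && /comm="nginx"/ {
        perms = $0
        sub(/^[^{]*[{] */, "", perms)   # drop everything up to "{ "
        sub(/ *[}].*$/, "", perms)      # drop " }" and the rest
        seen[perms "|" val("tclass") "|" val("scontext") "|" val("tcontext")]++
    }
    END {
        for (k in seen) {
            split(k, p, "|")
            printf "%d { %s } %s %s -> %s\n", seen[k], p[1], p[2], p[3], p[4]
        }
    }' "$@" | sort -rn
}

# Constructed sample audit records (not taken from the original question).
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1413140504.101:411): avc:  denied  { write } for  pid=19365 comm="nginx" name="uwsgi.sock" dev="dm-0" ino=201 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1413140504.101:411): arch=c000003e syscall=42 success=no exit=-13 comm="nginx" exe="/usr/sbin/nginx" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1413140510.207:415): avc:  denied  { write } for  pid=19365 comm="nginx" name="uwsgi.sock" dev="dm-0" ino=201 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=sock_file
type=AVC msg=audit(1413140611.003:420): avc:  denied  { connectto } for  pid=19365 comm="nginx" path="/socket/uwsgi.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1413140700.550:431): avc:  denied  { read } for  pid=2040 comm="logrotate" name="nginx" dev="dm-0" ino=310 scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
EOF
}

sample_audit_log | summarize_nginx_avc
```

On a real host, `summarize_nginx_avc /var/log/audit/audit.log` gives the same summary, and each line should correspond to an allow rule you expect to see in the `audit2allow -m nginx` output.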
