Nginx+uWsgi+Django 'Permission denied while connecting to upstream' (socket)

Problem description

I've seen a lot of questions on SO regarding this topic and I've tried out as many methods as I could but it still isn't solving the issue for me so I'm hoping this post might be helpful.

I'm following the tutorial from this site to set up Django on Nginx with uWSGI: http://www.oliverelliott.org/article/computing/tut_setup_nginx_django/

uwsgi.ini file

[uwsgi]
chdir=/home/ec2-user/project/awssite
module=awssite.wsgi
home=/home/ec2-user/project
master=true
processes=2
socket=/home/ec2-user/project/awssite/awssite.socket
chmod-socket=666
vacuum=true

etc/nginx/sites-enabled/awssite_nginx.conf

upstream django {
    server unix:///home/ec2-user/project/awssite/awssite.socket;
}
server {
    listen          8080;
    server_name     localhost;
    charset utf-8;

    #max upload size
    client_max_body_size 75M;

    #Django media
    location /media {
            alias /home/ec2-user/project/awssite/awssite/media;
    }

    location /static {
            alias /home/ec2-user/project/awssite/awssite/static; 
    }

    location /favicon.ico {
            log_not_found off;
    }

    location / {
            uwsgi_pass django;
            include /home/ec2-user/project/awssite/uwsgi_params;
    }
}

This is the error code in /var/log/nginx/error.log

2016/02/15 01:21:22 [crit] 22159#0: *3 connect() to unix:///home/ec2-user/project/awssite/awssite.socket failed (13: Permission denied) while connecting to upstream, client: CLIENT_IP, server: localhost, request: "GET /menu/ HTTP/1.1", upstream: "uwsgi://unix:///home/ec2-user/project/awssite/awssite.socket:", host: "HOST_IP:8080"

Note: CLIENT_IP & HOST_IP are ip address values.

These are what I have tried and not worked:
1. chmod 755 home directory and running uwsgi --socket awssite.socket --module awssite.wsgi --chmod-socket=666

2. Adding user nginx to my user group and running uwsgi --socket awssite.socket --module awssite.wsgi --chmod-socket=664

3. change ini file by adding these new lines
chown-socket=ec2-user:nginx
uid=nginx
gid=nginx
and then running uwsgi --ini uwsgi.ini. This returns with 'Permission denied for chown' but when I run the command with sudo, I get sudo: uwsgi: command not found (uWSGI is installed system-wide)

4. Put all the files in a different directory (outside of user ec2-user) but that does not allow me to access them unless I run as root and even then it does not work

5. running uwsgi --socket awssite.socket --module awssite.wsgi --chmod-socket=664/666 with parameters --uid nginx --gid nginx --chown-socket=nginx:nginx Note: 664/666 meaning I tried both permissions

6. Renamed nginx.conf.default and nginx.conf.rpmnew files (so that the only conf file for nginx to read off is nginx.conf)

Could someone please shed some light on how I may resolve this issue? I will continue to add on methods that I've tried and not worked on this question while I work on it. Thanks :)

EDIT: Thanks to @GwynBleidD answer, I finally got it working. This is what works:

kept my socket file in /tmp
etc/nginx/sites-enabled/awssite_nginx.conf

upstream django {
    server unix:///tmp/djangosocket/awssite.socket;
}
....

uwsgi.ini file

[uwsgi]
chdir=/home/ec2-user/project/awssite
module=awssite.wsgi
home=/home/ec2-user/project
master=true
processes=2
socket=/tmp/djangosocket/awssite.socket
chmod-socket=666
vacuum=true

I added my ec2-user (logged in user) to group nginx.
I changed the file permissions accordingly
chown -R ec2-user:nginx djangosocket
chmod g+rwx djangosocket

Solution

If your nginx server can't access the uWSGI socket, try to fulfill the following steps:

  1. Don't put your socket in the home directory of any user in your system, especially root! Some unix operating systems block access to a home directory by default for anyone except the owner of that directory and root. Adding the nginx user to the private group of that user (on most systems, each user has its own main group) can help with that, but it will almost never work for root.

  2. Check which user and group your nginx server (or any other http server that you're using) runs as. Sometimes it is www-data, sometimes nginx, sometimes something else. When creating the socket, make sure that the username matches the username the uWSGI server runs as and the group name matches the group uWSGI runs as (or you can swap it).

  3. Check that your socket's permissions are at least 660. There is no need to give permissions to it for anyone, so don't do that.

  4. Check that both your nginx and uWSGI have permission to access the directory in which the socket is put, and all parent directories.

A good place for your socket's file is the /var/run directory (for some systems it is /run or both). It is most often mounted as a ramdisk (tmpfs) and it is writable for anyone in the system, so every user can create sockets here (and access them). If it's for some reason not accessible in your system, you can also try the /tmp directory.

If you're also serving static files directly from nginx from your home directory, consider adding nginx to your personal group, so it will have read access to your home directory and static files.
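
The checks in steps 3 and 4 above, written out as a script (an added example, not part of the original answer): it walks every directory from / down to the socket and applies the owner/group/other mode bits for a given uid and group set, and it also flags a world-writable socket such as one created with chmod-socket=666. The function names and the constructed temporary layout are assumptions for illustration.

```python
import os
import stat
import tempfile

def effective_bits(st, uid, gids):
    """rwx bits (0-7) that apply to this uid/gid set: owner, else group, else other."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def audit_socket_path(sock_path, uid, gids):
    """Return (path, problem) findings for a web-server identity connecting to sock_path.

    Mode bits only: ACLs, MAC policy and root's override are not modelled.
    """
    findings = []
    sock_path = os.path.abspath(sock_path)
    current = "/"
    for name in [""] + sock_path.strip("/").split("/")[:-1]:
        current = os.path.join(current, name)
        # Traversing a directory needs the search (x) bit on it.
        if not effective_bits(os.stat(current), uid, gids) & 1:
            findings.append((current, "directory not searchable"))
    st = os.stat(sock_path)
    # connect() on a Unix socket needs write permission on the socket file.
    if not effective_bits(st, uid, gids) & 2:
        findings.append((sock_path, "socket not writable"))
    if st.st_mode & stat.S_IWOTH:
        findings.append((sock_path, "socket is world-writable"))
    return findings

if __name__ == "__main__":
    # Constructed layout: a private 0700 directory holding a 0666 socket file,
    # like the question's home-directory setup. A plain file stands in for the socket.
    base = tempfile.mkdtemp()
    sock = os.path.join(base, "awssite.socket")
    open(sock, "w").close()
    os.chmod(sock, 0o666)
    web_uid = os.getuid() + 1000          # constructed: some other, non-owner uid
    for path, problem in audit_socket_path(sock, web_uid, set()):
        print(f"{path}: {problem}")
```

For a real deployment, pass the uid from `pwd.getpwnam()` and the groups from `os.getgrouplist()` for whichever account nginx runs as.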
