Question

正如标题所说，我在运行centos 7的服务器上部署了一个烧瓶api。我尝试了关于DigitalOcean的this指南，但有一些细微差别。一个是我使用conda而不是pip作为我的包管理器。当我设置了所有内容时，如下所述，并尝试从另一台机器连接，我得到502 Bad Gateway（错误日志在本文末尾提供）。这是我的第一个gunicorn / nginx部署，所以欢迎任何帮助或sugestions。我试图查看类似的帖子，但收效甚微。

这是我到目前为止所做的工作

我已将项目放在/home/apps/myproject...，我的conda也安装在/home/apps/anaconda3...。

我看起来像这样的系统服务单元文件

/etc/systemd/system/myproject.service

[Unit]
Description=Gunicorn instance to serve myproject
After=network.target

[Service]
User=apps
Group=nginx
WorkingDirectory=/home/apps/myproject
Environment="PATH=/home/apps/anaconda3/envs/myproject/bin"
ExecStart=/home/apps/anaconda3/envs/myproject/bin/gunicorn --workers 3 --bind unix:myproject.sock -m 007 wsgi

[Install]
WantedBy=multi-user.target

当我创建这个时，我启动了服务

sudo systemctl start myproject
sudo systemctl enable myproject

我修改了我的nginx配置文件后看起来像这样

/etc/nginx/nginx.conf

# For more information on configuration, see:
#   * Official English Documentation: http://nginx.org/en/docs/
#   * Official Russian Documentation: http://nginx.org/ru/docs/

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;

    server {
        listen 80;
        server_name xx.xxx.xxx.xx;

        location / {
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_pass http://unix:/home/apps/myproject/myproject.sock;
        }
    }

    server {
        listen       80 default_server;
        listen       [::]:80 default_server;
        server_name  _;
        root         /usr/share/nginx/html;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
        }

        error_page 404 /404.html;
            location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }

# Settings for a TLS enabled server.
#
#    server {
#        listen       443 ssl http2 default_server;
#        listen       [::]:443 ssl http2 default_server;
#        server_name  _;
#        root         /usr/share/nginx/html;
#
#        ssl_certificate "/etc/pki/nginx/server.crt";
#        ssl_certificate_key "/etc/pki/nginx/private/server.key";
#        ssl_session_cache shared:SSL:1m;
#        ssl_session_timeout  10m;
#        ssl_ciphers HIGH:!aNULL:!MD5;
#        ssl_prefer_server_ciphers on;
#
#        # Load configuration files for the default server block.
#        include /etc/nginx/default.d/*.conf;
#
#        location / {
#        }
#
#        error_page 404 /404.html;
#            location = /40x.html {
#        }
#
#        error_page 500 502 503 504 /50x.html;
#            location = /50x.html {
#        }
#    }

}

我根据guid

更改权限

sudo usermod -a -G apps nginx
chmod 710 /home/apps

开始使用nginx服务

sudo systemctl start nginx
sudo systemctl enable nginx

并运行这些命令以允许在http和https

上进行交通

sudo firewall-cmd --permanent --zone=public --add-service=http 
sudo firewall-cmd --permanent --zone=public --add-service=https
sudo firewall-cmd --reload

当我现在尝试在另一台机器上公开访问服务器时，我得到502 Bad Gateway。我试过了

sudo cat /var/log/audit/audit.log | grep nginx | grep denied | audit2allow -M mynginx
sudo semodule -i mynginx.pp

根据多个帖子的建议，例如： here，但这些变化没有帮助。我得到以下内容：

/var/log/nginx/error.log

2016/11/29 08:49:25 [crit] 55119#0: *8 connect() to unix:/home/apps/myproject/myproject.sock failed (13: Permission denied) while connecting to upstream, client: yyy.yy.yyy.yyy, server: xx.xx.xxx.xx, request: "GET / HTTP/1.1", upstream: "http://unix:/home/apps/myproject/myproject.sock:/", host: "xx.xx.xxx.xx"
2016/11/29 08:49:25 [crit] 55119#0: *8 connect() to unix:/home/apps/myproject/myproject.sock failed (13: Permission denied) while connecting to upstream, client: yyy.yy.yyy.yyy, server: xx.xx.xxx.xx, request: "GET /favicon.ico HTTP/1.1", upstream: "http://unix:/home/apps/myproject/myproject.sock:/favicon.ico", host: "xx.xx.xxx.xx", referrer: "http://xx.xx.xxx.xx/"

cat /var/log/audit/audit.log | grep nginx | grep denied

type=AVC msg=audit(1480345112.140:161350): avc:  denied  { search } for  pid=40475 comm="nginx" name="apps" dev="dm-2" ino=1207960576 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1480345125.819:161351): avc:  denied  { search } for  pid=40475 comm="nginx" name="apps" dev="dm-2" ino=1207960576 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1480345399.544:161714): avc:  denied  { search } for  pid=40475 comm="nginx" name="apps" dev="dm-2" ino=1207960576 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1480345399.691:161715): avc:  denied  { search } for  pid=40475 comm="nginx" name="apps" dev="dm-2" ino=1207960576 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1480345405.091:161716): avc:  denied  { search } for  pid=40475 comm="nginx" name="apps" dev="dm-2" ino=1207960576 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1480345405.183:161717): avc:  denied  { search } for  pid=40475 comm="nginx" name="apps" dev="dm-2" ino=1207960576 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1480345441.732:161721): avc:  denied  { search } for  pid=40475 comm="nginx" name="apps" dev="dm-2" ino=1207960576 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1480345441.842:161722): avc:  denied  { search } for  pid=40475 comm="nginx" name="apps" dev="dm-2" ino=1207960576 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1480345576.952:161729): avc:  denied  { search } for  pid=40475 comm="nginx" name="apps" dev="dm-2" ino=1207960576 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1480345577.064:161730): avc:  denied  { search } for  pid=40475 comm="nginx" name="apps" dev="dm-2" ino=1207960576 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1480346023.191:161731): avc:  denied  { search } for  pid=40475 comm="nginx" name="apps" dev="dm-2" ino=1207960576 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1480346023.301:161732): avc:  denied  { search } for  pid=40475 comm="nginx" name="apps" dev="dm-2" ino=1207960576 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1480346190.944:161733): avc:  denied  { search } for  pid=40475 comm="nginx" name="apps" dev="dm-2" ino=1207960576 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1480346191.056:161734): avc:  denied  { search } for  pid=40475 comm="nginx" name="apps" dev="dm-2" ino=1207960576 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1480347303.258:161771): avc:  denied  { search } for  pid=40475 comm="nginx" name="myproject" dev="dm-2" ino=805842944 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1480347303.431:161772): avc:  denied  { search } for  pid=40475 comm="nginx" name="myproject" dev="dm-2" ino=805842944 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1480347325.749:161776): avc:  denied  { search } for  pid=41569 comm="nginx" name="myproject" dev="dm-2" ino=805842944 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1480347325.843:161777): avc:  denied  { search } for  pid=41569 comm="nginx" name="myproject" dev="dm-2" ino=805842944 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1480347355.366:161783): avc:  denied  { search } for  pid=41605 comm="nginx" name="myproject" dev="dm-2" ino=805842944 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1480347355.518:161784): avc:  denied  { search } for  pid=41605 comm="nginx" name="myproject" dev="dm-2" ino=805842944 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1480347357.792:161785): avc:  denied  { search } for  pid=41605 comm="nginx" name="myproject" dev="dm-2" ino=805842944 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1480347357.890:161786): avc:  denied  { search } for  pid=41605 comm="nginx" name="myproject" dev="dm-2" ino=805842944 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1480347892.301:161796): avc:  denied  { search } for  pid=41764 comm="nginx" name="myproject" dev="dm-2" ino=805842944 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1480347892.417:161797): avc:  denied  { search } for  pid=41764 comm="nginx" name="myproject" dev="dm-2" ino=805842944 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1480403397.905:166856): avc:  denied  { search } for  pid=41764 comm="nginx" name="myproject" dev="dm-2" ino=805842944 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1480403398.043:166857): avc:  denied  { search } for  pid=41764 comm="nginx" name="myproject" dev="dm-2" ino=805842944 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1480404482.896:166913): avc:  denied  { search } for  pid=41764 comm="nginx" name="myproject" dev="dm-2" ino=805842944 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1480404482.988:166914): avc:  denied  { search } for  pid=41764 comm="nginx" name="myproject" dev="dm-2" ino=805842944 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1480404733.790:166933): avc:  denied  { write } for  pid=55119 comm="nginx" name="myproject.sock" dev="dm-2" ino=805843006 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=sock_file
type=AVC msg=audit(1480404733.898:166934): avc:  denied  { write } for  pid=55119 comm="nginx" name="myproject.sock" dev="dm-2" ino=805843006 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=sock_file
type=AVC msg=audit(1480404806.283:166935): avc:  denied  { write } for  pid=55119 comm="nginx" name="myproject.sock" dev="dm-2" ino=805843006 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=sock_file
type=AVC msg=audit(1480404806.376:166936): avc:  denied  { write } for  pid=55119 comm="nginx" name="myproject.sock" dev="dm-2" ino=805843006 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=sock_file
type=AVC msg=audit(1480405765.395:167002): avc:  denied  { write } for  pid=55119 comm="nginx" name="myproject.sock" dev="dm-2" ino=805843006 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=sock_file
type=AVC msg=audit(1480405765.507:167003): avc:  denied  { write } for  pid=55119 comm="nginx" name="myproject.sock" dev="dm-2" ino=805843006 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=sock_file

你们中是否有人知道这可能意味着什么，如何解决它。

Answer 1

经过一番戏弄后，我厌倦了许可错误。

我最终决定将gunicorn绑定到http://127.0.0.1:8000，如：

[Unit]
Description=Gunicorn instance to serve myproject
After=network.target

[Service]
User=apps
Group=nginx
WorkingDirectory=/home/apps/myproject
Environment="PATH=/home/apps/anaconda3/envs/myproject/bin"

# Old
ExecStart=/home/apps/anaconda3/envs/myproject/bin/gunicorn --workers 3 --bind unix:myproject.sock -m 007 wsgi

# New
ExecStart=/home/apps/anaconda3/envs/myproject/bin/gunicorn --workers 3 --bind 127.0.0.1 -m 007 wsgi

[Install]
WantedBy=multi-user.target

并改变

proxy_pass http://unix:/home/apps/myproject/myproject.sock;

到

proxy_pass http://127.0.0.1:8000;

在我的nginx配置

中

糟糕的网关502 - 在centos 7上使用gunicorn nginx部署Flask（python 3.5.2）

1 个答案: