Nginx无法访问CentOS 7上的uWSGI unix套接字

时间:2014-10-13 07:02:57

标签: sockets nginx uwsgi selinux

我已将uWSGI配置为在unix套接字上提供我的Django应用程序,并将Nginx配置为此套接字的代理。服务器正在运行CentOS 7.我想我已经配置了Nginx,因此它有权读取和写入uWSGI的套接字,但我仍然得到一个权限被拒绝错误。为什么Nginx无法访问CentOS 7上的uWSGI套接字?

[uwsgi]
socket=/socket/uwsgi.sock
virtualenv=/home/site/virtsite/
chdir=/home/site/wsgitest/
module=wsgitest.wsgi:application
vhost = true
master=True
workers=8
chmod-socket=666
pidfile=/home/site/wsgitest/uwsgi-master.pid
max-requests=5000
chown-socket=nginx:nginx
uid = nginx
gid = nginx
listen.owner = nginx
listen.group = nginx
server {
    listen 80;

    location / {
        uwsgi_pass unix:///home/site/wsgitest/uwsgi.sock;
        include uwsgi_params;
    }
}
uwsgi --ini uwsgi.ini (as root)

ls -l /home/site/wsgitest/uwsgi.sock
srwxrwxrwx. 1 nginx nginx 0 Oct 13 10:05 uwsgi.sock
2014/10/12 19:01:44 [crit] 19365#0: *10 connect() to unix:///socket/uwsgi.sock failed (13: Permission denied) while connecting to upstream, client: 2.191.102.217, server: , request: "GET / HTTP/1.1", upstream: "uwsgi://unix:///socket/uwsgi.sock:", host: "179.227.126.222"

3 个答案:

答案 0 :(得分:15)

Nginx和uWSGI配置是正确的。问题是SELinux拒绝Nginx访问套接字。这导致Nginx的日志中出现通用访问被拒绝错误。重要的消息实际上在SELinux的审计日志中。

# show the new rules to be generated
grep nginx /var/log/audit/audit.log | audit2allow

# show the full rules to be applied
grep nginx /var/log/audit/audit.log | audit2allow -m nginx

# generate the rules to be applied
grep nginx /var/log/audit/audit.log | audit2allow -M nginx

# apply the rules
semodule -i nginx.pp

您可能需要多次生成规则,尝试在每次传递后访问该站点,因为第一个SELinux错误可能不是唯一可以生成的错误。始终检查audit2allow建议创建的政策。

这些步骤取自this blog post,其中包含有关如何调查以及您将获得的输出的详细信息。

答案 1 :(得分:1)

使用uid和gid用户配置uwsgi.ini。

#uwsgi.ini
uid = nginx
gid = nginx

此致

答案 2 :(得分:0)

我希望我能发表评论:( 除了unix套接字路径

之外,一切看起来都很好
unix:///socket/uwsgi.sock failed (2: No such file or directory)

Docs说它只有一个斜杠

uwsgi_pass unix:/tmp/uwsgi.socket;