我已将uWSGI配置为在unix套接字上提供我的Django应用程序,并将Nginx配置为此套接字的代理。服务器正在运行CentOS 7.我想我已经配置了Nginx,因此它有权读取和写入uWSGI的套接字,但我仍然得到一个权限被拒绝错误。为什么Nginx无法访问CentOS 7上的uWSGI套接字?
[uwsgi]
socket=/socket/uwsgi.sock
virtualenv=/home/site/virtsite/
chdir=/home/site/wsgitest/
module=wsgitest.wsgi:application
vhost = true
master=True
workers=8
chmod-socket=666
pidfile=/home/site/wsgitest/uwsgi-master.pid
max-requests=5000
chown-socket=nginx:nginx
uid = nginx
gid = nginx
listen.owner = nginx
listen.group = nginx
server {
listen 80;
location / {
uwsgi_pass unix:///home/site/wsgitest/uwsgi.sock;
include uwsgi_params;
}
}
uwsgi --ini uwsgi.ini (as root)
ls -l /home/site/wsgitest/uwsgi.sock
srwxrwxrwx. 1 nginx nginx 0 Oct 13 10:05 uwsgi.sock
2014/10/12 19:01:44 [crit] 19365#0: *10 connect() to unix:///socket/uwsgi.sock failed (13: Permission denied) while connecting to upstream, client: 2.191.102.217, server: , request: "GET / HTTP/1.1", upstream: "uwsgi://unix:///socket/uwsgi.sock:", host: "179.227.126.222"
答案 0 :(得分:15)
Nginx和uWSGI配置是正确的。问题是SELinux拒绝Nginx访问套接字。这导致Nginx的日志中出现通用访问被拒绝错误。重要的消息实际上在SELinux的审计日志中。
# show the new rules to be generated
grep nginx /var/log/audit/audit.log | audit2allow
# show the full rules to be applied
grep nginx /var/log/audit/audit.log | audit2allow -m nginx
# generate the rules to be applied
grep nginx /var/log/audit/audit.log | audit2allow -M nginx
# apply the rules
semodule -i nginx.pp
您可能需要多次生成规则,尝试在每次传递后访问该站点,因为第一个SELinux错误可能不是唯一可以生成的错误。始终检查audit2allow建议创建的政策。
这些步骤取自this blog post,其中包含有关如何调查以及您将获得的输出的详细信息。
答案 1 :(得分:1)
使用uid和gid用户配置uwsgi.ini。
#uwsgi.ini
uid = nginx
gid = nginx
此致
答案 2 :(得分:0)
我希望我能发表评论:( 除了unix套接字路径
之外,一切看起来都很好unix:///socket/uwsgi.sock failed (2: No such file or directory)
Docs说它只有一个斜杠
uwsgi_pass unix:/tmp/uwsgi.socket;