Nginx 无法以正确的权限连接到 uWSGI 套接字

tag-icon tag-icon nginx sockets
Nginx 无法以正确的权限连接到 uWSGI 套接字

我正在尝试将 Nginx 连接到 uWSGI,以便可以运行用 Ruby 编写的应用程序(我无法使用 Passenger)。这是我的虚拟主机配置:

server {    
        listen unix:/var/run/nginx/redmine.sock;
        root /var/www/redmine/public;

        location / {
                try_files $uri @uwsgi;
        }

        location @uwsgi {
                include uwsgi_params;
                uwsgi_pass unix:/var/run/uwsgi/redmine.sock;
        }
}

这很简单,我尝试找到一个静态文件,否​​则我会传递给 uwsgi 监听 unix 套接字。这对我来说是一个“坏网关”的 502 错误。我去阅读错误日志,得到了以下内容:

2014/09/09 20:08:56 [crit] 20922#0: *29484 connect() to unix:/var/run/uwsgi/redmine.sock failed (13: Permission denied) while connecting to upstream, client: unix:, server: , request: "GET /redmine HTTP/1.0", upstream: "uwsgi://unix:/var/run/uwsgi/redmine.sock:", host: "localhost"

但我很确定我已经将 uWSGI 配置为使用与 Nginx 相同的用户:

user nginx;


[uwsgi]
socket = /var/run/uwsgi/redmine.sock
chdir = /var/www/redmine
rails = .
plugins = 0:rack_ruby20
rack = config.ru
idle = 3600

chmod-socket = 660
chown-socket = nginx:nginx
uid = nginx
gid = nginx

并且插座是:

fenix ~ # ls -lh /var/run/uwsgi/redmine.sock 
srw-rw---- 1 nginx nginx 0 Set  9 20:08 /var/run/uwsgi/redmine.sock

那么 Nginx 甚至无法读取和写入它拥有的套接字?这是什么意思?我不知道该怎么做。

我还注意到,即使套接字权限为 777,Nginx 也无法工作。

答案1

我遇到了类似的权限问题,这是因为 SELinux 没有为 nginx 制定写入套接字的策略

您可以通过以下方式检查 SELinux AVC 消息,audit2why -al以查看错误的更多详细信息,如下所示

type=AVC msg=audit(1414460265.454:2612): avc:  denied  { connectto } for  pid=22107 comm="nginx" path="/tmp/uwsgi.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
Was caused by:
    Missing type enforcement (TE) allow rule.

    You can use audit2allow to generate a loadable module to allow this access.

要添加 nginx 的执行策略,首先通过运行以下命令确认执行策略:

> grep nginx /var/log/audit/audit.log | audit2allow -m nginx

您应该看到类似如下的输出

module nginx 1.0;

require {
    type unconfined_t;
    type httpd_t;
    type home_root_t;
    type soundd_port_t;
    class sock_file write;
    class unix_stream_socket connectto;
    class tcp_socket name_connect;
}

#============= httpd_t ==============

#!!!! This avc is allowed in the current policy
allow httpd_t home_root_t:sock_file write;

#!!!! This avc is allowed in the current policy
allow httpd_t soundd_port_t:tcp_socket name_connect;
allow httpd_t unconfined_t:unix_stream_socket connectto;

最后,通过运行来加载自定义策略

> grep nginx /var/log/audit/audit.log | audit2allow -M nginx
> semodule -i nginx.pp

相关内容