我正在尝试使用 Nginx 和 Unicorn 设置我的 Rails 应用程序。
Nginx 在访问我的 Rails 应用程序的根 URL 时抛出以下错误:
2 月 14 日 23:39:42 servercentos7 python[5604]: SELinux 阻止 /usr/sbin/nginx 对 sock_file /var/www/amily_photo/shared/tmp/sockets/unicorn.sock 进行写访问。
***** Plugin catchall (100. confidence) suggests ************************** If you believe that nginx should be allowed write access on the unicorn.sock sock_file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep nginx /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp
我已经执行了错误报告中提到的两个命令,但是没有起作用
grep nginx /var/log/audit/audit.log | audit2allow -M mypol
semodule -i mypol.pp
nginx.conf:
worker_processes 1;
user root root; # for systems with a "nogroup"
# Feel free to change all paths to suite your needs here, of course
pid /tmp/nginx.pid;
error_log /tmp/nginx.error.log;
events {
worker_connections 1024; # increase if you have lots of clients
accept_mutex off; # "on" if nginx worker_processes > 1
# use epoll; # enable for Linux 2.6+
# use kqueue; # enable for FreeBSD, OSX
}
http {
# nginx will find this file in the config directory set at nginx build time
include mime.types;
# fallback in case we can't determine a type
default_type application/octet-stream;
# click tracking!
access_log /tmp/nginx.access.log combined;
sendfile on;
tcp_nopush on; # off may be better for *some* Comet/long-poll stuff
tcp_nodelay off; # on may be better for some Comet/long-poll stuff
gzip on;
gzip_http_version 1.0;
gzip_proxied any;
gzip_min_length 500;
gzip_disable "MSIE [1-6]\.";
gzip_types text/plain text/html text/xml text/css
text/comma-separated-values
text/javascript application/x-javascript
application/atom+xml;
include /etc/nginx/sites-enabled/*;
##########################################################
# Catch all requests to server ip so just hitting the ip
# won't render anything.
##########################################################
server {
listen 80 default;
server_name everythingelse;
# Everything is a 404
location / {
return 404;
}
}
}
应用程序的 Nginx 配置:
##############################################################
# Upstream must have unique name and unique socket. #
# The socket must match what is in the app's unicorn.rb file #
##############################################################
upstream amily_photo_server {
server unix:/tmp/unicorn_amily_photo.sock fail_timeout=0;
}
##############################
# Server configs go here #
##############################
server {
listen 80;
client_max_body_size 4G;
server_name XN--80AA1ABXAPNQ1A.XN--P1AI;
keepalive_timeout 5;
#########################################################
# This should go to the public folder of your rails app #
#########################################################
root /var/www/amily_photo/current/public;
try_files $uri/index.html $uri.html $uri @app;
location @amily_photo_server {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
#############################################
# This should be http://upstream; with the #
# upstream specified above. #
#############################################
proxy_pass http://amily_photo_server;
}
error_page 500 502 503 504 /500.html;
location = /500.html {
#########################################################
# This should go to the public folder of your rails app #
#########################################################
root /var/www/amily_photo/current/public;
}
}
这些帖子没有帮助:
我不知道该怎么做…
请帮忙。
答案1
要检查 SELinux 中是否存在这种情况,您可以禁用它
sudo setenforce 0
但关闭它并不安全,当你重新启动时问题会再次出现
很好的详细文章https://nts.strzibny.name/allowing-nginx-to-use-a-pumaunicorn-unix-socket-with-selinux/
简而言之,您需要执行命令并将输出保存到 nginx.te 文件中
sudo grep nginx /var/log/audit/audit.log | audit2allow -m nginx
module nginx 1.0;
require {
type httpd_t;
type initrc_t;
class unix_stream_socket connectto;
}
#============= httpd_t ==============
allow httpd_t initrc_t:unix_stream_socket connectto;
然后检查、编译并减去
sudo checkmodule -M -m -o nginx.mod nginx.te
sudo semodule_package -o nginx.pp -m nginx.mod
sudo semodule -i nginx.pp