NGINX permissions: "sudo nginx" vs "sudo service nginx start"

I am using nginx 1.6.2 and Unicorn here in a capistrano setup. But with my current setup, nginx does not create the servers I wrote in the conf file. I am sure this is a permission error on my user directory, because the conf files are located under the two rails app directories.

My nginx file is as follows:

user  mjp nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                  '$status $body_bytes_sent "$http_referer" '
                  '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}

/etc/nginx/conf.d/*.conf is empty.

The /etc/nginx/sites-enabled/ directory contains 2 symlinks:

[mjp@centos nginx]$ ll sites-enabled/
total 4
lrwxrwxrwx. 1 root root 61 Jan  5 06:58 mjp-portal_production -> /home/mjp/apps/mjp-portal_production/shared/config/nginx.conf
lrwxrwxrwx. 1 root root 58 Jan  3 21:03 mjp-portal_staging -> /home/mjp/apps/mjp-portal_staging/shared/config/nginx.conf

All the permissions leading to those files:

[mjp@centos ~]$ ll
total 4
drwxrwxr-x. 4 mjp nginx 4096 Jan  5 06:58 apps

[mjp@centos ~]$ ll apps/
total 8
drwxr-xr-x. 5 mjp nginx 4096 Jan  5 07:27 mjp-portal_production
drwxrwxr-x. 5 mjp nginx 4096 Jan  3 21:11 mjp-portal_staging


[mjp@centos ~]$ ll apps/mjp-portal_staging/
total 16
lrwxrwxrwx. 1 mjp nginx   57 Jan  3 21:11 current -> /home/mjp/apps/mjp-portal_staging/releases/20150103210756
drwxrwxr-x. 4 mjp nginx 4096 Jan  3 21:07 releases
drwxrwxr-x. 7 mjp nginx 4096 Jan  3 21:04 repo
-rwxrwxr-x. 1 mjp nginx   71 Jan  3 21:11 revisions.log
drwxrwxr-x. 9 mjp nginx 4096 Jan  3 21:05 shared


[mjp@centos ~]$ ll apps/mjp-portal_staging/shared/
total 28
drwxrwxr-x. 2 mjp nginx 4096 Jan  3 21:10 bin
drwxrwxr-x. 3 mjp nginx 4096 Jan  3 21:05 bundle
drwxrwxr-x. 2 mjp nginx 4096 Jan  5 07:46 config
drwxrwxr-x. 2 mjp nginx 4096 Jan  3 21:11 log
drwxrwxr-x. 3 mjp nginx 4096 Jan  3 21:04 public
drwxrwxr-x. 5 mjp nginx 4096 Jan  3 21:04 tmp
drwxrwxr-x. 3 mjp nginx 4096 Jan  3 21:04 vendor

[mjp@centos ~]$ ll apps/mjp-portal_staging/shared/config/
total 24
-rwxrwxr-x. 1 mjp nginx  136 Jan  3 21:03 database.example.yml
-rwxrwxr-x. 1 mjp nginx  155 Jan  3 21:06 database.yml
-rwxrwxr-x. 1 mjp nginx  188 Jan  3 21:03 log_rotation
-rwxrwxr-x. 1 mjp nginx  814 Jan  5 07:46 nginx.conf
-rwxrwxr-x. 1 mjp nginx 1996 Jan  3 21:03 unicorn_init.sh
-rwxrwxr-x. 1 mjp nginx 1327 Jan  3 21:03 unicorn.rb

mjp-portal_production -> /home/mjp/apps/mjp-portal_production/shared/config/nginx.conf

upstream unicorn1 {
  server unix:/tmp/unicorn.mjp-portal_production.sock fail_timeout=0;
}

server
{
  server_name 185.48.117.98;
  listen 8080 default;
  root /home/mjp/apps/mjp-portal_production/current/public;

  #access_log /home/mjp/apps/mjp-portal_production/shared/log/nginx_access.log;
  #error_log  /home/mjp/apps/mjp-portal_production/shared/log/nginx_error.log;

  location ^~ /assets/ {
    gzip_static on;
    expires max;
    add_header Cache-Control public;
  }

  try_files $uri/index.html $uri @unicorn;
  location @unicorn {
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_redirect off;
    proxy_pass http://unicorn1;
    proxy_buffering off;
  }

  error_page 500 502 503 504 /500.html;
  client_max_body_size 4G;
  keepalive_timeout 10;
}

mjp-portal_staging -> /home/mjp/apps/mjp-portal_staging/shared/config/nginx.conf

upstream unicorn {
  server unix:/tmp/unicorn.mjp-portal_staging.sock fail_timeout=0;
}

server
{
  server_name 185.48.117.98;
  listen 8081 default;
  root /home/mjp/apps/mjp-portal_staging/current/public;

  #access_log /home/mjp/apps/mjp-portal_staging/shared/log/nginx_access.log;
  #error_log  /home/mjp/apps/mjp-portal_staging/shared/log/nginx_error.log;

  location ^~ /assets/ {
    gzip_static on;
    expires max;
    add_header Cache-Control public;
  }

  try_files $uri/index.html $uri @unicorn;
  location @unicorn {
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_redirect off;
    proxy_pass http://unicorn;
    proxy_buffering off;
  }

  error_page 500 502 503 504 /500.html;
  client_max_body_size 4G;
  keepalive_timeout 10;
}

Even if I set the nginx process ("worker") to run as root, nginx still cannot create the servers and start listening on them.

netstat -anp does not show any ports opened by nginx, in this case port 8080 and port 8081.

What am I doing wrong? All the permissions seem to be correct. Is there something else I am missing? When I put the code from these two symlinks into /etc/nginx/conf.d/ it does open those ports, although I get a "502 bad gateway", which makes me think it is a permission error in those app directories.

What exactly am I doing wrong?

Answer 1

This is a selinux issue.

When you run "sudo nginx", nginx starts as unconfined_t; when you run "sudo service nginx start", it starts as httpd_t.

If it is initially started with just sudo, it creates a bunch of files and initializes its state as unconfined_t. The pid file, for example, will have the wrong context. So when it is later stopped with "service nginx stop", httpd_t does not have sufficient permissions to read the files written by unconfined_t.

You really should always start it using service, which will avoid this problem. To correct the issue you need to relabel the state files that exist on the filesystem; for example, running "restorecon /var/run/nginx.pid" will correct the wrong label set on that pid file.

I am not sure whether there are other files that need correcting when the service is started. You can get a list of what those files might be with "ausearch -ts recent -m avc".

Answer 2

Some additional information for those who want to expand their selinux knowledge a bit and debug selinux issues:

https://www.nginx.com/blog/nginx-se-linux-changes-upgrading-rhel-6-6/

Summary

Debugging SElinux permission problems:

  1. Set permissive mode (it reports the security breaches in audit.log and lets the actions go through)
  2. Check audit.log (for centos, and probably the whole RH family, /var/log/audit/audit.log)
  3. Apply the appropriate permissions in SElinux or on the files

Tools:

ausearch -i -m avc

will help you read any AVC (SElinux) issues from audit.log in a human-readable format.

You can also try adding:
-ts recent
-ts today

to narrow the search.
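To tie Answer 1 (state files labelled by an unconfined start that a confined httpd_t nginx can no longer touch) to Answer 2 (reading AVC records from audit.log), here is an added example, not code from either answer or from the original post. It parses AVC denial records, groups the denied permissions per target file, and lists the files whose current label differs from the one restorecon would assign. The audit lines are constructed samples, and the expected httpd_var_run_t / httpd_log_t labels are assumed from the targeted policy; confirm them on a real host with "matchpathcon <path>".

```python
import re
from collections import defaultdict

# Constructed sample audit records (not from the original post). They mimic the
# AVC denials nginx gets when it runs as httpd_t (started via service) but its
# pid file and log were created by an earlier bare `sudo nginx` as unconfined_t.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1420441200.123:456): avc:  denied  { read } for  pid=2345 comm="nginx" name="nginx.pid" dev="tmpfs" ino=789 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1420441200.124:457): avc:  denied  { write open } for  pid=2345 comm="nginx" name="error.log" dev="dm-0" ino=101 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1420441200.124:457): arch=c000003e syscall=2 success=no exit=-13 comm="nginx"
"""

# Labels the targeted policy assigns to these paths via restorecon (assumed
# here; confirm on a real host with `matchpathcon /var/run/nginx.pid`).
EXPECTED_TYPE = {"nginx.pid": "httpd_var_run_t", "error.log": "httpd_log_t"}

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+pid=(?P<pid>\d+) '
    r'comm="(?P<comm>[^"]+)"(?: name="(?P<name>[^"]*)")?.*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)

def parse_avc(log_text):
    """Return one dict per AVC denial record; other record types are skipped."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        d["perms"] = d["perms"].split()              # e.g. ["write", "open"]
        d["sdomain"] = d["scontext"].split(":")[2]   # process domain, e.g. httpd_t
        d["ttype"] = d["tcontext"].split(":")[2]     # file type, e.g. var_run_t
        denials.append(d)
    return denials

def summarize(denials, comm="nginx", domain="httpd_t"):
    """Merge denied permissions per (name, class, current type) for one domain."""
    by_target = defaultdict(set)
    for d in denials:
        if d["comm"] == comm and d["sdomain"] == domain:
            by_target[(d["name"], d["tclass"], d["ttype"])].update(d["perms"])
    return {k: sorted(v) for k, v in by_target.items()}

def relabel_candidates(summary, expected=EXPECTED_TYPE):
    """Names whose current label differs from the expected one: restorecon targets."""
    return sorted({name for (name, _cls, ttype) in summary
                   if name in expected and expected[name] != ttype})
```

Calling relabel_candidates(summarize(parse_avc(SAMPLE_AUDIT_LOG))) returns ["error.log", "nginx.pid"], the two state files Answer 1 says an unconfined start leaves mislabelled; on a real host feed it the output of "ausearch -i -m avc -ts recent" instead of the constructed sample.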
