I am working with configuring django project with nginx and gunicorn. While I am accessing my port gunicorn mysite.wsgi:application --bind=127.0.0.1:8001 in nginx server I am getting the following error in my error log file.
2014/05/30 11:59:42 [crit] 4075#0: *6 connect() to 127.0.0.1:8001 failed (13: Permission denied) while connecting to upstream, client: 127.0.0.1, server: localhost, request: "GET / HTTP/1.1", upstream: "http://127.0.0.1:8001/", host: "localhost:8080"
My nginx.conf file
server {
listen 8080;
server_name localhost;
access_log /var/log/nginx/example.log;
error_log /var/log/nginx/example.error.log;
location / {
proxy_pass http://127.0.0.1:8001;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $http_host;
}
}
In the html page I am getting 502 Bad Gateway.
What mistake am I doing?
I had a similar issue getting Fedora 20, Nginx, Node.js, and Ghost (blog) to work. It turns out my issue was due to SELinux.
This should solve the problem:
setsebool -P httpd_can_network_connect 1
Details
I checked for errors in the SELinux logs:
sudo cat /var/log/audit/audit.log | grep nginx | grep denied
And found that running the following commands fixed my issue:
sudo cat /var/log/audit/audit.log | grep nginx | grep denied | audit2allow -M mynginx
sudo semodule -i mynginx.pp
References:
http://blog.frag-gustav.de/2013/07/21/nginx-selinux-me-mad/
https://wiki.gentoo.org/wiki/SELinux/Tutorials/Where_to_find_SELinux_permission_denial_details
http://wiki.gentoo.org/wiki/SELinux/Tutorials/Managing_network_port_labels
I’ve run into this problem too. Another solution is to toggle the SELinux boolean value for httpd network connect to on (Nginx uses the httpd label).
setsebool httpd_can_network_connect on
To make the change persist use the -P flag.
setsebool httpd_can_network_connect on -P
You can see a list of all available SELinux booleans for httpd using
getsebool -a | grep httpd
Had a similar problem on Centos 7. When I tried to apply the solution prescribed by Sorin, I started moving in cycles. First I had a permission {write} denied. Then when I solved that I had a permission { connectto } denied. Then back again to permission {write } denied.
Following @Sid answer above of checking the flags using getsebool -a | grep httpd and toggling them I found that in addition to the httpd_can_network_connect being off. http_anon_write was also off resulting in permission denied write and permission denied {connectto}
type=AVC msg=audit(1501830505.174:799183): avc:
denied { write } for pid=12144 comm="nginx" name="myroject.sock"
dev="dm-2" ino=134718735 scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:default_t:s0 tclass=sock_file
Obtained using sudo cat /var/log/audit/audit.log | grep nginx | grep denied as explained above.
So I solved them one at a time, toggling the flags on one at a time.
setsebool httpd_can_network_connect on -P
Then running the commands specified by @sorin and @Joseph above
sudo cat /var/log/audit/audit.log | grep nginx | grep denied |
audit2allow -M mynginx
sudo semodule -i mynginx.pp
Basically you can check the permissions set on setsebool and correlate that with the error obtained from grepp'ing' audit.log nginx, denied
I have solved my problem by running my nginx as my present working user that is mulagala.By default the user as nginx in my nginx.conf file.We can find that line at the top of the nginx.conf file.
user nginx;
change this to your current working user name like
user mulagala;
I’ve run into this problem too. I'm using Nginx with HHVM, below solution fixed my issue:
sudo semanage fcontext -a -t httpd_sys_rw_content_t "/etc/nginx/fastcgi_temp(/.*)?"
sudo restorecon -R -v /etc/nginx/fastcgi_temp
- Check the user in
/etc/nginx/nginx.conf - Change ownership to user.
sudo chown -R nginx:nginx /var/lib/nginx
Now see the magic.
if "502 Bad Gateway" error throws on centos api url for api gateway proxy pass on nginx , run following command to solve the issue
sudo setsebool -P httpd_can_network_connect 1
Thanks, guys :) now I am able to use Nginx proxy for my Kibana URL
really useful command :) setsebool -P httpd_can_network_connect 1
sudo cat /var/log/audit/audit.log | grep nginx | grep denied | audit2allow -M mynginx
sudo semodule -i mynginx.pp
来源:https://stackoverflow.com/questions/23948527/13-permission-denied-while-connecting-to-upstreamnginx