CentOS 7 – Why Can’t Nginx Access Puma Socket?

centos-7nginxpermissionsrailsruby

So I have a Ruby on Rails app in /var/www/ owned by nginx with 755 permissions. Said app is intended to be deployed via puma.

Like so:

rvmsudo -u nginx bundle exec puma -e production -d -b unix:///var/www/my_app/tmp/sockets/my_app.socket

The permissions for the socket are:

srwxrwxrwx. 1 nginx nginx 0 Nov  6 09:43 tmp/sockets/my_app.sock

The process is, of course, owned by nginx:

nginx     7335  0.0  8.8 536744 90388 ?        Sl   09:43   0:00 puma 2.9.2 (unix:///var/www/my_app/tmp/sockets/my_app.sock)

My nginx configuration configuration is as follows:

upstream my_app {
  server unix:///var/www/my_app/tmp/sockets/my_app.sock;
}

server {
  listen 80;
  server_name www.example.com example.com;
  root /var/www/my_app/public;

  location / {
    proxy_pass http://my_app;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  }
}

All of this and my application is still denied permissions.

connect() to unix:///var/www/my_app/tmp/sockets/my_app.sock failed (13: Permission denied) while connecting to upstream,

I have tried all of this as the root user, also. But it still does not work.

Does anyone know what I am doing wrong?

Best Answer

Hallelujah! This all turned out to be an SELinux policy issue specifically pertaining to nginx. After hours of digging, I discovered such denials by running:

sudo grep nginx /var/log/audit/audit.log

The messages looked like so:

type=AVC msg=audit(1415283617.227:1386): avc:  denied  { write } for  pid=1683 comm="nginx" name="my_app.sock" dev="tmpfs" ino=20657 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file

In order to fix this, I found a wonderful article by Axilleas.

To create the policy containing the necessary permissions, I had to install audit2allow and run:

grep nginx /var/log/audit/audit.log | audit2allow -M nginx

Once done, I finalized the policy with:

semodule -i nginx.pp

Unfortunately, I had to run this process twice before being able to access my application because further policies were needed. Nonetheless, here was the solution.

Also, there is another nice article by Sergiy Krylkov.

Moral of the story: learn SELinux.

Related Solutions

Nginx & UserDir & PHP

I would change root dir rather than using alias in location. It could look like this:

listen          8083;                                
server_name     sid0.local;
index           index.php index.html;

# Here is magic
set $root_dir /data/www/sid0.local;
rewrite ^(/~[^/]+)$ $1/ redirect;
rewrite ^/~(?<user>[^/]+)(.+) $2;
if ($user) {
    set $root_dir /home/$user/www;
}
root $root_dir;

# PHP-FPM
location ~ \.php$ {
    try_files $uri =404;
    include         fastcgi_params;
    fastcgi_pass    unix:/var/run/php5-fpm.sock;
    fastcgi_index   index.php;
}

Another version without rewrite:

listen          8083;                                
server_name     sid0.local;
index           index.php index.html;

root /data/www/sid0.local;

location ~ ^/~(?<user>[\w-]+)(?<path>/.*)$ {
    alias /home/lynn/tmp/site/$user/www$path;
    autoindex on;

    # PHP-FPM
    location ~ \.php$ {
        try_files $uri =404;
        include         fastcgi_params;
        fastcgi_pass    unix:/var/run/php5-fpm.sock;
        fastcgi_index   index.php;
    }
}

For some reason alias with named captures working, while with numeric references it fails. My guess, that numeric references are cleared somehow in nested location.

Nginx can’t connect to uWSGI socket with correct permissions

I had a similar issue with permissions and it was a result of SELinux not having the policy for nginx to write to sockets

You can check SELinux AVC messages via audit2why -al to see more details of the error, something along the lines of

type=AVC msg=audit(1414460265.454:2612): avc:  denied  { connectto } for  pid=22107 comm="nginx" path="/tmp/uwsgi.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
Was caused by:
    Missing type enforcement (TE) allow rule.

    You can use audit2allow to generate a loadable module to allow this access.

To add the enforcement policy for nginx, first confirm the enforcement policy by running

> grep nginx /var/log/audit/audit.log | audit2allow -m nginx

You should see an output similar to

module nginx 1.0;

require {
    type unconfined_t;
    type httpd_t;
    type home_root_t;
    type soundd_port_t;
    class sock_file write;
    class unix_stream_socket connectto;
    class tcp_socket name_connect;
}

#============= httpd_t ==============

#!!!! This avc is allowed in the current policy
allow httpd_t home_root_t:sock_file write;

#!!!! This avc is allowed in the current policy
allow httpd_t soundd_port_t:tcp_socket name_connect;
allow httpd_t unconfined_t:unix_stream_socket connectto;

Finally you load the custom policy by running

> grep nginx /var/log/audit/audit.log | audit2allow -M nginx
> semodule -i nginx.pp

Best Answer

Related Solutions

Nginx & UserDir & PHP

Nginx can’t connect to uWSGI socket with correct permissions

Related Question