Nginx can’t connect to uWSGI socket with correct permissions

nginxsockets

I'm trying to connect Nginx to uWSGI so I can run an application written in Ruby (where I am not able to use passenger). This is my virtual host configuration:

server {    
        listen unix:/var/run/nginx/redmine.sock;
        root /var/www/redmine/public;

        location / {
                try_files $uri @uwsgi;
        }

        location @uwsgi {
                include uwsgi_params;
                uwsgi_pass unix:/var/run/uwsgi/redmine.sock;
        }
}

It's easy, I try to find a static file, otherwise I pass to uwsgi listening on unix socket. This regards me a 502 error of "bad gateway". I went to read the error logs and I have the following:

2014/09/09 20:08:56 [crit] 20922#0: *29484 connect() to unix:/var/run/uwsgi/redmine.sock failed (13: Permission denied) while connecting to upstream, client: unix:, server: , request: "GET /redmine HTTP/1.0", upstream: "uwsgi://unix:/var/run/uwsgi/redmine.sock:", host: "localhost"

But I was pretty sure I have configured uWSGI to use the same user Nginx does:

user nginx;

and

[uwsgi]
socket = /var/run/uwsgi/redmine.sock
chdir = /var/www/redmine
rails = .
plugins = 0:rack_ruby20
rack = config.ru
idle = 3600

chmod-socket = 660
chown-socket = nginx:nginx
uid = nginx
gid = nginx

And the socket is:

fenix ~ # ls -lh /var/run/uwsgi/redmine.sock 
srw-rw---- 1 nginx nginx 0 Set  9 20:08 /var/run/uwsgi/redmine.sock

So Nginx can't even read and write to a socket it owns? What is this supposed to mean? I can't figure out how to do it.

I noticed also that Nginx won't work even if the socket permissions are 777.

Best Answer

I had a similar issue with permissions and it was a result of SELinux not having the policy for nginx to write to sockets

You can check SELinux AVC messages via audit2why -al to see more details of the error, something along the lines of

type=AVC msg=audit(1414460265.454:2612): avc:  denied  { connectto } for  pid=22107 comm="nginx" path="/tmp/uwsgi.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
Was caused by:
    Missing type enforcement (TE) allow rule.

    You can use audit2allow to generate a loadable module to allow this access.

To add the enforcement policy for nginx, first confirm the enforcement policy by running

> grep nginx /var/log/audit/audit.log | audit2allow -m nginx

You should see an output similar to

module nginx 1.0;

require {
    type unconfined_t;
    type httpd_t;
    type home_root_t;
    type soundd_port_t;
    class sock_file write;
    class unix_stream_socket connectto;
    class tcp_socket name_connect;
}

#============= httpd_t ==============

#!!!! This avc is allowed in the current policy
allow httpd_t home_root_t:sock_file write;

#!!!! This avc is allowed in the current policy
allow httpd_t soundd_port_t:tcp_socket name_connect;
allow httpd_t unconfined_t:unix_stream_socket connectto;

Finally you load the custom policy by running

> grep nginx /var/log/audit/audit.log | audit2allow -M nginx
> semodule -i nginx.pp

Related Solutions

Nginx & UserDir & PHP

I would change root dir rather than using alias in location. It could look like this:

listen          8083;                                
server_name     sid0.local;
index           index.php index.html;

# Here is magic
set $root_dir /data/www/sid0.local;
rewrite ^(/~[^/]+)$ $1/ redirect;
rewrite ^/~(?<user>[^/]+)(.+) $2;
if ($user) {
    set $root_dir /home/$user/www;
}
root $root_dir;

# PHP-FPM
location ~ \.php$ {
    try_files $uri =404;
    include         fastcgi_params;
    fastcgi_pass    unix:/var/run/php5-fpm.sock;
    fastcgi_index   index.php;
}

Another version without rewrite:

listen          8083;                                
server_name     sid0.local;
index           index.php index.html;

root /data/www/sid0.local;

location ~ ^/~(?<user>[\w-]+)(?<path>/.*)$ {
    alias /home/lynn/tmp/site/$user/www$path;
    autoindex on;

    # PHP-FPM
    location ~ \.php$ {
        try_files $uri =404;
        include         fastcgi_params;
        fastcgi_pass    unix:/var/run/php5-fpm.sock;
        fastcgi_index   index.php;
    }
}

For some reason alias with named captures working, while with numeric references it fails. My guess, that numeric references are cleared somehow in nested location.

CentOS 7 – Why Can’t Nginx Access Puma Socket?

Hallelujah! This all turned out to be an SELinux policy issue specifically pertaining to nginx. After hours of digging, I discovered such denials by running:

sudo grep nginx /var/log/audit/audit.log

The messages looked like so:

type=AVC msg=audit(1415283617.227:1386): avc:  denied  { write } for  pid=1683 comm="nginx" name="my_app.sock" dev="tmpfs" ino=20657 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file

In order to fix this, I found a wonderful article by Axilleas.

To create the policy containing the necessary permissions, I had to install audit2allow and run:

grep nginx /var/log/audit/audit.log | audit2allow -M nginx

Once done, I finalized the policy with:

semodule -i nginx.pp

Unfortunately, I had to run this process twice before being able to access my application because further policies were needed. Nonetheless, here was the solution.

Also, there is another nice article by Sergiy Krylkov.

Moral of the story: learn SELinux.

Best Answer

Related Solutions

Nginx & UserDir & PHP

CentOS 7 – Why Can’t Nginx Access Puma Socket?

Related Question