Gunicorn Nginx Permission denied while connecting to upstream
Setting up a Django site with gunicorn and nginx.
The project's gunicorn settings:
[Unit]
Description=gunicorn daemon
After=network.target
[Service]
User=username
Group=nginx
WorkingDirectory=/home/username/my_project
ExecStart=/home/username/my_project/bin/gunicorn --access-logfile - --workers 3 --bind unix:/home/username/my_project/my_project.sock my_project.wsgi:application
[Install]
WantedBy=multi-user.target
The project's Nginx configuration file:
user nginx;
server {
    listen 80;
    server_name 192.168.66.106;
    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;
    location = /favicon.ico { access_log off; log_not_found off; }
    location /static {
        # alias must point at the static directory itself; aliasing the
        # project root would serve every file under the project tree
        alias /home/username/my_project/static;
    }
    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://unix:/home/username/my_project/my_project.sock;
    }
}
I have these permissions on my project:
drwxrwxr-x. 5 username nginx 4.0K Apr 4 10:20 modulo1
-rwxrwxr-x. 1 username nginx 823 Apr 4 10:13 manage.py
drwxrwxr-x. 4 username nginx 4.0K Apr 4 10:20 modulo2
drwxrwxr-x. 2 username nginx 249 Apr 4 10:29 my_project
srwxrwxrwx. 1 username nginx 0 Apr 4 10:47 my_project.sock
-rw-rw-r--. 1 username nginx 565 Apr 4 10:13 README.md
-rw-rw-r--. 1 username nginx 228 Apr 4 10:14 requirements.txt
drwxrwxr-x. 5 username nginx 38 Apr 4 10:13 static
drwxrwxr-x. 3 username nginx 88 Apr 4 10:14 templates
This is the error from /var/log/nginx/error.log:
2018/04/04 10:54:03 [crit] 14238#0: *4 connect() to unix:/home/username/my_project/my_project.sock failed (13: Permission denied) while connecting to upstream client: 192.168.66.50, server: 192.168.66.106, request: "GET / HTTP/1.1", upstream: "http://unix:/home/username/my_project/my_project.sock:/", host: "192.168.66.106"
I have a CentOS 7 OS; anyway, I solved the problem by installing:
sudo yum install policycoreutils-python
sudo semanage permissive -a httpd_t
In addition to your answer: CentOS/RHEL-based Linux operating systems have SELinux (Security-Enhanced Linux) enabled by default.
SELinux can be either in the enabled or disabled state. When disabled, only DAC rules are used. When enabled, SELinux can run in one of the following modes:
- Enforcing: SELinux policy is enforced. SELinux denies access based on SELinux policy rules. This is the default. In enforcing mode, if something is against the defined policy, the action will be both blocked and logged. Hence the permission denied issue you were facing.
- Permissive: SELinux policy is not enforced. SELinux does not deny access, but denials are logged for actions that would have been denied if running in enforcing mode.
Note: the following must be run as root.
Option 1:
- Use the getenforce utility to view the current SELinux mode.
- Use the setenforce utility to switch between enforcing and permissive mode.
- Use setenforce 1 to enter enforcing mode. [default]
- Use setenforce 0 to enter permissive mode.
Option 2:
Create a policy using the utilities in policycoreutils-python.
policycoreutils-python provides utilities such as semanage, audit2allow, audit2why, and chcat, for operating and managing SELinux.
Edit:
- Usually a specific policy is created like the one below (I use a uwsgi socket):
policy_name.te
module <NAME_OF_THE_POLICY> 1.0;
require {
type var_run_t;
type httpd_t;
type initrc_t;
class sock_file write;
class unix_stream_socket connectto;
}
#============= httpd_t ==============
allow httpd_t initrc_t:unix_stream_socket connectto;
#!!!! This avc is allowed in the current policy
allow httpd_t var_run_t:sock_file write;
Then create the pp module from the te:
checkmodule -M -m -o policy_name.mod /path/to/your/policy/policy_name.te
Once we have created the module policy_name.mod from the policy_name.te configuration, running the command below creates the compiled SE module:
semodule_package -m policy_name.mod -o policy_name.pp
Finally, install the compiled SE module policy_name.pp with:
semodule -i policy_name.pp