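I am configuring a Django project with Nginx and Gunicorn.
When I access the Gunicorn port in the Nginx server, I get the following error in the error log file:
2014/05/30 11:59:42 [crit] 4075#0: *6 connect() to 127.0.0.1:8001 failed (13: Permission denied) while connecting to upstream, client: 127.0.0.1, server: localhost, request: "GET / HTTP/1.1", upstream: "http://127.0.0.1:8001/", host: "localhost:8080"
Below is the content of my nginx.conf file: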
server {
    listen 8080;
    server_name localhost;
    access_log /var/log/nginx/example.log;
    error_log /var/log/nginx/example.error.log;
    location / {
        proxy_pass http://127.0.0.1:8001;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $http_host;
    }
}
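In the HTML page I get 502 Bad Gateway.
What mistake have I made?
I have solved my problem by running Nginx as the user I am currently logged in as, mulagala.
By default, the user is defined as nginx at the very top of the nginx.conf file, as shown below: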
user nginx; # Default Nginx user
Change nginx to the name of your current user; here, mulagala.
user mulagala; # Custom Nginx user (as username of the current logged in user)
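However, this may not address the actual problem and may actually have incidental side effects.
For an effective solution, refer to Joseph Barbere's solution.
I ran into this problem as well. Another solution is to toggle the SELinux boolean for httpd network connect to on (Nginx uses the httpd label).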
setsebool httpd_can_network_connect on
To make the change persist, use the -P flag.
setsebool httpd_can_network_connect on -P
You can see a list of all available SELinux booleans for httpd using:
getsebool -a | grep httpd
First, look at what is being denied:
sudo cat /var/log/audit/audit.log | grep nginx | grep denied
type=AVC msg=audit(1618940614.934:38415): avc: denied { connectto } for
pid=18016 comm="nginx" path="/home/deployer/project/tmp/sockets/puma.sock" scontext=system_u:system_r:httpd_t:s0
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=unix_stream_socket permissive=1
In my case, on CentOS 7, this helped:
sudo setenforce 0
setsebool httpd_can_network_connect on -P
setsebool httpd_can_network_relay on -P
After that you can see what is enabled:
getsebool -a | grep httpd
httpd_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_connect_ftp --> off
httpd_can_connect_ldap --> off
httpd_can_connect_mythtv --> off
httpd_can_connect_zabbix --> off
httpd_can_network_connect --> on
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> on
httpd_can_network_memcache --> off
httpd_can_network_relay --> on
httpd_can_sendmail --> off
httpd_dbus_avahi --> off
httpd_dbus_sssd --> off
httpd_dontaudit_search_dirs --> off
httpd_enable_cgi --> off
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_graceful_shutdown --> on
httpd_manage_ipa --> off
httpd_mod_auth_ntlm_winbind --> off
httpd_mod_auth_pam --> off
httpd_read_user_content --> off
httpd_run_ipa --> off
httpd_run_preupgrade --> off
httpd_run_stickshift --> off
httpd_serve_cobbler_files --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_sys_script_anon_write --> off
httpd_tmp_exec --> off
httpd_tty_comm --> off
httpd_unified --> off
httpd_use_cifs --> off
httpd_use_fusefs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
httpd_use_openstack --> off
httpd_use_sasl --> off
httpd_verify_dns --> off
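
As an added example (not part of any answer above, and not Nginx or SELinux project code), this parses AVC denial records like the one quoted in the last answer and groups them by source type, permission, class and target type, marking whether each denial was actually enforced. The sample log lines and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample records (one per line, as auditd writes them). The first
# mirrors the denial quoted above; the second is a made-up TCP upstream denial.
SAMPLE_AUDIT_LOG = '''\
type=AVC msg=audit(1618940614.934:38415): avc:  denied  { connectto } for  pid=18016 comm="nginx" path="/home/deployer/project/tmp/sockets/puma.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1618940700.101:38420): avc:  denied  { name_connect } for  pid=18016 comm="nginx" dest=8001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1618940700.101:38420): arch=c000003e syscall=42 success=no exit=-13 comm="nginx"
'''

AVC_RE = re.compile(r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
                    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc_denials(text):
    """Return one dict per AVC denial line; other record types are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.match(line.strip())
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
        fields['perms'] = m.group('perms').split()
        fields['serial'] = int(m.group('serial'))
        # True only when the record says permissive=0; with permissive=1 the
        # access was logged but not blocked at that moment.
        fields['enforced'] = fields.get('permissive') == '0'
        # The type is the third colon-separated part of a security context.
        fields['source_type'] = fields['scontext'].split(':')[2]
        fields['target_type'] = fields['tcontext'].split(':')[2]
        denials.append(fields)
    return denials


def summarize(denials, comm='nginx'):
    """Count denials per (source type, permission, class, target type)."""
    counts = Counter()
    for d in denials:
        if d.get('comm') == comm:
            for perm in d['perms']:
                counts[(d['source_type'], perm, d['tclass'], d['target_type'])] += 1
    return counts


if __name__ == '__main__':
    for key, n in summarize(parse_avc_denials(SAMPLE_AUDIT_LOG)).items():
        print(n, *key)
```

Grouping by class and target type separates TCP upstream denials from Unix-socket denials, so each can be matched against the boolean or policy change that is meant to cover it.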