我正在使用Nginx和Gunicorn配置Django项目。

当我进入gunicorn端口时。在Nginx服务器中,我在错误日志文件中得到以下错误;

2014/05/30 11:59:42 [crit] 4075#0: *6 connect()到127.0.0.1:8001失败(13:权限被拒绝)而连接到上游,客户端:127.0.0.1,服务器:localhost,请求:“GET / HTTP/1.1”,上游:“http://127.0.0.1:8001/”,主机:“localhost:8080”

下面是我的nginx.conf文件的内容;

server {
    listen 8080;
    server_name localhost;
    access_log  /var/log/nginx/example.log;
    error_log /var/log/nginx/example.error.log;

    location / {
        proxy_pass http://127.0.0.1:8001;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $http_host;
    }
}

在HTML页面中,我得到502坏网关。

我犯了什么错误?


当前回答

如果nginx上的api网关代理通道的centos api url抛出“502 Bad Gateway”错误,执行以下命令解决此问题

sudo setsebool -P httpd_can_network_connect 1

其他回答

在Centos 7上也有类似的问题。当我试着使用索林开出的溶液时,我开始循环运动。首先,我的权限{写}被拒绝了。然后,当我解决了,我有一个权限{连接}拒绝。然后回到权限{write}被拒绝。

以下@Sid回答上面使用getsebool -a | grep httpd检查标志并切换它们,我发现除了httpd_can_network_connect关闭之外。Http_anon_write也关闭,导致写入权限被拒绝,{connectto}权限被拒绝

type=AVC msg=audit(1501830505.174:799183): avc:  
denied  { write } for  pid=12144 comm="nginx" name="myroject.sock" 
dev="dm-2" ino=134718735 scontext=system_u:system_r:httpd_t:s0 
tcontext=system_u:object_r:default_t:s0 tclass=sock_file

获得使用 Sudo cat /var/log/audit/audit.log | grep nginx | grep denied 如上所述。

所以我一次解决了一个问题,一次切换一个旗帜。

setsebool httpd_can_network_connect on -P

然后运行上面的@sorin和@Joseph指定的命令

sudo cat /var/log/audit/audit.log | grep nginx | grep denied | 
audit2allow -M mynginx
sudo semodule -i mynginx.pp

基本上你可以检查setsebool上的权限设置,并将其与grepp'ing' audit.log nginx中获得的错误关联起来,拒绝

检查/etc/nginx/nginx.conf中的用户 将所有权变更为用户。

sudo chown -R nginx:nginx /var/lib/nginx

首先看看被否定的是什么:

sudo cat /var/log/audit/audit.log | grep nginx | grep denied
type=AVC msg=audit(1618940614.934:38415): avc:  denied  { connectto } for
pid=18016 comm="nginx" path="/home/deployer/project/tmp/sockets/puma.sock" scontext=system_u:system_r:httpd_t:s0
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=unix_stream_socket permissive=1

在我的情况下,它有助于CentOS7:

sudo setenforce 0

setsebool httpd_can_network_connect on -P
setsebool httpd_can_network_relay on -P

之后你可以看到什么是启用的:

getsebool -a | grep httpd
httpd_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_connect_ftp --> off
httpd_can_connect_ldap --> off
httpd_can_connect_mythtv --> off
httpd_can_connect_zabbix --> off
httpd_can_network_connect --> on
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> on
httpd_can_network_memcache --> off
httpd_can_network_relay --> on
httpd_can_sendmail --> off
httpd_dbus_avahi --> off
httpd_dbus_sssd --> off
httpd_dontaudit_search_dirs --> off
httpd_enable_cgi --> off
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_graceful_shutdown --> on
httpd_manage_ipa --> off
httpd_mod_auth_ntlm_winbind --> off
httpd_mod_auth_pam --> off
httpd_read_user_content --> off
httpd_run_ipa --> off
httpd_run_preupgrade --> off
httpd_run_stickshift --> off
httpd_serve_cobbler_files --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_sys_script_anon_write --> off
httpd_tmp_exec --> off
httpd_tty_comm --> off
httpd_unified --> off
httpd_use_cifs --> off
httpd_use_fusefs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
httpd_use_openstack --> off
httpd_use_sasl --> off
httpd_verify_dns --> off

我也遇到过这个问题。我使用Nginx与HHVM,下面的解决方案修复了我的问题:

sudo semanage fcontext -a -t httpd_sys_rw_content_t "/etc/nginx/fastcgi_temp(/.*)?"

sudo restorecon -R -v /etc/nginx/fastcgi_temp

如果nginx上的api网关代理通道的centos api url抛出“502 Bad Gateway”错误,执行以下命令解决此问题

sudo setsebool -P httpd_can_network_connect 1