Trying to proxy a gunicorn socket with nginx.
/etc/systemd/system/gunicorn.service file
[Unit]
Description=gunicorn daemon
After=network.target
[Service]
User=www-data
Group=www-data
WorkingDirectory=/root/PSite/blog
ExecStart=/root/PSite/blog/blog/venv/bin/gunicorn --access-logfile - --workers 3 --bind unix:/root/PSite/blog/blog.sock blog.wsgi:application
[Install]
WantedBy=multi-user.target
/etc/nginx/sites-available/blog file
server {
listen 80;
server_name server_domain_or_IP;
location = /favicon.ico { access_log off; log_not_found off; }
location /static/ {
root /root/PSite/blog;
}
location / {
include proxy_params;
proxy_pass http://unix:/root/PSite/blog/blog.sock;
}
}
Then I start the daemon : systemctl start gunicorn
After running systemctl status gunicorn it throws and error:
EXEC spawning /root/PSite/blog/blog/venv/bin/gunicorn: Permission denied
All folders and files are owned by www-data:www-data.
If I change the gunicorn user to root it create the proxy, yet the nginx log say it doesn't have permissions.
What is the problem?
It's good security to run your service as a non-root user. However, you are complicating the issue by trying to store files under "/root", which is intended only for the "root"user to access.
Try moving your "PSite" site folder from "/root" to a neutral location like "/var/www/PSite".
Related
I tried to configure nginx as image server as below
create myapp.conf and put it at /etc/nginx/conf.d
server {
listen 80;
listen [::]:80;
#here you could also use subdomain
server_name image.mydomain.com ;
#here you could also use context,e.g. location /<context>
location / {
root /myapp/imageServer/;
autoindex on;
}
}
The file exists at /myapp/imageServer/card/3cdad37c5a394567b53283321f6af9e9.png
But when i browse this file via https://image.mydomain.com/card/3cdad37c5a394567b53283321f6af9e9.png. I got 403 forbidden from nginx. There is any mistake of my nginx config?
i found the reason
go to /etc/nginx/nginx.conf
edit line as below
#user www-data;
user root;
I'm currently testing a perl cgi application in nginx and fcgiwrap. It's partially working. However I'm having issues getting errors back in the response.
All requests return 200. If the cgi errors, it just returns blank content.
I'm running both nginx and fcgiwrap from supervisord.
This is my supervisord.conf file...
[supervisord]
logfile=/tmp/supervisord.log
nodaemon=true
[fcgi-program:fcgiwrap]
command = /usr/sbin/fcgiwrap
user = www-data
socket = unix:///var/run/supervisor/%(program_name)s.sock
socket_owner = www-data:www-data
socket_mode = 0770
autorestart=true
autostart=true
startsecs=1
startretries=3
stopsignal=QUIT
stopwaitsecs=10
environment=PATH='/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin'
redirect_stderr=false
stdout_logfile=/var/log/fcgiwrap_out.log
stderr_logfile=/var/log/fcgiwrap_err.log
[program:nginx]
command=/usr/sbin/nginx -g 'daemon off;'
I get the errors appearing in /var/log/fcgiwrap_err.log. However the error message, and more importantly the status, aren't returned to nginx.
This is my nginx config...
server {
listen 80 default_server;
listen [::]:80 default_server;
root /var/www/web;
index index.html index.cgi;
server_name _;
location / {
try_files $uri $uri/ =404;
}
location ~ \.cgi$ {
gzip off;
include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/var/run/supervisor/fcgiwrap.sock;
fastcgi_index index.cgi;
fastcgi_param SCRIPT_FILENAME /var/www/web$fastcgi_script_name;
}
# deny access to .htaccess files
location ~ /\.ht {
deny all;
}
}
I'm not sure whether the issue is due to a misconfiguration of fcgiwrap, nginx, or supervisord.
You said to supervisord to monitor a socket (/var/run/supervisor/fcgiwrap.sock) but didn't say to fcgiwrap to use that socket.
So PHP connection through this empty socket will never reach fcgiwrap process, and hence you have no error message from fcgiwrap.
You need to change the fcgiwrap command to specify the socket, using -s parameter.
I have configured uWSGI to serve my Django app on a unix socket, and Nginx as a proxy to this socket. The server is running CentOS 7. I think I have configured Nginx so that it has permission to read and write to uWSGI's socket, but I'm still getting a permission denied error. Why can't Nginx access the uWSGI socket on CentOS 7?
[uwsgi]
socket=/socket/uwsgi.sock
virtualenv=/home/site/virtsite/
chdir=/home/site/wsgitest/
module=wsgitest.wsgi:application
vhost = true
master=True
workers=8
chmod-socket=666
pidfile=/home/site/wsgitest/uwsgi-master.pid
max-requests=5000
chown-socket=nginx:nginx
uid = nginx
gid = nginx
listen.owner = nginx
listen.group = nginx
server {
listen 80;
location / {
uwsgi_pass unix:///home/site/wsgitest/uwsgi.sock;
include uwsgi_params;
}
}
uwsgi --ini uwsgi.ini (as root)
ls -l /home/site/wsgitest/uwsgi.sock
srwxrwxrwx. 1 nginx nginx 0 Oct 13 10:05 uwsgi.sock
2014/10/12 19:01:44 [crit] 19365#0: *10 connect() to unix:///socket/uwsgi.sock failed (13: Permission denied) while connecting to upstream, client: 2.191.102.217, server: , request: "GET / HTTP/1.1", upstream: "uwsgi://unix:///socket/uwsgi.sock:", host: "179.227.126.222"
The Nginx and uWSGI configurations are correct. The problem is that SELinux denied Nginx access to the socket. This results in a generic access denied error in Nginx's log. The important messages are actually in SELinux's audit log.
# show the new rules to be generated
grep nginx /var/log/audit/audit.log | audit2allow
# show the full rules to be applied
grep nginx /var/log/audit/audit.log | audit2allow -m nginx
# generate the rules to be applied
grep nginx /var/log/audit/audit.log | audit2allow -M nginx
# apply the rules
semodule -i nginx.pp
You may need to generate the rules multiple times, trying to access the site after each pass, since the first SELinux error might not be the only one that can be generated. Always inspect the policy that audit2allow suggests creating.
These steps were taken from this blog post which contains more details about how to investigate and what output you'll get.
Configure your uwsgi.ini with uid and gid user.
#uwsgi.ini
uid = nginx
gid = nginx
Regards,
I wished I could comment :(
Everything looks fine from here except unix socket path
unix:///socket/uwsgi.sock failed (2: No such file or directory)
Docs says it has just one slash
uwsgi_pass unix:/tmp/uwsgi.socket;
I'm setting up an ubuntu server using nginx and uwsgi. Yesterday, running
sudo service nginx restart
and
sudo service uwsgi restart
would generate this socket: /run/uwsgi/app/recoapi/recoapi.socket
I installed uwsgi using pip rather than apt-get, and ever since around that time, the recoapi.socket file hasn't been generated. I find the following error in my nginx error.log when I try to curl my server.
2013/09/01 13:59:12 [crit] 29712#0: *1 connect() to unix:///run/uwsgi/app/recoapi/recoapi.socket failed (2: No such file or directory) while connecting to upstream
The result of this error is that the output of my curl is
<html>
<head><title>502 Bad Gateway</title></head>
<body bgcolor="white">
<center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx/1.2.6 (Ubuntu)</center>
</body>
</html>
My uwsgi config file looks like this. The lines regarding the socket permissions seem to have no effect.
<uwsgi>
<plugin>python</plugin>
<uid>www-data</uid>
<gid>www-data</gid>
<chmod-socket>777</chmod-socket>
<chown-socket>www-data</chown-socket>
<socket>/run/uwsgi/app/recoapi/recoapi.socket</socket>
<pythonpath>/var/www/recoapi/application/</pythonpath>
<wsgi-file>/var/www/recoapi/application/wsgi_configuration_module.py</wsgi_file>
<app mountpoint="/">
<script>wsgi_configuration_module</script>
</app>
<processes>4</processes>
<harakiri>60</harakiri>
<reload-mercy>8</reload-mercy>
<cpu-affinity>1</cpu-affinity>
<stats>/tmp/stats.socket</stats>
<max-requests>2000</max-requests>
<limit-as>512</limit-as>
<reload-on-as>256</reload-on-as>
<reload-on-rss>192</reload-on-rss>
<no-orphans/>
<vacuum/>
</uwsgi>
I'm working from this tutorial.
This is my nginx configuration file:
server {
listen 80;
server_name $hostname;
access_log /var/www/recoapi/logs/access.log;
error_log /var/www/recoapi/logs/error.log;
location / {
#uwsgi_pass 127.0.0.1:9001;
uwsgi_pass unix:///run/uwsgi/app/recoapi/recoapi.socket;
include uwsgi_params;
uwsgi_param UWSGI_SCHEME $scheme;
uwsgi_param SERVER_SOFTWARE nginx/$nginx_version;
}
location /static {
root /var/www/recoapi/public_html/static/;
}
}
The problem was invalid syntax in my xml uwsgi file.
The socket wasn't being created because the server wasn't being started because it couldn't read the uwsgi config file, because I had mismatched xml tags: wsgi-file and wsgi_file. That line was unnecessary anyway, so I deleted it and the socket was created again.
I need to use nginx as a mail proxy. I am completely new to nginx and need some help with the configuration.
Here is what I did:
First I built a service that mocks the authentication services described here: http://wiki.nginx.org/NginxMailCoreModule. For example,
curl -v -H "Host:auth.server.hostname" -H "Auth-Method:plain" -H "Auth-User:user" -H "Auth-pass:123" -H "Auth-Protocol:imap" -H "Auth-Login-Attempt:1" -H "Client-IP: 192.168.1.1" http://localhost:8080/authorize
returns the following response header:
< HTTP/1.1 200 OK
< Content-Type: text/html;charset=ISO-8859-1
< Auth-Status: OK
< Auth-Server: 192.168.1.10
< Auth-Port: 110
Second I installed nginx on my mac after installing macports:
$ sudo port -d selfupdate
$ sudo port install nginx
Third I created an nginx.conf with the following:
worker_processes 1;
error_log /var/log/nginx/error.log info;
mail {
server_name <my mail server here>;
auth_http http://localhost:8080/authorize;
pop3_auth plain apop cram-md5;
pop3_capabilities "LAST" "TOP" "USER" "PIPELINING" "UIDL";
xclient off;
server {
listen 110;
protocol pop3;
proxy on;
proxy_pass_error_message on;
}
}
Here is what I got running nginx:
$ nginx -V
nginx version: nginx/1.2.4
configure arguments: --prefix=/opt/local --with-cc-opt='-I/opt/local/include -O2' --with-ld-opt=-L/opt/local/lib --conf-path=/opt/local/etc/nginx/nginx.conf --error-log-path=/opt/local/var/log/nginx/error.log --http-log-path=/opt/local/var/log/nginx/access.log --pid-path=/opt/local/var/run/nginx/nginx.pid --lock-path=/opt/local/var/run/nginx/nginx.lock --http-client-body-temp-path=/opt/local/var/run/nginx/client_body_temp --http-proxy-temp-path=/opt/local/var/run/nginx/proxy_temp --http-fastcgi-temp-path=/opt/local/var/run/nginx/fastcgi_temp --http-uwsgi-temp-path=/opt/local/var/run/nginx/uwsgi_temp --with-ipv6
$ nginx
nginx: [emerg] unknown directive "mail" in /opt/local/etc/nginx/nginx.conf:6
The only mention of that error on the web brings up a discussion in Russian...
My questions:
Why am I getting this unknow directive?
Does my config look correct at first sight or am I missing some key component for the mail proxy to work using the authentication approach described here: http://wiki.nginx.org/NginxMailCoreModule?
I got the mail proxy working so I will answer my own questions for future reference:
nginx doesn't install support for mail by default
The following is needed for nginx to process the mail directive:
$ sudo port edit nginx
==> add --with-mail at the end of the config parameters
Then (re)install nginx
In the config I included, I was missing the events:
events {
worker_connections 1024;
}
An important clarification that got me stuck for a while: the authentication service (specified with auth_http) needs to return the mail server expressed as an IP address, not a host name.
Obviously for nginx to proxy on both inbound and outbound traffic, the smtp listener needs to be added. Similar approach as with the pop3 configuration. In my case, I used port 2525, so I had
server {
listen 2525;
protocol smtp;
}