Nginx can't access a uWSGI unix socket on CentOS 7

sockets nginx uwsgi selinux
hosein picture hosein · Oct 13, 2014 · Viewed 8.2k times · Source

I have configured uWSGI to serve my Django app on a unix socket, and Nginx as a proxy to this socket. The server is running CentOS 7. I think I have configured Nginx so that it has permission to read and write to uWSGI's socket, but I'm still getting a permission denied error. Why can't Nginx access the uWSGI socket on CentOS 7?

[uwsgi]
socket=/socket/uwsgi.sock
virtualenv=/home/site/virtsite/
chdir=/home/site/wsgitest/
module=wsgitest.wsgi:application
vhost = true
master=True
workers=8
chmod-socket=666
pidfile=/home/site/wsgitest/uwsgi-master.pid
max-requests=5000
chown-socket=nginx:nginx
uid = nginx
gid = nginx
listen.owner = nginx
listen.group = nginx

server {
    listen 80;

    location / {
        uwsgi_pass unix:///home/site/wsgitest/uwsgi.sock;
        include uwsgi_params;
    }
}

uwsgi --ini uwsgi.ini (as root)

ls -l /home/site/wsgitest/uwsgi.sock
srwxrwxrwx. 1 nginx nginx 0 Oct 13 10:05 uwsgi.sock

2014/10/12 19:01:44 [crit] 19365#0: *10 connect() to unix:///socket/uwsgi.sock failed (13: Permission denied) while connecting to upstream, client: 2.191.102.217, server: , request: "GET / HTTP/1.1", upstream: "uwsgi://unix:///socket/uwsgi.sock:", host: "179.227.126.222"

Answer

hosein picture hosein · Oct 13, 2014

The Nginx and uWSGI configurations are correct. The problem is that SELinux denied Nginx access to the socket. This results in a generic access denied error in Nginx's log. The important messages are actually in SELinux's audit log.

# show the new rules to be generated
grep nginx /var/log/audit/audit.log | audit2allow

# show the full rules to be applied
grep nginx /var/log/audit/audit.log | audit2allow -m nginx

# generate the rules to be applied
grep nginx /var/log/audit/audit.log | audit2allow -M nginx

# apply the rules
semodule -i nginx.pp

You may need to generate the rules multiple times, trying to access the site after each pass, since the first SELinux error might not be the only one that can be generated. Always inspect the policy that audit2allow suggests creating.

These steps were taken from this blog post which contains more details about how to investigate and what output you'll get.

Related questions

NGINX: connect() to unix:/var/run/php7.2-fpm.sock failed (2: No such file or directory)

I've just recently moved my websites from apache2 to Nginx as my new web server backend. got to love problems aha. HTML files in the web host director work prior to php files making there way main directory then I …

Read More
Nginx cannot find unix socket file with Unicorn (no such file or directory)

I am deploying a Rails 4 app to a Fedora 19 x64 server using Nginx and Unicorn. The problem is that I get an error when visiting the address: "We're sorry, but something went wrong." My Nginx error log (/var/log/nginx/…

Read More
Nginx connect() to unix:/var/run/fcgiwrap.socket failed

I'm trying to install Gitweb on my Nginx server. Everything seems to be configured correctly, but I seem to be getting the following error in the gitweb.log: `2015/06/08 08:42:05 [crit] 29135#0: *5 connect() to unix:/var/run/fcgiwrap.socket failed (13: Permission denied) while …

Read More