尝试访问 Puma 套接字时，nginx 权限被拒绝答案

【问题标题】：nginx permission denied when attempting to access Puma socket尝试访问 Puma 套接字时，nginx 权限被拒绝
【发布时间】：2018-09-27 19:22:35
【问题描述】：

我正在使用 Puma 运行我的 rails 应用程序，并试图让我的 nginx 配置指向它。我的 nginx 错误日志中出现以下错误：

2016/05/15 15:18:41 [crit] 1611#0: *31 stat() "/home/rails/acceptable-trader/current/public//index.html" failed (13: Permission denied), client: 66.253.181.206, server: , request: "GET / HTTP/1.1", host: "trade.acceptableice.com"
2016/05/15 15:18:41 [crit] 1611#0: *31 stat() "/home/rails/acceptable-trader/current/public/" failed (13: Permission denied), client: 66.253.181.206, server: , request: "GET / HTTP/1.1", host: "trade.acceptableice.com"
2016/05/15 15:18:41 [crit] 1611#0: *31 connect() to unix:///home/rails/acceptable-trader/shared/tmp/sockets/acceptable-trader-puma.sock failed (13: Permission denied) while connecting to upstream, client: 66.253.181.206, server: , request: "GET / HTTP/1.1", upstream: "http://unix:///home/rails/acceptable-trader/shared/tmp/sockets/acceptable-trader-puma.sock:/", host: "trade.acceptableice.com"
2016/05/15 15:18:41 [crit] 1611#0: *31 stat() "/home/rails/acceptable-trader/current/public/500.html/index.html" failed (13: Permission denied), client: 66.253.181.206, server: , request: "GET / HTTP/1.1", upstream: "http://unix:///home/rails/acceptable-trader/shared/tmp/sockets/acceptable-trader-puma.sock/", host: "trade.acceptableice.com"
2016/05/15 15:18:41 [crit] 1611#0: *31 stat() "/home/rails/acceptable-trader/current/public/500.html" failed (13: Permission denied), client: 66.253.181.206, server: , request: "GET / HTTP/1.1", upstream: "http://unix:///home/rails/acceptable-trader/shared/tmp/sockets/acceptable-trader-puma.sock/", host: "trade.acceptableice.com"
2016/05/15 15:18:41 [crit] 1611#0: *31 connect() to unix:///home/rails/acceptable-trader/shared/tmp/sockets/acceptable-trader-puma.sock failed (13: Permission denied) while connecting to upstream, client: 66.253.181.206, server: , request: "GET / HTTP/1.1", upstream: "http://unix:///home/rails/acceptable-trader/shared/tmp/sockets/acceptable-trader-puma.sock:/500.html", host: "trade.acceptableice.com"
2016/05/15 15:18:41 [crit] 1611#0: *31 stat() "/home/rails/acceptable-trader/current/public//index.html" failed (13: Permission denied), client: 66.253.181.206, server: , request: "GET / HTTP/1.1", host: "trade.acceptableice.com"
2016/05/15 15:18:41 [crit] 1611#0: *31 stat() "/home/rails/acceptable-trader/current/public/" failed (13: Permission denied), client: 66.253.181.206, server: , request: "GET / HTTP/1.1", host: "trade.acceptableice.com"
2016/05/15 15:18:41 [crit] 1611#0: *31 connect() to unix:///home/rails/acceptable-trader/shared/tmp/sockets/acceptable-trader-puma.sock failed (13: Permission denied) while connecting to upstream, client: 66.253.181.206, server: , request: "GET / HTTP/1.1", upstream: "http://unix:///home/rails/acceptable-trader/shared/tmp/sockets/acceptable-trader-puma.sock:/", host: "trade.acceptableice.com"
2016/05/15 15:18:41 [crit] 1611#0: *31 stat() "/home/rails/acceptable-trader/current/public/500.html/index.html" failed (13: Permission denied), client: 66.253.181.206, server: , request: "GET / HTTP/1.1", upstream: "http://unix:///home/rails/acceptable-trader/shared/tmp/sockets/acceptable-trader-puma.sock/", host: "trade.acceptableice.com"
2016/05/15 15:18:41 [crit] 1611#0: *31 stat() "/home/rails/acceptable-trader/current/public/500.html" failed (13: Permission denied), client: 66.253.181.206, server: , request: "GET / HTTP/1.1", upstream: "http://unix:///home/rails/acceptable-trader/shared/tmp/sockets/acceptable-trader-puma.sock/", host: "trade.acceptableice.com"
2016/05/15 15:18:41 [crit] 1611#0: *31 connect() to unix:///home/rails/acceptable-trader/shared/tmp/sockets/acceptable-trader-puma.sock failed (13: Permission denied) while connecting to upstream, client: 66.253.181.206, server: , request: "GET / HTTP/1.1", upstream: "http://unix:///home/rails/acceptable-trader/shared/tmp/sockets/acceptable-trader-puma.sock:/500.html", host: "trade.acceptableice.com"

我尝试将可接受的交易者-puma.sock 及其父文件夹更改为由 www-data 拥有，但这似乎没有任何作用。

我的 nginx 站点文件是：

upstream puma {
  server unix:///home/rails/acceptable-trader/shared/tmp/sockets/acceptable-trader-puma.sock;
}

server {
  listen 80 default_server deferred;
  # server_name example.com;

  root /home/rails/acceptable-trader/current/public;
  access_log /home/rails/acceptable-trader/current/log/nginx.access.log;
  error_log /home/rails/acceptable-trader/current/log/nginx.error.log info;

  location ^~ /assets/ {
    gzip_static on;
    expires max;
    add_header Cache-Control public;
  }

  try_files $uri/index.html $uri @puma;
  location @puma {
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_redirect off;

    proxy_pass http://puma;
  }

  error_page 500 502 503 504 /500.html;
  client_max_body_size 10M;
  keepalive_timeout 10;
}

【问题讨论】：

标签： ruby-on-rails nginx puma

【解决方案1】：

这些错误是由于 nginx 没有访问这些文件夹的权限而引起的。如果您通过

更改用户

chown -R nginx:nginx /文件夹/路径

这仍然不起作用，那么它更可能是 SELinux 错误。作为一种快速解决方法，您可以尝试

setenforce 许可

不推荐这样做，但它是一个测试天气是否与 SELinux 相关。如果它在此之后工作，您需要编辑您的 SELinux 策略以允许 nginx 具有访问这些文件夹的正确权限。此链接不适用于 puma，但仍然是有关如何修复此错误的好读物： nginx error 13

【讨论】：

当我尝试 setenforce permissive 时，我收到“当前未安装程序 'setenforce'。您可以通过键入：apt-get install selinux-utils 来安装它”，这让我觉得我没有'没有安装 SELinux。我还给了套接字文件夹权限：drwxrwxr-x 2 www-data www-data 4096 May 15 14:48 sockets
好吧，我将所有 chown 命令都作为 group:user 执行，而不是 user:group。做对了就解决了。感谢您尝试帮助我！

【解决方案2】：

面临同样的问题。解决了以下

然后用 setenforce 0 设置许可模式添加 nginx semodule 并使用 setenforce 1 再次启用 SELinux；

sudo setenforce 0 sudo yum install -y policycoreutils-{python,devel} sudo grep nginx /var/log/audit/audit.log | audit2allow -M nginx sudo semodule -i nginx.pp sudo setenforce 1

【讨论】：