Setting up a django site with gunicorn & nginx
Gunicorn systemd service file for the project:
[Unit]
Description=gunicorn daemon
After=network.target
[Service]
User=username
Group=nginx
WorkingDirectory=/home/username/my_project
ExecStart=/home/username/my_project/bin/gunicorn --access-logfile - --workers 3 --bind unix:/home/username/my_project/my_project.sock my_project.wsgi:application
[Install]
WantedBy=multi-user.target
Nginx configuration file for the project:
user nginx;
server {
    listen 80;
    server_name 192.168.66.106;
    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;
    location = /favicon.ico { access_log off; log_not_found off; }
    location /static {
        alias /home/username/my_project;
    }
    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://unix:/home/username/my_project/my_project.sock;
    }
}
I have these permissions on my project:
drwxrwxr-x. 5 username nginx 4.0K Apr 4 10:20 modulo1
-rwxrwxr-x. 1 username nginx 823 Apr 4 10:13 manage.py
drwxrwxr-x. 4 username nginx 4.0K Apr 4 10:20 modulo2
drwxrwxr-x. 2 username nginx 249 Apr 4 10:29 my_project
srwxrwxrwx. 1 username nginx 0 Apr 4 10:47 my_project.sock
-rw-rw-r--. 1 username nginx 565 Apr 4 10:13 README.md
-rw-rw-r--. 1 username nginx 228 Apr 4 10:14 requirements.txt
drwxrwxr-x. 5 username nginx 38 Apr 4 10:13 static
drwxrwxr-x. 3 username nginx 88 Apr 4 10:14 templates
This is the error logged in /var/log/nginx/error.log:
2018/04/04 10:54:03 [crit] 14238#0: *4 connect() to unix:/home/username/my_project/my_project.sock failed (13: Permission denied) while connecting to upstream client: 192.168.66.50, server: 192.168.66.106, request: "GET / HTTP/1.1", upstream: "http://unix:/home/username/my_project/my_project.sock:/", host: "192.168.66.106"
I have a CentOS 7 OS; anyway, I resolved the issue by installing:
sudo yum install policycoreutils-python
sudo semanage permissive -a httpd_t
To add on top of your answer, CentOS/RHEL based Linux operating systems have SELinux (Security Enhanced Linux) enabled by default.
SELinux can be either in the enabled or disabled state. When disabled, only DAC rules are used. When enabled, SELinux can run in one of the following modes:
- Enforcing: SELinux policy is enforced. SELinux denies access based on SELinux policy rules. This is the default. In enforcing mode, if something is against the defined policy, the action will be both blocked and logged. Hence the permission denied issue you were facing.
- Permissive: SELinux policy is not enforced. SELinux does not deny access, but denials are logged for actions that would have been denied if running in enforcing mode.
Note: the operations below are to be executed as root.
Option 1: switch the mode with setenforce
setenforce 1
to enter enforcing mode [default];
setenforce 0
to enter permissive mode.
Option 2: Create a policy using utils such as policycoreutils-python
policycoreutils-python provides utilities such as semanage, audit2allow, audit2why, and chcat, for operating and managing SELinux.
EDIT:
policy_name.te:
module <NAME_OF_THE_POLICY> 1.0;
require {
type var_run_t;
type httpd_t;
type initrc_t;
class sock_file write;
class unix_stream_socket connectto;
}
#============= httpd_t ==============
allow httpd_t initrc_t:unix_stream_socket connectto;
#!!!! This avc is allowed in the current policy
allow httpd_t var_run_t:sock_file write;
and then create the .pp module from the .te:
checkmodule -M -m -o policy_name.mod /path/to/your/policy/policy_name.te
Once we have the module policy_name.mod created from the policy_name.te configuration, run the command below to create the compiled SE module:
semodule_package -m policy_name.mod -o policy_name.pp
Finally, install the compiled SE module policy_name.pp using the command below:
semodule -i policy_name.pp
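As an added example (not part of either answer), a small POSIX sh/awk helper that turns raw AVC denial lines into the equivalent allow rules, the same mapping audit2allow performs, so the rules that end up in policy_name.te can be reviewed before choosing between a narrow module and the blanket `semanage permissive -a httpd_t`. The two embedded audit lines are constructed; their types follow the .te above.

```shell
#!/bin/sh
# Added example (not from the answers above): translate raw AVC denials
# into the matching SELinux allow rules, the same mapping audit2allow
# performs, so the rules going into policy_name.te can be reviewed.
# On a real CentOS 7 host the input would come from:
#   ausearch -m avc -c nginx --raw | sh this_script.sh
# Here two constructed audit lines are embedded so the script runs offline.

avc_to_allow() {
    # Reads audit lines on stdin, prints one allow rule per distinct denial.
    awk '
    /avc: +denied/ {
        perm = ""; src = ""; tgt = ""; cls = ""
        # permissions are listed between braces, e.g. "{ write }"
        if (match($0, /[{][^}]*[}]/)) {
            perm = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perm)
        }
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n < 2) continue
            if (kv[1] == "scontext") src = kv[2]
            else if (kv[1] == "tcontext") tgt = kv[2]
            else if (kv[1] == "tclass") cls = kv[2]
        }
        # the type is the third colon-separated field of a context
        split(src, s, ":"); split(tgt, t, ":")
        if (perm ~ / /) perm = "{ " perm " }"   # several perms need braces
        printf "allow %s %s:%s %s;\n", s[3], t[3], cls, perm
    }' | sort -u
}

# Constructed sample: the two denials nginx (httpd_t) hits when it
# connects to the gunicorn socket; types follow the .te in the answer.
SAMPLE_AVC='type=AVC msg=audit(1522832043.123:456): avc:  denied  { write } for  pid=14238 comm="nginx" name="my_project.sock" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1522832043.124:457): avc:  denied  { connectto } for  pid=14238 comm="nginx" path="/home/username/my_project/my_project.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket permissive=0'

printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
```

If the output contains more than the two rules shown in the .te above, the extra denials deserve a look before they are allowed, since a single policy module is easier to audit than making httpd_t permissive as a whole.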