Nginx: Permission denied to Gunicorn socket on CentOS 7

I'm working on a Django project deployment. I'm working on a CentOS 7 server provided by EC2 (AWS). I have tried to fix this bug in many ways, but I can't understand what I am missing.

I'm using nginx and gunicorn to deploy my project. I have created my /etc/systemd/system/myproject.service file with the following content:

[Unit]
Description=gunicorn daemon
After=network.target

[Service]
User=centos
Group=nginx
WorkingDirectory=/home/centos/myproject_app
ExecStart=/home/centos/myproject_app/django_env/bin/gunicorn --workers 3 --bind unix:/home/centos/myproject_app/django.sock app.wsgi:application

[Install]
WantedBy=multi-user.target

When I run sudo systemctl restart myproject.service and sudo systemctl enable myproject.service, the django.sock file is correctly generated in /home/centos/myproject_app/.

I have created my nginx conf file in the folder /etc/nginx/sites-available/ with the following content:

server {
    listen       80;
    server_name  my_ip;
    charset      utf-8;

    client_max_body_size       10m;
    client_body_buffer_size    128k;

    # serve static files
    location /static/ {
        alias /home/centos/myproject_app/app/static/;
    }

    location / {
        include proxy_params;
        proxy_pass http://unix:/home/centos/myproject_app/django.sock;
    }
}

Afterwards, I restart nginx with the following command:

sudo systemctl restart nginx

If I run the command sudo nginx -t, the response is:

nginx: configuration file /etc/nginx/nginx.conf test is successful

When I visit my_ip in a web browser, I'm getting a 502 bad gateway response.

If I check the nginx error log, I see the following message:

1 connect() to unix:/home/centos/myproject_app/django.sock failed (13: Permission denied) while connecting to upstream

I really have tried a lot of solutions changing the sock file permissions, but I can't understand how to fix it. How can I fix this permissions bug? Thank you so much.

Andrés Quiroga asked Feb 15 '18 03:02


1 Answer

If all the permissions under the myproject_app folder are correct, and the centos user or nginx group has access to the files, I would say it looks like a Security Enhanced Linux (SELinux) issue.

I had a similar problem, but with RHEL 7. I managed to solve it by executing the following command:

sudo semanage permissive -a httpd_t

It's related to the security policies of SELinux; you have to add httpd_t to the list of permissive domains.

This post from the NGINX blog may be helpful: NGINX: SELinux Changes when Upgrading to RHEL 6.6 / CentOS 6.6

Motivated by a similar issue, I wrote a tutorial a while ago on How to Deploy a Django Application on RHEL 7. It should be very similar for CentOS 7.

Vitor Freitas answered Nov 07 '22 23:11
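
One way to confirm that the "13: Permission denied" comes from SELinux, and to see which object type is being denied before making all of httpd_t permissive, is to summarise the AVC denials for that domain. This is an added example, not part of the answer above; the function name avc_denials_for_domain and the SAMPLE_AUDIT records are hypothetical and constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: summarise SELinux AVC denials for one source domain
# (nginx runs as httpd_t, the domain named in the answer above).

# Constructed sample audit records, not taken from the asker's server.
SAMPLE_AUDIT='type=AVC msg=audit(1518663720.101:412): avc:  denied  { write } for  pid=2101 comm="nginx" name="django.sock" dev="xvda1" ino=8412 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1518663720.101:412): arch=c000003e syscall=42 success=no exit=-13 comm="nginx"
type=AVC msg=audit(1518663725.330:415): avc:  denied  { read } for  pid=2250 comm="sshd" name="authorized_keys" dev="xvda1" ino=9001 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1518663731.009:420): avc:  denied  { write } for  pid=2101 comm="nginx" name="django.sock" dev="xvda1" ino=8412 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=sock_file'

# Reads audit records on stdin and prints, per distinct denial:
#   <count> <permissions> <target class> <target type> <object name>
# $1 is the source domain to filter on (default: httpd_t).
avc_denials_for_domain() {
    awk -v dom="${1:-httpd_t}" '
        $1 == "type=AVC" && /avc: +denied/ {
            perms = ""; name = "-"; src = ""; tgt = ""; cls = ""
            # The permission list sits between "{ " and " }".
            if (match($0, /[{] [^}]* [}]/))
                perms = substr($0, RSTART + 2, RLENGTH - 4)
            gsub(/ /, ",", perms)
            for (i = 1; i <= NF; i++) {
                eq = index($i, "=")
                if (eq == 0) continue
                key = substr($i, 1, eq - 1); val = substr($i, eq + 1)
                gsub(/"/, "", val)
                if (key == "name") name = val
                else if (key == "tclass") cls = val
                # The SELinux type is the third colon-separated context field.
                else if (key == "scontext") { split(val, c, ":"); src = c[3] }
                else if (key == "tcontext") { split(val, c, ":"); tgt = c[3] }
            }
            if (src == dom) count[perms " " cls " " tgt " " name]++
        }
        END { for (k in count) printf "%d %s\n", count[k], k }
    ' | sort
}

# Demo on the constructed sample above.
printf '%s\n' "$SAMPLE_AUDIT" | avc_denials_for_domain httpd_t
```

On a real host the input would come from the audit log, for example the output of sudo ausearch -m avc -ts recent. An empty result for httpd_t suggests the 502 is caused by ordinary file or directory permissions rather than SELinux.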