Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Nginx+uWsgi+Django 'Permission denied while connecting to upstream' (socket)

I've seen alot of questions on SO regarding this topic and I've tried out as many methods as I could but it still isn't solving the issue for me so I'm hoping this post might be helpful.

I'm following the tutorial from this site to set up Django on Nginx wtih uWSGI: http://www.oliverelliott.org/article/computing/tut_setup_nginx_django/

uwsgi.ini file

[uwsgi]
chdir=/home/ec2-user/project/awssite
module=awssite.wsgi
home=/home/ec2-user/project
master=true
processes=2
socket=/home/ec2-user/project/awssite/awssite.socket
chmod-socket=666
vacuum=true

etc/nginx/sites-enabled/awssite_nginx.conf

upstream django {
    server unix:///home/ec2-user/project/awssite/awssite.socket;
}
server {
listen          8080;
    server_name     localhost;
    charset utf-8;

    #max upload size
    client_max_body_size 75M;

    #Django media
    location /media {
            alias /home/ec2-user/project/awssite/awssite/media;
    }

    location /static {
            alias /home/ec2-user/project/awssite/awssite/static; 
    }

    location /favicon.ico {
            log_not_found off;
    }

    location / {
            uwsgi_pass django;
            include /home/ec2-user/project/awssite/uwsgi_params;
    }
}

This is the error code in /var/log/nginx/error.log

2016/02/15 01:21:22 [crit] 22159#0: *3 connect() to unix:///home/ec2-user/project/awssite/awssite.socket failed (13: Permission denied) while connecting to upstream, client: CLIENT_IP, server: localhost, request: "GET /menu/ HTTP/1.1", upstream: "uwsgi://unix:///home/ec2-user/project/awssite/awssite.socket:", host: "HOST_IP:8080"

Note: CLIENT_IP & HOST_IP are ip address values.

These are what I have tried and not worked:
1. chmod 755 home directory and running uwsgi --socket awssite.socket --module awssite.wsgi --chmod-socket=666

2. Adding user nginx to my user group and running uwsgi --socket awssite.socket --module awssite.wsgi --chmod-socket=664

3. change ini file by adding these new lines
chown-socket=ec2-user:nginx uid=nginx gid=nginx and then running uwsgi --ini uwsgi.ini This returns with 'Permission denied for chown' but when I run the command with sudo, i get sudo: uwsgi: command not found (uWSGI is installed system-wide)

4. Put all the files in a different directory (outside of user ec2-user) but that does not allow me to access them unless I run as root and even then it does not work

5. running uwsgi --socket awssite.socket --module awssite.wsgi --chmod-socket=664/666 with parameters --uid nginx --gid nginx --chown-socket=nginx:nginx Note: 664/666 meaning I tried both permissions

6. Renamed nginx.conf.default and nginx.conf.rpmnew files (so that the only conf file for nginx to read off is nginx.conf)

Could someone please shed some light on how I may resolve this issue? I will continue to add on methods that I've tried and not worked on this question while I work on it. Thanks :)

EDIT: Thanks to @GwynBleidD answer, I finally got it working. This is what works:

kept my socket file in /tmp
etc/nginx/sites-enabled/awssite_nginx.conf

upstream django {
    server unix:///tmp/djangosocket/awssite.socket;
}
....

uwsgi.ini file

[uwsgi]
chdir=/home/ec2-user/project/awssite
module=awssite.wsgi
home=/home/ec2-user/project
master=true
processes=2
socket=/tmp/djangosocket/awssite.socket
chmod-socket=666
vacuum=true

I added my ec2-user (logged in user) to group nginx.
I changed the file permissions accordingly
chown -R ec2-user:nginx djangosocket
chmod g+rwx djangosocket

like image 945
carol Alex Avatar asked Feb 15 '16 01:02

carol Alex


1 Answers

If your nginx server can't access uWSGI socket, try to fulfill following steps:

  1. don't put your socked in home directory of any user in your system, especially root! Some of unix operating systems are blocking by default access to home directory for anyone except owner of that directory and root. Adding nginx user to private group of that user (for most of systems, each user has it's own, main group) can help with that, but it will almost never work for root.

  2. check on what user and group your nginx server (or any other http server that you're using) runs. Sometimes is www-data, sometimes nginx, sometimes something other. When creating socket, make sure that username will match username on which uWSGI server runs and group name match group on uWSGI runs (or you can swap it).

  3. Check that your socket's permissions are at least 660. There is no need to give permissions to it for anyone, so don't do that.

  4. Check that both your nginx and uWSGI have permission to access directory on which socket is put, and all parent directories.

Good place for your socket's file is /var/run directory (for some systems it is /run or both). It is most often mounted as ramdisk (tmpfs) and it is write'able for anyone in system, so every user can create sockets here (and access them). If it's for some reason not accessible in your system, you can also try /tmp directory.

If you're also serving static files directly from nginx from your home directory, consider adding nginx to your personal group, so it will have read access to your home directory and static files.

like image 184
GwynBleidD Avatar answered Nov 02 '22 03:11

GwynBleidD