Centos

NGINX permissions: 'sudo nginx' vs 'sudo service nginx start'

  • January 26, 2016

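I am using nginx 1.6.2 with Unicorn here in a capistrano setup. But with my current setup, nginx does not create the servers I wrote in the conf files. I am sure this is a permissions error on my user directory, because the conf files live under the two rails app directories.

My nginx file is as follows: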

user  mjp nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;


events {
   worker_connections  1024;
}


http {
   include       /etc/nginx/mime.types;
   default_type  application/octet-stream;

   log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                 '$status $body_bytes_sent "$http_referer" '
                 '"$http_user_agent" "$http_x_forwarded_for"';

   access_log  /var/log/nginx/access.log  main;

   sendfile        on;
   #tcp_nopush     on;

  keepalive_timeout  65;

   #gzip  on;

   include /etc/nginx/conf.d/*.conf;
   include /etc/nginx/sites-enabled/*;
}

/etc/nginx/conf.d/*.conf; is empty.

The /etc/nginx/sites-enabled/; directory contains 2 symlinks:

[mjp@centos nginx]$ ll sites-enabled/
total 4
lrwxrwxrwx. 1 root root 61 Jan  5 06:58 mjp-portal_production -> /home/mjp/apps/mjp-portal_production/shared/config/nginx.conf
lrwxrwxrwx. 1 root root 58 Jan  3 21:03 mjp-portal_staging -> /home/mjp/apps/mjp-portal_staging/shared/config/nginx.conf

All the permissions leading down to these conf files:

[mjp@centos ~]$ ll
total 4
drwxrwxr-x. 4 mjp nginx 4096 Jan  5 06:58 apps

[mjp@centos ~]$ ll apps/
total 8
drwxr-xr-x. 5 mjp nginx 4096 Jan  5 07:27 mjp-portal_production
drwxrwxr-x. 5 mjp nginx 4096 Jan  3 21:11 mjp-portal_staging


[mjp@centos ~]$ ll apps/mjp-portal_staging/
total 16
lrwxrwxrwx. 1 mjp nginx   57 Jan  3 21:11 current -> /home/mjp/apps/mjp-portal_staging/releases/20150103210756
drwxrwxr-x. 4 mjp nginx 4096 Jan  3 21:07 releases
drwxrwxr-x. 7 mjp nginx 4096 Jan  3 21:04 repo
-rwxrwxr-x. 1 mjp nginx   71 Jan  3 21:11 revisions.log
drwxrwxr-x. 9 mjp nginx 4096 Jan  3 21:05 shared


[mjp@centos ~]$ ll apps/mjp-portal_staging/shared/
total 28
drwxrwxr-x. 2 mjp nginx 4096 Jan  3 21:10 bin
drwxrwxr-x. 3 mjp nginx 4096 Jan  3 21:05 bundle
drwxrwxr-x. 2 mjp nginx 4096 Jan  5 07:46 config
drwxrwxr-x. 2 mjp nginx 4096 Jan  3 21:11 log
drwxrwxr-x. 3 mjp nginx 4096 Jan  3 21:04 public
drwxrwxr-x. 5 mjp nginx 4096 Jan  3 21:04 tmp
drwxrwxr-x. 3 mjp nginx 4096 Jan  3 21:04 vendor

[mjp@centos ~]$ ll apps/mjp-portal_staging/shared/config/
total 24
-rwxrwxr-x. 1 mjp nginx  136 Jan  3 21:03 database.example.yml
-rwxrwxr-x. 1 mjp nginx  155 Jan  3 21:06 database.yml
-rwxrwxr-x. 1 mjp nginx  188 Jan  3 21:03 log_rotation
-rwxrwxr-x. 1 mjp nginx  814 Jan  5 07:46 nginx.conf
-rwxrwxr-x. 1 mjp nginx 1996 Jan  3 21:03 unicorn_init.sh
-rwxrwxr-x. 1 mjp nginx 1327 Jan  3 21:03 unicorn.rb

mjp-portal_production -> /home/mjp/apps/mjp-portal_production/shared/config/nginx.conf:

upstream unicorn1 {
 server unix:/tmp/unicorn.mjp-portal_production.sock fail_timeout=0;
}

server
{
 server_name 185.48.117.98;
 listen 8080 default;
 root /home/mjp/apps/mjp-portal_production/current/public;

 #access_log /home/mjp/apps/mjp-portal_production/shared/log/nginx_access.log;
 #error_log  /home/mjp/apps/mjp-portal_production/shared/log/nginx_error.log;

 location ^~ /assets/ {
   gzip_static on;
   expires max;
   add_header Cache-Control public;
 }

 try_files $uri/index.html $uri @unicorn;
 location @unicorn {
   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
   proxy_set_header Host $http_host;
   proxy_redirect off;
   proxy_pass http://unicorn1;
   proxy_buffering off;
 }

 error_page 500 502 503 504 /500.html;
 client_max_body_size 4G;
 keepalive_timeout 10;
}

mjp-portal_staging -> /home/mjp/apps/mjp-portal_staging/shared/config/nginx.conf:

upstream unicorn {
 server unix:/tmp/unicorn.mjp-portal_staging.sock fail_timeout=0;
}

server
{
 server_name 185.48.117.98;
 listen 8081 default;
 root /home/mjp/apps/mjp-portal_staging/current/public;

 #access_log /home/mjp/apps/mjp-portal_staging/shared/log/nginx_access.log;
 #error_log  /home/mjp/apps/mjp-portal_staging/shared/log/nginx_error.log;

 location ^~ /assets/ {
   gzip_static on;
   expires max;
   add_header Cache-Control public;
 }

 try_files $uri/index.html $uri @unicorn;
 location @unicorn {
   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
   proxy_set_header Host $http_host;
   proxy_redirect off;
   proxy_pass http://unicorn;
   proxy_buffering off;
 }

 error_page 500 502 503 504 /500.html;
 client_max_body_size 4G;
 keepalive_timeout 10;
}

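Even if I set the nginx process ("worker") to root, nginx still cannot create the servers and start listening on them.

netstat -anp does not show the ports opened by nginx, in this case port 8080 and port 8081.

What am I doing wrong? All the permissions seem to be correct. Am I missing anything else? When I put the code from these two symlinks in /etc/nginx/conf.d/, it does open those ports, although I get 502 bad gateway, which makes me think this is a permissions error on those app directories.

What am I doing wrong?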

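This is an SELinux issue.

When you run sudo nginx, nginx is started as unconfined_t. When you run sudo service nginx start, nginx is started as httpd_t.

When initially started from sudo, it creates a bunch of files and initializes its state as unconfined_t. The pid file, for example, will have the wrong context. So when it is terminated using service nginx stop, there are not enough permissions for httpd_t to read what was written by unconfined_t.

You really should always start it using service, which will avoid this problem. To correct it, you need to relabel the stateful files that exist on the filesystem; for example, running restorecon /var/run/nginx.pid will correct the incorrect label set on that pid file.

I am not sure whether there are more files that need correcting when the service is created. You can get a list of the files possibly involved by running ausearch -ts recent -m avc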

Quoted from: https://serverfault.com/questions/656299
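
The answer's last step (ausearch -ts recent -m avc) returns raw audit records. The following is an added example, not part of the original answer, that condenses such records into one line per denied file for a given source domain such as httpd_t. The function names avc_summary and sample_avc and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials for one source domain.
# Input: audit records on stdin.
# Output: "<count> <perms> <tclass> <target type> <name>" per distinct denial.
avc_summary() {
    awk -v dom="$1" '
    /avc: +denied/ {
        perm = name = stype = ttype = tclass = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {
                # collect every permission listed between the braces
                for (j = i + 1; j <= NF && $j != "}"; j++)
                    perm = perm (perm == "" ? "" : ",") $j
            } else if ($i ~ /^(name|path)=/) {
                name = $i; sub(/^[a-z]+=/, "", name); gsub(/"/, "", name)
            } else if ($i ~ /^scontext=/) {
                split($i, c, ":"); stype = c[3]   # user:role:TYPE:level
            } else if ($i ~ /^tcontext=/) {
                split($i, c, ":"); ttype = c[3]
            } else if ($i ~ /^tclass=/) {
                tclass = $i; sub(/^tclass=/, "", tclass)
            }
        }
        # keep only denials where the confined domain was the actor
        if (stype == dom) seen[perm " " tclass " " ttype " " name]++
    }
    END { for (k in seen) print seen[k], k }' | LC_ALL=C sort -k5,5 -k2,2
}

# Constructed sample records (not taken from the original post).
sample_avc() {
    cat <<'EOF'
type=AVC msg=audit(1420441500.101:812): avc:  denied  { read } for  pid=2211 comm="nginx" name="nginx.pid" dev="tmpfs" ino=19001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1420441502.230:815): avc:  denied  { read } for  pid=2240 comm="nginx" name="nginx.pid" dev="tmpfs" ino=19001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1420441502.231:816): avc:  denied  { read open } for  pid=2240 comm="nginx" path="/var/run/nginx.pid" dev="tmpfs" ino=19001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1420441510.004:820): avc:  denied  { getattr } for  pid=900 comm="sshd" name="motd" dev="dm-0" ino=4411 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
EOF
}

# On a live host: ausearch -ts recent -m avc | avc_summary httpd_t
sample_avc | avc_summary httpd_t
```

Each distinct name in the output is a candidate for a label check with ls -Z before running restorecon on it.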