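NGINX permissions: 'sudo nginx' vs 'sudo service nginx start'

I am doing a capistrano setup here with nginx 1.6.2 and Unicorn. But with my current setup, nginx does not create the servers I have written in the conf files. I am sure this is a permissions error on my user directory, because the conf files are located under the two rails app directories.

My nginx file is as follows: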
```
user mjp nginx;
worker_processes 1;

error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/access.log main;

    sendfile on;
    #tcp_nopush on;

    keepalive_timeout 65;

    #gzip on;

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}
```

`/etc/nginx/conf.d/*.conf;` is empty.

The `/etc/nginx/sites-enabled/;` directory contains 2 symlinks:

```
[mjp@centos nginx]$ ll sites-enabled/
total 4
lrwxrwxrwx. 1 root root 61 Jan 5 06:58 mjp-portal_production -> /home/mjp/apps/mjp-portal_production/shared/config/nginx.conf
lrwxrwxrwx. 1 root root 58 Jan 3 21:03 mjp-portal_staging -> /home/mjp/apps/mjp-portal_staging/shared/config/nginx.conf
```

All the permissions leading to these conf files:
```
[mjp@centos ~]$ ll
total 4
drwxrwxr-x. 4 mjp nginx 4096 Jan 5 06:58 apps
[mjp@centos ~]$ ll apps/
total 8
drwxr-xr-x. 5 mjp nginx 4096 Jan 5 07:27 mjp-portal_production
drwxrwxr-x. 5 mjp nginx 4096 Jan 3 21:11 mjp-portal_staging
[mjp@centos ~]$ ll apps/mjp-portal_staging/
total 16
lrwxrwxrwx. 1 mjp nginx 57 Jan 3 21:11 current -> /home/mjp/apps/mjp-portal_staging/releases/20150103210756
drwxrwxr-x. 4 mjp nginx 4096 Jan 3 21:07 releases
drwxrwxr-x. 7 mjp nginx 4096 Jan 3 21:04 repo
-rwxrwxr-x. 1 mjp nginx 71 Jan 3 21:11 revisions.log
drwxrwxr-x. 9 mjp nginx 4096 Jan 3 21:05 shared
[mjp@centos ~]$ ll apps/mjp-portal_staging/shared/
total 28
drwxrwxr-x. 2 mjp nginx 4096 Jan 3 21:10 bin
drwxrwxr-x. 3 mjp nginx 4096 Jan 3 21:05 bundle
drwxrwxr-x. 2 mjp nginx 4096 Jan 5 07:46 config
drwxrwxr-x. 2 mjp nginx 4096 Jan 3 21:11 log
drwxrwxr-x. 3 mjp nginx 4096 Jan 3 21:04 public
drwxrwxr-x. 5 mjp nginx 4096 Jan 3 21:04 tmp
drwxrwxr-x. 3 mjp nginx 4096 Jan 3 21:04 vendor
[mjp@centos ~]$ ll apps/mjp-portal_staging/shared/config/
total 24
-rwxrwxr-x. 1 mjp nginx 136 Jan 3 21:03 database.example.yml
-rwxrwxr-x. 1 mjp nginx 155 Jan 3 21:06 database.yml
-rwxrwxr-x. 1 mjp nginx 188 Jan 3 21:03 log_rotation
-rwxrwxr-x. 1 mjp nginx 814 Jan 5 07:46 nginx.conf
-rwxrwxr-x. 1 mjp nginx 1996 Jan 3 21:03 unicorn_init.sh
-rwxrwxr-x. 1 mjp nginx 1327 Jan 3 21:03 unicorn.rb
```

`mjp-portal_production -> /home/mjp/apps/mjp-portal_production/shared/config/nginx.conf`:

```
upstream unicorn1 {
    server unix:/tmp/unicorn.mjp-portal_production.sock fail_timeout=0;
}

server {
    server_name 185.48.117.98;
    listen 8080 default;
    root /home/mjp/apps/mjp-portal_production/current/public;

    #access_log /home/mjp/apps/mjp-portal_production/shared/log/nginx_access.log;
    #error_log /home/mjp/apps/mjp-portal_production/shared/log/nginx_error.log;

    location ^~ /assets/ {
        gzip_static on;
        expires max;
        add_header Cache-Control public;
    }

    try_files $uri/index.html $uri @unicorn;

    location @unicorn {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_pass http://unicorn1;
        proxy_buffering off;
    }

    error_page 500 502 503 504 /500.html;
    client_max_body_size 4G;
    keepalive_timeout 10;
}
```

`mjp-portal_staging -> /home/mjp/apps/mjp-portal_staging/shared/config/nginx.conf`:

```
upstream unicorn {
    server unix:/tmp/unicorn.mjp-portal_staging.sock fail_timeout=0;
}

server {
    server_name 185.48.117.98;
    listen 8081 default;
    root /home/mjp/apps/mjp-portal_staging/current/public;

    #access_log /home/mjp/apps/mjp-portal_staging/shared/log/nginx_access.log;
    #error_log /home/mjp/apps/mjp-portal_staging/shared/log/nginx_error.log;

    location ^~ /assets/ {
        gzip_static on;
        expires max;
        add_header Cache-Control public;
    }

    try_files $uri/index.html $uri @unicorn;

    location @unicorn {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_pass http://unicorn;
        proxy_buffering off;
    }

    error_page 500 502 503 504 /500.html;
    client_max_body_size 4G;
    keepalive_timeout 10;
}
```
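
Even when I set the nginx process ("worker") to `root`, nginx still cannot create the servers and start listening on them. `netstat -anp` does not show the ports opened by nginx, in this case port 8080 and port 8081. What am I doing wrong? All the permissions seem to be correct. Is there anything else I am missing?

When I put the code of those two symlinks in `/etc/nginx/conf.d/`, it does open those ports, although I get `502 bad gateway`, which makes me think this is a permissions error on those app directories. What am I doing wrong?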
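
This is an SELinux problem.

When you run `sudo nginx`, it starts nginx as `unconfined_t`. When you run `sudo service nginx start`, it runs as `httpd_t`.

Having started it from sudo initially, it creates a bunch of files and initializes its state as `unconfined_t`. For example, the pid file will have the wrong context. So when `service nginx stop` is used to terminate it, `httpd_t` does not have sufficient privileges to read the files written by `unconfined_t`.

You really should always start it using `service`, which will avoid this problem. To correct it, you need to relabel the stateful files that exist in the filesystem; for example, running `restorecon /var/run/nginx.pid` will correct the incorrect label set on that pid file. I'm not sure whether there are more files created when the service was started that need correcting. You can get a list of the files this may be by running `ausearch -ts recent -m avc`.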
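
As an added example (not part of the original answer): a shell function that condenses `ausearch -m avc` output into one line per unique denial for the `httpd_t` domain, so the objects that may need relabelling stand out. The function names and the audit records in `sample_avc` are constructed for illustration, not taken from the asker's system.

```shell
#!/bin/sh
# Added example. Condense AVC denials for one source domain (default: httpd_t)
# into unique lines of: permission <TAB> class <TAB> object <TAB> target type.
# Live use (as root): ausearch -ts recent -m avc | avc_summary httpd_t
avc_summary() {
    awk -v dom="${1:-httpd_t}" '
    /avc:/ && /denied/ {
        perm = ""; obj = ""; tclass = ""; stype = ""; ttype = ""
        # The permission list sits between braces, e.g. "{ read open }".
        if (match($0, /[{][^}]*[}]/)) {
            perm = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perm)
        }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^(name|path)=/) {
                obj = $i; sub(/^[a-z]+=/, "", obj); gsub(/"/, "", obj)
            } else if ($i ~ /^tclass=/) {
                tclass = substr($i, 8)
            } else if ($i ~ /^scontext=/) {
                split(substr($i, 10), s, ":"); stype = s[3]   # user:role:TYPE:level
            } else if ($i ~ /^tcontext=/) {
                split(substr($i, 10), t, ":"); ttype = t[3]
            }
        }
        if (stype != dom) next                 # ignore other domains
        key = perm "\t" tclass "\t" obj "\t" ttype
        if (!(key in seen)) { seen[key] = 1; print key }   # de-duplicate
    }'
}

# Constructed audit records (hypothetical values) so the example runs offline.
sample_avc() {
    cat <<'EOF'
type=AVC msg=audit(1420440401.101:812): avc:  denied  { read } for  pid=2101 comm="nginx" name="nginx.pid" dev="tmpfs" ino=20114 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1420440409.554:815): avc:  denied  { read } for  pid=2117 comm="nginx" name="nginx.pid" dev="tmpfs" ino=20114 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1420440410.020:816): avc:  denied  { open } for  pid=2117 comm="nginx" path="/home/mjp/apps/mjp-portal_staging/shared/config/nginx.conf" dev="dm-0" ino=393301 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1420440455.007:820): avc:  denied  { getattr } for  pid=2290 comm="logrotate" name="nginx.pid" dev="tmpfs" ino=20114 scontext=system_u:system_r:logrotate_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
EOF
}

sample_avc | avc_summary
```

A `name=` field carries only the file's base name, and paths containing spaces are not handled by this field-based parsing.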