Nginx Permission denied error

nginx, ruby-on-rails, unicorn

I'm running nginx and unicorn to serve a Rails application.
Unicorn and the Rails app work fine, but nginx can't open the Rails public directory (permission error) and returns 502 Bad Gateway.

curl http://localhost/
<html>
<head><title>502 Bad Gateway</title></head>
<body bgcolor="white">
<center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx/1.6.1</center>
</body>
</html>

/var/log/nginx/error.log

2014/09/18 18:16:16 [crit] 16619#0: *1 stat() "/home/rails/public_html/rails_app/current/public//index.html" failed (13: Permission denied), client: 127.0.0.1, server: , request: "GET / HTTP/1.1", host: "localhost"
2014/09/18 18:16:16 [crit] 16619#0: *1 stat() "/home/rails/public_html/rails_app/current/public/" failed (13: Permission denied), client: 127.0.0.1, server: , request: "GET / HTTP/1.1", host: "localhost"
2014/09/18 18:16:16 [crit] 16619#0: *1 connect() to unix:/tmp/unicorn.rails_app.sock failed (2: No such file or directory) while connecting to upstream, client: 127.0.0.1, server: , request: "GET / HTTP/1.1", upstream: "http://unix:/tmp/unicorn.rails_app.sock:/", host: "localhost"
2014/09/18 18:16:16 [crit] 16619#0: *1 stat() "/home/rails/public_html/rails_app/current/public/500.html/index.html" failed (13: Permission denied), client: 127.0.0.1, server: , request: "GET / HTTP/1.1", upstream: "http://unix:/tmp/unicorn.rails_app.sock/", host: "localhost"
2014/09/18 18:16:16 [crit] 16619#0: *1 stat() "/home/rails/public_html/rails_app/current/public/500.html" failed (13: Permission denied), client: 127.0.0.1, server: , request: "GET / HTTP/1.1", upstream: "http://unix:/tmp/unicorn.rails_app.sock/", host: "localhost"
2014/09/18 18:16:16 [crit] 16619#0: *1 connect() to unix:/tmp/unicorn.rails_app.sock failed (2: No such file or directory) while connecting to upstream, client: 127.0.0.1, server: , request: "GET / HTTP/1.1", upstream: "http://unix:/tmp/unicorn.rails_app.sock:/500.html", host: "localhost"

nginx.conf

user    nginx;
worker_processes        1;

error_log       /var/log/nginx/error.log warn;
pid                     /var/run/nginx.pid;

events {
        worker_connections 1024; # increase if you have lots of clients
        # accept_mutex off; # "on" if nginx worker_processes > 1
}

http {
        include       /etc/nginx/mime.types;
        default_type  application/octet-stream;

        log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
        '$status $body_bytes_sent "$http_referer" '
        '"$http_user_agent" "$http_x_forwarded_for"';

        access_log  /var/log/nginx/access.log  main;

        sendfile                on;
        # tcp_nopush    on;
        # tcp_nodelay   off;

        upstream unicorn {
                server unix:/tmp/unicorn.rails_app.sock fail_timeout=0;
        }

        server {
                listen 80 default deferred;
                # server_name example.com;
                root /home/rails/public_html/rails_app/current/public;

                try_files $uri/index.html $uri @unicorn;
                location @unicorn {
                        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                        proxy_set_header Host $http_host;
                        proxy_redirect off;
                        proxy_pass http://unicorn;
                }

                error_page 500 502 503 504 /500.html;
                client_max_body_size 4G;
                keepalive_timeout 10;
        }
}

The permissions for the rails public directories are 775 or 775.
nginx is executed by the 'nginx' user and the rails public directories are owned by the 'rails' user.
I've tried to run nginx as the 'rails' user and as root, but the same errors occurred.
I have no idea what's wrong with these errors.
nginx works fine if I set the root directory to /usr/share/nginx/html/.
My environment is CentOS 7 on Vagrant and rails 2.2.2 with unicorn gem 4.8.3.

[note] I know that /tmp/unicorn.rails_app.sock needs to be placed in another directory according to this question, but I guess it's not the problem.

Best Answer

nginx runs as the nginx user, as your configuration states. You say your directories are owned by root:root.

Ensure that each and every directory from the root to the file being accessed by nginx has the right execution (and maybe reading?) permission. In your case, the "other" permission group (chmod o+(r)x <recursive list of dirs>).

If that is not enough, try to add the reading permission for others on socket files.

Normally now nginx will be able to stat() those files.

The fact that everything runs fine with nginx root being set to /usr/share/nginx/html is that those files have been created by the nginx package with an adequate mix of user/group/permissions...

Now, I see another (and bigger) problem: you try to work with nginx workers running as nginx:nginx and files owned by root:root, for which there is no write permission for nginx whatsoever. Any attempt by nginx to write on a socket will thus ultimately fail...

You should really rethink the whole construction of yours. Make the nginx user/group and the ones on the directories/files match in some way, so nginx can open what it needs to open (execution right on directories), read what it needs to read and write what it needs to write without relying on the "other" permission group, which basically allows any user to do the same.
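The advice above (every directory from / down to the document root must be searchable by the nginx worker's user, and the final file readable) is easy to verify with a short walk over the path. The script below is an added example written for this page, not code from the question, the answer or the nginx project. It assumes a Linux host with GNU coreutils `stat` (with a BSD `stat -f` fallback) and checks the "other" permission bits, which is what matters when, as in the question, the worker runs as a user that owns nothing under /home/rails. The first bad component is where the `stat() ... failed (13: Permission denied)` lines in the error log come from.

```shell
#!/bin/sh
# Added example: walk every component of a path and report which directory
# denies "others" the execute (search) bit, or which file denies them read.
# A worker running as a foreign user (here: nginx) cannot stat() anything
# below a directory that lacks o+x, even if the final file is world-readable.

# Octal permission bits of a file: GNU stat first, BSD stat as a fallback.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Owning user:group of a file, for the report line.
owner_of() {
    stat -c '%U:%G' "$1" 2>/dev/null || stat -f '%Su:%Sg' "$1"
}

# check_component PATH
# Prints one report line; returns 1 if a directory lacks o+x or a file
# lacks o+r, otherwise 0.
check_component() {
    p=$1
    if [ ! -e "$p" ]; then
        printf '%-55s MISSING\n' "$p"
        return 1
    fi
    mode=$(mode_of "$p")
    owner=$(owner_of "$p")
    # The last octal digit is the "others" triplet (r=4, w=2, x=1);
    # taking the last character avoids octal-literal surprises in $(( )).
    others=${mode#"${mode%?}"}
    if [ -d "$p" ] && [ $(( others & 1 )) -eq 0 ]; then
        printf '%-55s %s %s  <-- no o+x, cannot be traversed\n' "$p" "$mode" "$owner"
        return 1
    fi
    if [ ! -d "$p" ] && [ $(( others & 4 )) -eq 0 ]; then
        printf '%-55s %s %s  <-- no o+r, cannot be read\n' "$p" "$mode" "$owner"
        return 1
    fi
    printf '%-55s %s %s\n' "$p" "$mode" "$owner"
    return 0
}

# check_path ABSOLUTE_PATH
# Walks from / down to ABSOLUTE_PATH, checking every component. Returns 1
# if any component fails, 0 when the whole chain is usable by "others".
check_path() {
    target=$1
    rc=0
    cur=""
    # Split on "/" with IFS; disable globbing so "*" in a name is not expanded.
    oldifs=$IFS
    IFS=/
    set -f
    set -- $target
    set +f
    IFS=$oldifs
    check_component "/" || rc=1
    for part in "$@"; do
        [ -z "$part" ] && continue
        cur="$cur/$part"
        check_component "$cur" || rc=1
    done
    return $rc
}

# Usage: sh check_path.sh /home/rails/public_html/rails_app/current/public
if [ "$#" -gt 0 ]; then
    check_path "$1"
fi
```

Run it against the `root` directive's value (and against the Unicorn socket's directory) and fix the first component it flags; as the answer notes, granting `o+x` on /home/rails works but opens the tree to every local user, so aligning the nginx group with the ownership of the Rails checkout is the tighter fix.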