I am setting up a capistrano deployment with nginx 1.6.2 and Unicorn. But with my current setup, nginx does not create the servers I have written in the conf files. I am sure it is a permissions error on my user's directory, because that is where the conf files are located, under the two rails application directories.
My nginx file is as follows:
```nginx
user mjp nginx;
worker_processes 1;

error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/access.log main;

    sendfile on;
    #tcp_nopush on;

    keepalive_timeout 65;

    #gzip on;

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}
```
/etc/nginx/conf.d/*.conf is empty.
The /etc/nginx/sites-enabled/ directory contains 2 symlinks:
```
[mjp@centos nginx]$ ll sites-enabled/
total 4
lrwxrwxrwx. 1 root root 61 Jan 5 06:58 mjp-portal_production -> /home/mjp/apps/mjp-portal_production/shared/config/nginx.conf
lrwxrwxrwx. 1 root root 58 Jan 3 21:03 mjp-portal_staging -> /home/mjp/apps/mjp-portal_staging/shared/config/nginx.conf
```
All the permissions on the path leading to these conf files:
```
[mjp@centos ~]$ ll
total 4
drwxrwxr-x. 4 mjp nginx 4096 Jan 5 06:58 apps
[mjp@centos ~]$ ll apps/
total 8
drwxr-xr-x. 5 mjp nginx 4096 Jan 5 07:27 mjp-portal_production
drwxrwxr-x. 5 mjp nginx 4096 Jan 3 21:11 mjp-portal_staging
[mjp@centos ~]$ ll apps/mjp-portal_staging/
total 16
lrwxrwxrwx. 1 mjp nginx   57 Jan 3 21:11 current -> /home/mjp/apps/mjp-portal_staging/releases/20150103210756
drwxrwxr-x. 4 mjp nginx 4096 Jan 3 21:07 releases
drwxrwxr-x. 7 mjp nginx 4096 Jan 3 21:04 repo
-rwxrwxr-x. 1 mjp nginx   71 Jan 3 21:11 revisions.log
drwxrwxr-x. 9 mjp nginx 4096 Jan 3 21:05 shared
[mjp@centos ~]$ ll apps/mjp-portal_staging/shared/
total 28
drwxrwxr-x. 2 mjp nginx 4096 Jan 3 21:10 bin
drwxrwxr-x. 3 mjp nginx 4096 Jan 3 21:05 bundle
drwxrwxr-x. 2 mjp nginx 4096 Jan 5 07:46 config
drwxrwxr-x. 2 mjp nginx 4096 Jan 3 21:11 log
drwxrwxr-x. 3 mjp nginx 4096 Jan 3 21:04 public
drwxrwxr-x. 5 mjp nginx 4096 Jan 3 21:04 tmp
drwxrwxr-x. 3 mjp nginx 4096 Jan 3 21:04 vendor
[mjp@centos ~]$ ll apps/mjp-portal_staging/shared/config/
total 24
-rwxrwxr-x. 1 mjp nginx  136 Jan 3 21:03 database.example.yml
-rwxrwxr-x. 1 mjp nginx  155 Jan 3 21:06 database.yml
-rwxrwxr-x. 1 mjp nginx  188 Jan 3 21:03 log_rotation
-rwxrwxr-x. 1 mjp nginx  814 Jan 5 07:46 nginx.conf
-rwxrwxr-x. 1 mjp nginx 1996 Jan 3 21:03 unicorn_init.sh
-rwxrwxr-x. 1 mjp nginx 1327 Jan 3 21:03 unicorn.rb
```
mjp-portal_production -> /home/mjp/apps/mjp-portal_production/shared/config/nginx.conf:
```nginx
upstream unicorn1 {
    server unix:/tmp/unicorn.mjp-portal_production.sock fail_timeout=0;
}

server {
    server_name 185.48.117.98;
    listen 8080 default;
    root /home/mjp/apps/mjp-portal_production/current/public;
    #access_log /home/mjp/apps/mjp-portal_production/shared/log/nginx_access.log;
    #error_log /home/mjp/apps/mjp-portal_production/shared/log/nginx_error.log;

    location ^~ /assets/ {
        gzip_static on;
        expires max;
        add_header Cache-Control public;
    }

    try_files $uri/index.html $uri @unicorn;
    location @unicorn {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_pass http://unicorn1;
        proxy_buffering off;
    }

    error_page 500 502 503 504 /500.html;
    client_max_body_size 4G;
    keepalive_timeout 10;
}
```
mjp-portal_staging -> /home/mjp/apps/mjp-portal_staging/shared/config/nginx.conf:
```nginx
upstream unicorn {
    server unix:/tmp/unicorn.mjp-portal_staging.sock fail_timeout=0;
}

server {
    server_name 185.48.117.98;
    listen 8081 default;
    root /home/mjp/apps/mjp-portal_staging/current/public;
    #access_log /home/mjp/apps/mjp-portal_staging/shared/log/nginx_access.log;
    #error_log /home/mjp/apps/mjp-portal_staging/shared/log/nginx_error.log;

    location ^~ /assets/ {
        gzip_static on;
        expires max;
        add_header Cache-Control public;
    }

    try_files $uri/index.html $uri @unicorn;
    location @unicorn {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_pass http://unicorn;
        proxy_buffering off;
    }

    error_page 500 502 503 504 /500.html;
    client_max_body_size 4G;
    keepalive_timeout 10;
}
```
Even when I set the nginx processes ("workers") to run as root, nginx still cannot create the servers and start listening.
netstat -anp does not show any ports opened by nginx, in this case port 8080 and port 8081.
What am I doing wrong? All the permissions seem to be right. What else am I missing? When I put the code from these two symlinks into /etc/nginx/conf.d/, it does open those ports, although I get a 502 Bad Gateway, which makes me think it is a permissions error in those app directories.
What am I doing wrong?
This is an SELinux issue.
When you run sudo nginx, it starts nginx as unconfined_t, whereas when you run sudo service nginx start, nginx runs as httpd_t.
By starting it initially from sudo, it creates a bunch of files and initialises its state as unconfined_t. For example, the pid file will be in the wrong context. So when you use service nginx stop to kill it, httpd_t does not have enough permission to read the files written by unconfined_t.
You should always start it using service, which will avoid this problem. To correct it, you need to relabel the stateful files that exist on the filesystem; for example, running restorecon /var/run/nginx.pid will correct the wrong label set on that pid file.
I am not sure whether more files are written out when the service is created that would also need correcting. You can get a list of the files that are probably affected by doing ausearch -ts recent -m avc.
Some extra information for those who want to expand their SELinux knowledge and debug problems with SELinux:
https://www.nginx.com/blog/nginx-se-linux-changes-upgrading-rhel-6-6/
TL;DR
Debugging permission problems with SELinux:
Tools:
ausearch -i -m avc will help read the audit.log in a readable format for any AVC (SELinux) problems.
You can also try adding -ts recent or -ts today to narrow the search.
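As an added example (not from the question or either answer): a small shell helper that reads the raw AVC records ausearch -m avc prints, summarises which process domain was denied what on which object, and attaches a remediation hint per target type, which is how the mislabelled files described above show up in practice. The audit records it runs on are constructed here, modelled on the paths in the question, not real log output from that host.

```shell
#!/bin/sh
# Added example (not from the question or the answers): summarise the raw AVC
# records that `ausearch -m avc` prints so the mislabelled objects nginx trips
# over stand out. The audit records below are constructed, modelled on the
# paths in the question; they are not real log output from that host.

# avc_report FILE: one line per "avc: denied" record in FILE, in the form
#   <process domain> denied <perms> on <object> (target type <type>, class <tclass>)
avc_report() {
    awk '
    /type=AVC/ && /avc: *denied/ {
        perms = $0                      # keep the text between "{" and "}"
        sub(/.*denied *\{ */, "", perms); sub(/ *\}.*/, "", perms)
        obj = "?"; src = "?"; tgt = "?"; cls = "?"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^(name|path)=/) { obj = $i; gsub(/^(name|path)=|"/, "", obj) }
            if ($i ~ /^scontext=/)    { split($i, p, ":"); src = p[3] }  # domain of the process
            if ($i ~ /^tcontext=/)    { split($i, p, ":"); tgt = p[3] }  # type of the object
            if ($i ~ /^tclass=/)      { cls = $i; sub(/^tclass=/, "", cls) }
        }
        printf "%s denied %s on %s (target type %s, class %s)\n", src, perms, obj, tgt, cls
    }' "$1"
}

# label_hint TYPE: what a denied target type usually means and how to fix it
label_hint() {
    case "$1" in
        user_home_t)
            echo "default label under /home: restorecon keeps it; move the file or set a new default (semanage fcontext -a -t httpd_config_t ...; restorecon -Rv)" ;;
        unconfined_t)
            echo "object belongs to a process started unconfined (from a shell or sudo nginx) instead of via service: restart it via service so it runs confined, then restorecon the files it left behind" ;;
        *)
            echo "compare ls -Z with matchpathcon and run restorecon -v on the object" ;;
    esac
}

# Constructed sample: one SYSCALL record (ignored) and two denials an nginx
# running as httpd_t would raise against objects created by the user mjp.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
type=SYSCALL msg=audit(1420445000.123:456): arch=c000003e syscall=2 success=no exit=-13 comm="nginx" exe="/usr/sbin/nginx" subj=system_u:system_r:httpd_t:s0
type=AVC msg=audit(1420445000.123:456): avc:  denied  { read } for  pid=1234 comm="nginx" name="nginx.conf" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1420445060.500:470): avc:  denied  { connectto } for  pid=1235 comm="nginx" path="/tmp/unicorn.mjp-portal_staging.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=unix_stream_socket
EOF

avc_report "$SAMPLE_LOG" | while read -r line; do
    echo "$line"
    echo "  -> $(label_hint "$(echo "$line" | sed 's/.*target type \([^,]*\),.*/\1/')")"
done
```

On a real host, replace the constructed file with the output of ausearch -ts recent -m avc; the second denial is the shape a 502 Bad Gateway from a confined nginx talking to an unconfined Unicorn socket leaves in the audit log.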