如何让nginx执行python代码_python – 如何在执行模式下使用SELinux运行Flask Nginx uWSGI？...

最新推荐文章于 2023-06-30 13:49:49 发布

weixin_39936388

最新推荐文章于 2023-06-30 13:49:49 发布

阅读量71

点赞数

文章标签：如何让nginx执行python代码

我正在关注this tutorial在Nginx服务器上运行Flask.我几乎让它工作,其中当SELinux设置为Permissive时页面加载,但当SELinux处于Enforcing模式时显示502 Bad Gateway.

以下是一些相关文件：

myproject.ini

[uwsgi]

module = wsgi

master = true

processes = 5

socket = myproject.sock

chmod-socket = 660

vacuum = true

die-on-term = true

myproject.service

[Unit]

Description=uWSGI instance to serve myproject

After=network.target

[Service]

User=thisuser

Group=nginx

WorkingDirectory=/home/thisuser/public_html

Environment="PATH=/home/thisuser/thisuser_env/bin"

ExecStart=/home/thisuser/thisuser_env/bin/uwsgi --ini myproject.ini

[Install]

WantedBy=multi-user.target

thisuser.com.conf(Nginx配置)

server {

listen 80;

server_name thisuser.com www.thisuser.com;

access_log /home/thisuser/logs/access.log;

error_log /home/thisuser/logs/error.log;

location / {

include uwsgi_params;

uwsgi_pass unix:/home/thisuser/public_html/myproject.sock;

try_files $uri $uri/ =404;

}

Flask文件目录的位置是/ home / thisuser /,它的上下文设置如下：

[root@dev ~]# ls -ldZ /home/thisuser/

drwx--x--x. thisuser thisuser unconfined_u:object_r:user_home_dir_t:s0 /home/thisuser/

[root@dev ~]# ls -ldZ /home/thisuser/public_html/

drwxrwxr-x. thisuser thisuser unconfined_u:object_r:httpd_sys_content_t:s0 /home/thisuser/public_html/

错误如下：

/var/log/audit/audit.log

type=AVC msg=audit(1498880449.864:156): avc: denied { write } for pid=2667 comm="nginx" name="myproject.sock" dev="dm-2" ino=67165858 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=sock_file

type=SYSCALL msg=audit(1498880449.864:156): arch=c000003e syscall=42 success=no exit=-13 a0=f a1=7f526e12e548 a2=6e a3=7ffdf52991b0 items=0 ppid=2666 pid=2667 auid=4294967295 uid=997 gid=995 euid=997 suid=997 fsuid=997 egid=995 sgid=995 fsgid=995 tty=(none) ses=4294967295 comm="nginx" exe="/usr/sbin/nginx" subj=system_u:system_r:httpd_t:s0 key=(null)

和

/home/thisuser/logs/error.log

2017/06/30 23:40:49 [crit] 2667#0: *1 connect() to unix:/home/thisuser/public_html/myproject.sock failed (13: Permission denied) while connecting to upstream,client: 192.168.1.15,server: thisuser.com,request: "GET / HTTP/1.1",upstream: "uwsgi://unix:/home/thisuser/public_html/myproject.sock:",host: "thisuser.com"

试过的步骤：

>尝试将sock权限更改为chmod-socket = 666

>使用了setsebool -P httpd_can_network_connect 1

>将FROM = thisuser更改为user = nginx

>将此用户添加到nginx组

唯一有效的方法是将SELinux更改为Permissive.我可以进行一些更改/添加,以便SELinux继续执行吗？

编辑：在firewalld中已经允许http(s)

[root@dev ~]# firewall-cmd --permanent --zone=public --add-service=https

[root@dev ~]# firewall-cmd --permanent --zone=public --add-service=http

[root@dev ~]# firewall-cmd --reload