wsgi nginx error: permission denied while connecting to upstream

After following all the advice in this thread I was still getting permission errors. The final missing piece was to correct the nginx user in the /etc/nginx/nginx.conf file:

# old: user  nginx;
user  www-data;

To summarize what others have said: the permission denied error in nginx (which you can look into in /var/log/nginx/error.log) is usually due to the following:

  1. you are writing the .sock file at a place where nginx does not have permission
  2. SELinux is causing the problem

To solve 1: First, don't write the .sock file at /tmp, as suggested here (Server Fault answer), because different services see different /tmp in Fedora. You can write it at some place such as ~/myproject/mysocket.sock. The nginx user must have access to our application directory in order to access the socket file there. By default, CentOS locks down each user's home directory very restrictively, so we will add the nginx user to our user's group so that we can then open up the minimum permissions necessary to grant access.

You can add the nginx user to your user group with the following command. Substitute your own username for the user in the command:

sudo usermod -a -G $USER nginx

Now, we can give our user group execute permissions on our home directory. This will allow the Nginx process to enter and access content within:

chmod 710 /path/to/project/dir

If the permission denied error is still there, then the hack sudo setenforce 0 will do the trick.
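
An added example, not part of the original answers: a check that walks every directory above the socket and reports the first one the nginx user cannot enter, which is the situation the usermod and chmod 710 steps above address. It reads only classic mode bits (no ACLs, SELinux or per-service private /tmp), and the uid/gid numbers, the /home/me path and the function names are assumptions made for the example.

```python
import os
from types import SimpleNamespace

def class_allows(st, uid, gids, need):
    """Classic Unix check: pick the owner, group or other bits, then test `need`."""
    if uid == 0:
        return True  # root bypasses mode bits
    if st.st_uid == uid:
        bits = st.st_mode >> 6
    elif st.st_gid in gids:
        bits = st.st_mode >> 3
    else:
        bits = st.st_mode
    return (bits & need) == need

def first_blocker(sock_path, uid, gids, stat_fn=os.stat):
    """Return (path, reason) for the first component denying access, else None."""
    path = os.path.abspath(sock_path)
    dirs, cur = [], os.path.dirname(path)
    while True:  # collect every parent directory up to /
        dirs.append(cur)
        parent = os.path.dirname(cur)
        if parent == cur:
            break
        cur = parent
    for d in reversed(dirs):  # check from / downwards
        if not class_allows(stat_fn(d), uid, gids, 0o1):
            return (d, "missing x (search) on directory")
    if not class_allows(stat_fn(path), uid, gids, 0o2):  # connect() needs w on Linux
        return (path, "missing w on socket")
    return None

# Constructed sample tree (not a real host): user uid/gid 1000, nginx uid/gid 991.
def entry(mode, uid, gid):
    return SimpleNamespace(st_mode=mode, st_uid=uid, st_gid=gid)

SAMPLE = {
    "/": entry(0o40755, 0, 0),
    "/home": entry(0o40755, 0, 0),
    "/home/me": entry(0o40700, 1000, 1000),
    "/home/me/myproject": entry(0o40775, 1000, 1000),
    "/home/me/myproject/mysocket.sock": entry(0o140660, 1000, 1000),
}

if __name__ == "__main__":
    sock = "/home/me/myproject/mysocket.sock"
    print(first_blocker(sock, 991, {991}, SAMPLE.__getitem__))        # blocked at /home/me
    SAMPLE["/home/me"].st_mode = 0o40710                              # chmod 710
    print(first_blocker(sock, 991, {991, 1000}, SAMPLE.__getitem__))  # after usermod -a -G
```

On a real host, call first_blocker with the actual socket path and the nginx user's uid and group ids, leaving stat_fn at its default.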


I also followed that tutorial and ran into the same issue. After quite a bit of trial and error, the following steps allowed me to run uWSGI and nginx successfully:

My nginx.config file:

server {
    listen 80;
    server_name localhost;

    # try_files needs a path to test before the named fallback location
    location / { try_files $uri @yourapplication; }
    location @yourapplication {
        include uwsgi_params;
        uwsgi_pass unix:/PATH_TO_PROJECT/PROJECT.sock;
    }
}

My .ini file wasn't working very well, so I decided to take advantage of uWSGI's extensive arguments that are available. Here's what I used:

uwsgi -s /PATH_TO_PROJECT/PROJECT.sock -w wsgi:app -H /PATH_TO_PROJECT/venv --http-processes=4 --chmod-socket=666 --master &

Where:

-s /PATH_TO_PROJECT/PROJECT.sock = the location of my .sock file

-w wsgi:app = the location of my wsgi.py file and app being the name of my Flask object

-H /PATH_TO_PROJECT/venv = the location of my virtual environment

--http-processes=4 = the number of http processes for uWSGI to create

--chmod-socket=666 = the permissions to set on the socket

--master = allow uWSGI to run with its master process manager

& = run uWSGI in the background


The path unix:/PATH_TO_PROJECT/PROJECT.sock should be placed in /tmp; this fixed my problem.