By Mulagala


2014-05-30 06:37:10 8 Comments

I am configuring a Django project with nginx and gunicorn. While accessing my gunicorn port (gunicorn mysite.wsgi:application --bind=127.0.0.1:8001) through the nginx server, I get the following error in my error log file.

2014/05/30 11:59:42 [crit] 4075#0: *6 connect() to 127.0.0.1:8001 failed (13: Permission denied) while connecting to upstream, client: 127.0.0.1, server: localhost, request: "GET / HTTP/1.1", upstream: "http://127.0.0.1:8001/", host: "localhost:8080"

My nginx.conf file

server {
    listen 8080;
    server_name localhost;
    access_log  /var/log/nginx/example.log;
    error_log /var/log/nginx/example.error.log;

    location / {
        proxy_pass http://127.0.0.1:8001;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $http_host;
    }
}

In the html page I am getting 502 Bad Gateway.

What mistake am I making?

10 comments

@kumar 2019-08-21 12:14:19

(13: Permission denied) while connecting to upstream (nginx) on a CentOS server:

setsebool -P httpd_can_network_connect 1

@Abhishek Jalan 2019-07-25 08:52:10

Thanks, guys :) now I am able to use Nginx proxy for my Kibana URL

really useful command :) setsebool -P httpd_can_network_connect 1

@Harsh Wardhan 2019-07-25 09:20:02

Please write to the point answers.

@Ezhil Arasan 2019-07-08 07:32:21

If a "502 Bad Gateway" error is thrown on a CentOS API URL for an API gateway proxy pass on nginx, run the following command to solve the issue:

sudo setsebool -P httpd_can_network_connect 1

@Anjaneyulu Batta 2019-05-02 05:38:09

  1. Check the user in /etc/nginx/nginx.conf
  2. Change ownership to user.
sudo chown -R nginx:nginx /var/lib/nginx

Now see the magic.

@joebarbere 2014-07-18 17:35:14

I had a similar issue getting Fedora 20, Nginx, Node.js, and Ghost (blog) to work. It turns out my issue was due to SELinux.

This should solve the problem:

setsebool -P httpd_can_network_connect 1

Details

I checked for errors in the SELinux logs:

sudo cat /var/log/audit/audit.log | grep nginx | grep denied

And found that running the following commands fixed my issue:

sudo cat /var/log/audit/audit.log | grep nginx | grep denied | audit2allow -M mynginx
sudo semodule -i mynginx.pp

References:

http://blog.frag-gustav.de/2013/07/21/nginx-selinux-me-mad/

https://wiki.gentoo.org/wiki/SELinux/Tutorials/Where_to_find_SELinux_permission_denial_details

http://wiki.gentoo.org/wiki/SELinux/Tutorials/Managing_network_port_labels

http://www.linuxproblems.org/wiki/Selinux

@Jahan Zinedine 2014-09-04 16:35:48

Thanks, that fixed my issue too, I'm on CentOS 7.

@gross.jonas 2014-11-13 09:57:27

thanks. I needed to yum install policycoreutils-python in order to get audit2allow first. Reference: centos.org/forums/viewtopic.php?t=5012

@BlaShadow 2014-11-26 20:37:10

Thanks a lot, it works for me using a node server. (Redhat 7)

@user113397 2015-04-13 16:51:15

See also here. In my case I had to add nginx to the group of the user in whose home directory the wwwroot was stored.

@josdem 2015-09-29 02:35:47

Thank you! setsebool -P httpd_can_network_connect 1 solved my problem in RedHat 7.1

@Mike Purcell 2015-10-06 13:59:38

Sid's answer should be the accepted answer, it's better to use built-in policies rather than create your own, much less overhead, especially when dealing with multiple servers.

@Joseph N. 2016-01-31 13:29:22

On Fedora 23, installing policycoreutils-python did not provide the command audit2allow. After some research I found you should install the devel package: yum install policycoreutils-devel. Reference: danwalsh.livejournal.com/61710.html

@Kuberchaun 2016-04-05 23:24:38

I ran into a similar issue getting nginx and artifactory working on redhat 6.5. This solved my problem, 5 hip hip hurrays for you!

@po5i 2016-10-24 21:13:28

I sincerely love you, but nobody can return me the hours I spent finding this.

@johhny B 2016-12-18 10:03:22

Can someone please tell me how someone would reverse these policy changes?

@edencorbin 2017-08-07 03:44:02

Amazing, and also very cryptic (not your answer, but that this is required). I installed two CentOS instances and one required it, the other didn't, confusing. Also, are there any security implications to this to be aware of?

@ashish.gd 2017-08-18 10:55:05

I was on RHEL 7.2 and the "setsebool -P httpd_can_network_connect 1" saved me. Big thank you!

@Gank 2017-11-04 10:47:59

After wasting a whole day, I solved it with this one line of code.

@xji 2018-06-30 12:17:52

Just never could have imagined that when the default welcome page is displayed but proxying an upstream server doesn't work, it is still the fault of a third-party security policy. I just focused my debugging effort on the config file... Though should have been able to find the error log earlier indeed.

@iRamesh 2018-08-28 22:11:51

This saved me, after wasting a couple of days trying all different solutions.

@AlEmerich 2018-10-25 11:46:56

It worked for me too, but just to be precise, I had to reboot.

@Vivekanandan Sakthivelu 2019-08-07 17:38:48

It worked like a charm!! (CentOS 7). It was useful.

@NIK 2019-08-14 13:45:36

Excellent answer with issue investigation steps and refs. Thanks a lot.

@unlockme 2017-08-04 07:45:22

Had a similar problem on CentOS 7. When I tried to apply the solution prescribed by Sorin, I started moving in cycles. First I had a permission { write } denied. Then when I solved that I had a permission { connectto } denied. Then back again to permission { write } denied.

Following @Sid's answer above of checking the flags using getsebool -a | grep httpd and toggling them, I found that in addition to httpd_can_network_connect being off, http_anon_write was also off, resulting in permission denied { write } and permission denied { connectto }.

type=AVC msg=audit(1501830505.174:799183): avc:  
denied  { write } for  pid=12144 comm="nginx" name="myroject.sock" 
dev="dm-2" ino=134718735 scontext=system_u:system_r:httpd_t:s0 
tcontext=system_u:object_r:default_t:s0 tclass=sock_file

Obtained using sudo cat /var/log/audit/audit.log | grep nginx | grep denied as explained above.

So I solved them one at a time, toggling the flags on one at a time.

setsebool httpd_can_network_connect on -P

Then running the commands specified by @sorin and @Joseph above

sudo cat /var/log/audit/audit.log | grep nginx | grep denied | 
audit2allow -M mynginx
sudo semodule -i mynginx.pp

Basically, you can check the permissions set with setsebool and correlate them with the errors obtained from grepping audit.log for nginx and denied.
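
The correlation step this answer describes (matching each nginx denial in audit.log to a boolean or a file label before loading an audit2allow module), as an added example that is not part of the original post. The function names and the sample log lines are constructed for illustration, and the hints cover only the fixes mentioned on this page.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials for nginx before changing policy.
# Input: audit.log lines on stdin. Output: "count perms tclass target_type -> hint".
summarize_avc() {
    awk '
    /type=AVC/ && /denied/ && /comm="nginx"/ {
        perm = ""; tclass = ""; ttype = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {
                # collect every permission between the braces
                for (j = i + 1; j <= NF && $j != "}"; j++)
                    perm = perm (perm == "" ? "" : ",") $j
            } else if ($i ~ /^tclass=/) {
                tclass = substr($i, 8)
            } else if ($i ~ /^tcontext=/) {
                split(substr($i, 10), ctx, ":")   # user:role:type:level
                ttype = ctx[3]
            }
        }
        seen[perm " " tclass " " ttype]++
    }
    END {
        for (k in seen) {
            split(k, f, " ")
            hint = "review manually"
            # hints are limited to the fixes mentioned on this page
            if (f[2] == "tcp_socket" && f[1] == "name_connect")
                hint = "boolean httpd_can_network_connect"
            else if (f[2] == "sock_file" || f[2] == "file" || f[2] == "dir")
                hint = "file label (semanage fcontext + restorecon)"
            printf "%d %s %s %s -> %s\n", seen[k], f[1], f[2], f[3], hint
        }
    }' | sort
}

# Constructed sample lines in audit.log format (not taken from a real host).
sample_log() {
    cat <<'EOF'
type=AVC msg=audit(1500000000.100:101): avc:  denied  { name_connect } for  pid=4075 comm="nginx" dest=8001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1500000001.100:102): avc:  denied  { name_connect } for  pid=4075 comm="nginx" dest=8001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1500000002.100:103): avc:  denied  { write } for  pid=4075 comm="nginx" name="app.sock" dev="dm-2" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=sock_file
type=AVC msg=audit(1500000003.100:104): avc:  denied  { read } for  pid=900 comm="sshd" name="x" dev="dm-2" ino=99 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
EOF
}

sample_log | summarize_avc
```

On a real host, feed it the same log the answers read: sudo cat /var/log/audit/audit.log | summarize_avc. Each output line is one distinct denial, so anything marked "review manually" is a rule an audit2allow module built from the same grep would also allow.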

@TitaniuM 2017-03-06 20:20:35

sudo cat /var/log/audit/audit.log | grep nginx | grep denied | audit2allow -M mynginx

sudo semodule -i mynginx.pp

@sule 2015-12-15 08:45:03

I’ve run into this problem too. I'm using Nginx with HHVM, below solution fixed my issue:

sudo semanage fcontext -a -t httpd_sys_rw_content_t "/etc/nginx/fastcgi_temp(/.*)?"

sudo restorecon -R -v /etc/nginx/fastcgi_temp

@Sid 2015-07-14 10:18:00

I’ve run into this problem too. Another solution is to toggle the SELinux boolean value for httpd network connect to on (Nginx uses the httpd label).

setsebool httpd_can_network_connect on

To make the change persist use the -P flag.

setsebool httpd_can_network_connect on -P

You can see a list of all available SELinux booleans for httpd using

getsebool -a | grep httpd

@kikicarbonell 2015-10-01 14:41:47

This works on CentOS 6 too, thanks.

@Mike Purcell 2015-10-06 14:04:40

This worked, thanks. I updated from CentOS 6.5 -> 6.7 and it must have defaulted the value to off during the update, because it was working fine before the update. Simple fix.

@Soman Dubey 2016-01-04 16:41:07

Solved for me on RHEL

@Ehsan Aghaei 2017-08-18 14:24:31

Great, solved my problem on CentOS 7.3

@Mulagala 2014-06-04 10:52:32

I have solved my problem by running nginx as my present working user, that is mulagala. By default the user is nginx in my nginx.conf file. We can find that line at the top of the nginx.conf file.

user nginx;

Change this to your current working user name, like

user  mulagala;

@MIguelele 2015-04-10 17:55:20

Bad idea, changing user. It works, but think about it as a casual side effect. You are not solving the real problem. Joseph Barbere's solution is better.
