Forum: NGINX nginx permission denied for upstream unix socket

Tim (Guest)
on 2014-08-25 15:22
(Received via mailing list)
Hi,

I'm running nginx under CentOS 7 as a local proxy for a puppetmaster. I
get the following error for every agent trying to connect to the master:

"[crit] 8543#0: *13 connect() to
unix:/var/run/puppet/puppetmaster_puma.sock failed (13: Permission
denied) while connecting to upstream, client: 192.168.122.189, server: ,
request: "PUT /production/report/master.puppet.local HTTP/1.1",
upstream:
"http://unix:/var/run/puppet/puppetmaster_puma.sock...,
host: "master.puppet.local:8140""


But:
srwxrwxrwx. 1 puppet puppet 0 25. Aug 10:35
/var/run/puppet/puppetmaster_puma.sock

The socket seems to be read/writable for everyone on the system? Why
does nginx throw a "permission denied" message?

And here is my nginx config:

# define our puma backend
upstream puppetmaster_puma {
         server unix:/var/run/puppet/puppetmaster_puma.sock;
}

# define our proxy for breaking up SSL
server {
         ssl on;
         ssl_certificate /var/lib/puppet/ssl/certs/master.puppet.local.pem;
         ssl_certificate_key /var/lib/puppet/ssl/private_keys/master.puppet.local.pem;
         ssl_verify_client optional;
         ssl_client_certificate /var/lib/puppet/ssl/ca/ca_crt.pem;
         listen 192.168.122.189:8140 ssl;
         root /var/empty;
         location / {
                 proxy_pass http://puppetmaster_puma;
         }
}

nginx is running in version 1.6.1,
Valentin V. Bartenev (Guest)
on 2014-08-25 15:46
(Received via mailing list)
On Monday 25 August 2014 15:21:44 Tim wrote:
> "http://unix:/var/run/puppet/puppetmaster_puma.sock...,
> host: "master.puppet.local:8140""
>
>
> But:
> srwxrwxrwx. 1 puppet puppet 0 25. Aug 10:35
> /var/run/puppet/puppetmaster_puma.sock
>
> The socket seems to be read/writable for everyone on the system? Why
> does nginx throw a "permission denied" message?
>
[..]

What about the /var/run/puppet/ directory?

  wbr, Valentin V. Bartenev
Tim (Guest)
on 2014-08-25 15:51
(Received via mailing list)
On 2014-08-25 15:46, Valentin V. Bartenev wrote:
>> denied) while connecting to upstream, client: 192.168.122.189, server:
>> /var/run/puppet/puppetmaster_puma.sock
>>
>> The socket seems to be read/writable for everyone on the system? Why
>> does nginx throw a "permission denied" message?
>>
> [..]
>
> What about the /var/run/puppet/ directory?

Seems to be fine:

drwxr-xr-x.  2 puppet   puppet    100 25. Aug 10:35 /var/run/puppet

(the nginx user is in the puppet group btw). Even setting the
permissions to 777 didn't fix the issue.
Edwin (Guest)
on 2014-08-25 16:26
(Received via mailing list)
On 2014-08-25 09:51, Tim wrote:
>>> unix:/var/run/puppet/puppetmaster_puma.sock failed (13: Permission
>>> srwxrwxrwx. 1 puppet puppet 0 25. Aug 10:35
> seems to be fine:

Hi,

Have you checked your SELinux permissions? According to your "ls -l",
you would have SELinux enabled on those files/sockets (the "." in the
output). I would check SELinux settings to allow access from nginx to
the socket.

Sincerely,
---
Edwin
Tim (Guest)
on 2014-08-25 16:27
(Received via mailing list)
I found the issue by myself. SELinux was blocking the access to the
socket. This is now fixed.

On 2014-08-25 15:51, Tim wrote:
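
Added example, not part of the original thread: when file modes allow access but connect() still returns error 13, the audit log shows which SELinux rule refused it. This sketch groups AVC denials for one process name; the log records, SELinux types, pids and inode numbers below are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed audit.log sample (not from the thread). SELinux types, pids and
# inode numbers are illustrative assumptions.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1408976544.101:311): avc:  denied  { write } for  pid=8543 comm="nginx" name="puppetmaster_puma.sock" dev="tmpfs" ino=20611 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1408976544.101:311): arch=c000003e syscall=42 success=no exit=-13 comm="nginx" exe="/usr/sbin/nginx"
type=AVC msg=audit(1408976551.870:319): avc:  denied  { write } for  pid=8543 comm="nginx" name="puppetmaster_puma.sock" dev="tmpfs" ino=20611 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1408976553.400:322): avc:  denied  { connectto } for  pid=8543 comm="nginx" path="/var/run/puppet/puppetmaster_puma.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:puppetmaster_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1408976560.002:325): avc:  denied  { read } for  pid=9001 comm="sshd" name="shadow" dev="dm-0" ino=771 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')
OBJ_RE = re.compile(r'\b(?:name|path)="([^"]+)"')


def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]


def denials_for(log_text, comm):
    """Group AVC denials for one process name by (source type, target type, class)."""
    grouped = defaultdict(lambda: {"perms": set(), "objects": set(), "count": 0})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("comm") != comm:
            continue  # not a denial record, or a different process
        key = (selinux_type(m.group("scon")), selinux_type(m.group("tcon")),
               m.group("tclass"))
        entry = grouped[key]
        entry["perms"].update(m.group("perms").split())
        obj = OBJ_RE.search(line)
        if obj:  # the name=/path= field is not present on every AVC record
            entry["objects"].add(obj.group(1))
        entry["count"] += 1
    return dict(grouped)


if __name__ == "__main__":
    for (src, tgt, cls), e in denials_for(SAMPLE_AUDIT_LOG, "nginx").items():
        print(f"{src} -> {tgt} [{cls}] {sorted(e['perms'])} x{e['count']} {sorted(e['objects'])}")
```

On a live host the same record format is found in /var/log/audit/audit.log.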