I'm trying to connect uWSGI Flask application on CentOS 7 with nginx, nginx error log at /var/log/nginx/error.log gives:
2017/10/04 22:35:29 [crit] 24381#0: *54 connect() to unix:/var/www/html/CON29Application1/socket.sock failed
(13: Permission denied) while connecting to upstream, client: 80.44.138.51,
server: 188.226.174.121, request: "GET /favicon.ico HTTP/1.1", upstream: "uwsgi://unix:/var/www/html/CON29Application1/socket.sock:",
host: "188.226.174.121", referrer: "http://188.226.174.121/"
uWSGI error log shows I think that uWSGI running correctly:
WSGI app 0 (mountpoint='') ready in 1 seconds on interpreter 0x1a1ebd0 pid: 26364 (default app)
This is my first deployment on Linux, but read another SO answer here: Nginx can't access a uWSGI unix socket on CentOS 7
This guy answered his own question, and referred to blog post on SE Linux http://axilleas.me/en/blog/2013/selinux-policy-for-nginx-and-gitlab-unix-socket-in-fedora-19/, saying SE Linux was the problem. I don't really understand what is running where on SE Linux, and solution seems to involve altering "AVC" messages in nginx audit.log, I'm getting in over my head!
As the blog post referred, I do get AVC messages mentioning denied write and nginx at /var/log/audit/audit.log:
type=AVC msg=audit(1507153878.777:559609): avc: denied { write } for pid=24381
comm="nginx" name="socket.sock" dev="vda1" ino=715975
scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=sock_file
But being a newbie, is there perhaps something simpler perhaps I did wrong and can fix with chmod permissions or chown? Thanks any ideas.
Socket permissions:
ls -l socket.sock
srwxrwxrwx. 1 will nginx 0 Oct 4 17:02 socket.sock
Well, my SELinux settings did make a difference in the end, and changing this has got my web application actually working! I looked at another tutorial: https://www.digitalocean.com/community/tutorials/an-introduction-to-selinux-on-centos-7-part-1-basic-concepts
I must say from a Linux newbie's point of view, I have seen a few other posts mentioning how good Digital Ocean's tutorials are (I certainly don't have any affiliation with them whatsoever..).
For other newbies reading this, SELinux stands for Security Enhanced Linux, and is something included with many distributions of Linux now apparently, including CentOS 7. It's there for added security of some kind. I ran the simplest command they list on this page: getenforce
which output
enforcing
As the Digital Ocean tutorial states, "SELinux should currently be disabled", mine wasn't - no idea why, I hadn't touched anything on SELinux as had no idea what it was until 2 days ago.
Anyway, trying for simplest fix, as their advice did:
vi /etc/sysconfig/selinux
Or actually I think I didnt have permission to do this as my user, had to do it as root:
sudo vi /etc/sysconfig/selinux
There's only actually 2 settings in this file. So reset:
SELINUX=permissive
Then tried reboot as their advice to restart server, so apparently then SE Linux will start logging some security mumbo jumbo stuff, ie I think this means it records security booboos and people hacking into the system rather than stopping them. Reboot then asked me for Cloud something password, which I thought must be my sudo password, it wasn't, then crashed after trying this couple times anyway, so restarted it I think this is reboot yes? And my website now works.
As the other post I mentioned here, I think this means SELinux doing something to stop nginx running when it is set to enforcing. But the other post here seemed bit more complex for a newbie than to just change one setting as I have done here, more potential to create further problems. If I can ever develop this or another app further, i think need to find someone with more Linux experience.
Related
I've been trying to send a https request using ssl.https library in Lua, however no matter what url I give, I alway get permission denied and no other values like headers, etc. The linux I am using is CentOS Linux version 7.
Here is the example code:
local httpsocket = require("socket.http")
local httpssocket = require ("ssl.https")
local ltn12 = require("ltn12")
local res, code, response_headers, status = httpssocket.request("https://www.google.com")
module:log("info","%s %s",code.."",response_headers);
The code itself is part of a prosody plugin and the last line in this example prints this out:
permission denied <nil>
My question is how do I fix this issue so that I can access the page?
EDIT: It seem that the problem might be the user that the service is run under and needs root privilages otherwise it throws ACCES error for ports lower than 1024. Does anyone know what to do in this case?
So... after attempting fix this issue again, I finally found the solution. If you are having trouble with services not being able to send http/https request on centOS, there is a single command that has to be run to fix this issue:
setsebool -P nis_enabled 1
For those who might have similar issues but not quite the same as me, look into the /var/log/audit/audit.log for anything related to your program, process, service, etc. then use this command:
grep <pattern_to_match_specific_log> /var/log/audit/audit.log | audit2why
This will give you a reason why it failed and how to fix it
I am trying to run an application on debian 8 32 bits OS.
It has an inbuilt httpd server and when i try to start it i get error:
httpd: bad group name nobody
httpd/bin/httpd.rc startssl: httpd could not be started
Is there any standard way to enable this group (it looks similar to guest user access)
As per the documentation of Debian 8, nobody user is used by processes which do not require any privileges.
Found the answer on this post: https://askubuntu.com/questions/138972/what-is-the-equivalent-user-for-nobodynobody-from-centos
changed httpd.conf group name from nobody to nogroup
I have this problem because the group didnt exist in /etc/group.
I created and it worked
So, I tried to set up a public SMB share with Samba on CentOS 7. Now, I have it set up, and I have a headache. But, sweet victory. I'm posting this here for all y'all so that you don't need to waste your time. It's actually easy, you just need to know the hoops you need to jump through. I'll also edit the Samba wiki.
The first problem was that it wouldn't connect at all, except locally:
Remote Connection (my Linux desktop):
-------
[root#my-desktop ~]# smbclient //sambaserver/PublicDocs -N
Error connecting to 192.168.100.97 (No route to host)
Connection to cgybkp01 failed (Error NT_STATUS_HOST_UNREACHABLE)
On Windows 8, using Windows Explorer, after typing "\\sambaserver" into the address bar, the progress bar would wait, wait, wait, then time out. The error message was:
Remote Connection (my Windows 8 desktop):
Windows cannot access \\sambaserver
Check the spelling of the name. Otherwise, there might be a problem with your network. To
try to identify and resolve network problems, click Diagnose.
This ended up being a problem with firewalld. To unblock Samba, I needed to add this line to /etc/firewalld/zones/public.xml :
<service name="samba"/>
Perfect, now I can connect!
But, I was actually mounting an NFS share, so I had one more issue, with SELinux. Now, when I attempt to connect with smbclient...
smbclient //sambaserver/PublicDocs -N
I can connect, but when I try to ls, I get the error: "NT_STATUS_ACCESS_DENIED" in CentOS 7. So, how do I connect?
The first thing everyone recommended that I try was file permissions. If you're not familiar with file permissions in Linux, I'd recommend trying those first. But for me, that didn't work, because SELinux was blocking me.
To see all of the SELinux options for Samba, type:
getsebool -a | grep samba
getsebool -a | grep smb
The one I needed to change was samba_share_nfs, because I was sharing an NFS mounted directory:
setsebool -P samba_share_nfs on
CentOS maintains a list of these booleans here.
I have installed nagios successfully on fedora 17. but when I am trying to connect to nagios like http://mylocalhost.com/nagios. It asks for username and password. After putting these information I am found out forbidden 403 error with message , You dont have permission to access /nagios/ on this server.
I am bit confused how to resolve this issue. I read some post. they were saying to create empty index.html inside http root directory. i tried but same error is there.
http://www.unixmen.com/nagios-http-warning-http11-403-forbidden-solved/
If I am not wrong http root directory is /var/www/html?
oops ... sorry it was problem with my httpd service which was running actually but not accessible for publicly.
simply I flushed out iptables. then Checked out httpd service whether it is running properly or not.
Now its working great.
I think you create file index.html in /var/www/html.
After you can restart service nagios and httpd
I have a fresh, text-only installation of openSuSe 13.1 (physical server, old Samsung netbook), and I'm trying to get OTRS up and running. I've installed OTRS using the below commands. I don't think they're all necessary, but someone in the OtterHub forums had a successful installation with the software versions I'm targeting using this sequence, so I was trying to piggyback on that success.
zypper in otrs-3.3.4-01.noarch.rpm gcc make mysql-community-server perl-Crypt-SSLeay perl-JSON-XS perl-YAML-LibYAML
zypper in perl-Text-CSV_XS perl-PDF-API2 perl-GDGraph perl-Encode-HanExtra postfix perl-DBD-mysql
cd ~otrs && bin/otrs.SetPermissions.pl --otrs-user=otrs --web-user=wwwrun --otrs-group=www --web-group=www /opt/otrs
rcmysql start
systemctl start apache2.service
mysqladmin --user=root password password
All of that works fine. I'm able to get to the OTRS web installer, but that's where I get hung up. I get to the part of the web installer that creates the database, and it times out. The script successfully creates the database and updates Config.pm with the new password. I can't tell from installer.pl what it tries to do next.
Here's the error from /var/log/apache2/error_log:
[Tue Jan 28 20:53:23.136306 2014] [cgi:warn] [pid 6856] [client 192.168.1.10:52732] AH01220: Timeout waiting for output from CGI script /opt/otrs/bin/cgi-bin/installer.pl, referer: http://svr-clptest/otrs/installer.pl
[Tue Jan 28 20:53:23.136470 2014] [cgi:error] [pid 6856] [client 192.168.1.10:52732] Script timed out before returning headers: installer.pl, referer: http://svr-clptest/otrs/installer.pl
The browser displays the following:
The gateway did not receive a timely response from the upstream server or application.
This is on a local network at home. I'm accessing the Linux server using PuTTY from a Windows 8 machine. I'm using a wireless connection from the Windows 8 machine, but the server has a hard line connection to the router, if that makes any difference. I don't have any trouble executing anything from PuTTY or accessing the index page through the browser (Firefox 26). I've tried connecting from a computer on my network, and one off of my network. In both cases, I'm able to get to my domain and the web installer. But I can't make a PuTTY connection to the server from outside my network.
I've spent a couple of hours researching the error, and I can't figure out what the next step should be.
Right now, a text-only version of openSUSE and OTRS are the only things running on the machine. I haven't done anything else with it. I'm open to starting the installation from scratch again--OS and all. I'm thinking that the timeout error has something to do with my firewall settings, but I'm not a network guy. Really have no idea how to diagnose this.
UPDATE
I tried reinstalling everything fresh tonight, but then added KDE so I could walk through the web installer on the host. I get exactly the same errors. It's not a problem between server and client. Something's wrong with OTRS... Or maybe with apache?
I eventually just had to follow the steps for manual installation instead of using the web installer. Not sure where the problem was exactly, but no matter what I tried, I couldn't get the database setup to work through the web installer. If you're having a similar problem, once you get to the part of the instructions that tell you to move to the web installer, you can switch over to the instructions to install from source and pick it up from manual installation of the database.