I have a django app, python 2.7 with gunicorn and nginx.
Nginx is throwing a 403 Forbidden Error, if I try to view anything in my static folder #:
/home/ubuntu/virtualenv/myapp/myapp/homelaunch/static
nginx config(/etc/nginx/sites-enabled/myapp) contains:
server {
listen 80;
server_name *.myapp.com;
access_log /home/ubuntu/virtualenv/myapp/error/access.log;
error_log /home/ubuntu/virtualenv/myapp/error/error.log warn;
connection_pool_size 2048;
fastcgi_buffer_size 4K;
fastcgi_buffers 64 4k;
root /home/ubuntu/virtualenv/myapp/myapp/homelaunch/;
location /static/ {
alias /home/ubuntu/virtualenv/myapp/myapp/homelaunch/static/;
}
location / {
proxy_pass http://127.0.0.1:8001;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
add_header P3P 'CP="ALL DSP COR PSAa PSDa OUR NOR ONL UNI COM NAV"';
}
}
error.log contains:
2013/11/24 23:00:16 [error] 18243#0: *277 open() "/home/ubuntu/virtualenv/myapp/myapp/homelaunch/static/img/templated/home/img.png" failed (13: Permission denied), client: xx.xx.xxx.xxx, server: *.myapp.com, request: "GET /static/img/templated/home/img2.png HTTP/1.1", host: "myapp.com", referrer: "http://myapp.com/"
access.log contains
xx.xx.xx.xxx - - [24/Nov/2013:23:02:02 +0000] "GET /static/img/templated/base/animg.png HTTP/1.1" 403 141 "http://myapp.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:25.0) Gecko/20100101 Firefox/25.0"
xx.xx.xx.xxx - - [24/Nov/2013:23:02:07 +0000] "-" 400 0 "-" "-"
I tried just viewing say a .css file in /static/ and it throws an error like this in source:
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.1.19</center>
</body>
</html>
MacOs El Capitan: At the top of nginx.conf write user username group_name
My user name is Kamil so i write:
user Kamil staff;
(word 'staff' is very important in macOS). This do the trick. After that you don't need to change any permission in your project folder and files.
It appears the user nginx is running as (nginx?) is missing privileges to read the local file /home/ubuntu/virtualenv/myapp/myapp/homelaunch/static/img/templated/home/img.png. You probably wanna check file permissions as well as permissions on the directories in the hierarchy.
It seems the web server user doesn't have read permissions to the static files.
You can solve this in 2 ways:
(easiest, safer) run the nginx as you app user instead of default nginx user. To do this, add the following in nginx.conf
user your_app_user
Replace your_app_user with appropriate unix username for your app. In this case the your_app_user already has necessary permissions to the static content.
Another way would be to to grant permissions for the web server user to the static dir.
The minimum fix that worked for me is:
sudo chmod -R 664 /home/ubuntu/virtualenv/myapp/myapp/homelaunch/static/
sudo chmod -R a+X /home/ubuntu/virtualenv/myapp/myapp/homelaunch/static/
(BTW, in my case the static folder is called collected_static)
Try specifying a user at the top of your nginx.conf, above the server section.
user www-data;
The best solution in that case would be to add www-data to username group:
gpasswd -a www-data username
For your changes to work, restart nginx
nginx -s reload
I had the same issue no long ago. It might be a combination of factors. I found how to fix 403 access denied by replacing the user in the nginx.conf file.
I deployed my website on an ubuntu server using Digital Ocean.
I created a new user on my new ubuntu server and give admin priviliges
adduser newuser
usermod -aG sudo newuser
I updated my new server and installed few packages
sudo apt update
sudo apt install python3-pip python3-dev libpq-dev postgresql postgresql-contrib nginx curl
I followed all this beautiful instruction on how to deploy your site on Digital Ocean
Since I changed the user and I ssh into my new server using this new user, I need to replace the user on the nginx.conf. By default nginx.conf user is www-data:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
Then I replaced with my sudo user and solved my problem. 😀
user newuser;
worker_processes auto;
pid /run/nginx.pid;
Then I restart nginx, gunicorn and postgresql(even if the last one it is not really necessary)
sudo systemctl restart nginx
sudo systemctl restart gunicorn
sudo systemctl restart postgresql
And tada.. :) no more issue.
Fix 403 error with Django static files on Ubuntu server.
Run this -> gpasswd -a www-data your_proj_username
Reload nginx -> nginx -s reload
Check chmod for your dirs: /home, /home/proj_dir, /home/proj_dir/static
Run this - stat --format '%a' /home . Result must be 755
Run this - stat --format '%a' /home/your_proj_dir/static . Result must be 755
Run this - stat --format '%a' /home/your_proj_dir . Result must be 750
If you have different values you can try to change this:
sudo chmod 755 /home
sudo chmod 755 /home/your_proj_dir/static
sudo chmod 750 /home/your_proj_dir
Reload you project-server. This solve all permission errors
After hours upon hours following so many articles, I ran across :
http://nicholasorr.com/blog/2008/07/22/nginx-engine-x-what-a-pain-in-the-bum/
which had a comment to chmod the whole django app dir, so I did:
sudo chmod -R myapp
This fixed it. Unbelievable!
Thanks to those who offered solutions to fix this.
Related
I'm started developing a new site using Django. For realistic testing I wanted to run it on a Synology DS212J NAS.
Following the official Synology guides I installed ipkg and with it the mod_wsgi package.
As Next step: Following the standard tutorial I made a virtualenv and installed Django in it. Opening a new project and adjust the settings following to: https://www.digitalocean.com/community/tutorials/how-to-serve-django-applications-with-apache-and-mod_wsgi-on-ubuntu-16-04
I'm able to reach the "Hello World" Site from Django by use of manage.py
As suggested I want to exchange the manage.py through the apache server on the NAS. So I think I should go and edit the apache config files for e.g. define a virtual host...
However I can't localize the files for it, as it seems they where moved at DSM6 (which I use) in comparison too other guides.
Where need I to enter the values following the Tutorial on the Synology?
As I'm quite new into the topic do I need to especially load the mod_wsgi module for Apache and if where?
Is it a good idea to use the basic mode of wsgi instead of the daemon mode? I'm not sure which Django modules will be used later on in development...
Thanks for the support!
Activate the python 3 package and the webstation
In webstation> general settings> main server http enable nginx
In Control Panel> Network> DSM Settings> Enable Custom Domain: "test"
(which will allow us to access the nas by entering test.local and simplify the task later.)
Enable ssh connection in control panel> terminal and smtp
We use the ddns service of synology to have external access in our case "test.synology.me"
In control panel> security> certificate : we generate our ssl certificate with let's encrypt
Connect to the nas in ssh
Take root rights sudo -i
Install virtualenv: easy_install virtualenv
We set up our virtual environment: virtualenv -p python3 flasktest
Flask and gunicorn are installed:
pip install flask gunicorn
We create our web application, file: init.py
We launch our web application with gunicorn:
gunicorn --certfile /usr/syno/etc/certificate/system/default/cert.pem --keyfile /usr/syno/etc/certificate/system/default/privkey.pem -b 127.0 .0.1: 5000 app: app
In /etc/nginx/sites-enabled we create a server configuration file, we will use nginx as a proxy, in our case the file will be flasktest.conf
flasktest.conf file:
`
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
gzip on;
server_name test.synology.me;
location / {
proxy_pass https://127.0.0.1:5000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
error_log /volume1/projects/flasktest/logs/error.log;
access_log /volume1/projects/flasktest/logs/acess.log;
}
`
Open the control panel port> external access> router configuration> create> integrate application> enable the check box for webstation and apply
We check our server file for that we enter the command, nginx -t
We are restarting nginx synoservicecfg --restart nginx
You now have access to your python web applications from outside in https ** https: //test.synology.me**
a little more information ...
To end and access your application permanently if you will ever be able to reboot, crash ... you can create a script that will restart gunicorn because otherwise the webstation takes over elsewhere if you enter ip nas locally you do not will not see your web apps in python because we did not modify the main configuration file /etc/nginx/nginx.conf locally so this is the default index.html page of the webstation that will be displayed.
example:
cd / volume1 / projects / flasktest
source bin / activate
gunicorn --certfile /usr/syno/etc/certificate/system/default/cert.pem --keyfile /usr/syno/etc/certificate/system/default/privkey.pem -b 127.0.0.1:5000 app: app
</ dev / null 2> & 1 &
This method found with other python framework
I am following the this to deploy a flask app(simple hello world) on the Ubuntu 16-04. digital Ocean tutorial
Everything works fine till Testing uWSGI Serving. After that I followed the step as described and when I finally reach the bottom and check server IP address then I got:
502 Bad Gateway
Ok fine. I searched and checked my error log, I got this :-
2017/01/16 05:29:27 [crit] 20714#20714: *2 connect() to unix:/home/sajjan/project/project.sock failed (2: No such file or directory) while connecting to upstream, client: xx.9.xxx.xxx, server: 138.xxx.xx.xxx, request: "GET / HTTP/1.1", upstream: "uwsgi://unix:/home/sajjan/project/project.sock:", host: "xx.xx.xx.xx"
So After taking a error log , I created the file project.sock manually. again Go to server ip address and then same error "502 Bad Gateway"
Again checked the error log and found this
2017/01/16 06:07:11 [crit] 20874#20874: *1 connect() to unix:/home/sajjan/project/project.sock failed (13: Permission denied) while connecting to upstream, client: 47.9.237.113, server: XX.XX.XX.XX, request: "GET / HTTP/1.1", upstream: "uwsgi://unix:/home/sajjan/project/project.sock:", host: " XX.XX.XX.XX "
I figured out about the permission issue and change the permission using below command
sudo chmod 666 project.sock
Now I checked the permision( using ls -l filename)
-rw-rw-rw- 1 root root 0 Jan 16 05:31 project.sock
Now I go back to check the server's IP but found the same "502 Bad Gateway".
Again I checked the error log and found this :
017/01/16 06:13:31 [error] 20897#20897: *6 connect() to unix:/home/sajjan/project/project.sock failed (111: Connection refused) while connecting to upstream, client: 47.9.237.113, server: XX.XX.XX.XX, request: "GET /favicon.ico HTTP/1.1", upstream: "uwsgi://unix:/home/sajjan/project/project.sock:", host: " XX.XX.XX.XX ", referrer: "http:// XX.XX.XX.XX /"
I googled for above error read a lot in last two days but nothing to seem working for me .
I have check these answers but no help stackanswer-1 stackanswer-2 and along with these I checked all the digital-ocean community thread but nothing seems to work.
I am total begineer to servers and don't know much about ubuntu. If you can help me to find out what wrong am I doing or suggest some better tutorial/ways to deploy my flask application, then I would be greatful.
These are my files
hello.py
from flask import Flask
app = Flask(__name__)
#app.route("/")
def hello():
return "<h1 style='color:blue'>Hello There!</h1>"
if __name__ == "__main__":
app.run(host='0.0.0.0')
project.ini
[uwsgi]
module = wsgi:app
master = true
processes = 5
socket = /home/sajjan/project/project.sock
chmod-socket = 660
vacuum = true
die-on-term = true
wsgi.py
from hello import app
if __name__ == "__main__":
app.run()
Below is file : /etc/nginx/sites-available/project
server {
listen 80;
server_name 138.197.28.107;
location / {
include uwsgi_params;
uwsgi_pass unix:/home/sajjan/project/project.sock;
}
}
When I run the command :
sudo service uwsgi restart
output:
Failed to restart wsgi.service: Unit wsgi.service not found.
while output of
sudo service nginx status/restart
then this show that nginx is running .
Help me, If anything else that you want to know then let me know.
Thanks
EDIT :
I have created a project.service file and its conetent is :
[Unit]
Description=uWSGI instance to serve project
After=network.target
[Service]
User=sajjan
Group=www-data
WorkingDirectory=/home/sajjan/project
Environment="PATH=/home/sajjan/project/venv/bin"
ExecStart=/home/sajjan/project/venv/bin/uwsgi --ini project.ini
[Install]
WantedBy=multi-user.target
I figured out I have to run below command :
sudo systemctl start project
Output is :
Warning: project.service changed on disk. Run 'systemctl daemon-reload' to reload units.
and when I run
sudo systemcl reload project
then output :
Failed to reload project.service: Job type reload is not applicable for unit project.service.
See system logs and 'systemctl status project.service' for details.
and when I check the "systemctl status project.service"
● project.service - uWSGI instance to serve project
Loaded: loaded (/etc/systemd/system/project.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Mon 2017-01-16 17:49:29 UTC; 6min ago
Main PID: 27157 (code=exited, status=203/EXEC)
Jan 16 17:49:29 learningwithpython systemd[1]: Started uWSGI instance to serve project.
Jan 16 17:49:29 learningwithpython systemd[1]: project.service: Main process exited, code=exited, status=203/EXEC
Jan 16 17:49:29 learningwithpython systemd[1]: project.service: Unit entered failed state.
Jan 16 17:49:29 learningwithpython systemd[1]: project.service: Failed with result 'exit-code'.
I had the same problem using the guide. As far as I've read; 502 bad gateway is a symptom of Nginx not being able to properly connect to the uwsgi. Changing the permissions on the socket solved the issue for me.
sudo chmod 777 /home/sajjan/project/project.sock
sudo systemctl restart nginx
777 is offcourse a bit excessive, but its a quick and dirty way to verify if it is in fact a problem with permissions
Nginx has no permission to write to socket. Granting appropriate mode with below command, helped me.
chmod 0755 /to/project
Same problem.
But I give the 666 permission and restart all, and it works.
I think the error log only show the problem's one possible cause. While, the journalctl -u <yourproject>.service command help present another reason.
My error log also tells me that he can't find the "myproject.socket". But .ini has already help us build it. Then I get this error: myproject.service: Failed at step USER spawning ~/bin/uwsgi: No such process
So maybe it is the permission's problem.
Try running myapp/bin/uwsgi --ini myapp.ini to see the actual error thats preventing uwsgi to run.
In my case 5 processes in the .ini configuration file were to much to handle for my cpu this was my error output.
your processes number limit is 3900
your memory page size is 4096 bytes
detected max file descriptor number: 1024
If this is your case lowering the number of processes to 2 in your .ini file might work.
For me this problem was due to the users configuration. Basically, I set up all of my project using the root user. But then I redid everything from scratch using a non-root user with sudo privileges. It worked.
I saw your comment on https://www.digitalocean.com/community/tutorials/how-to-serve-flask-applications-with-uwsgi-and-nginx-on-ubuntu-16-04
try run sudo /etc/init.d/nginx start
Then try open http://server_domain_or_IP
If it works, type which uwsgi to find the right uwsgi path and change "/etc/systemd/system/myproject.service"
change
Environment="PATH=/home/sammy/myproject/myprojectenv/bin"
ExecStart=/home/sammy/myproject/myprojectenv/bin/uwsgi --ini myproject.ini
into the real path instead of env path.
I figure out this problem through these command.
As many people already mentioned, the 502 error is about socket permissions (you may see Permission denied errors in /var/log/nginx/error.log). However, it all seems to have to work, since
socket's file ownership is your_user:www-data
socket's file permissions are 660 (which means that you and group can read/write socket)
nginx works with the user www-data:www-data (it's configured in nginx .conf file)
The real problem is that nginx can't connect to the socket located in your home directory!
So the solution is simple - just move the socket file somewhere else. For example, to /tmp/ or /var/www/... folders.
Solution:
Create directories
sudo mkdir /var/www/your_project
sudo chown your_user:www-data /var/www/your_project
Modify your_project.ini
socket = /var/www/your_project/your_project.sock
Modify nginx server block
uwsgi_pass unix:///var/www/your_project/your_project.sock;
Restart uWSGI and nginx
sudo systemctl restart your_project_service
sudo systemctl restart nginx
And it all has to work now.
I'm trying to use Flask app on uwsgi/nginx.
Following
http://uwsgi-docs.readthedocs.org/en/latest/tutorials/Django_and_nginx.html
and
http://www.markjberger.com/flask-with-virtualenv-uwsgi-nginx/, I could make wiki.ini file,
[uwsgi]
vhost = true
socket = /tmp/flask_app.sock
venv = /home/ubuntu/webapp/flask/hello/.env
chdir = /home/ubuntu/webapp/flask/hello
module = flaskapp
callable = app
chmod-socket = 666
I checked the wiki.ini file works fine with uwsgi --ini wiki.ini.
Then, I tried to start the Flask app when booting.
From sudo update-rc.d uwsgi enable, I could start the uwsgi service in booting time, and copied the wiki.ini file in /etc/uwsgi/apps-enabled directory.
This is the conf file for nginx.
server {
listen 80;
server_name wiki.example.com;
access_log /var/log/nginx/uwsgi_access.log;
error_log /var/log/nginx/uwsgi_error.log;
location / { try_files $uri #riki; }
location #riki {
include uwsgi_params;
uwsgi_pass unix:/tmp/flask_app.sock;
}
error_page 404 /404.html;
}
However, when I rebooted my ubuntu server, the Flask app isn't working.
I checked the error log to find this error message.
2015/11/07 17:48:17 [crit] 1055#0: *1 connect() to
unix:/tmp/flask_app.sock failed (2: No such file or directory)
while connecting to upstream, client: 68.203.30.28, server: wiki.example.com,
I created the /tmp/flask_app.sock file and run chown -R www-data:www-data /tmp/flask_app.sock to make the application working.
> touch /tmp/flask_app.sock
> sudo chown www-data:www-data /tmp/flask_app.sock
> sudo service uwsgi restart
> sudo service nginx restart
However, I had another connection refuse error.
2015/11/07 17:50:38 [error] 1055#0: *4 connect() to
unix:/tmp/flask_app.sock failed (111: Connection refused) while
connecting to upstream, client: 68.203.30.28,
server: wiki.example.com, request: "GET / HTTP/1.1",
upstream: "uwsgi://unix:/tmp/flask_app.sock:", host: "wiki.example.com"
What might be wrong? How to teach uwsgi to create the unix domain socket? Also, how to make the connection work? I use ubuntu 14.04.
EDIT
Removing the /tmp/flask_app.sock and run uwsgi --ini /etc/uwsgi/apps-enabled/wiki.ini makes the app working fine.
The main issue seems to be from the uwsgi service; it just doesn't work.
I found another way to start uwsgi at startup: upstart and uwsgi --emperor from http://uwsgi-docs.readthedocs.org/en/latest/Upstart.html and http://upstart.ubuntu.com
The process is just make a flask.conf file in /etc/init directory. uwsgi --emperor controls all the ini files in the uwsgi directory.
# simple uWSGI script
# http://uwsgi-docs.readthedocs.org/en/latest/Upstart.html
description "uwsgi tiny instance"
start on runlevel [2345]
stop on runlevel [06]
respawn
exec uwsgi --emperor /etc/uwsgi/apps-enabled
I also had to sudo update-rc.d uwsgi disable so that uwsgi service should be disabled.
I also found this site http://flaviusim.com/blog/Deploying-Flask-with-nginx-uWSGI-and-Supervisor/ for invoking uswgi at startup, but I didn't test it.
I'm having a hell of a time trying to get Ubuntu + uWSGI + nginx running as my web server.
Below are my configs, and the information that is in my emperor.log file:
nginx config:
server {
listen 80;
server_name localhost;
charset utf-8;
client_max_body_size 5M;
location / { try_files $uri #cc; }
location #cc {
include uwsgi_params;
uwsgi_pass unix:/tmp/cc/cc_uwsgi.sock;
}
}
uwsgi config:
[uwsgi]
base = /srv/www/cc
app = hello
module = %(app)
socket = /tmp/cc/%n.sock
chmod-socket = 664
uid = www-data
gid = www-data
callable = app
logto = /var/log/uwsgi/%n.log
emperor config:
#/etc/init/uwsgi.conf
description "uWSGI"
start on runlevel [2345]
stop on runlevel [06]
respawn
env UWSGI=/home/ccadmin/.local/bin/uwsgi
env LOGTO=/var/log/uwsgi/emperor.log
exec $UWSGI --master --emperor /etc/uwsgi/vassals --die-on-term --uid www-data --gid www-data --logto $LOGTO
However with this configuration my emperor.log file says:
execvp(): Permission denied [core/emperor.c line 1481]
[emperor] binary path: /home/ccadmin/.local/bin/uwsgi
[emperor] is the uwsgi binary in your system PATH ?
TIME STAMP - [emperor] curse the uwsgi instance cc_uwsgi.ini (pid: ####)
TIME STAMP - [emperor] removed uwsgi instance cc_uwsgi.ini
If I change the --uid and --gid to root, then it all works fine. It must be some simple permission thing, but being new to linux, I'm finding it very hard to pinpoint.
Also strange that it is asking me about the uwsgi binary in my system path... is it supposed to be there? Because i have added /home/ccadmin/.local/bin to my system path in /etc/environment. Should it not be there? or should it go all the way to the binary? (ie, adding /home/ccadmin/.local/bin/uwsgi insetad of just to /bin)
Did a couple things to make this work:
sudo chown -R ccadmin:www-data /home/ccadmin/
sudo chmod -R 774 /home/ccadmin/
Now the emperor has access to the uwsgi binary and all is good!
I am curious if the above is a security problem, though, not knowing much about linux.
I seem to be having some slight problems deploying a Pyramid web application. The problem seems to lie in my init script that I am using to start my web application on boot. For some reason, uWSGI will not work unless my socket is set to have a permission of "nobody.nobody" OR Nginx is started after my uwsgi init script. I'm changed my init script to reflect these changes, but it does not seem to be working. The init script (or the part that starts uwsgi) looks like so:
#!/sbin/runscript
args="--ini-paste /var/www/pyramid/app1/development.ini"
command="/var/www/pyramid/bin/uwsgi"
pidfile="/var/run/uwsgi.pid"
sock="/var/tmp/proxy/uwsgi.sock"
nobody="nobody.nobody"
start() {
ebegin "Starting app1"
chown $nobody $sock
start-stop-daemon --start --exec $command -- $args \
--pidfile $pidfile
chown $nobody $sock
einfo "app1 started"
eend $?
}
My Nginx configuration looks like so:
location / {
include uwsgi_params;
uwsgi_pass unix:///var/tmp/proxy/uwsgi.sock;
uwsgi_param SCRIPT_NAME "" ;
}
My ini file includes the following:
[uwsgi]
socket = /var/tmp/proxy/uwsgi.sock
pidfile = /var/run/uwsgi.pid
master = true
processes = 1
home = /var/www/pyramid
daemonize = /var/log/uwsgi.log
virtualenv = /var/www/pyramid/
pythonpath = /var/www/pyramid/bin
What happens is that Nginx will start, and then uwsgi will start. Performing a "ls -la" in /var/tmp/proxy reveals that the permissions of uwsgi.sock is set to "root root" instead of "nobody nobody". However, restarting Nginx will fix the problem, regardless of what the socket's permissions are (but Nginx has to be started first).
Thus, the ways I can get this to work is:
start uwsgi
start nginx
restart nginx
or
start nginx
start uwsgi
restart nginx
I'm at a complete loss as to why this isn't working. If anyone has any advice I'd greatly appreciate it!
You can use the following settings to change the permission of its socket in your ini file:
chmod-socket = 777 # socket permission
gid = www-data # socket group
uid = www-data # socket user
Another thing to consider is whether you actually want uWSGI to run as root. If you pass --uid and --gid arguments to uwsgi, uwsgi will masquerade as a different (preferably non-root) user.
For example, nginx usually runs as the www-data user and www-data group. So if you set up your wsgi app to run with "--gid www-data" and then add at least group-write permissions to your socket file with "--chmod-socket 020", then nginx will be able to write to the socket and you'll be in business.
See my blog post on the subject: http://blog.jackdesert.com/common-hurdles-to-deploying-uwsgi-apps-part-1