Reputation: 197
I'm trying to set up my Django app with uWSGI and nginx by following this guide. I'm able to run my app with Django's development server, as well as being served directly from uWSGI.
I'm running everything on a university-managed Ubuntu 16.04 virtual machine, and my user has sudo access.
My problem:
When I get to this bit of the tutorial and try to fetch an image, I get a 403 error from nginx.
The next section results in a 502.
/var/log/nginx/error.log shows
connect() to unix:///me/myproject/media/image.jpg failed (13: Permission denied) while connecting to upstream
connect() to unix:///me/myproject/project.sock failed (13: Permission denied) while connecting to upstream
for the 403 and 502, respectively.
I have read multiple questions and guides (one here, another here and yet another one, and this is not all of them), changed my permissions and even moved my .sock to another folder (one of the SO answers recommended that).
What else can I try?
Update:
I mentioned it in a comment, but I've gotten a bit further. A part of the problem was that, apparently, the /home directory on my VM is NFS, which messes up a good many permissions.
What I've done:
/var/www/myproject/
chown -R me:www-data myproject
chmod -R 764 myproject
My new results:
uwsgi --http :8000 --module myproject.wsgi
uwsgi --socket myproject.sock --module myproject.wsgi --chmod-socket=664
uwsgi --ini myproject.ini
So now it's not a general permission issue, it's definitely an issue with nginx...
Update #2:
For the moment, everything is working when other has read-write permissions on the socket, and read-execute permissions on the rest of the project.
So nginx is not recognized as it should... I've double-checked, and nginx is running as the www-data user, which is the group-owner of my entire project, and which has read-execute permissions, just as other now has.
Here's my (updated) nginx.conf
# myproject_nginx.conf

# the upstream component nginx needs to connect to
upstream django {
    # server unix:///path/to/your/mysite/mysite.sock; # for a file socket
    server unix:///var/www/myproject/myproject.sock;
    # server 127.0.0.1:8001; # for a web port socket (we'll use this first)
}

# configuration of the server
server {
    # the port your site will be served on
    listen 8000;
    # the domain name it will serve for
    server_name my.ip.goes.here; # substitute your machine's IP address or FQDN
    charset utf-8;

    # max upload size
    client_max_body_size 75M; # adjust to taste

    # Django media
    location /media {
        alias /var/www/myproject/media; # your Django project's media files - amend as required
    }

    location /static {
        alias /var/www/myproject/static; # your Django project's static files - amend as required
    }

    # Finally, send all non-media requests to the Django server.
    location / {
        uwsgi_pass django;
        include /var/www/myproject/uwsgi_params; # the uwsgi_params file you installed
    }
}
And here's my (updated) uwsgi.ini
# myproject_uwsgi.ini file
[uwsgi]
# Django-related settings
# the base directory (full path)
chdir = /var/www/myproject
# Django's wsgi file
module = myproject.wsgi
# the virtualenv (full path)
home = /var/www/myenv
# process-related settings
master = true
# maximum number of worker processes
processes = 10
# the socket (full path)
socket = /var/www/myproject/myproject.sock
# ... with appropriate permissions - may be needed
chmod-socket = 666
uid = me
gid = www-data
# clear environment on exit
vacuum = true
Upvotes: 1
Views: 4275
Reputation: 1
Solutions
Whatever solution is chosen, remember to restart Nginx
sudo /etc/init.d/nginx restart
Also execute with the --chmod-socket=666 permissions
uwsgi --socket project.sock --module project.wsgi --chmod-socket=666
1. Assign the .sock file and folders to the www-data group
In my opinion, this is the best option since it will only have access to these folders and will not have permission for everything that the group of the user who creates the project has access to (as we do in point two). We must assign www-data as the group for both the .sock file and the folders up to the username.
Example:
sudo chown :www-data /home/daniel/
sudo chown :www-data /home/daniel/project
sudo chown :www-data /home/daniel/project/project.sock
2. Add the www-data user to the group of the user who created the .sock
The first and recommended solution is to add the default Nginx user to the group of the user who created the project:
This will allow the www-data user (used by Nginx) to have access to the files and directories owned by daniel.
sudo usermod -aG daniel www-data
Adding the Nginx user (www-data) to your user group (daniel) can have some security implications, depending on how your system is configured and the permissions your user (daniel) has.
3. Change the user in /etc/nginx/nginx.conf
Similar to the previous case, it is more permissive to change the www-data user to the user who created the project. Ensure that Nginx is running under the correct user. Normally, Nginx runs under the www-data user on Debian/Ubuntu-based systems and nginx on CentOS/Red Hat-based systems.
You can check this in the Nginx configuration file (/etc/nginx/nginx.conf):
user www-data;
Restart Services
After making changes to permissions and configurations, restart both Nginx and uWSGI for the changes to take effect:
sudo systemctl restart nginx
sudo systemctl restart uwsgi
Upvotes: 0
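A check for the path walk that option 1 above depends on, as an added example that is not code from this thread: the nginx user needs execute (search) permission on every directory above the socket and, on Linux, write permission on the socket itself. The function names are illustrative; only classic mode bits are evaluated, so ACLs, root's bypass and NFS identity mapping are outside what it checks.

```python
import os
import stat
import sys

def granted_bits(st, uid, gids):
    """rwx bits (0-7) the classic mode bits give this identity; ACLs are ignored."""
    mode = stat.S_IMODE(st.st_mode)
    if uid == st.st_uid:
        return (mode >> 6) & 7
    if st.st_gid in gids:
        return (mode >> 3) & 7
    return mode & 7

def audit_socket_path(sock_path, uid, gids):
    """Return [(path, octal mode, missing letters)] for each component blocking uid."""
    sock_path = os.path.abspath(sock_path)
    dirs, cur = [], os.path.dirname(sock_path)
    while True:                      # collect every ancestor directory up to /
        dirs.append(cur)
        if os.path.dirname(cur) == cur:
            break
        cur = os.path.dirname(cur)
    # Directories need x (search); connect() on Linux needs w on the socket (unix(7)).
    checks = [(d, 1) for d in reversed(dirs)] + [(sock_path, 2)]
    problems = []
    for path, need in checks:
        st = os.stat(path)
        missing = need & ~granted_bits(st, uid, gids)
        if missing:
            letters = "".join(c for c, b in zip("rwx", (4, 2, 1)) if missing & b)
            problems.append((path, oct(stat.S_IMODE(st.st_mode)), letters))
    return problems

if __name__ == "__main__":
    import pwd
    # Defaults are the socket path and user named in the question; override via argv.
    sock = sys.argv[1] if len(sys.argv) > 1 else "/var/www/myproject/myproject.sock"
    user = sys.argv[2] if len(sys.argv) > 2 else "www-data"
    pw = pwd.getpwnam(user)
    gids = set(os.getgrouplist(user, pw.pw_gid))
    for path, mode, letters in audit_socket_path(sock, pw.pw_uid, gids):
        print(f"{path}: mode {mode}, {user} lacks '{letters}'")
```

From the shell, `namei -l /var/www/myproject/myproject.sock` prints the owner, group and mode of each component along the same path.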
Reputation: 7242
As the tutorial said:
You may also have to add your user to nginx’s group (which is probably www-data), or vice-versa, so that nginx can read and write to your socket properly.
Try that and see what happens.
Also, I wouldn't recommend doing things with sudo or as root; do it as a normal user and set permissions as they become necessary, otherwise you might end up in a situation where Nginx or uWSGI needs to do something with the files and they are owned by root.
Upvotes: 0
Reputation: 177
From my experience, most of the permission problems around web servers are caused by accessing a file which is owned by root while Apache (nginx) is running under the www-data user.
Try running sudo chown www-data -R /path/to/your/data/folder.
Upvotes: 1