Django/gunicorn/nginx: 403 Forbidden

【Posted】: 2016-04-24 06:28:35

【Question】:

I have spent hours on *** and other tutorials, but I can't figure out why nginx returns 403 Forbidden when I navigate to localhost.

Here is my gunicorn start script (located in the app root directory):

#!/bin/bash
# http://michal.karzynski.pl/blog/2013/06/09/django-nginx-gunicorn-virtualenv-supervisor/

NAME="mbta_django_gunicorn"
SOCKFILE=run/gunicorn.sock 
USER=alexpetralia                                        # the user to run as
GROUP=alexpetralia                                     # the group to run as
NUM_WORKERS=5
DJANGO_SETTINGS_MODULE=mbta_django.settings
DJANGO_WSGI_MODULE=mbta_django.wsgi

echo "Starting $NAME"

# Create the run directory if it doesn't exist
RUNDIR=$(dirname $SOCKFILE)
test -d $RUNDIR || mkdir -p $RUNDIR

# Start Django Unicorn
exec gunicorn $DJANGO_WSGI_MODULE:application \
  --name $NAME \
  --workers $NUM_WORKERS \
  --user=$USER --group=$GROUP \
  # --bind=localhost:8000 \
  --bind=unix:$SOCKFILE \
  --log-level=debug \
  --log-file=- \
  --reload

Here is my nginx.conf:

user alexpetralia alexpetralia; # www-data
worker_processes 4;
pid /run/nginx.pid;

events {
    worker_connections 768;
    # multi_accept on;
}

http {

    ##
    # Basic Settings
    ##

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # Logging Settings
    ##

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    gzip on;
    gzip_disable "msie6";

    ##
    # Virtual Host Configs
    ##

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}

Here is my app-specific nginx conf file, located under sites-available (and symlinked in sites-enabled):

upstream mbta_django_server {
    server unix:/home/alexpetralia/Projects/mbta_django/run/gunicorn.sock fail_timeout=0;
}

server {
    listen 80;
    client_max_body_size 4G;
    keepalive_timeout 5;
    root /home/alexpetralia/Projects/mbta_django/static/;

    location /static/ {
        autoindex on;
        alias /home/alexpetralia/Projects/mbta_django/static/;
    }
}

Supervisor settings for running gunicorn (PATH changed to use the virtualenv):

[program:mbta_gunicorn]
command=/home/alexpetralia/Projects/mbta_django/gunicorn_ctl
stdout_logfile=/home/alexpetralia/Projects/mbta_django/logs/mbta_gunicorn.log
stderr_logfile=/home/alexpetralia/Projects/mbta_django/logs/mbta_gunicorn.log
redirect_stderr=true
autorestart=true
stopsignal=KILL
killasgroup=true
stopasgroup=true
environment=PATH="/home/alexpetralia/Projects/mbta_django/venv/bin"
directory=/home/alexpetralia/Projects/mbta_django

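This strongly feels like a permissions problem, but I have already used chmod -R 775 mbta_django on my webapp's root folder. I'm hesitant to chown. I don't understand why, if gunicorn is loaded with the correct user, just as nginx is, there should be a permissions problem.

Maybe this has to do with gunicorn rather than nginx? I find it odd that I can access my application (without static files) if gunicorn is running, even though it is bound to the Unix socket rather than 127.0.0.1:8000.

Thanks.

Update

Nginx error log (sample, it is pretty much just this):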

2016/01/18 16:42:40 [error] 20773#0: *5 directory index of "/home/alexpetralia/Projects/mbta_django/static/" is forbidden, client: 127.0.0.1, server: , request: "GET / HTTP/1.1", host: "localhost"
2016/01/18 16:42:40 [error] 20773#0: *5 directory index of "/home/alexpetralia/Projects/mbta_django/static/" is forbidden, client: 127.0.0.1, server: , request: "GET / HTTP/1.1", host: "localhost"

Gunicorn error log (sample; the dirname part is a command from the tutorial here):

Starting mbta_django_gunicorn
/home/alexpetralia/Projects/mbta_django/gunicorn_ctl: line 20: dirname: command not found
[2016-01-18 18:03:08 +0000] [1996] [INFO] Starting gunicorn 19.4.5
[2016-01-18 18:03:08 +0000] [1996] [INFO] Listening at: http://127.0.0.1:8000 (1996)
[2016-01-18 18:03:08 +0000] [1996] [INFO] Using worker: sync
[2016-01-18 18:03:08 +0000] [2008] [INFO] Booting worker with pid: 2008
[2016-01-18 18:03:08 +0000] [2009] [INFO] Booting worker with pid: 2009
[2016-01-18 18:03:08 +0000] [2016] [INFO] Booting worker with pid: 2016
[2016-01-18 18:03:08 +0000] [2019] [INFO] Booting worker with pid: 2019
[2016-01-18 18:03:08 +0000] [2022] [INFO] Booting worker with pid: 2022

Ownership of the static folder:

alexpetralia@linux-box:~$ namei -ov /home/alexpetralia/Projects/mbta_django/static
f: /home/alexpetralia/Projects/mbta_django/static
d root         root         /
d root         root         home
d alexpetralia alexpetralia alexpetralia
d alexpetralia alexpetralia Projects
d alexpetralia alexpetralia mbta_django
d alexpetralia alexpetralia static

Permissions of the static folder:

drwxr-xr-x  6 alexpetralia alexpetralia 4096 Jan  8 12:43 static

Gunicorn processes:

alexpetralia@linux-box:~/Projects/mbta_django$ ps aux | grep gunicorn
root      1942  0.0  0.4  57416 15972 ?        S    18:52   0:00 /home/alexpetralia/Projects/mbta_django/venv/bin/python /home/alexpetralia/Projects/mbta_django/venv/bin/gunicorn mbta_django.wsgi:application --name mbta_django_gunicorn --workers 5 --user=alexpetralia --group=alexpetralia
alexpet+  1951  0.0  0.8 147648 32100 ?        S    18:52   0:00 /home/alexpetralia/Projects/mbta_django/venv/bin/python /home/alexpetralia/Projects/mbta_django/venv/bin/gunicorn mbta_django.wsgi:application --name mbta_django_gunicorn --workers 5 --user=alexpetralia --group=alexpetralia
alexpet+  1954  0.0  0.8 147660 32100 ?        S    18:52   0:00 /home/alexpetralia/Projects/mbta_django/venv/bin/python /home/alexpetralia/Projects/mbta_django/venv/bin/gunicorn mbta_django.wsgi:application --name mbta_django_gunicorn --workers 5 --user=alexpetralia --group=alexpetralia
alexpet+  1957  0.2  1.6 226280 63612 ?        S    18:52   0:01 /home/alexpetralia/Projects/mbta_django/venv/bin/python /home/alexpetralia/Projects/mbta_django/venv/bin/gunicorn mbta_django.wsgi:application --name mbta_django_gunicorn --workers 5 --user=alexpetralia --group=alexpetralia
alexpet+  1964  0.1  0.8 147676 32100 ?        S    18:52   0:00 /home/alexpetralia/Projects/mbta_django/venv/bin/python /home/alexpetralia/Projects/mbta_django/venv/bin/gunicorn mbta_django.wsgi:application --name mbta_django_gunicorn --workers 5 --user=alexpetralia --group=alexpetralia
alexpet+  1975  0.0  0.8 147688 32108 ?        S    18:52   0:00 /home/alexpetralia/Projects/mbta_django/venv/bin/python /home/alexpetralia/Projects/mbta_django/venv/bin/gunicorn mbta_django.wsgi:application --name mbta_django_gunicorn --workers 5 --user=alexpetralia --group=alexpetralia

Nginx processes:

alexpetralia@linux-box:~/Projects/mbta_django$ ps aux | grep nginx
root      1362  0.0  0.0  85892  2712 ?        Ss   18:52   0:00 nginx: master process /usr/sbin/nginx
alexpet+  1363  0.0  0.0  86172  3404 ?        S    18:52   0:00 nginx: worker process
alexpet+  1364  0.0  0.0  86172  3404 ?        S    18:52   0:00 nginx: worker process
alexpet+  1365  0.0  0.0  86172  3404 ?        S    18:52   0:00 nginx: worker process
alexpet+  1366  0.0  0.0  86172  3404 ?        S    18:52   0:00 nginx: worker process
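
The process list above shows gunicorn's arguments ending at --group and the log shows it listening on 127.0.0.1:8000, because the commented-out --bind line in the start script sits inside a backslash continuation and a # there ends the command. The lint below is an added example, not part of the original post; lint_continuations, sample_script and fixed_script are hypothetical names, the sample is constructed from the script above, and the check is a line-based heuristic.

```sh
#!/bin/sh
# Added example: flag comment lines that sit inside a backslash-continued command.
# The shell joins "... --group=$GROUP \" with the next line, then "#" starts a
# comment, so the command ends there and later options are never passed.
# Heuristic only: quoting and here-documents are not parsed.

# lint_continuations [FILE...]  (reads stdin without FILE); returns 1 on findings
lint_continuations() {
    awk '
        cont && /^[[:space:]]*#/ {
            printf "%d: comment ends the command started on line %d\n", NR, start
            found = 1; cont = 0; next
        }
        {
            if (!cont) start = NR        # first line of a new command
            cont = ($0 ~ /\\$/)          # does this line continue onto the next?
        }
        END { exit (found ? 1 : 0) }
    ' "$@"
}

# Constructed sample: the exec command from the start script above, shortened.
sample_script() {
    cat <<'EOF'
exec gunicorn $DJANGO_WSGI_MODULE:application \
  --name $NAME \
  --user=$USER --group=$GROUP \
  # --bind=localhost:8000 \
  --bind=unix:$SOCKFILE \
  --reload
EOF
}

# Dropping (or moving) the comment line keeps the continuation intact.
fixed_script() { sample_script | grep -v '^[[:space:]]*#'; }
```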

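【Comments】:

What do your nginx and gunicorn logs say? /var/log/nginx/nginx_error.log /home/alexpetralia/Projects/mbta_django/logs/mbta_gunicorn.log

@YPCrumble Updated with the error logs

What are the owner and permissions of /home/alexpetralia/Projects/mbta_django/static/

@YPCrumble Updated with ownership/permissions; yes, sorry, I pasted the wrong thing. I have updated it now.

This looks like /scraper/ doesn't have permissions?

【Answer 1】: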

I solved this by switching to uWSGI. The process was much simpler. The user:group in the main nginx conf is alexpetralia alexpetralia (i.e. /etc/nginx/nginx.conf/, whereas the nginx conf below is /etc/nginx/sites-enabled/mbta_django).

App-specific nginx conf:

upstream mbta_django_uwsgi {
    server unix:///home/alexpetralia/Projects/mbta_django/run/uwsgi.sock;
}

server {

    listen      80;
    server_name 127.0.0.1;   # or FQDN
    charset     utf-8;

    location /static {
            alias /home/alexpetralia/Projects/mbta_django/static;
    }

    location / {
        uwsgi_pass  unix:/home/alexpetralia/Projects/mbta_django/run/uwsgi.sock;
        include     /etc/nginx/uwsgi_params;
    }
}

uWSGI command:

uwsgi --chdir=/home/alexpetralia/Projects/mbta_django --wsgi-file=mbta_django/wsgi.py --processes=5 --socket run/uwsgi.sock --py-autoreload=3

Finally, collect static from all the apps into the root directory, because the app-specific css files were not loading (in django settings.py, I have STATIC_ROOT = os.path.join(BASE_DIR, "static")):

./manage.py collectstatic in the django root folder

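【Comments】:

【Answer 2】:

Run the command "namei -l /home/alexpetralia/Projects/mbta_django/static" and look at your permissions on all the other parent directories.

AFAIK, your user must have read permission on the static directory and must have execute permission on /, /home/, /home/alexpetralia, /home/alexpetralia/Projects/mbta_django, /home/alexpetralia/Projects/mbta_django/static.

You only included the permissions for /home/alexpetralia/Projects/mbta_django/static

Reference: http://nginxlibrary.com/403-forbidden-error/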

【Comments】:

f: /home/alexpetralia/Projects/mbta_django/static \ drwxr-xr-x root root / \ drwxr-xr-x root root home \ drwxr-xr-x alexpetralia alexpetralia alexpetralia \ drwxrwxr-x alexpetralia alexpetralia Projects \ drwxrwxr-x alexpetralia alexpetralia mbta_django \ drwxrwxr-x alexpetralia alexpetralia static I believe it has all the right permissions?
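
The parent-directory check this answer describes, as an added shell example that is not part of the original answer: it reads the mode bits of every path component and applies the owner, group or other class the way the kernel selects it. check_path and perm_digit are hypothetical names, and GNU stat (Linux) is assumed.

```sh
#!/bin/sh
# Added example: walk a path the way the kernel does and report, per component,
# whether the given user may traverse it. Assumes GNU stat (Linux); ACLs,
# SELinux/AppArmor and root's permission bypass are not modelled.
# Usage: check_path /home/alexpetralia/Projects/mbta_django/static alexpetralia

# perm_digit PATH UID "GIDS" -> octal digit (0-7) of the class that applies
perm_digit() {
    pd_info=$(stat -c '%a %u %g' "$1" 2>/dev/null) || return 1
    pd_bits=$(printf '%04d' "${pd_info%% *}")    # "755" -> "0755"
    pd_bits=${pd_bits#?}                         # drop setuid/setgid/sticky digit
    pd_ids=${pd_info#* }                         # "<owner uid> <group gid>"
    if [ "${pd_ids%% *}" = "$2" ]; then
        pd_bits=${pd_bits%??}                    # owner class
    elif printf '%s\n' $3 | grep -qx -- "${pd_ids#* }"; then
        pd_bits=${pd_bits#?}; pd_bits=${pd_bits%?}   # group class
    else
        pd_bits=${pd_bits#??}                    # other class
    fi
    printf '%s\n' "$pd_bits"
}

# check_path PATH [USER] -> one verdict per component; returns 1 on any DENY.
# Every component needs x (traverse); the last one also needs r (read/list).
check_path() {
    cp_uid=$(id -u ${2:+"$2"}) || return 2
    cp_gids=$(id -G ${2:+"$2"}) || return 2
    cp_rest=${1#/}; cp_cur=; cp_rc=0
    while :; do
        cp_need=1; [ -z "$cp_rest" ] && cp_need=5
        cp_d=$(perm_digit "${cp_cur:-/}" "$cp_uid" "$cp_gids") || {
            echo "DENY ? ${cp_cur:-/} (cannot stat)"; return 1; }
        if [ $(( cp_d & cp_need )) -eq "$cp_need" ]; then
            echo "ok   $cp_d ${cp_cur:-/}"
        else
            echo "DENY $cp_d ${cp_cur:-/}"; cp_rc=1
        fi
        [ -z "$cp_rest" ] && break
        cp_cur="$cp_cur/${cp_rest%%/*}"
        case $cp_rest in */*) cp_rest=${cp_rest#*/} ;; *) cp_rest= ;; esac
    done
    return "$cp_rc"
}
```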
