Ok, I’m going crazy on this one. I have a Flask application which I want to deploy with gunicorn+nginx, on debian-12.
When I try to connect to the homepage, I get a 502 Bad Gateway in the browser and in the nginx error log I have:
2023/09/07 18:15:36 [crit] 15569#15569: *1 connect() to unix:/home/admin/my_app/app.sock failed (13: Permission denied) while connecting to upstream, client: XXX.XXX.XX.XXX, server: xxxx, request: "GET / HTTP/1.1", upstream: "http://unix:/home/admin/my_app/app.sock:/", host: "xxxxxx.yyy.zzz"
This is what I have in my configurations:
NGINX
In my sites-available folder (linked to sites-enabled):
server {
    listen 80;
    server_name xxxx xxxxx.yyy.zzz/;
    location / {
        include proxy_params;
        proxy_pass http://unix:/home/admin/my_app/app.sock;
    }
}
Note: nginx runs as www-data user
Gunicorn
I have a service created on systemd as (myapp.service):
[Unit]
Description=my app
After=network.target
[Service]
User=admin
Group=www-data
WorkingDirectory=/home/admin/my_app
Environment="PATH=/home/admin/my_app/venv/bin"
ExecStart=/home/admin/my_app/venv/bin/gunicorn --workers=2 --bind=unix:app.sock -m 777 main:app
[Install]
WantedBy=multi-user.
This is working ok, this is the result of systemctl status:
myapp.service - xxxx server
Loaded: loaded (/etc/systemd/system/myapp.service; enabled; preset: enabled)
Active: active (running) since Thu 2023-09-07 18:04:07 EDT; 31min ago
Main PID: 15471 (gunicorn)
CGroup: /system.slice/osgr-sales.service
├─15471 /home/admin/my_app/venv/bin/python3 /home/admin/my_app/venv/bin/gunicorn --workers=2 --bind=unix:app.sock -m 777 main:app
├─15472 /home/admin/my_app/venv/bin/python3 /home/admin/my_app/venv/bin/gunicorn --workers=2 --bind=unix:app.sock -m 777 main:app
└─15473 /home/admin/my_app/venv/bin/python3 /home/admin/my_app/venv/bin/gunicorn --workers=2 --bind=unix:app.sock -m 777 main:app
Sep 07 18:04:07 xxxxx systemd[1]: Started myapp.service - xxxxx server.
Sep 07 18:04:07 xxxxx gunicorn[15471]: [2023-09-07 18:04:07 -0400] [15471] [INFO] Starting gunicorn 20.0.4
Sep 07 18:04:07 xxxxx gunicorn[15471]: [2023-09-07 18:04:07 -0400] [15471] [INFO] Listening at: unix:app.sock (15471)
Sep 07 18:04:07 xxxxx gunicorn[15471]: [2023-09-07 18:04:07 -0400] [15471] [INFO] Using worker: sync
Sep 07 18:04:07 xxxxx gunicorn[15472]: [2023-09-07 18:04:07 -0400] [15472] [INFO] Booting worker with pid: 15472
Sep 07 18:04:07 xxxxx gunicorn[15473]: [2023-09-07 18:04:07 -0400] [15473] [INFO] Booting worker with pid: 15473
Everything seems ok, but whenever I try to reach my app, I get the "Bad Gateway error" described above.
It seems it must be some authorization problem, but I have no idea what it might be, since I set up 777 permissions on the socket; it should work, right?
This is what I have tried so far:
1- Change the socket (app.sock) group to www-data
2- Add www-data user to admin group
3- Manually change the socket owner to www-data
4- Change the folder /home/admin/my_app group to www-data
None of these work, I keep getting the "Bad gateway"/(13: Permission denied) error. Please help.
2 Answers
As mentioned by FeanDoe, it was a permissions problem.
I changed the group from www-data to admin on my service file:
Group=admin
And it's working fine now.
I had a similar problem some time ago and it was because www-data didn’t have read permissions for /home/admin.
You should check that. www-data should have permissions to navigate to your folder and read the .sock file.
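
An added example, not part of the original question or answers: a small checker that walks from the socket up to `/` and lists every component the nginx user cannot pass, which shows why `-m 777` on the socket alone does not help when a parent directory denies search permission. The function names are hypothetical, and it models only the classic owner/group/other mode bits (no ACLs, SELinux or AppArmor).

```python
#!/usr/bin/env python3
"""Added example: list path components that block a user from a Unix socket."""
import grp
import os
import pwd
import stat
import sys


def user_ids(name):
    """Return (uid, set of gids) for a local account, supplementary groups included."""
    pw = pwd.getpwnam(name)
    gids = {g.gr_gid for g in grp.getgrall() if name in g.gr_mem}
    return pw.pw_uid, gids | {pw.pw_gid}


def allowed(st, uid, gids, want):
    """Classic owner/group/other check; ACLs, SELinux and AppArmor are not modelled."""
    if uid == 0:
        return True
    if uid == st.st_uid:
        bits = st.st_mode >> 6
    elif st.st_gid in gids:
        bits = st.st_mode >> 3
    else:
        bits = st.st_mode
    return (bits & want) == want


def blockers(sock_path, uid, gids):
    """Return [(component, missing_permission, mode)] for everything that denies access."""
    sock_path = os.path.abspath(sock_path)
    found = []
    comp = sock_path
    while True:
        st = os.stat(comp)
        # connect() needs write on the socket itself and search (x) on each directory above it
        want, label = (2, "write") if comp == sock_path else (1, "search")
        if not allowed(st, uid, gids, want):
            found.append((comp, label, oct(stat.S_IMODE(st.st_mode))))
        parent = os.path.dirname(comp)
        if parent == comp:
            break
        comp = parent
    return found[::-1]  # outermost directory first


if __name__ == "__main__":
    # Assumed invocation: check.py /home/admin/my_app/app.sock www-data (as root, so stat() succeeds)
    path, user = sys.argv[1], sys.argv[2]
    for comp, label, mode in blockers(path, *user_ids(user)):
        print(f"{user} lacks {label} permission on {comp} (mode {mode})")
```

An empty result means the mode bits allow the connection; any line naming a directory points at the component to fix, rather than widening the socket mode further.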