
Ok, I’m going crazy on this one. I have a Flask application which I want to deploy with gunicorn+nginx, on debian-12.

When I try to connect to the homepage, I get a 502 Bad Gateway in the browser and in the nginx error log I have:

2023/09/07 18:15:36 [crit] 15569#15569: *1 connect() to unix:/home/admin/my_app/app.sock failed
(13: Permission denied) while connecting to upstream, client: XXX.XXX.XX.XXX, server: xxxx,
request: "GET / HTTP/1.1", upstream: "http://unix:/home/admin/my_app/app.sock:/", host:
"xxxxxx.yyy.zzz"

This is what I have on my configurations:
NGINX

On my sites-available (and linked this to sites-enabled) folder:
server {
    listen 80;

    server_name xxxx xxxxx.yyy.zzz/;

    location / {
        include proxy_params;
        proxy_pass http://unix:/home/admin/my_app/app.sock;
    }
}

Note: nginx runs as www-data user

Gunicorn
I have a service created on systemd as (myapp.service):

[Unit]
Description=my app
After=network.target

[Service]
User=admin
Group=www-data
WorkingDirectory=/home/admin/my_app
Environment="PATH=/home/admin/my_app/venv/bin"
ExecStart=/home/admin/my_app/venv/bin/gunicorn --workers=2 --bind=unix:app.sock -m 777 main:app

[Install]
WantedBy=multi-user.

This is working OK; this is the result of systemctl status:

myapp.service - xxxx server
     Loaded: loaded (/etc/systemd/system/myapp.service; enabled; preset: enabled)
     Active: active (running) since Thu 2023-09-07 18:04:07 EDT; 31min ago
   Main PID: 15471 (gunicorn)
     CGroup: /system.slice/osgr-sales.service
             ├─15471 /home/admin/my_app/venv/bin/python3 /home/admin/my_app/venv/bin/gunicorn --workers=2 --bind=unix:app.sock -m 777 main:app
             ├─15472 /home/admin/my_app/venv/bin/python3 /home/admin/my_app/venv/bin/gunicorn --workers=2 --bind=unix:app.sock -m 777 main:app
             └─15473 /home/admin/my_app/venv/bin/python3 /home/admin/my_app/venv/bin/gunicorn --workers=2 --bind=unix:app.sock -m 777 main:app

Sep 07 18:04:07 xxxxx systemd[1]: Started myapp.service - xxxxx server.
Sep 07 18:04:07 xxxxx gunicorn[15471]: [2023-09-07 18:04:07 -0400] [15471] [INFO] Starting gunicorn 20.0.4
Sep 07 18:04:07 xxxxx gunicorn[15471]: [2023-09-07 18:04:07 -0400] [15471] [INFO] Listening at: unix:app.sock (15471)
Sep 07 18:04:07 xxxxx gunicorn[15471]: [2023-09-07 18:04:07 -0400] [15471] [INFO] Using worker: sync
Sep 07 18:04:07 xxxxx gunicorn[15472]: [2023-09-07 18:04:07 -0400] [15472] [INFO] Booting worker with pid: 15472
Sep 07 18:04:07 xxxxx gunicorn[15473]: [2023-09-07 18:04:07 -0400] [15473] [INFO] Booting worker with pid: 15473

Everything seems ok, but whenever I try to reach my app, I get the "Bad Gateway error" described above.

It seems it must be some authorization problem, but I have no idea what it might be. Since I set up 777 permissions on the socket, it should work, right?

This is what I have tried so far:

1- Change the socket (app.sock) group to www-data
2- Add www-data user to admin group
3- Manually change the socket owner to www-data
4- Change the folder /home/admin/my_app group to www-data

None of these work; I keep getting the "Bad gateway"/(13: Permission denied) error. Please help.

2

Answers


  1. Chosen as BEST ANSWER

    As mentioned by FeanDoe, it was a permissions problem.

    I changed the group from www-data to admin on my service file:

    Group=admin

    And it's working fine now.


  2. I had a similar problem some time ago and it was because www-data didn’t have read permissions for /home/admin.

    You should check that. www-data should have permissions to navigate to your folder and read the .sock file.
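
The check both answers describe, as an added example that is not part of either answer: it walks every directory from / down to the socket and reports each one the given user cannot search, then checks write permission on the socket itself. The function names and the script name are hypothetical, and only classic mode bits are evaluated (no ACLs, AppArmor or SELinux).

```python
import os
import pwd
import sys
from pathlib import Path

def _allowed(st, uid, gids, want):
    """Classic owner/group/other mode check; want is a bit mask (r=4, w=2, x=1)."""
    if uid == 0:                      # root bypasses mode bits
        return True
    if st.st_uid == uid:
        granted = (st.st_mode >> 6) & 7
    elif st.st_gid in gids:
        granted = (st.st_mode >> 3) & 7
    else:
        granted = st.st_mode & 7
    return granted & want == want

def socket_access_report(sock_path, uid, gids):
    """List (path, problem) for each component that blocks uid/gids from
    connecting to sock_path. Only mode bits are checked, not ACLs or LSMs."""
    sock = Path(sock_path)
    problems = []
    # Every parent directory must grant search (x), starting from "/".
    for d in list(sock.parents)[::-1]:
        if not _allowed(os.stat(d), uid, gids, 1):
            problems.append((str(d), "directory not searchable (x missing)"))
    # On Linux, connect() needs write permission on the socket file itself.
    if not _allowed(os.stat(sock), uid, gids, 2):
        problems.append((str(sock), "socket not writable"))
    return problems

if __name__ == "__main__":
    # Usage (hypothetical script name): python3 sockcheck.py /path/to/app.sock www-data
    path, user = sys.argv[1], sys.argv[2]
    pw = pwd.getpwnam(user)
    gids = set(os.getgrouplist(user, pw.pw_gid))
    for where, why in socket_access_report(path, pw.pw_uid, gids):
        print(f"{where}: {why}")
```

A socket with mode 777 still shows up as unreachable here whenever a parent directory such as the home directory lacks the x bit for the connecting user, which is why changing the socket's own mode or owner does not help in that case.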
