wsgi nginx error: permission denied while connecting to upstream

April 26, 2015
Nginx Python

I’m getting a 502 bad gateway on nginx, and the following on the logs: connect() to …myproject.sock failed (13: Permission denied) while connecting to upstream

I’m running wsgi and nginx on Ubuntu, and I’ve been following this guide from Digital Ocean. I apparently configured wsgi correctly since uwsgi -s myproject.sock --http --module app --callable app worked, but I keep getting the nginx permission denied error and I have no idea why:

After coming across this question and this other one, I changed the .ini file and added the chown-socket, chmod-socket, uid and gid parameters (also tried just setting the first two, either or, and a couple of different permission settings, and even the most permissive didn’t work).

This one seemed promising, but I don’t believe selinux is installed on my Ubuntu (running sudo apt-get remove selinux gives “Package ‘selinux’ is not installed, so not removed” and find / -name "selinux" doesn’t show anything). Just in case, though, I tried what this post recommended as well. Uninstalling apparmor (sudo apt-get install apparmor) didn’t work either.

Every time I make a change, I run sudo service nginx restart, but I only see the 502 Gateway Error (and the permission denied error when I read the logs).

This is my nginx configuration file:

server {
    listen 80;

    location / {
        include uwsgi_params;
        uwsgi_pass unix:/home/user/myproject/web_server/myproject.sock;
    }
}

.conf file:

description "uWSGI server instance configured to serve myproject"

start on runlevel [2345]
stop on runlevel [!2345]

setuid user
setgid www-data

env PATH=/root/.virtualenvs/my-env/bin
chdir /home/user/myproject/web_server
exec uwsgi --ini /home/user/myproject/web_server/myproject.ini

.ini file:

[uwsgi]
module = wsgi

master = true
processes = 5

socket = /home/user/myproject/web_server/myproject.sock
chmod-socket = 664
uid = www-data
gid = www-data

vacuum = true
die-on-term = true

Since nginx seems to run on www-data, I tried to change the directories within /home/user/ to be owned by www-data:www-data using chown, but that hasn’t worked either.

(If it helps, these are the specs of my Digital Ocean machine: Linux 3.13.0-43-generic #72-Ubuntu SMP Mon Dec 8 19:35:06 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux)

Please let me know if there’s anything I can do, and thank you very much.

5 Answers

I had the same issue. What I found is that “SELinux” was blocking nginx from using the socket. If SELinux is enabled you can check the status (which should look similar to below):

[root@localhost ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 21
Policy from config file: targeted

You can add an NGINX SELinux policy or just disable SELinux to get around the issue.

I hope this helps.

  • Thanks! I was getting the same issue and disabling selinux resolved it. Here are the steps to disable selinux:

    1. Check the status of SELinux using sestatus
    2. If it says enabled, vi into /etc/sysconfig/selinux. This is a symlink to /etc/selinux/config so modify this file in case you don’t find the above file. Terminal command: sudo vi /etc/sysconfig/selinux
    3. The file is highly self-explanatory. Just change the value of SELINUX to “disabled” – without quotes.
    4. Most important step - REBOOT!

Check the user field on the first line of the nginx.conf file. By default it is www-data. Change it to user adam in the nginx.conf file if you are logged in as adam.

This question was answered by @devpledge:

chmod-socket = 664

change it to chmod-socket = 666

You can see the comment here.

  • It doesn’t work. There’s another comment elsewhere by someone saying to change it to 660, and that doesn’t work either.

I have the same issue too. Could someone help me out with it?

2017/06/09 12:50:48 [crit] 7925#7925: *12 connect() to unix:/home/user/firstsite/firstsite.sock failed (13: Permission denied) while connecting to upstream, client:, server:, request: “GET / HTTP/1.1”, upstream: “uwsgi://unix:/home/user/firstsite/firstsite.sock:”, host: “”

Hello! I was able to solve by doing this:

$ cd /your-application-name
$ sudo chmod 666 your-application.sock

You don’t need to restart anything.

Hope I’ve helped. :)
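
Added example, not part of the original thread: connect() on a Unix socket needs write permission on the socket file and search (x) permission on every directory above it, so a socket under /home/user can stay unreachable for www-data whatever chmod-socket is set to. The sketch below lists the components that block a given uid and group set. It reads classic mode bits only (no ACLs, SELinux or AppArmor), and the demo tree, the ids 4000001/4000002 and all function names are constructed for illustration.

```python
import os
import tempfile

X, W = 0o1, 0o2  # search (directories) and write (socket) permission bits

def permits(st, uid, gids, bit):
    """Owner/group/other mode check, in the order the kernel applies it."""
    if uid == 0:
        return True  # root bypasses mode bits
    if st.st_uid == uid:
        return bool(st.st_mode & (bit << 6))
    if st.st_gid in gids:
        return bool(st.st_mode & (bit << 3))
    return bool(st.st_mode & bit)

def socket_blockers(sock_path, uid, gids):
    """Return [(path, reason)] for every component that denies connect() to uid/gids."""
    sock_path = os.path.abspath(sock_path)
    dirs = [os.path.dirname(sock_path)]
    while os.path.dirname(dirs[-1]) != dirs[-1]:
        dirs.append(os.path.dirname(dirs[-1]))
    found = [(d, "directory needs x") for d in reversed(dirs)
             if not permits(os.stat(d), uid, gids, X)]
    if not permits(os.stat(sock_path), uid, gids, W):
        found.append((sock_path, "socket needs w"))
    return found

def demo_tree():
    """Constructed layout: a 0750 home directory holding a 0664 socket stand-in."""
    base = os.path.realpath(tempfile.mkdtemp())
    os.chmod(base, 0o755)  # mkdtemp creates 0700; open it so only "user" matters
    home = os.path.join(base, "user")
    os.mkdir(home)
    sock = os.path.join(home, "myproject.sock")
    open(sock, "w").close()  # plain file stands in; only its mode bits are read
    os.chmod(home, 0o750)
    os.chmod(sock, 0o664)
    return home, sock

if __name__ == "__main__":
    home, sock = demo_tree()
    uid, gid = 4000001, 4000002  # constructed ids, not real accounts
    group = os.stat(sock).st_gid
    print("not in group:", socket_blockers(sock, uid, {gid}))
    print("in group:    ", socket_blockers(sock, uid, {group}))
```

With the socket set to 666 but the 0750 directory unchanged, the directory is still reported for a user outside the group, which is why loosening the socket mode alone does not always clear the error.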
