Django/gunicorn/nginx：403 Forbidden

Question

我已经花了几个小时在StackOverflow和其他教程，但我不明白为什么nginx返回403 Forbidden当我导航到localhost。

这里是我的gunicorn启动脚本（位于应用程序根目录）：

#!/bin/bash 
# http://michal.karzynski.pl/blog/2013/06/09/django-nginx-gunicorn-virtualenv-supervisor/ 

NAME="mbta_django_gunicorn" 
SOCKFILE=run/gunicorn.sock 
USER=alexpetralia          # the user to run as 
GROUP=alexpetralia          # the group to run as 
NUM_WORKERS=5 
DJANGO_SETTINGS_MODULE=mbta_django.settings 
DJANGO_WSGI_MODULE=mbta_django.wsgi 

echo "Starting $NAME" 

# Create the run directory if it doesn't exist 
RUNDIR=$(dirname $SOCKFILE) 
test -d $RUNDIR || mkdir -p $RUNDIR 

# Start Django Unicorn 
exec gunicorn ${DJANGO_WSGI_MODULE}:application \ 
    --name $NAME \ 
    --workers $NUM_WORKERS \ 
    --user=$USER --group=$GROUP \ 
    # --bind=localhost:8000 \ 
    --bind=unix:$SOCKFILE \ 
    --log-level=debug \ 
    --log-file=- \ 
    --reload 

这里是我的nginx.conf：

user alexpetralia alexpetralia; # www-data 
worker_processes 4; 
pid /run/nginx.pid; 

events { 
    worker_connections 768; 
    # multi_accept on; 
} 

http { 

    ## 
    # Basic Settings 
    ## 

    sendfile on; 
    tcp_nopush on; 
    tcp_nodelay on; 
    keepalive_timeout 65; 
    types_hash_max_size 2048; 

    include /etc/nginx/mime.types; 
    default_type application/octet-stream; 

    ## 
    # Logging Settings 
    ## 

    access_log /var/log/nginx/access.log; 
    error_log /var/log/nginx/error.log; 

    gzip on; 
    gzip_disable "msie6"; 

    ## 
    # Virtual Host Configs 
    ## 

    include /etc/nginx/conf.d/*.conf; 
    include /etc/nginx/sites-enabled/*; 
} 

这里是位于sites-available在我的应用程序特定的nginxconf文件（并链接在sites-enabled）：

upstream mbta_django_server { 
    server unix:/home/alexpetralia/Projects/mbta_django/run/gunicorn.sock fail_timeout=0; 
} 

server { 
    listen 80; 
    client_max_body_size 4G; 
    keepalive_timeout 5; 
    root /home/alexpetralia/Projects/mbta_django/static/; 

    location /static/ { 
     autoindex on; 
     alias /home/alexpetralia/Projects/mbta_django/static/; 
    }  
} 

我的主管设置f或运行gunicorn（更改PATH才能使用的virtualenv）：

[program:mbta_gunicorn] 
command=/home/alexpetralia/Projects/mbta_django/gunicorn_ctl 
stdout_logfile=/home/alexpetralia/Projects/mbta_django/logs/mbta_gunicorn.log 
stderr_logfile=/home/alexpetralia/Projects/mbta_django/logs/mbta_gunicorn.log 
redirect_stderr=true 
autorestart=true 
stopsignal=KILL 
killasgroup=true 
stopasgroup=true 
environment=PATH="/home/alexpetralia/Projects/mbta_django/venv/bin" 
directory=/home/alexpetralia/Projects/mbta_django 

这强烈感觉就像一个权限问题，但我已经在我的web应用程序的根文件夹使用chmod -R 775 mbta_django。我很犹豫chown吧。我不明白为什么，如果gunicorn加载了正确的用户，就像nginx一样，那么应该不会有权限问题。

也许这与gunicorn有关，而不是nginx？我发现如果gunicorn正在运行，我可以访问我的应用程序（没有静态文件），即使它绑定到Unix套接字而不是127.0.0.1:8000，也很奇怪。

谢谢。

UPDATE

Nginx的错误日志（样本，这是非常简单，只是这一点）：

2016/01/18 16:42:40 [error] 20773#0: *5 directory index of "/home/alexpetralia/Projects/mbta_django/static/" is forbidden, client: 127.0.0.1, server: , request: "GET/HTTP/1.1", host: "localhost" 
2016/01/18 16:42:40 [error] 20773#0: *5 directory index of "/home/alexpetralia/Projects/mbta_django/static/" is forbidden, client: 127.0.0.1, server: , request: "GET/HTTP/1.1", host: "localhost" 

Gunicorn错误日志（样本，该目录名称的部分是来自frmo教程here命令） ：

Starting mbta_django_gunicorn 
/home/alexpetralia/Projects/mbta_django/gunicorn_ctl: line 20: dirname: command not found 
[2016-01-18 18:03:08 +0000] [1996] [INFO] Starting gunicorn 19.4.5 
[2016-01-18 18:03:08 +0000] [1996] [INFO] Listening at: http://127.0.0.1:8000 (1996) 
[2016-01-18 18:03:08 +0000] [1996] [INFO] Using worker: sync 
[2016-01-18 18:03:08 +0000] [2008] [INFO] Booting worker with pid: 2008 
[2016-01-18 18:03:08 +0000] [2009] [INFO] Booting worker with pid: 2009 
[2016-01-18 18:03:08 +0000] [2016] [INFO] Booting worker with pid: 2016 
[2016-01-18 18:03:08 +0000] [2019] [INFO] Booting worker with pid: 2019 
[2016-01-18 18:03:08 +0000] [2022] [INFO] Booting worker with pid: 2022 

所有权静态文件夹：

alexpetralia@linux-box:~$ namei -ov /home/alexpetralia/Projects/mbta_django/static 
f: /home/alexpetralia/Projects/mbta_django/static 
d root   root  /
d root   root   home 
d alexpetralia alexpetralia alexpetralia 
d alexpetralia alexpetralia Projects 
d alexpetralia alexpetralia mbta_django 
d alexpetralia alexpetralia static 

权限静态文件夹：

drwxr-xr-x 6 alexpetralia alexpetralia 4096 Jan 8 12:43 static 

Gunicorn过程：

alexpetralia@linux-box:~/Projects/mbta_django$ ps aux | grep gunicorn 
root  1942 0.0 0.4 57416 15972 ?  S 18:52 0:00 /home/alexpetralia/Projects/mbta_django/venv/bin/python /home/alexpetralia/Projects/mbta_django/venv/bin/gunicorn mbta_django.wsgi:application --name mbta_django_gunicorn --workers 5 --user=alexpetralia --group=alexpetralia 
alexpet+ 1951 0.0 0.0 ?  S 18:52 0:00 /home/alexpetralia/Projects/mbta_django/venv/bin/python /home/alexpetralia/Projects/mbta_django/venv/bin/gunicorn mbta_django.wsgi:application --name mbta_django_gunicorn --workers 5 --user=alexpetralia --group=alexpetralia 
alexpet+ 1954 0.0 0.0 ?  S 18:52 0:00 /home/alexpetralia/Projects/mbta_django/venv/bin/python /home/alexpetralia/Projects/mbta_django/venv/bin/gunicorn mbta_django.wsgi:application --name mbta_django_gunicorn --workers 5 --user=alexpetralia --group=alexpetralia 
alexpet+ 1957 0.2 1.6 226280 63612 ?  S 18:52 0:01 /home/alexpetralia/Projects/mbta_django/venv/bin/python /home/alexpetralia/Projects/mbta_django/venv/bin/gunicorn mbta_django.wsgi:application --name mbta_django_gunicorn --workers 5 --user=alexpetralia --group=alexpetralia 
alexpet+ 1964 0.1 0.0 ?  S 18:52 0:00 /home/alexpetralia/Projects/mbta_django/venv/bin/python /home/alexpetralia/Projects/mbta_django/venv/bin/gunicorn mbta_django.wsgi:application --name mbta_django_gunicorn --workers 5 --user=alexpetralia --group=alexpetralia 
alexpet+ 1975 0.0 0.8 ?  S 18:52 0:00 /home/alexpetralia/Projects/mbta_django/venv/bin/python /home/alexpetralia/Projects/mbta_django/venv/bin/gunicorn mbta_django.wsgi:application --name mbta_django_gunicorn --workers 5 --user=alexpetralia --group=alexpetralia 

Nginx的过程：

alexpetralia@linux-box:~/Projects/mbta_django$ ps aux | grep nginx 
root  1362 0.0 0.0 85892 2712 ?  Ss 18:52 0:00 nginx: master process /usr/sbin/nginx 
alexpet+ 1363 0.0 0.0 86172 3404 ?  S 18:52 0:00 nginx: worker process 
alexpet+ 1364 0.0 0.0 86172 3404 ?  S 18:52 0:00 nginx: worker process 
alexpet+ 1365 0.0 0.0 86172 3404 ?  S 18:52 0:00 nginx: worker process 
alexpet+ 1366 0.0 0.0 86172 3404 ?  S 18:52 0:00 nginx: worker process 

Answer 1

运行命令“对虾-l /家庭/ alexpetralia /项目/ mbta_django /静态“，看看你的权利是什么样的所有其他父目录。 AFAIK，您的用户必须具有读取静态目录的权限，并且必须具有/，/ home /，/ home/alexpetralia，/ home/alexpetralia/Projects/mbta_django，/ home/alexpetralia/Projects/mbta_django中的执行权限/静态的。

你只包括权限的/ home/alexpetralia /项目/ mbta_django /静态

裁判：http://nginxlibrary.com/403-forbidden-error/

Answer 2

我解决了这个切换到uWSGI。这个过程非常简单。用户：主要nginx conf中的组为alexpetralia alexpetralia（即/etc/nginx/nginx.conf/，而下面的nginx conf在/etc/nginx/sites-enabled/mbta_django中）。

应用特定的nginx的conf：

upstream mbta_django_uwsgi { 
    server unix:///home/alexpetralia/Projects/mbta_django/run/uwsgi.sock; 
} 

server { 

    listen  80; 
    server_name 127.0.0.1; # or FQDN 
    charset  utf-8; 

    location /static { 
      alias /home/alexpetralia/Projects/mbta_django/static; 
    } 

    location/{ 
     uwsgi_pass unix:/home/alexpetralia/Projects/mbta_django/run/uwsgi.sock; 
     include  /etc/nginx/uwsgi_params; 
    } 
} 

uWSGI命令：

uwsgi --chdir=/home/alexpetralia/Projects/mbta_django --wsgi-file=mbta_django/wsgi.py --processes=5 --socket run/uwsgi.sock --py-autoreload=3

最后收集来自我在根下的所有应用程序，因为应用程序特定的CSS文件没有加载静态（ django settings.py，我有STATIC_ROOT = os.path.join(BASE_DIR, "static")）：

./manage.py collectstatic在django roo t文件夹