(13: Permission denied) while connecting to upstream:[nginx]
Disclaimer
Make sure there are no security implications for your use-case before running this.
Answer
I had a similar issue getting Fedora 20, Nginx, Node.js, and Ghost (blog) to work. It turns out my issue was due to SELinux.
This should solve the problem:
setsebool -P httpd_can_network_connect 1
Details
I checked for errors in the SELinux logs:
sudo cat /var/log/audit/audit.log | grep nginx | grep denied
And found that running the following commands fixed my issue:
sudo cat /var/log/audit/audit.log | grep nginx | grep denied | audit2allow -M mynginx
sudo semodule -i mynginx.pp
Option #2 (untested, but probably more secure)
setsebool -P httpd_can_network_relay 1
https://security.stackexchange.com/questions/152358/difference-between-selinux-booleans-httpd-can-network-relay-and-httpd-can-net
References
http://blog.frag-gustav.de/2013/07/21/nginx-selinux-me-mad/
https://wiki.gentoo.org/wiki/SELinux/Tutorials/Where_to_find_SELinux_permission_denial_details
http://wiki.gentoo.org/wiki/SELinux/Tutorials/Managing_network_port_labels
I’ve run into this problem too. Another solution is to toggle the SELinux boolean value for httpd network connect to on (Nginx uses the httpd label).
setsebool httpd_can_network_connect on
To make the change persist use the -P flag.
setsebool httpd_can_network_connect on -P
You can see a list of all available SELinux booleans for httpd using
getsebool -a | grep httpd
I have solved my problem by running my Nginx as the user I'm currently logged in with, mulagala.
By default the user as nginx is defined at the very top section of the nginx.conf file as seen below;
user nginx; # Default Nginx user
Change nginx to the name of your current user - here, mulagala.
user mulagala; # Custom Nginx user (as username of the current logged in user)
However, this may not address the actual problem and may actually have casual side effect(s).
For an effective solution, please refer to Joseph Barbere's solution.
Had a similar problem on Centos 7. When I tried to apply the solution prescribed by Sorin, I started moving in cycles. First I had a permission {write} denied. Then when I solved that I had a permission { connectto } denied. Then back again to permission {write } denied.
Following @Sid answer above of checking the flags using getsebool -a | grep httpd and toggling them I found that in addition to the httpd_can_network_connect being off. http_anon_write was also off resulting in permission denied write and permission denied {connectto}
type=AVC msg=audit(1501830505.174:799183): avc:
denied { write } for pid=12144 comm="nginx" name="myroject.sock"
dev="dm-2" ino=134718735 scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:default_t:s0 tclass=sock_file
Obtained using sudo cat /var/log/audit/audit.log | grep nginx | grep denied as explained above.
So I solved them one at a time, toggling the flags on one at a time.
setsebool httpd_can_network_connect on -P
Then running the commands specified by @sorin and @Joseph above
sudo cat /var/log/audit/audit.log | grep nginx | grep denied |
audit2allow -M mynginx
sudo semodule -i mynginx.pp
Basically you can check the permissions set on setsebool and correlate that with the error obtained from grepp'ing' audit.log nginx, denied
if "502 Bad Gateway" error throws on centos api url for api gateway proxy pass on nginx , run following command to solve the issue
sudo setsebool -P httpd_can_network_connect 1