nginx permission denied accessing puma socket that does exist in the correct location

On a Digital Ocean droplet running Ubuntu 21.10 impish I am deploying a bare bones Rails 7.0.0.alpha2 application to production. I am setting up nginx as the reverse proxy server to communicate with Puma acting as the Rails server.

I wish to run puma as a service using systemctl without sudo root privileges. To this effect I have a puma service set up in the user's home folder located at ~/.config/systemd/user; the service is enabled and runs as I would expect it to run.

systemctl status --user puma_master_cms_production

reports the following

● puma_master_cms_production.service - Puma HTTP Server for master_cms (production)
     Loaded: loaded (/home/comtechmaster/.config/systemd/user/puma_master_cms_production.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2021-11-18 22:31:02 UTC; 1h 18min ago
   Main PID: 1577 (ruby)
      Tasks: 10 (limit: 2338)
     Memory: 125.1M
        CPU: 2.873s
     CGroup: /user.slice/user-1000.slice/user@1000.service/app.slice/puma_master_cms_production.service
             └─1577 puma 5.5.2 (unix:///home/comtechmaster/apps/master_cms/shared/tmp/sockets/puma_master_cms_production.sock)

Nov 18 22:31:02 master-cms systemd[749]: Started Puma HTTP Server for master_cms (production).

The rails production.log is empty. The puma error log shows the following

cat log/puma_error.log 
=== puma startup: 2021-11-18 22:31:05 +0000 ===

The pid files exist in the application root's shared/tmp/pids folder

ls tmp/pids
puma.pid  puma.state

and the socket that nginx needs but is unable to connect to due to permission denied exists

ls -l ~/apps/master_cms/shared/tmp/sockets/
total 0
srwxrwxrwx 1 comtechmaster comtechmaster 0 Nov 18 22:31 puma_master_cms_production.sock

nginx is up and running and providing a

502 bad gateway

response. The nginx error log reports the following error

2021/11/18 23:18:43 [crit] 1500#1500: *25 connect() to unix:/home/comtechmaster/apps/master_cms/shared/tmp/sockets/puma_master_cms_production.sock failed (13: Permission denied) while connecting to upstream, client: 86.160.191.54, server: 159.65.50.229, request: "GET / HTTP/2.0", upstream: "http://unix:/home/comtechmaster/apps/master_cms/shared/tmp/sockets/puma_master_cms_production.sock:/500.html"

sudo nginx -t reports the following

sudo nginx -t
nginx: [warn] could not build optimal proxy_headers_hash, you should increase either proxy_headers_hash_max_size: 512 or proxy_headers_hash_bucket_size: 64; ignoring proxy_headers_hash_bucket_size
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Just to be pedantic, both an ls and a sudo ls to the path reported in the error show

ls /home/comtechmaster/apps/master_cms/shared/tmp/sockets/
puma_master_cms_production.sock

as expected, so I am stumped as to why nginx, running as root using sudo service nginx start, is being denied access to a socket that exists and that is owned by the local user rather than root.

I expect the solution is going to be something totally obvious, but I cannot see what.



Solution 1:[1]

This problem ended up being related to the folder permissions for the user's home folder, and specifically a change in the way Ubuntu 20.10 sets permissions compared to previous versions of Ubuntu, or at least a difference in the way the DigitalOcean setup scripts behave. This was resolved with a simple command-line chmod o=rx run from /home against the user folder concerned, e.g.

cd /home
chmod o=rx the_home_folder_for_user

Solution 2:[2]

Thanks @jamesc, this solved my problem with Ubuntu 22.04

I did as ubuntu user

cd /home

and

sudo chmod o=rx deploy

previous error on nginx below with permission denied:

==> /var/log/nginx/error.log <==
2022/05/02 12:48:55 [crit] 10524#10524: *2 stat() 
"/home/deploy/production/current/public/favicon.ico/index.html" failed 
(13: Permission denied), client: xx.xx.xx, , request: "GET /favicon.ico 
HTTP/1.1", host: "technologies.co.uk", referrer: 
"http://technologies.co.uk/"
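
Both answers restore the traverse (execute) bit for "other" on the home directory; without it nginx gets error 13 even though the socket itself is mode 777. The script below is an added example, not part of either answer: it walks a path's ancestors and reports each directory lacking that bit. The demo tree and the name appuser are constructed, and it assumes the nginx worker account is neither owner nor group member of those directories.

```shell
#!/bin/sh
# Added example (not from the original answers).
# Lists every ancestor directory of an absolute path that "other" users cannot
# traverse, i.e. that lacks o+x. Assumption: the nginx worker account is
# neither the owner nor in the group of these directories.

blocked_ancestors() {
    dir=$(dirname "$1")
    blocked=""
    while :; do
        # First 10 chars of ls -ld: file type + three rwx triplets.
        # Character 10 is the execute/search bit for "other".
        perms=$(ls -ld "$dir" | cut -c1-10)
        case "$perms" in
            ?????????[xt]) ;;                 # searchable by others
            *) blocked="$dir $perms
$blocked" ;;                                  # prepend: root-most ends up first
        esac
        case "$dir" in /|.) break ;; esac     # stop at the top of the path
        dir=$(dirname "$dir")
    done
    printf '%s' "$blocked"
}

# Constructed demo tree standing in for /home/<user>/.../sockets/<name>.sock
demo_root=$(mktemp -d)
sock="$demo_root/home/appuser/shared/tmp/sockets/puma.sock"
mkdir -p "$(dirname "$sock")" && : > "$sock"
chmod 777 "$sock"                      # the socket file is world-accessible
chmod 750 "$demo_root/home/appuser"    # but the home directory has no o+x

echo "before fix:"; blocked_ancestors "$sock"
chmod o=rx "$demo_root/home/appuser"   # the command from the answers
echo "after fix:";  blocked_ancestors "$sock"
rm -rf "$demo_root"
```

On a real host, `namei -l /path/to/puma.sock` from util-linux prints the same chain of permissions for manual inspection.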

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 jamesc
Solution 2 FredyK