PHP permission denied (Nginx 502) when downloading archive

When clicking the button to download the archive (zip, tar.gz, etc), the response is a 502. The logfile /var/log/nginx/gitlab_error.log gives:

2016/05/04 08:01:56 [crit] 26087#26087: *3222164 connect() to unix://var/opt/gitlab/gitlab-workhorse/socket failed (13: Permission denied) while connecting to upstream, client: xx.xx.xx.xx, server:, request: "GET /project/project/repository/ HTTP/2.0", upstream: "http://unix://var/opt/gitlab/gitlab-workhorse/socket:/project/project/repository/", host: "", referrer: ""

I’m not sure where to look. Nginx configuration for handling (using the server’s Nginx, configured as described here)? Linux file permissions and if so, which? Something else? Since the workhorse is triggered, I assume Nginx is configured ok.

The files in /var/log/gitlab/gitlab-workhorse are binaries or empty files. Does anybody have a hint on how to get meaningful logs?