After an update of my system I ran into a bad gateway error of my PHP apps running on Nginx.
1 connect() to unix:/var/run/php-fcgi-vhostname-php-fcgi-0.sock failed (13: Permission denied) while connecting to upstream, client: xx.xxx.xx.xx, server: localhost, request: "GET / HTTP/1.1", upstream: "fastcgi://unix:/var/run/php-fcgi-vhostname-php-fcgi-0.sock:", host: "xx.xx.xx.xx"
The problem is caused by bad permissions of the php-fpm sockets used, in fact I see /var/run/php-fcgi.sock
owned by root:root
but nginx and php-fpm use as user www-data
.
I've already edited the php-fpm config at /etc/php-fpm.d/www.conf
with:
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
but it doesn't solve the problem and when i restart nginx and php-fpm the sockets are created with root:root
as user/group.
The only way I've found to fix it is to change the owner of the sockets to www-data:www-data manually. But this is not a real solution because everytime I restart my services I've to apply it again.
How can I fix this problem? I'm on CentOS 6.5
I use Ajenti-V to configure my vhosts and my PHP-FPM. It creates a new socket for each website/vhost, and them are set in /etc/php-fpm.conf
They have this structure:
[vhostname-php-fcgi-0]
user = www-data
group = www-data
listen = /var/run/php-fcgi-vhostname-php-fcgi-0.sock
pm = dynamic
pm.max_children = 5
pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 5
If I add to each entry these strings:
listen.owner = www-data
listen.group = www-data
listen.mode = 0666
Everything works correctly.
So looks like the www.conf is not included (maybe?). This is my php-fpm.conf:
[global]
pid = /var/run/php-fpm/php-fpm.pid
error_log = /var/log/php5-fpm.log
[global-pool]
user = www-data
group = www-data
listen = /var/run/php-fcgi.sock
pm = dynamic
pm.start_servers = 1
pm.max_children = 5
pm.min_spare_servers = 1
pm.max_spare_servers = 5
[vhostname-php-fcgi-0]
user = www-data
group = www-data
listen = /var/run/php-fcgi-vhostname-php-fcgi-0.sock
pm = dynamic
pm.max_children = 5
pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 5
PHP-FPM is installed and active for NGINX. And that's it, you've got NGINX up and running with PHP-FPM support. Remember, when you build your virtualhost configuration files, you'll need to make sure to include PHP support in those. For that, you can use the /etc/nginx/sites-available/default file as an example.
For example, on CentOS 8, with a single version, all PHP configuration files are located in the /etc directory and the default PHP-FPM pool (www) configuration file is /etc/php-fpm. d/www. conf: To list all PHP configuration files, use the following ls command.
By default the web server and php-fpm runs with the user called www-data.
PHP-FPM (FastCGI Process Manager) is an alternative to FastCGI implementation of PHP with some additional features useful for sites with high traffic. It is the preferred method of processing PHP pages with NGINX and is faster than traditional CGI based methods such as SUPHP or mod_php for running a PHP script.
/etc/php-fpm.conf
is the config file FPM will read (on CentOS). If you want FPM to read other config files as well, you need to tell it that.
You can do this by placing the line include=/etc/php-fpm.d/*.conf
at the bottom of /etc/php-fpm.conf
. It will then read everything in the directory /etc/php-fpm.d
(that ends with .conf
).
Then place the global directives and the include line in /etc/php-fpm.conf
. This could look something like this:
[global] pid = /var/run/php-fpm/php-fpm.pid error_log = /var/log/php5-fpm.log include=/etc/php-fpm.d/*.conf
And have a separate file in /etc/php-fpm.d
for each pool.
Example /etc/php-fpm.d/global.conf
:
[global-pool] user = www-data group = www-data listen = /var/run/php-fcgi.sock listen.owner = www-data listen.group = www-data listen.mode = 0660 pm = dynamic pm.start_servers = 1 pm.max_children = 5 pm.min_spare_servers = 1 pm.max_spare_servers = 5
Example /etc/php-fpm.d/vhostname-0.conf
:
[vhostname-php-fcgi-0] user = www-data group = www-data listen = /var/run/php-fcgi-vhostname-php-fcgi-0.sock listen.owner = www-data listen.group = www-data listen.mode = 0660 pm = dynamic pm.max_children = 5 pm.start_servers = 1 pm.min_spare_servers = 1 pm.max_spare_servers = 5
Every pool should use a different socket. If you have multiple pools using the same socket you'll get issues.
The directives user
and group
control the user/group which the FPM process for that pool will run as. These do not specify the user/group of the socket.
The directives listen.owner
and listen.group
control the user/group the socket uses for that pool.
The pool directives (like listen.*
) will only work for pools. So you can't use them in the global section, you have to specify them for each pool.
The permissions 0660 are perfectly fine when listen.owner
and listen.group
are the same as the webserver. You could even use 0600, but one might argue that any user that can operate under the same group as the webserver can also use the socket, so I would use 0660.
Just adding here that the listen.acl_users
directive should be commented, otherwise, it will override the listen.owner
and listen.group
values:
; Set permissions for unix socket, if one is used. In Linux, read/write
; permissions must be set in order to allow connections from a web server.
; Default Values: user and group are set as the running user
; mode is set to 0660
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
; When POSIX Access Control Lists are supported you can set them using
; these options, value is a comma separated list of user/group names.
; When set, listen.owner and listen.group are ignored
;listen.acl_users = apache,nginx
NGINX runs as user nginx
and php5-fpm as user www-data
. Just add nginx
to group www-data
and the problem is solved, and nginx can access /var/run/php5-fpm.sock
. Works great with Ubuntu 14.04, nginx 1.7.10, PHP 5.5.9-1ubuntu4.6 (fpm-fcgi):
$ sudo usermod -aG www-data nginx
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With