Access denied (403) for PHP files with Nginx + PHP-FPM
Solution 1
Here are some possible solutions:
In your php-fpm www.conf set
security.limit_extensions
to.php
or.php5
or whatever suits your environment. For some users, completely removing all values or setting it toFALSE
was the only way to get it working.In your nginx config file set
fastcgi_pass
to your socket address (e.g.unix:/var/run/php-fpm/php-fpm.sock;
) instead of your server address and port.Check your
SCRIPT_FILENAME
fastcgi param and set it according to the location of your files.In your nginx config file include
fastcgi_split_path_info ^(.+\.php)(/.+)$;
in the location block where all the other fastcgi params are defined.In your php.ini set
cgi.fix_pathinfo
to1
Solution 2
Please note that the above solution (set cgi.fix_pathinfo
to 1
) is a terrible idea. See https://nealpoole.com/blog/2011/04/setting-up-php-fastcgi-and-nginx-dont-trust-the-tutorials-check-your-configuration/ for a good overview.
The issue is probably down to your application relying on PATH_INFO. Enable access logging for php to get more information about how your application is called to help you debug this issue.
Once again, just to be sure - the accepted solution is a terrible idea, and will likely get your site hacked.
Solution 3
Do not forget to restart php5-fpm service after changing php.ini!!
service php5-fpm restart or service php5-fpm reload
fpm prestarts php5 so it is not enough to restart nginx to have the changes applied.
Solution 4
It may be related to selinux. If you use the shared folder of Virtual Box, you cannot change the access permissions in this folder in Linux. Therefore, you can solve it after closing selinux.
Related videos on Youtube
Comments
-
feub almost 4 years
I have been spending few hours on that issue and despite the high number of posts related to it, I cannot solve it. I have a Fedora 20 box with Nginx + PHP-FPM that worked quite good until today (after I reloaded php-fpm.service I guess). Nginx is serving static files with no problem, but any PHP file triggers an error 403.
The permissions are ok, nginx and php-fpm are running under the user "nginx":
root 13763 0.0 0.6 490428 24924 ? Ss 15:47 0:00 php-fpm: master process (/etc/php-fpm.conf) nginx 13764 0.0 0.1 490428 7296 ? S 15:47 0:00 php-fpm: pool www nginx 13765 0.0 0.1 490428 7296 ? S 15:47 0:00 php-fpm: pool www nginx 13766 0.0 0.1 490428 7296 ? S 15:47 0:00 php-fpm: pool www nginx 13767 0.0 0.1 490428 7296 ? S 15:47 0:00 php-fpm: pool www nginx 13768 0.0 0.1 490428 6848 ? S 15:47 0:00 php-fpm: pool www
The served files have been set to nginx user as well, I even ended chmoding 777 those files to try, but still "Access denied" for any PHP files.
Below is a server of my Nginx config:
server { listen 80; server_name localhost; root /var/www/html; location ~ \.php$ { fastcgi_intercept_errors on; try_files $uri =404; fastcgi_pass 127.0.0.1:9000; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; include fastcgi_params; } }
The PHP-FPM pool:
[www] ... listen = 127.0.0.1:9000 user = nginx group = nginx ...
For the versions:
php-5.5.11 (as well as php-fpm-5.5.11 of course)
nginx-1.4.7
I am adding the Nginx error log:
FastCGI sent in stderr: "Access to the script '/var/www/html' has been denied (see security.limit_extensions)" while reading response header from upstream, client: xxx.xxx.xxx.xxx, server: localhost, request: "GET /index.php HTTP/1.1", upstream: "fastcgi://127.0.0.1:9000", host: "xxx.xxx.xxx.xxx"
And precise that
security.limit_extensions
is correct, set to:security.limit_extensions = .php
.About the path permissions, /var/www/html can be traversed. What am I missing?
-
VF_ about 10 yearsI know it sounds weird, but did you double check whether you have edited the right php.ini file regarding to limit_extensions? I made this mistake the other day..
-
feub about 10 years
limit_extensions
is present only in the FPM pool, for me with Fedora 20 in/etc/php-fpm.d/www.conf
.. But thank you John -
VF_ about 10 yearshave you tried setting the
fastcgi_pass
to the socket address instead of the serveraddress (e.g. unix:/var/run/php-fpm/php-fpm.sock;)? -
feub about 10 yearsYes I tried this too, but the result is the same. I'm running out of ideas with this issue..
-
VF_ about 10 yearsWell.. could you set the
fastcgi_param SCRIPT_FILENAME
to$fastcgi_script_name
, reload fpm and try again? Without$document_root
... -
feub about 10 yearsThe same problem John, thx
-
VF_ about 10 yearsYeah it's kinda embarrassing but I had this problem two weeks ago and I didn't write down how I solved it, of course.. Anyway, here's my last idea and I kinda think that was the thing: Remove everything from the
security.limit_extensions
so it looks like this:security.limit_extensions =
.. -
feub about 10 yearsI tried too ;] But without success. Then I get a 404 even if the file exists. Error log:
FastCGI sent in stderr: "Unable to open primary script: /var/www/html (Success)" while reading response header from upstream, client: xxx.xxx.xxx.xxx, server: localhost, request: "GET /info.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php-fpm.sock:", host: "xxx.xxx.xxx.xxx"
Some thread suggested to set it to FALSE too, same result. -
VF_ about 10 yearsHuh.. I think that we're heading in the right direction ;) please keep the
limit_extensions
empty and includefastcgi_split_path_info ^(.+\.php)(/.+)$;
in your location block and try again with and without the $doc_root inSCRIPT_FILENAME
-
Black Sheep about 10 yearstry this:
location ~ \.php$ { include /etc/nginx/fastcgi_params; fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_pass unix:/var/run/php5-fpm.sock; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;}
-
feub about 10 yearsJohn, I found a solution and I feel stupid about it. In the php.ini, I switched the
cgi.fix_pathinfo
from 0 to 1 and everything is working now. Thank you for your time, you support helped! ;] -
VF_ about 10 yearsGreat! I'm gonna answer with all the possible solutions for future reference.. You don't have to accept it, of course!
-
-
chifliiiii over 9 yearsAre you sure is safe to set fix_pathinfo to 1 ? Check serverfault.com/questions/627903/…
-
Ty. over 8 yearsIf #1 and #4 are implemented, it's perfectly safe to implement #5. Actually... #1 and #5 were defaulted to
.php
and1
respectively in PHP 5.5. -
Ty. over 8 yearsIt's not a terrible idea and it won't get your site hacked. It's the default value for PHP 5.5. If you pass to PHP-FPM as instructed here you're fine: nginx.com/resources/wiki/start/topics/examples/phpfcgi/…
-
David Beckwith over 7 yearsI was trying to get .html files to run as .php files, so #1 above with "sudo systemctl restart php7.0-fpm" did it for me. Cheers.
-
Marcelo Agimóvel over 5 yearsGuys its not safe. In NGINX oficial website it says it opens a security hole that allows to upload something.
-
dev-assassin about 4 yearswhen i change
cgi.fix_pathinfo
to 1, site works well.