Access denied (403) for PHP files with Nginx + PHP-FPM

nginx permissions fedora php http-status-code-403
86,492

Solution 1

Here are some possible solutions:

  1. In your php-fpm www.conf set security.limit_extensions to .php or .php5 or whatever suits your environment. For some users, completely removing all values or setting it to FALSE was the only way to get it working.

  2. In your nginx config file set fastcgi_pass to your socket address (e.g. unix:/var/run/php-fpm/php-fpm.sock;) instead of your server address and port.

  3. Check your SCRIPT_FILENAME fastcgi param and set it according to the location of your files.

  4. In your nginx config file include fastcgi_split_path_info ^(.+\.php)(/.+)$; in the location block where all the other fastcgi params are defined.

  5. In your php.ini set cgi.fix_pathinfo to 1

Solution 2

Please note that the above solution (set cgi.fix_pathinfo to 1) is a terrible idea. See https://nealpoole.com/blog/2011/04/setting-up-php-fastcgi-and-nginx-dont-trust-the-tutorials-check-your-configuration/ for a good overview.

The issue is probably down to your application relying on PATH_INFO. Enable access logging for php to get more information about how your application is called to help you debug this issue.

Once again, just to be sure - the accepted solution is a terrible idea, and will likely get your site hacked.

Solution 3

Do not forget to restart php5-fpm service after changing php.ini!!

service php5-fpm restart or service php5-fpm reload

fpm prestarts php5 so it is not enough to restart nginx to have the changes applied.

Solution 4

It may be related to selinux. If you use the shared folder of Virtual Box, you cannot change the access permissions in this folder in Linux. Therefore, you can solve it after closing selinux.

Share:
86,492

Related videos on Youtube

feub
Author by

feub

PHP developer. Magento and Zend Framework.

Updated on June 10, 2020

Comments

  • feub
    feub almost 4 years

    I have been spending few hours on that issue and despite the high number of posts related to it, I cannot solve it. I have a Fedora 20 box with Nginx + PHP-FPM that worked quite good until today (after I reloaded php-fpm.service I guess). Nginx is serving static files with no problem, but any PHP file triggers an error 403.

    The permissions are ok, nginx and php-fpm are running under the user "nginx":

    root     13763  0.0  0.6 490428 24924 ?        Ss   15:47   0:00 php-fpm: master process (/etc/php-fpm.conf)
nginx    13764  0.0  0.1 490428  7296 ?        S    15:47   0:00 php-fpm: pool www
nginx    13765  0.0  0.1 490428  7296 ?        S    15:47   0:00 php-fpm: pool www
nginx    13766  0.0  0.1 490428  7296 ?        S    15:47   0:00 php-fpm: pool www
nginx    13767  0.0  0.1 490428  7296 ?        S    15:47   0:00 php-fpm: pool www
nginx    13768  0.0  0.1 490428  6848 ?        S    15:47   0:00 php-fpm: pool www

    The served files have been set to nginx user as well, I even ended chmoding 777 those files to try, but still "Access denied" for any PHP files.

    Below is a server of my Nginx config:

    server {
        listen          80;
        server_name     localhost;

        root            /var/www/html;

         location ~ \.php$ {
            fastcgi_intercept_errors on;
            try_files $uri =404;
            fastcgi_pass   127.0.0.1:9000;
            fastcgi_index  index.php;
            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
            include        fastcgi_params;
        }
}

    The PHP-FPM pool:

    [www]
...
listen = 127.0.0.1:9000
user = nginx
group = nginx
...

    For the versions:

    php-5.5.11 (as well as php-fpm-5.5.11 of course)

    nginx-1.4.7

    I am adding the Nginx error log:

     FastCGI sent in stderr: "Access to the script '/var/www/html' has been denied (see security.limit_extensions)" while reading response header from upstream, client: xxx.xxx.xxx.xxx, server: localhost, request: "GET /index.php HTTP/1.1", upstream: "fastcgi://127.0.0.1:9000", host: "xxx.xxx.xxx.xxx"

    And precise that security.limit_extensions is correct, set to: security.limit_extensions = .php.

    About the path permissions, /var/www/html can be traversed. What am I missing?

    • VF_
      VF_ about 10 years
      I know it sounds weird, but did you double check whether you have edited the right php.ini file regarding to limit_extensions? I made this mistake the other day..
    • feub
      feub about 10 years
      limit_extensions is present only in the FPM pool, for me with Fedora 20 in /etc/php-fpm.d/www.conf.. But thank you John
    • VF_
      VF_ about 10 years
      have you tried setting the fastcgi_pass to the socket address instead of the serveraddress (e.g. unix:/var/run/php-fpm/php-fpm.sock;)?
    • feub
      feub about 10 years
      Yes I tried this too, but the result is the same. I'm running out of ideas with this issue..
    • VF_
      VF_ about 10 years
      Well.. could you set the fastcgi_param SCRIPT_FILENAME to $fastcgi_script_name, reload fpm and try again? Without $document_root...
    • feub
      feub about 10 years
      The same problem John, thx
    • VF_
      VF_ about 10 years
      Yeah it's kinda embarrassing but I had this problem two weeks ago and I didn't write down how I solved it, of course.. Anyway, here's my last idea and I kinda think that was the thing: Remove everything from the security.limit_extensions so it looks like this: security.limit_extensions = ..
    • feub
      feub about 10 years
      I tried too ;] But without success. Then I get a 404 even if the file exists. Error log: FastCGI sent in stderr: "Unable to open primary script: /var/www/html (Success)" while reading response header from upstream, client: xxx.xxx.xxx.xxx, server: localhost, request: "GET /info.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php-fpm.sock:", host: "xxx.xxx.xxx.xxx" Some thread suggested to set it to FALSE too, same result.
    • VF_
      VF_ about 10 years
      Huh.. I think that we're heading in the right direction ;) please keep the limit_extensions empty and include fastcgi_split_path_info ^(.+\.php)(/.+)$;in your location block and try again with and without the $doc_root in SCRIPT_FILENAME
    • Black Sheep
      Black Sheep about 10 years
      try this: location ~ \.php$ { include /etc/nginx/fastcgi_params; fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_pass unix:/var/run/php5-fpm.sock; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;}
    • feub
      feub about 10 years
      John, I found a solution and I feel stupid about it. In the php.ini, I switched the cgi.fix_pathinfo from 0 to 1 and everything is working now. Thank you for your time, you support helped! ;]
    • VF_
      VF_ about 10 years
      Great! I'm gonna answer with all the possible solutions for future reference.. You don't have to accept it, of course!
  • chifliiiii
    chifliiiii over 9 years
    Are you sure is safe to set fix_pathinfo to 1 ? Check serverfault.com/questions/627903/…
  • Ty.
    Ty. over 8 years
    If #1 and #4 are implemented, it's perfectly safe to implement #5. Actually... #1 and #5 were defaulted to .php and 1 respectively in PHP 5.5.
  • Ty.
    Ty. over 8 years
    It's not a terrible idea and it won't get your site hacked. It's the default value for PHP 5.5. If you pass to PHP-FPM as instructed here you're fine: nginx.com/resources/wiki/start/topics/examples/phpfcgi/…
  • David Beckwith
    David Beckwith over 7 years
    I was trying to get .html files to run as .php files, so #1 above with "sudo systemctl restart php7.0-fpm" did it for me. Cheers.
  • Marcelo Agimóvel
    Marcelo Agimóvel over 5 years
    Guys its not safe. In NGINX oficial website it says it opens a security hole that allows to upload something.
  • dev-assassin
    dev-assassin about 4 years
    when i change cgi.fix_pathinfo to 1, site works well.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Ownership and permissions for nginx local webserver
Php7 and php5 on fedora at the same time
nginx on fedora fastcgi not working
PHP fopen fails - does not have permission to open file in write mode
phpmyadmin forbidden in Nginx although permited
Nginx says 404 not found, no error log
Nginx PHP-fpm permission
nginx: no permission to bind port 8090 but it binds to 80 and 8080
Nginx 403 forbidden for all files
Failed to start The nginx HTTP and reverse proxy server issue