nginx php-fpm: Permission denied while connecting to upstream


Don't listen on the pid file: it is where PHP-FPM records its master process ID, not a socket that nginx can connect to.

In your pool config:

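You must listen on a socket file or over TCP, like this (a socket file can be restricted with listen.owner, listen.group and listen.mode, whereas a loopback TCP port accepts connections from any local process):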

listen = /run/run/php-fpm.sock

or

listen = 127.0.0.1:9000

See http://php.net/manual/fr/install.fpm.configuration.php#listen

And in Nginx:

fastcgi_pass unix:/run/run/php-fpm.sock;

or

fastcgi_pass 127.0.0.1:9000;

See http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html#fastcgi_pass

Author by

H Aßdøµ

Back-end developer, open-source fan, challenge seeker. My Github repo: https://github.com/hAbd0u

Updated on September 18, 2022

Comments

  • H Aßdøµ
    H Aßdøµ over 1 year

    After installing nginx and php-fpm, the error below does not go away, even after setting all the required permissions as suggested in previous answers here:

    [error] 2443#0: *2 connect() to unix:/run/php-fpm/php-fpm.pid failed (111: Connection refused) while connecting to upstream
    

    These are all my configurations: /etc/php-fpm.d/www.conf

    ; PHP-FPM pool definition as posted in the question. The listen* directives
    ; below decide where the FastCGI endpoint lives and who may connect to it.
    [www]
    user = nginx
    group = nginx
    ; NOTE(review): this is the same path that /etc/php-fpm.conf sets for `pid`.
    ; A pid file holds the master process ID and is not a listening socket;
    ; `listen` needs its own socket path (or an address:port).
    listen = /run/php-fpm/php-fpm.pid
    ; Ownership and mode of the unix socket: 0660 with nginx:nginx limits
    ; connections to that user and group.
    listen.owner = nginx
    listen.group = nginx
    listen.mode = 0660
    ; Per the PHP-FPM documentation this directive only makes sense with a TCP
    ; listening socket; it does not restrict access to a unix socket.
    listen.allowed_clients = 127.0.0.1
    
    pm = dynamic
    pm.max_children = 50
    pm.start_servers = 5
    pm.min_spare_servers = 5
    pm.max_spare_servers = 35
    
    slowlog = /var/log/php-fpm/www-slow.log
    
    php_admin_value[error_log] = /var/log/php-fpm/www-error.log
    php_admin_flag[log_errors] = on
    php_value[session.save_handler] = files
    php_value[session.save_path]    = /var/lib/php/session
    php_value[soap.wsdl_cache_dir]  = /var/lib/php/wsdlcache
    

    /etc/php-fpm.conf

    ; Global PHP-FPM configuration as posted; pool files are pulled in from
    ; /etc/php-fpm.d/.
    include=/etc/php-fpm.d/*.conf
    [global]
    ; File where the master process ID is written. NOTE(review): the [www] pool
    ; shown in the question points `listen` at this same path, so the pid file
    ; and the socket collide.
    pid = /run/php-fpm/php-fpm.pid
    error_log = /var/log/php-fpm/error.log
    daemonize = yes
    events.mechanism = epoll
    

    /etc/nginx/nginx.conf

    # Main nginx configuration as posted in the question.
    # Worker processes run as user and group nginx, the same account named by
    # listen.owner / listen.group in the PHP-FPM pool config.
    user nginx nginx;
    worker_processes 1;
    error_log /var/log/nginx/error.log;
    pid /run/nginx.pid;
    include /usr/share/nginx/modules/*.conf;
    events {
        worker_connections 1024;
    }
    http {
        log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                          '$status $body_bytes_sent "$http_referer" '
                          '"$http_user_agent" "$http_x_forwarded_for"';
        access_log  /var/log/nginx/access.log  main;
        sendfile            on;
        tcp_nopush          on;
        tcp_nodelay         on;
        keepalive_timeout   65;
        types_hash_max_size 2048;
        include             /etc/nginx/mime.types;
        default_type        application/octet-stream;
        # Load modular configuration files from the /etc/nginx/conf.d directory.
        # See http://nginx.org/en/docs/ngx_core_module.html#include
        # for more information.
        include /etc/nginx/conf.d/*.conf;
        # Named upstream for PHP-FPM. The active entry is the loopback TCP port;
        # the commented-out entry names the pid file rather than a socket.
        # NOTE(review): the virtual host shown in the question passes requests
        # to a literal unix: path and does not reference this upstream.
        upstream php {
            #server unix:/var/run/php-fpm/php-fpm.pid;
            server 127.0.0.1:9000;
        }
        server_names_hash_bucket_size 64;
        # Virtual hosts
        include /etc/nginx/sites/*.conf;
    }
    

    /etc/nginx/sites/*.conf

    # Virtual host as posted in the question: static files are served from the
    # document root and *.php requests are handed to PHP-FPM over FastCGI.
    server {
            listen 80 ;
            listen [::]:80;
            server_name elkhobara.com www.elkhobara.com;
            root /var/hosts/elkhobara;
            index index.html index.htm index.php;
            location / {
                    try_files $uri $uri/ =404;
            }
            error_page   500 502 503 504  /50x.html;
            location = /50x.html {
                    root   html;
            }
            location ~ \.php$ {
                   # Answer 404 unless the requested file exists, so a URI that
                   # does not map to a real file is never forwarded to PHP-FPM.
                   try_files $uri =404;
                   # NOTE(review): this is PHP-FPM's pid file, not a listening
                   # socket. It must name the socket path (or address:port) that
                   # `listen` sets in the pool config.
                   fastcgi_pass unix:/run/php-fpm/php-fpm.pid;
                   #fastcgi_pass 127.0.0.1:9000;
                   fastcgi_index index.php;
                   include /etc/nginx/fastcgi_params;
                   # Script path sent to PHP-FPM: the document root followed by
                   # the script name taken from the request URI.
                   fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
            }
    }
    

    Note: if I change the socket to 127.0.0.1:9000, it works perfectly.

    UPDATE:

    SELinux status:

    # sestatus
    SELinux status:                 enabled
    SELinuxfs mount:                /sys/fs/selinux
    SELinux root directory:         /etc/selinux
    Loaded policy name:             targeted
    Current mode:                   permissive
    Mode from config file:          permissive
    Policy MLS status:              enabled
    Policy deny_unknown status:     allowed
    Max kernel policy version:      28
    

    /var/log/audit/audit.log

    --------------------------------------------------------------------------------
    
    SELinux is preventing /usr/sbin/nginx from getattr access on the file /var/hosts/elkhobara/index.php.
    
    *****  Plugin catchall_labels (83.8 confidence) suggests   *******************
    
    If you want to allow nginx to have getattr access on the index.php file
    Then you need to change the label on /var/hosts/elkhobara/index.php
    Do
    # semanage fcontext -a -t FILE_TYPE '/var/hosts/elkhobara/index.php'
    where FILE_TYPE is one of the following: --Stripped text--.
    Then execute:
    restorecon -v '/var/hosts/elkhobara/index.php'
    
    
    *****  Plugin catchall (17.1 confidence) suggests   **************************
    
    If you believe that nginx should be allowed getattr access on the index.php file by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # ausearch -c 'nginx' --raw | audit2allow -M my-nginx
    # semodule -i my-nginx.pp
    
    
    Additional Information:
    Source Context                system_u:system_r:httpd_t:s0
    Target Context                unconfined_u:object_r:var_t:s0
    Target Objects                /var/hosts/elkhobara/index.php [ file ]
    Source                        nginx
    Source Path                   /usr/sbin/nginx
    Port                          <Unknown>
    Host                          <Unknown>
    Source RPM Packages           nginx-1.10.2-1.el7.x86_64
    Target RPM Packages           
    Policy RPM                    selinux-policy-3.13.1-102.el7_3.7.noarch
    Selinux Enabled               True
    Policy Type                   targeted
    Enforcing Mode                Permissive
    Host Name                     ip-172-31-39-125.us-west-2.compute.internal
    Platform                      Linux ip-172-31-39-125.us-west-2.compute.internal
                                  3.10.0-514.2.2.el7.x86_64 #1 SMP Wed Nov 16
                                  13:15:13 EST 2016 x86_64 x86_64
    Alert Count                   23
    First Seen                    2017-01-01 16:46:48 EST
    Last Seen                     2017-01-02 10:32:42 EST
    Local ID                      0ff17cb3-2f01-4acf-8510-ab289c98d946
    
    Raw Audit Messages
    type=AVC msg=audit(1483371162.342:339): avc:  denied  { getattr } for  pid=2443 comm="nginx" path="/var/hosts/elkhobara/index.php" dev="xvda2" ino=25207236 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
    
    
    type=SYSCALL msg=audit(1483371162.342:339): arch=x86_64 syscall=stat success=yes exit=0 a0=7f9f09cef2d4 a1=7ffcd9347290 a2=7ffcd9347290 a3=7f9f09db3b30 items=0 ppid=2442 pid=2443 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=nginx exe=/usr/sbin/nginx subj=system_u:system_r:httpd_t:s0 key=(null)
    
    Hash: nginx,httpd_t,var_t,file,getattr
    
    --------------------------------------------------------------------------------
    
    SELinux is preventing /usr/sbin/nginx from read access on the file index.php.
    
    *****  Plugin catchall_labels (83.8 confidence) suggests   *******************
    
    If you want to allow nginx to have read access on the index.php file
    Then you need to change the label on index.php
    Do
    # semanage fcontext -a -t FILE_TYPE 'index.php'
    where FILE_TYPE is one of the following: --Stripped long text for future readability.
    Then execute:
    restorecon -v 'index.php'
    
    
    *****  Plugin catchall (17.1 confidence) suggests   **************************
    
    If you believe that nginx should be allowed read access on the index.php file by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # ausearch -c 'nginx' --raw | audit2allow -M my-nginx
    # semodule -i my-nginx.pp
    
    
    Additional Information:
    Source Context                system_u:system_r:httpd_t:s0
    Target Context                unconfined_u:object_r:var_t:s0
    Target Objects                index.php [ file ]
    Source                        nginx
    Source Path                   /usr/sbin/nginx
    Port                          <Unknown>
    Host                          <Unknown>
    Source RPM Packages           php-fpm-7.1.0-1.el7.remi.x86_64
    Target RPM Packages           
    Policy RPM                    selinux-policy-3.13.1-102.el7_3.7.noarch
    Selinux Enabled               True
    Policy Type                   targeted
    Enforcing Mode                Permissive
    Host Name                     ip-172-31-39-125.us-west-2.compute.internal
    Platform                      Linux ip-172-31-39-125.us-west-2.compute.internal
                                  3.10.0-514.2.2.el7.x86_64 #1 SMP Wed Nov 16
                                  13:15:13 EST 2016 x86_64 x86_64
    Alert Count                   2
    First Seen                    2017-01-01 17:10:48 EST
    Last Seen                     2017-01-02 06:22:16 EST
    Local ID                      ce7a65cb-6b95-4fc4-b31b-19efccf56ab1
    
    Raw Audit Messages
    type=AVC msg=audit(1483356136.314:121): avc:  denied  { read } for  pid=9421 comm="php-fpm" name="index.php" dev="xvda2" ino=25207236 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
    
    
    type=AVC msg=audit(1483356136.314:121): avc:  denied  { open } for  pid=9421 comm="php-fpm" path="/var/hosts/elkhobara/index.php" dev="xvda2" ino=25207236 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
    
    
    type=SYSCALL msg=audit(1483356136.314:121): arch=x86_64 syscall=open success=yes exit=EIO a0=7ffc64561010 a1=0 a2=1b6 a3=2 items=0 ppid=9419 pid=9421 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=php-fpm exe=/usr/sbin/php-fpm subj=system_u:system_r:httpd_t:s0 key=(null)
    
    Hash: nginx,httpd_t,var_t,file,read
    
    --------------------------------------------------------------------------------
    
    • Orphans
      Orphans over 7 years
      let it use socket 9000 then?
    • H Aßdøµ
      H Aßdøµ over 7 years
      @Orphans I am optimizing the server; that is why I am switching to a unix socket.
    • Federico Sierra
      Federico Sierra over 7 years
      Check your auditlog (/var/log/audit/audit.log)
    • H Aßdøµ
      H Aßdøµ over 7 years
      @FedericoSierra I updated my question with more information as you suggested.
    • Michael Hampton
      Michael Hampton over 7 years
      Your title says "permission denied" but your actual error message says "connection refused". What is really going on here?
    • H Aßdøµ
      H Aßdøµ over 7 years
      @MichaelHampton I have a permission problem caused by SELinux with /run/php-fpm/php-fpm.pid.
  • H Aßdøµ
    H Aßdøµ over 7 years
    That solved my problem.
  • Élie Deloumeau-Prigent
    Élie Deloumeau-Prigent over 7 years
    Very nice ! :-)