nginx 和 php-fpm 套接字所有者 [英] nginx and php-fpm socket owner

问题描述

更新系统后，我在 Nginx 上运行的 PHP 应用程序遇到网关错误.

After an update of my system I ran into a bad gateway error of my PHP apps running on Nginx.

1 connect() to unix:/var/run/php-fcgi-vhostname-php-fcgi-0.sock 在连接上游时失败(13:权限被拒绝)，客户端:xx.xxx.xx.xx，服务器:localhost，请求:GET/HTTP/1.1"，上游:fastcgi://unix:/var/run/php-fcgi-vhostname-php-fcgi-0.sock:"，主机:xx.xx.xx.xx"

1 connect() to unix:/var/run/php-fcgi-vhostname-php-fcgi-0.sock failed (13: Permission denied) while connecting to upstream, client: xx.xxx.xx.xx, server: localhost, request: "GET / HTTP/1.1", upstream: "fastcgi://unix:/var/run/php-fcgi-vhostname-php-fcgi-0.sock:", host: "xx.xx.xx.xx"

问题是由于使用的 php-fpm 套接字的权限不好，实际上我看到 /var/run/php-fcgi.sock 拥有的 root:root 但是 nginx 和 php-fpm 作为用户使用 www-data.

The problem is caused by bad permissions of the php-fpm sockets used, in fact I see /var/run/php-fcgi.sock owned by root:root but nginx and php-fpm use as user www-data.

我已经在 /etc/php-fpm.d/www.conf 编辑了 php-fpm 配置:

I've already edited the php-fpm config at /etc/php-fpm.d/www.conf with:

listen.owner = www-data
listen.group = www-data
listen.mode = 0660

但这并没有解决问题，当我重新启动 nginx 和 php-fpm 时，套接字是使用 root:root 作为用户/组创建的.

but it doesn't solve the problem and when i restart nginx and php-fpm the sockets are created with root:root as user/group.

我发现修复它的唯一方法是将套接字的所有者手动更改为 www-data:www-data.但这不是一个真正的解决方案，因为每次我重新启动服务时，我都必须再次应用它.

The only way I've found to fix it is to change the owner of the sockets to www-data:www-data manually. But this is not a real solution because everytime I restart my services I've to apply it again.

我该如何解决这个问题?我在 CentOS 6.5 上

How can I fix this problem? I'm on CentOS 6.5

我使用 Ajenti-V 来配置我的虚拟主机和我的 PHP-FPM.它为每个网站/虚拟主机创建一个新的套接字，并在 /etc/php-fpm.conf

I use Ajenti-V to configure my vhosts and my PHP-FPM. It creates a new socket for each website/vhost, and them are set in /etc/php-fpm.conf

它们有这样的结构:

[vhostname-php-fcgi-0]
user = www-data
group = www-data

listen = /var/run/php-fcgi-vhostname-php-fcgi-0.sock

pm = dynamic
pm.max_children = 5
pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 5

如果我在每个条目中添加这些字符串:

If I add to each entry these strings:

listen.owner = www-data
listen.group = www-data
listen.mode = 0666

一切正常.

所以看起来 www.conf 不包括在内(也许?).这是我的 php-fpm.conf:

So looks like the www.conf is not included (maybe?). This is my php-fpm.conf:

[global]
pid = /var/run/php-fpm/php-fpm.pid
error_log = /var/log/php5-fpm.log


[global-pool]
user = www-data
group = www-data
listen = /var/run/php-fcgi.sock

pm = dynamic
pm.start_servers = 1
pm.max_children = 5
pm.min_spare_servers = 1
pm.max_spare_servers = 5


[vhostname-php-fcgi-0]
user = www-data
group = www-data

listen = /var/run/php-fcgi-vhostname-php-fcgi-0.sock

pm = dynamic
pm.max_children = 5
pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 5

推荐答案

FPM 将读取的配置文件

/etc/php-fpm.conf 是 FPM 将读取的配置文件(在 CentOS 上).如果你想让 FPM 也读取其他配置文件，你需要告诉它.

Config files FPM will read

/etc/php-fpm.conf is the config file FPM will read (on CentOS). If you want FPM to read other config files as well, you need to tell it that.

您可以通过将行 include=/etc/php-fpm.d/*.conf 放在 /etc/php-fpm.conf.然后它将读取目录 /etc/php-fpm.d(以 .conf 结尾)中的所有内容.

You can do this by placing the line include=/etc/php-fpm.d/*.conf at the bottom of /etc/php-fpm.conf. It will then read everything in the directory /etc/php-fpm.d (that ends with .conf).

然后将全局指令和包含行放在 /etc/php-fpm.conf 中.这可能看起来像这样:

Then place the global directives and the include line in /etc/php-fpm.conf. This could look something like this:

[global]

pid = /var/run/php-fpm/php-fpm.pid
error_log = /var/log/php5-fpm.log

include=/etc/php-fpm.d/*.conf

并且在每个池的 /etc/php-fpm.d 中有一个单独的文件.

And have a separate file in /etc/php-fpm.d for each pool.

示例/etc/php-fpm.d/global.conf:

[global-pool]

user = www-data
group = www-data

listen = /var/run/php-fcgi.sock

listen.owner = www-data
listen.group = www-data
listen.mode = 0660

pm = dynamic
pm.start_servers = 1
pm.max_children = 5
pm.min_spare_servers = 1
pm.max_spare_servers = 5

示例/etc/php-fpm.d/vhostname-0.conf:

[vhostname-php-fcgi-0]

user = www-data
group = www-data

listen = /var/run/php-fcgi-vhostname-php-fcgi-0.sock

listen.owner = www-data
listen.group = www-data
listen.mode = 0660

pm = dynamic
pm.max_children = 5
pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 5

注意事项

• 每个池都应该使用不同的套接字.如果您有多个池使用同一个套接字，则会出现问题.

  Directives to pay attention to

  • Every pool should use a different socket. If you have multiple pools using the same socket you'll get issues.

    指令 user 和 group 控制该池的 FPM 进程将作为哪个用户/组运行.这些不指定套接字的用户/组.

    The directives user and group control the user/group which the FPM process for that pool will run as. These do not specify the user/group of the socket.

    指令 listen.owner 和 listen.group 控制套接字用于该池的用户/组.

    The directives listen.owner and listen.group control the user/group the socket uses for that pool.

    池指令(如 listen.*)仅适用于池.所以你不能在全局部分使用它们，你必须为每个池指定它们.

    The pool directives (like listen.*) will only work for pools. So you can't use them in the global section, you have to specify them for each pool.

    当 listen.owner 和 listen.group 与 webserver 相同时，权限 0660 非常好.你甚至可以使用 0600，但有人可能会争辩说，任何可以在与 web 服务器相同的组下操作的用户也可以使用套接字，所以我会使用 0660.

    The permissions 0660 are perfectly fine when listen.owner and listen.group are the same as the webserver. You could even use 0600, but one might argue that any user that can operate under the same group as the webserver can also use the socket, so I would use 0660.

    这篇关于nginx 和 php-fpm 套接字所有者的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！