nginx and php-fpm socket owner


Problem description


After an update of my system I ran into a bad gateway error with my PHP apps running on Nginx.

*1 connect() to unix:/var/run/php-fcgi-vhostname-php-fcgi-0.sock failed (13: Permission denied) while connecting to upstream, client: xx.xxx.xx.xx, server: localhost, request: "GET / HTTP/1.1", upstream: "fastcgi://unix:/var/run/php-fcgi-vhostname-php-fcgi-0.sock:", host: "xx.xx.xx.xx"

The problem is caused by bad permissions on the php-fpm sockets used; in fact I see /var/run/php-fcgi.sock owned by root:root, but nginx and php-fpm run as user www-data.

I've already edited the php-fpm config at /etc/php-fpm.d/www.conf with:

listen.owner = www-data
listen.group = www-data
listen.mode = 0660

but it doesn't solve the problem, and when I restart nginx and php-fpm the sockets are created with root:root as user/group.

The only way I've found to fix it is to change the owner of the sockets to www-data:www-data manually. But this is not a real solution because every time I restart my services I have to apply it again.

How can I fix this problem? I'm on CentOS 6.5

Edit:

I use Ajenti-V to configure my vhosts and my PHP-FPM. It creates a new socket for each website/vhost, and they are set in /etc/php-fpm.conf

They have this structure:

[vhostname-php-fcgi-0]
user = www-data
group = www-data

listen = /var/run/php-fcgi-vhostname-php-fcgi-0.sock

pm = dynamic
pm.max_children = 5
pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 5

If I add to each entry these strings:

listen.owner = www-data
listen.group = www-data
listen.mode = 0666

Everything works correctly.

So it looks like the www.conf is not included (maybe?). This is my php-fpm.conf:

[global]
pid = /var/run/php-fpm/php-fpm.pid
error_log = /var/log/php5-fpm.log


[global-pool]
user = www-data
group = www-data
listen = /var/run/php-fcgi.sock

pm = dynamic
pm.start_servers = 1
pm.max_children = 5
pm.min_spare_servers = 1
pm.max_spare_servers = 5


[vhostname-php-fcgi-0]
user = www-data
group = www-data

listen = /var/run/php-fcgi-vhostname-php-fcgi-0.sock

pm = dynamic
pm.max_children = 5
pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 5

Solution

Config files FPM will read

/etc/php-fpm.conf is the config file FPM will read (on CentOS). If you want FPM to read other config files as well, you need to tell it that.

You can do this by placing the line include=/etc/php-fpm.d/*.conf at the bottom of /etc/php-fpm.conf. It will then read everything in the directory /etc/php-fpm.d (that ends with .conf).

Then place the global directives and the include line in /etc/php-fpm.conf. This could look something like this:

[global]

pid = /var/run/php-fpm/php-fpm.pid
error_log = /var/log/php5-fpm.log

include=/etc/php-fpm.d/*.conf

And have a separate file in /etc/php-fpm.d for each pool.

Example /etc/php-fpm.d/global.conf:

[global-pool]

user = www-data
group = www-data

listen = /var/run/php-fcgi.sock

listen.owner = www-data
listen.group = www-data
listen.mode = 0660

pm = dynamic
pm.start_servers = 1
pm.max_children = 5
pm.min_spare_servers = 1
pm.max_spare_servers = 5

Example /etc/php-fpm.d/vhostname-0.conf:

[vhostname-php-fcgi-0]

user = www-data
group = www-data

listen = /var/run/php-fcgi-vhostname-php-fcgi-0.sock

listen.owner = www-data
listen.group = www-data
listen.mode = 0660

pm = dynamic
pm.max_children = 5
pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 5

Directives to pay attention to

  • Every pool should use a different socket. If you have multiple pools using the same socket you'll get issues.

  • The directives user and group control the user/group which the FPM process for that pool will run as. These do not specify the user/group of the socket.

  • The directives listen.owner and listen.group control the user/group the socket uses for that pool.

  • The pool directives (like listen.*) will only work for pools. So you can't use them in the global section; you have to specify them for each pool.

Socket permissions

The permissions 0660 are perfectly fine when listen.owner and listen.group are the same as the webserver. You could even use 0600, but one might argue that any user that can operate under the same group as the webserver can also use the socket, so I would use 0660.
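As an added example (not part of the original answer and not PHP-FPM's own tooling), the Python script below follows the `include=` lines the way the answer describes and reports the socket mistakes raised in this thread: pools without `listen.owner`/`listen.group`/`listen.mode`, the world-writable `0666` workaround (which lets any local account connect to the pool), `listen.*` placed in `[global]`, and two pools sharing one socket. The function names `read_sections`, `audit` and `demo` are hypothetical, and the sample configuration is constructed in a temporary directory.

```python
import glob, os, pathlib, re, tempfile

def read_sections(path, sections=None):
    """Parse php-fpm INI into {section: {key: value}}, following include= globs."""
    sections = {} if sections is None else sections
    current = None
    with open(path) as fh:
        for raw in fh:
            line = raw.split(";", 1)[0].strip()        # ';' starts a comment
            header = re.fullmatch(r"\[(.+)\]", line)
            if header:
                current = sections.setdefault(header.group(1), {})
            elif "=" in line:
                key, value = (part.strip() for part in line.split("=", 1))
                if key == "include":                   # FPM only reads files it is told to
                    for inc in sorted(glob.glob(value)):
                        read_sections(inc, sections)
                elif current is not None:
                    current[key] = value
    return sections

def audit(sections):
    """Return findings for the socket mistakes discussed in the question and answer."""
    findings, by_socket = [], {}
    for name, cfg in sections.items():
        if name == "global":                           # listen.* only works inside a pool
            findings += [f"global: {k} is a pool directive" for k in cfg if k.startswith("listen")]
        elif (sock := cfg.get("listen", "")).startswith("/"):   # unix socket, not TCP
            by_socket.setdefault(sock, []).append(name)
            findings += [f"{name}: listen.{k} not set"
                         for k in ("owner", "group", "mode") if f"listen.{k}" not in cfg]
            if int(cfg.get("listen.mode", "0"), 8) & 0o002:
                findings.append(f"{name}: listen.mode {cfg['listen.mode']} is world-writable")
    findings += [f"{s}: shared by pools {', '.join(p)}" for s, p in by_socket.items() if len(p) > 1]
    return findings

def demo():
    """Constructed sample: a pool without listen.* plus an included pool using 0666."""
    with tempfile.TemporaryDirectory() as d:
        os.mkdir(f"{d}/php-fpm.d")
        pathlib.Path(d, "php-fpm.conf").write_text(
            "[global]\npid = /var/run/php-fpm/php-fpm.pid\n[global-pool]\nuser = www-data\n"
            f"listen = /var/run/php-fcgi.sock\ninclude={d}/php-fpm.d/*.conf\n")
        pathlib.Path(d, "php-fpm.d", "vhostname-0.conf").write_text(
            "[vhostname-php-fcgi-0]\nlisten = /var/run/php-fcgi-vhostname-php-fcgi-0.sock\n"
            "listen.owner = www-data\nlisten.group = www-data\nlisten.mode = 0666\n")
        return audit(read_sections(f"{d}/php-fpm.conf"))

if __name__ == "__main__":
    print("\n".join(demo()))
```

To check a real host, call `audit(read_sections("/etc/php-fpm.conf"))`; a pool file that never shows up in the parsed sections is one FPM is not reading either.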
