Question
OliverRahner
Hi,
Because I had some issues with HTTP2 and php via fcgid under Apache, I tried to switch to php_fpm.
While I was at it, I noticed a problem that I couldn't pinpoint and decided to try nginx. The issue stayed the same, basically these log entries:
nginx:
connect() to unix:/var/lib/apache2/fastcgi/domainname.de-php-fpm.socket failed (13: Permission denied) while connecting to upstream, client: xx.xx.xx.xx, server: domainname.de, request: "GET /favicon.ico HTTP/1.1", upstream: "fastcgi://unix:/var/lib/apache2/fastcgi/domainname.de-php-fpm.socket:", host: "domainname.de", referrer: "https://domainname.de/"
Apache:
(13)Permission denied: [client xx.xx.xx.xx:63318] FastCGI: failed to connect to server "/var/www/php-fpm/web2/domainname.de/ssl-fpm.external": connect() failed
The way I understand this problem:
By design, php-fpm sockets created by Froxlor have permissions which only allow the vhost user to connect.
But neither Apache nor nginx is told anywhere under which identity to connect to the socket.
The SuExecUserGroup line in the vhost config file for Apache which does this for fcgid vanished when switching to php-fpm.
I currently solved the problem by changing the line "listen.owner" inside the php-fpm pools to "www-data".
That should not lower security, because php-fpm in itself takes care that the php process runs as the vhost user.
Can someone tell me where I misunderstood the whole concept?
4 answers to this question
This topic is now archived and is closed to further replies.
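The permission check behind the two "(13) Permission denied" log entries in the question, as an added example that is not part of the original post or of Froxlor: it reads a pool's listen.owner, listen.group and listen.mode and evaluates whether a given web server identity is allowed to connect() to the socket. The pool contents and the vhost user "web2" are constructed assumptions, and directory search permissions along the socket path are not modelled.

```python
import configparser

# Constructed sample pool (an assumption, not copied from the thread).
SAMPLE_POOL = """
[domainname.de]
user = web2
group = web2
listen = /var/lib/apache2/fastcgi/domainname.de-php-fpm.socket
listen.owner = web2
listen.group = web2
listen.mode = 0660
"""

def socket_acl(pool_text):
    """Return (owner, group, mode) that php-fpm applies to the pool's socket."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(pool_text)
    pool = cp[cp.sections()[0]]
    # listen.owner / listen.group must be present; 0660 is php-fpm's default mode.
    mode = int(pool.get("listen.mode", "0660"), 8)
    return pool["listen.owner"], pool["listen.group"], mode

def can_connect(acl, user, groups):
    """Linux requires write permission on a pathname socket for connect()."""
    owner, group, mode = acl
    if user == "root":
        return True                      # root bypasses the mode bits
    if user == owner:
        return bool(mode & 0o200)        # owner write bit
    if group in groups:
        return bool(mode & 0o020)        # group write bit
    return bool(mode & 0o002)            # "other" write bit

def web_server_allowed(pool_text, user="www-data", groups=("www-data",)):
    """True if the web server identity would pass the socket permission check."""
    return can_connect(socket_acl(pool_text), user, set(groups))

if __name__ == "__main__":
    variants = {
        "socket owned by vhost user": SAMPLE_POOL,
        "listen.owner = www-data": SAMPLE_POOL.replace(
            "listen.owner = web2", "listen.owner = www-data"),
        "listen.group = www-data": SAMPLE_POOL.replace(
            "listen.group = web2", "listen.group = www-data"),
    }
    for name, text in variants.items():
        verdict = "connect ok" if web_server_allowed(text) else "EACCES (13)"
        print(f"{name:30} {socket_acl(text)[2]:o}  {verdict}")
```
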