PHP-FPM socket file permission denied for particular user

[Sisir Adhikari]

My users are having this problem. It is weird because the site was working last night.

 

connect() to unix:/var/run/1-pronob-xxxx.com-php-fpm.socket failed (13: Permission denied) while connecting to upstream

The result of  

groups www-data
www-data : www-data froxlorlocal xxxx xxxx xxxx xxxx xxxx pronob

www-data is successfully added to the group of the user. So, no issue there. Permission of socket file seems to be okay too.

cd/var/run
ls -l

srw-rw----  1 pronob     pronob         0 Apr 23 07:22 1-pronob-xxxx.com-php-fpm.socket

How to further troubleshot this issue?

[d00p]

Looks all good from here. Users are correct. Ownership is correct. Most likely, if it's only very limited and temporary (1 or 2 requests) then possibly it's just a php-fpm restart or similar.

[d00p]

Hard to get anything out of this, please provide logs, vhost-config, pool-configs, list of the customers docroot/domain docroot, etc. regarding this domain and customer

[Sisir Adhikari]

Sorry, it seems all of the site having issues now. error is the same. When I change ownership of socket files to www-data:www-data sites are working.

I am looking further into this. Will post more soon.

[d00p]

Then you clearly configured something wrong - fpm runs with the customers users, the socket should NOT belong to www-data

[Sisir Adhikari]

2 minutes ago, d00p said:

the socket should NOT belong to www-data

They do not, their ownership belongs to users. I was saying when I "change" socket file ownership to www-data sites are back up.

[d00p]

yes and what I meant with "the socket should NOT belong to www-data" was that this behaviour is clearly wrong if it works after chown'ing to www-data

[Sisir Adhikari]

The problem seem to be fixed itself after a cron run. Still don't have any clue what happened.

[Sisir Adhikari]

Getting the problem again very randomly. No clue why this is happening.

 

2020/04/24 07:34:58 [crit] 1049#1049: *56685 connect() to unix:/var/run/1-pronob-xxxx.com-php-fpm.socket failed (13: Permission denied) while connecting to upstream, client: 162.158.207.135, server: xxxxx.com, request: "GET /%e0%a6%b0%e0%a6%be%e0%a6%a8%e0%a6%be%e0%a6%aa%e0%a7%8d%e0%a6%b2%e0%a6%be%e0%a6%9c%e0%a6%be-%e0%a6%86%e0%a6%b9%e0%a6%a4%e0%a6%a6%e0%a7%87%e0%a6%b0-%e0%a6%b8%e0%a7%81%e0%a6%9a%e0%a6%bf%e0%a6%95%e0%a6%bf/ HTTP/1.1", upstream: "fastcgi://unix:/var/run/1-pronob-xxxx.com-php-fpm.socket:", host: "xxxxx.com", referrer: "http://m.facebook.com/"

[d00p]

On 4/23/2020 at 9:41 AM, d00p said:

Hard to get anything out of this, please provide logs, vhost-config, pool-configs, list of the customers docroot/domain docroot, etc. regarding this domain and customer

 

[Sisir Adhikari]

Where do I find pool config?

 

Below list of configs and logs as requested.

 

Vhost Config for site:

server {
        listen 173.82.54.45:443 ssl;
        server_name xxxx.com www.xxxx.com;
        ssl_protocols TLSv1 TLSv1.2 TLSv1.3;
        ssl_ciphers ECDH+AESGCM:ECDH+AES256:!aNULL:!MD5:!DSS:!DH:!AES128;
        ssl_prefer_server_ciphers off;
        ssl_session_tickets on;
        ssl_session_cache shared:SSL:10m;
        ssl_certificate /etc/ssl/froxlor-custom/xxxx.com.crt;
        ssl_certificate_key /etc/ssl/froxlor-custom/xxxx.com.key;
        add_header Strict-Transport-Security "max-age=0";
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /etc/ssl/froxlor-custom/xxxx.com.crt;
        include /etc/apache2/conf-enabled/acme.conf;
        access_log /var/customers/logs/pronob-access.log combined;
        error_log /var/customers/logs/pronob-error.log error;
        root /var/customers/webs/pronob/xxxx.com/;
        location / {
                index index.php index.html index.htm;
                try_files $uri $uri/ @rewrites;
        }

        location @rewrites {
                rewrite ^ /index.php last;
        }

        location ~ ^(.+?\.php)(/.*)?$ {
                try_files /0f6cdec4d4006fb06b92f065192e2d00.htm @php;
        }

        location @php {
                try_files $1 =404;

                include /etc/nginx/fastcgi_params;
                fastcgi_split_path_info ^(.+?\.php)(/.*)$;
                fastcgi_param SCRIPT_FILENAME $request_filename;
                fastcgi_param PATH_INFO $2;
                fastcgi_param HTTPS on;
                fastcgi_pass unix:/var/run/1-pronob-xxxx.com-php-fpm.socket;
                fastcgi_index index.php;
        }


}

$ ls -l /var/customers/webs/pronob

-rw-r--r--  1 pronob pronob     6422 Mar  8 06:44 index.html
drwxr-xr-x 10 pronob pronob     4096 Apr 24 14:16 odhikarbd.com
drwxr-xr-x  2 pronob pronob     4096 Apr 18 18:50 pronob.server.vimohost.com
drwxr-xr-x  2 pronob pronob     4096 Apr 24 00:01 webalize

$ ls -la /var/customers/webs/pronob/odhikarbd.com

drwxr-xr-x 10 pronob pronob  4096 Apr 24 14:16 .
drwxr-xr-x  5 pronob pronob  4096 Apr 18 20:30 ..
-rw-r--r--  1 pronob pronob   227 Apr 18 20:16 active.php
drwxr-xr-x  2 pronob pronob  4096 Apr 18 20:16 cgi-bin
-rw-r--r--  1 pronob pronob    53 Apr 18 20:16 google86cdd11e02e76bd5.html
-rw-r--r--  1 pronob pronob   743 Apr 18 20:16 .htaccess__67c55ca-18180332
-rw-r--r--  1 pronob pronob   405 Apr 18 20:16 index.php
-rw-r--r--  1 pronob pronob 19915 Apr 18 20:16 license.txt
drwxr-xr-x  2 pronob pronob  4096 Apr 18 20:16 .quarantine
-rw-r--r--  1 pronob pronob  7278 Apr 18 20:16 readme.html
drwxr-xr-x  2 pronob pronob  4096 Apr 18 20:16 .tmb
drwxr-xr-x  3 pronob pronob  4096 Apr 18 20:16 .well-known
-rw-r--r--  1 pronob pronob  6912 Apr 18 20:16 wp-activate.php
drwxr-xr-x  9 pronob pronob  4096 Apr 18 20:16 wp-admin
-rw-r--r--  1 pronob pronob   351 Apr 18 20:16 wp-blog-header.php
-rw-r--r--  1 pronob pronob  2275 Apr 18 20:16 wp-comments-post.php
-rw-------  1 pronob pronob  2882 Apr 18 20:38 wp-config.php
-rw-r--r--  1 pronob pronob  2913 Apr 18 20:16 wp-config-sample.php
drwxr-xr-x 10 pronob pronob  4096 Apr 24 14:29 wp-content
-rw-r--r--  1 pronob pronob  3940 Apr 18 20:16 wp-cron.php
drwxr-xr-x 21 pronob pronob 12288 Apr 18 20:16 wp-includes
-rw-r--r--  1 pronob pronob  2496 Apr 18 20:16 wp-links-opml.php
-rw-r--r--  1 pronob pronob  3300 Apr 18 20:16 wp-load.php
-rw-r--r--  1 pronob pronob 47874 Apr 18 20:16 wp-login.php
-rw-r--r--  1 pronob pronob  8501 Apr 18 20:16 wp-mail.php
-rw-r--r--  1 pronob pronob 19396 Apr 18 20:16 wp-settings.php
-rw-r--r--  1 pronob pronob 31111 Apr 18 20:16 wp-signup.php
drwxr-xr-x  4 pronob pronob  4096 Apr 21 13:55 wp-snapshots
-rw-r--r--  1 pronob pronob  4755 Apr 18 20:16 wp-trackback.php
-rw-r--r--  1 pronob pronob  3133 Apr 18 20:16 xmlrpc.php

 

[d00p]

Pool config is in /etc/php/[version optionally]/fpm/pool.d/ 

[Sisir Adhikari]

PHP FPM 7.2 Pool config

;PHP-FPM configuration for "odhikarbd.com" created on 2020.04.24 07:35:03
[odhikarbd.com]
listen = /var/run/1-pronob-odhikarbd.com-php-fpm.socket
listen.owner = pronob
listen.group = pronob
listen.mode = 0660
user = pronob
group = pronob
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
pm.max_requests = 0
;chroot = /var/customers/webs/pronob/odhikarbd.com/
security.limit_extensions = .php
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /var/customers/tmp/pronob/
env[TMPDIR] = /var/customers/tmp/pronob/
env[TEMP] = /var/customers/tmp/pronob/
php_admin_value[session.save_path] = /var/customers/tmp/pronob/
php_admin_value[upload_tmp_dir] = /var/customers/tmp/pronob/


php_admin_flag[allow_url_fopen] = On
php_admin_flag[allow_url_include] = Off
php_value[auto_append_file] = 
php_value[auto_prepend_file] = 
php_value[default_charset] = "UTF-8"
php_flag[asp_tags] = Off
php_admin_value[disable_functions] = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,curl_multi_exec,exec,parse_ini_file,passthru,popen,proc_close,proc_get_status,proc_nice,proc_open,proc_terminate,shell_exec,show_source,system
php_flag[display_errors] = Off
php_flag[display_startup_errors] = Off
php_admin_flag[enable_dl] = Off
php_value[error_reporting] = E_ALL & ~E_DEPRECATED & ~E_STRICT & ~E_NOTICE
php_admin_flag[expose_php] = Off
php_admin_flag[file_uploads] = On
php_flag[html_errors] = On
php_admin_flag[ignore_repeated_errors] = Off
php_admin_flag[ignore_repeated_source] = Off
php_value[include_path] = ".:/usr/share/php/:/usr/share/php5/"
php_flag[log_errors] = On
php_admin_flag[log_errors] = On
php_value[log_errors_max_len] = 1024
php_flag[mail.add_x_header] = Off
php_value[max_execution_time] = 30
php_admin_value[max_input_time] = 60
php_admin_value[memory_limit] = 128M
php_admin_value[output_buffering] = 4096
php_admin_value[post_max_size] = 16M
php_admin_value[precision] = 14
php_admin_flag[register_argc_argv] = Off
php_admin_flag[report_memleaks] = On
php_admin_value[sendmail_path] = "/usr/sbin/sendmail -t -i -f xxxx@gmail.com"
php_value[session.auto_start] = 0
php_value[session.cookie_domain] = 
php_value[session.cookie_lifetime] = 0
php_value[session.cookie_path] = /
php_admin_value[session.gc_divisor] = 1000
php_admin_value[session.gc_probability] = 0
php_value[session.name] = PHPSESSID
php_value[session.serialize_handler] = php
php_flag[session.use_cookies] = 1
php_flag[short_open_tag] = On
php_value[upload_max_filesize] = 32M
php_admin_value[variables_order] = "GPCS"
php_admin_value[opcache.restrict_api] = "/var/customers/webs/pronob/odhikarbd.com/"

 

[Sisir Adhikari]

My client also reported few 522 errors from cloudflare as well. So, could it be php-fpm hanging generating gateway timeout?

[d00p]

Well the configs are generated and then the fpm daemon is just being reloaded, so this is a tiny second if at all downtime. Maybe it's cloudflare <> your host?

[Sisir Adhikari]

Can not be cloudflare but this client have good traffic in his site. Is there a way I can increase php-fpm processes for a single domain?

[d00p]

Sure, you can adjust the used process-manager (pm) and the corresponding settings regarding child-processes etc., just go to your fpm-versions/php-confgurations

[Sisir Adhikari]

Thank you for your support! I will change if necessery. Most concerning thing is the permission error right now. I will wait for next 24 hours to see if this problem persists.