PHP

nginx error connect to php5-fpm.sock failed (13: Permission denied)

nginx error connect to php5-fpm.sock failed (13: Permission denied) we update nginx to 1.4.7 and php to 5.5.12, After that I

e update nginx to 1.4.7 and php to 5.5.12, After that I got the 502 error. Before we update everything works fine.

nginx-error.log

Php Code
2014/05/03 13:27:41 [crit] 4202#0: *1 connect() to unix:/var/run/php5-fpm.sock failed (13: Permission denied) while connecting to upstream, client: xx.xxx.xx.xx, server: localhost, request: "GET / HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "xx.xx.xx.xx"
nginx.conf
Php Code
user  www www;
worker_processes  1;

        location / {
            root   /usr/home/user/public_html;
            index  index.php index.html index.htm;
        }
        location ~ [^/]\.php(/|$) {
            fastcgi_split_path_info ^(.+?\.php)(/.*)$;
            fastcgi_pass unix:/var/run/php5-fpm.sock;
            fastcgi_index index.php;
            fastcgi_param  SCRIPT_FILENAME    /usr/home/user/public_html$fastcgi_script_name;
            include fastcgi_params;
        }

  • we had a similar error after php update. PHP fixed a security bug where o had rw permission to the socket file.
  • Open /etc/php5/fpm/pool.d/www.conf or /etc/php/7.0/fpm/pool.d/www.conf, depending on your version.

Uncomment all permission lines, like:

Php Code
listen.owner = www-data
listen.group = www-data
listen.mode = 0660

Restart fpm – sudo service php5-fpm restart or sudo service php7.0-fpm restart

Note: if your webserver runs as user other than www-data, you will need to update the www.conf file accordingly

  • All the fixes currently mentioned here basically enable the security hole all over again.
  • What we ended up doing is adding the following lines to my PHP-FPM configuration file.
Php Code
listen.owner = www-data
listen.group = www-data

Make sure that www-data is actually the user the nginx worker is running as. For debian it’s www-data by default.

Doing it this way does not enable the security problem that this change was supposed to fix.

  • Make sure you have these lines uncommented in /etc/php5/fpm/pool.d/www.conf:
Php Code
listen.owner = www-data
listen.group = www-data
listen.mode = 0660

Make sure /etc/nginx/fastcgi_params looks like this:

Php Code
fastcgi_param  QUERY_STRING       $query_string;
fastcgi_param  REQUEST_METHOD     $request_method;
fastcgi_param  CONTENT_TYPE       $content_type;
fastcgi_param  CONTENT_LENGTH     $content_length;

fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
fastcgi_param  REQUEST_URI        $request_uri;
fastcgi_param  DOCUMENT_URI       $document_uri;
fastcgi_param  DOCUMENT_ROOT      $document_root;
fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
fastcgi_param  SERVER_PROTOCOL    $server_protocol;
fastcgi_param  PATH_INFO          $fastcgi_script_name;
fastcgi_param  HTTPS              $https if_not_empty;
Php Code
fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;

fastcgi_param  REMOTE_ADDR        $remote_addr;
fastcgi_param  REMOTE_PORT        $remote_port;
fastcgi_param  SERVER_ADDR        $server_addr;
fastcgi_param  SERVER_PORT        $server_port;
fastcgi_param  SERVER_NAME        $server_name;

# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param  REDIRECT_STATUS    200;

These two lines were missing from my /etc/nginx/fastcgi_params, make sure they are there!

Php Code
fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
fastcgi_param  PATH_INFO          $fastcgi_script_name;

Then, restart php5-fpm and nginx. Should do the trick.

  • In fact, “listen.mode” should be: “0660” and not “0666” as Other Writable or Other Readable is never a good choice here.
  • So try to find out as which user/group your webserver runs.

I use CentOs and it runs as user “nginx” So add to your php-fpm.conf:

Php Code
listen.owner = nginx
listen.group = nginx
listen.mode = 0660

  • Check which user runs nginx. As of Ubuntu 12.04 nginx runs by nginx user which is not a member of www-data group.
Php Code
usermod -a -G www-data nginx

and restarting nginx and php5-fpm daemons solves the problem of nginx error.

  • Alternative to broadening permissions in your php config, you could change the user specified in your nginx config.
  • On the first line of your nginx.conf excerpt above, the user and group are specified as www and www, respectively.
Php Code
user  www www;

Meanwhile, your php config probably specifies a user and group of www-data:

Php Code
listen.owner = www-data
listen.group = www-data

You might change the line in your nginx.conf, to any of the following, then:

Php code
user www-data www;
user www-data www-data; # or any group, really, since you have the user matching
user www www-data; # requires that your php listen.mode gives rw access to the group

  • Consideration must also be given to your individual FPM pools, if any.
  • The listen.user and listen.group were duplicated on a per-pool basis.
  • If you used pools for different user accounts like, where each user account owns their FPM processes and sockets, setting only the default listen.owner and listen.group configuration options to ‘nginx’ will simply not work.
  • And obviously, letting ‘nginx‘ own them all is not acceptable either.

For each pool, make sure that

Php Code
listen.group = nginx

Otherwise, you can leave the pool’s ownership and such alone.

  • Simple but works..
Php Code
listen.owner = nginx
listen.group = nginx
chown nginx:nginx /var/run/php-fpm/php-fpm.sock

About the author

Wikitechy Editor

Wikitechy Founder, Author, International Speaker, and Job Consultant. My role as the CEO of Wikitechy, I help businesses build their next generation digital platforms and help with their product innovation and growth strategy. I'm a frequent speaker at tech conferences and events.

2 Comments

Click here to post a comment