{"id":3425,"date":"2017-04-02T13:11:13","date_gmt":"2017-04-02T07:41:13","guid":{"rendered":"https:\/\/www.wikitechy.com\/technology\/?p=3425"},"modified":"2018-10-30T10:45:59","modified_gmt":"2018-10-30T05:15:59","slug":"nginx-error-connect-to-php5-fpm-sock-failed-13-permission-denied","status":"publish","type":"post","link":"https:\/\/www.wikitechy.com\/technology\/nginx-error-connect-to-php5-fpm-sock-failed-13-permission-denied\/","title":{"rendered":"nginx error connect to php5-fpm.sock failed (13: Permission denied)"},"content":{"rendered":"<p>We updated nginx to 1.4.7 and <a href=\"https:\/\/www.wikitechy.com\/php\/php-programming\" target=\"_blank\" rel=\"noopener\">php<\/a> to 5.5.12. After that I got the 502 error. Before the update everything worked fine.<\/p>\n<p><strong>nginx-error.log<\/strong><\/p>\n<pre><code>2014\/05\/03 13:27:41 [crit] 4202#0: *1 connect() to unix:\/var\/run\/php5-fpm.sock failed (13: Permission denied) while connecting to upstream, client: xx.xxx.xx.xx, server: localhost, request: \"GET \/ HTTP\/1.1\", upstream: \"fastcgi:\/\/unix:\/var\/run\/php5-fpm.sock:\", host: \"xx.xx.xx.xx\"<\/code><\/pre>\n<p><strong>nginx.conf<\/strong><\/p>\n<pre><code>user  www www;\nworker_processes  1;\n\n        location \/ {\n            root   \/usr\/home\/user\/public_html;\n            index  index.php index.html index.htm;\n        }\n        location ~ [^\/]\\.php(\/|$) {\n            fastcgi_split_path_info ^(.+?\\.php)(\/.*)$;\n            fastcgi_pass unix:\/var\/run\/php5-fpm.sock;\n            fastcgi_index index.php;\n            fastcgi_param  SCRIPT_FILENAME    \/usr\/home\/user\/public_html$fastcgi_script_name;\n            include fastcgi_params;\n        }<\/code><\/pre>\n<h3 id=\"solution-1\"><span style=\"color: #003300;\"><label class=\"label label-info\">SOLUTION 1:<\/label><\/span><\/h3>\n<ul>\n<li>We had a similar error after the PHP update. 
PHP fixed a security bug where others (o) had <strong>rw<\/strong> permission to the <a href=\"https:\/\/www.wikitechy.com\/tutorials\/socket\/simple-way-to-emit-messages-by-user-id\" target=\"_blank\" rel=\"noopener\">socket<\/a> file.<\/li>\n<li>Open <strong>\/etc\/php5\/fpm\/pool.d\/www.conf<\/strong> or <strong>\/etc\/php\/7.0\/fpm\/pool.d\/www.conf<\/strong>, depending on your version.<\/li>\n<\/ul>\n<p><strong>Uncomment all permission lines, like:<\/strong><\/p>\n<pre><code>listen.owner = www-data\nlisten.group = www-data\nlisten.mode = 0660<\/code><\/pre>\n<p>Restart <strong>fpm<\/strong>: <code>sudo service php5-fpm restart<\/code> or <code>sudo service php7.0-fpm restart<\/code>.<\/p>\n<p><strong>Note:<\/strong> if your web server runs as a user other than www-data, you will need to update the <strong>www.conf<\/strong> file accordingly.<\/p>\n<h3 id=\"solution-2\"><span style=\"color: #003300;\"><label class=\"label label-info\">SOLUTION 2:<\/label><\/span><\/h3>\n<ul>\n<li>All the fixes currently mentioned here basically enable the security hole all over again.<\/li>\n<li>What we ended up doing is adding the following lines to our <strong>PHP-FPM<\/strong> configuration file.<\/li>\n<\/ul>\n<pre><code>listen.owner = www-data\nlisten.group = www-data<\/code><\/pre>\n<p>Make sure that www-data is actually the user the <a href=\"https:\/\/www.wikitechy.com\/tutorials\/apache\/apache-vs-nginx\" target=\"_blank\" rel=\"noopener\">nginx<\/a> worker is running as. 
For <strong>Debian<\/strong> it\u2019s <strong>www-data<\/strong> by default.<\/p>\n<p>Doing it this way does not re-enable the security problem that this change was supposed to fix.<\/p>\n<h3 id=\"solution-3\"><span style=\"color: #003300;\"><strong><label class=\"label label-info\">SOLUTION 3:<\/label><\/strong><\/span><\/h3>\n<ul>\n<li>Make sure you have these lines uncommented in <strong>\/etc\/php5\/fpm\/pool.d\/www.conf<\/strong>:<\/li>\n<\/ul>\n<pre><code>listen.owner = www-data\nlisten.group = www-data\nlisten.mode = 0660<\/code><\/pre>\n<p><strong>Make sure \/etc\/nginx\/fastcgi_params looks like this:<\/strong><\/p>\n<pre><code>fastcgi_param  QUERY_STRING       $query_string;\nfastcgi_param  REQUEST_METHOD     $request_method;\nfastcgi_param  CONTENT_TYPE       $content_type;\nfastcgi_param  CONTENT_LENGTH     $content_length;\n\nfastcgi_param  SCRIPT_NAME        $fastcgi_script_name;\nfastcgi_param  REQUEST_URI        $request_uri;\nfastcgi_param  DOCUMENT_URI       $document_uri;\nfastcgi_param  DOCUMENT_ROOT      $document_root;\nfastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;\nfastcgi_param  SERVER_PROTOCOL    $server_protocol;\nfastcgi_param  PATH_INFO          $fastcgi_script_name;\nfastcgi_param  HTTPS              $https if_not_empty;\n\nfastcgi_param  GATEWAY_INTERFACE  CGI\/1.1;\nfastcgi_param  SERVER_SOFTWARE    nginx\/$nginx_version;\n\nfastcgi_param  REMOTE_ADDR        $remote_addr;\nfastcgi_param  REMOTE_PORT        $remote_port;\nfastcgi_param  SERVER_ADDR        $server_addr;\nfastcgi_param  SERVER_PORT        $server_port;\nfastcgi_param  SERVER_NAME        $server_name;\n\n# PHP only, required if PHP was built with --enable-force-cgi-redirect\nfastcgi_param  REDIRECT_STATUS    200;<\/code><\/pre>\n<p>These two lines were missing from my <strong>\/etc\/nginx\/fastcgi_params<\/strong>; make sure they are there!<\/p>\n<pre><code>fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;\nfastcgi_param  PATH_INFO          $fastcgi_script_name;<\/code><\/pre>\n<p>Then, <strong>restart<\/strong> php5-fpm and nginx. 
That should do the trick.<\/p>\n<h3 id=\"solution-4\"><span style=\"color: #003300;\"><label class=\"label label-info\">SOLUTION 4:<\/label><\/span><\/h3>\n<ul>\n<li>In fact, \u201c<strong>listen.mode<\/strong>\u201d should be \u201c<strong>0660<\/strong>\u201d and not \u201c<strong>0666<\/strong>\u201d, as Other Writable or Other Readable is never a good choice here.<\/li>\n<li>So find out which user\/group your <a href=\"https:\/\/www.wikitechy.com\/tutorials\/apache\/apache-web-server\" target=\"_blank\" rel=\"noopener\">webserver<\/a> runs as.<\/li>\n<\/ul>\n<p><strong>I use CentOS and it runs as user \u201cnginx\u201d, so add to your php-fpm.conf:<\/strong><\/p>\n<pre><code>listen.owner = nginx\nlisten.group = nginx\nlisten.mode = 0660<\/code><\/pre>\n<h3 id=\"solution-5\"><span style=\"color: #003300;\"><label class=\"label label-info\">SOLUTION 5:<\/label><\/span><\/h3>\n<ul>\n<li>Check which user runs <strong>nginx<\/strong>. 
As of <a href=\"https:\/\/www.wikitechy.com\/technology\/hack-wifi-passwords-ubuntu\/\" target=\"_blank\" rel=\"noopener\">Ubuntu<\/a> 12.04, nginx runs as the nginx user, which is not a member of the www-data group.<\/li>\n<\/ul>\n<pre><code>usermod -a -G www-data nginx<\/code><\/pre>\n<p>Running this and <strong>restarting<\/strong> the nginx and php5-fpm daemons solves the nginx error.<\/p>\n<h3 id=\"solution-6\"><span style=\"color: #003300;\"><label class=\"label label-info\">SOLUTION 6:<\/label><\/span><\/h3>\n<ul>\n<li>As an alternative to broadening permissions in your <strong>php config<\/strong>, you could change the user specified in your nginx config.<\/li>\n<li>On the first line of your <strong>nginx.conf<\/strong> excerpt above, the user and group are specified as www and www, respectively.<\/li>\n<\/ul>\n<pre><code>user  www www;<\/code><\/pre>\n<p><strong>Meanwhile, your php config probably specifies a user and group of www-data:<\/strong><\/p>\n<pre><code>listen.owner = www-data\nlisten.group = www-data<\/code><\/pre>\n<p><strong>You might then change the line in your nginx.conf to any of the following:<\/strong><\/p>\n<pre><code>user www-data www;\nuser www-data www-data; # or any group, really, since you have the user matching\nuser www www-data; # requires that your php listen.mode gives rw access to the group<\/code><\/pre>\n<h3 id=\"solution-7\"><span style=\"color: #003300;\"><label class=\"label 
label-info\">SOLUTION 7:<\/label><\/span><\/h3>\n<ul>\n<li>Consideration must also be given to your individual <strong>FPM pools<\/strong>, if any.<\/li>\n<li>The <strong>listen.owner<\/strong> and <strong>listen.group<\/strong> were duplicated on a per-pool basis.<\/li>\n<li>If you use pools for different user accounts, where each user account owns its FPM processes and sockets, setting only the default <strong>listen.owner and listen.group<\/strong> configuration options to \u2018nginx\u2019 will simply not work.<\/li>\n<li>And obviously, letting \u2018<strong>nginx<\/strong>\u2019 own them all is not acceptable either.<\/li>\n<\/ul>\n<p>For each pool, make sure that the following is set:<\/p>\n<pre><code>listen.group = nginx<\/code><\/pre>\n<p>Otherwise, you can leave the pool\u2019s ownership and such alone.<\/p>\n<h3 id=\"solution-8\"><span style=\"color: #003300;\"><label class=\"label label-info\">SOLUTION 8:<\/label><\/span><\/h3>\n<ul>\n<li>Simple, but it works.<\/li>\n<\/ul>\n<pre><code>listen.owner = nginx\nlisten.group = nginx\nchown nginx:nginx \/var\/run\/php-fpm\/php-fpm.sock<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>nginx error connect to php5-fpm.sock failed (13: Permission denied) we update nginx to 1.4.7 and php to 5.5.12, After that 
I<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[25],"tags":[6335,6342,6333,6341,6340,6344,6343,6339,6345,6338,6336,6334,6337],"class_list":["post-3425","post","type-post","status-publish","format-standard","hentry","category-php","tag-connect-to-unixvarrunphp5-fpm-sock-failed-what-is-wrong-with-my-setup","tag-connect-failed-to-open-php5-fpm-sock","tag-failed-104-connection-reset-by-peer","tag-info-php","tag-installing-nginx","tag-nginx-permission-denied-error-on-alpine-drupal-8-docker-image","tag-nginx-php5-6-permission-eror","tag-nginx-stat-failed-13-permission-denied","tag-nginx-connect-to-unixvarrunphp7-0-fpm-sock-failed-2-no-such-file-or-directory","tag-php5-fpm","tag-random-unixtmpphp5-fpm-sock-failed","tag-share-nginx-server-configuration","tag-yet-another-fastcgi-primary-script-unknown-error-nginx"],"_links":{"self":[{"href":"https:\/\/www.wikitechy.com\/technology\/wp-json\/wp\/v2\/posts\/3425","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.wikitechy.com\/technology\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.wikitechy.com\/technology\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.wikitechy.com\/technology\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.wikitechy.com\/technology\/wp-json\/wp\/v2\/comments?post=3425"}],"version-history":[{"count":0,"href":"https:\/\/www.wikitechy.com\/technology\/wp-json\/wp\/v2\/posts\/3425\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.wikitechy.com\/technology\/wp-json\/wp\/v2\/media?parent=3425"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.wikitechy.com\/technology\/wp-json\/wp\/v2\/categories?post=3425"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.wikitechy.com\/technology\/wp-json\/wp\/v2\/tags?post=3425"}],"curies"
:[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}