nginx and php-fpm socket owner
Just adding here that the listen.acl_users directive should be commented, otherwise, it will override the listen.owner and listen.group values:
; Set permissions for unix socket, if one is used. In Linux, read/write
; permissions must be set in order to allow connections from a web server.
; Default Values: user and group are set as the running user
; mode is set to 0660
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
; When POSIX Access Control Lists are supported you can set them using
; these options, value is a comma separated list of user/group names.
; When set, listen.owner and listen.group are ignored
;listen.acl_users = apache,nginx
Config files FPM will read
/etc/php-fpm.conf is the config file FPM will read (on CentOS). If you want FPM to read other config files as well, you need to tell it that.
You can do this by placing the line include=/etc/php-fpm.d/*.conf at the bottom of /etc/php-fpm.conf. It will then read everything in the directory /etc/php-fpm.d (that ends with .conf).
Then place the global directives and the include line in /etc/php-fpm.conf. This could look something like this:
[global]
pid = /var/run/php-fpm/php-fpm.pid
error_log = /var/log/php5-fpm.log
include=/etc/php-fpm.d/*.conf
And have a separate file in /etc/php-fpm.d for each pool.
Example /etc/php-fpm.d/global.conf:
[global-pool]
user = www-data
group = www-data
listen = /var/run/php-fcgi.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
pm = dynamic
pm.start_servers = 1
pm.max_children = 5
pm.min_spare_servers = 1
pm.max_spare_servers = 5
Example /etc/php-fpm.d/vhostname-0.conf:
[vhostname-php-fcgi-0]
user = www-data
group = www-data
listen = /var/run/php-fcgi-vhostname-php-fcgi-0.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
pm = dynamic
pm.max_children = 5
pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 5
Directives to pay attention to
Every pool should use a different socket. If you have multiple pools using the same socket you'll get issues.
The directives user and group control the user/group which the FPM process for that pool will run as. These do not specify the user/group of the socket.
The directives listen.owner and listen.group control the user/group the socket uses for that pool.
The pool directives (like listen.*) will only work for pools. So you can't use them in the global section, you have to specify them for each pool.
Socket permissions
The permissions 0660 are perfectly fine when listen.owner and listen.group are the same as the webserver. You could even use 0600, but one might argue that any user that can operate under the same group as the webserver can also use the socket, so I would use 0660.
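An added example, not part of any answer on this page: a small Python linter that checks a php-fpm configuration for the problems described above (shared sockets, listen.* in the global section, listen.acl_users overriding owner/group, and a socket the web server cannot reach). The pool names, the sample config and the web_ids parameter are assumptions made for illustration.

```python
import re

# Constructed sample: pool-b reuses pool-a's socket and sets listen.acl_users.
SAMPLE = """[global]
pid = /var/run/php-fpm/php-fpm.pid
[pool-a]
listen = /var/run/php-fcgi.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
[pool-b]
listen = /var/run/php-fcgi.sock
listen.mode = 0666
listen.acl_users = apache,nginx"""

def parse_fpm(text):  # -> {section: {directive: value}}
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif current is not None and "=" in line and not line.startswith(";"):
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return sections

def lint(text, web_ids):
    """web_ids: web server user name plus the groups it belongs to (caller-supplied)."""
    findings, sockets = [], {}
    for pool, d in parse_fpm(text).items():
        if pool == "global":  # listen.* are pool directives
            findings += [f"[global] {k} belongs in a pool section" for k in d if k.startswith("listen")]
            continue
        sock, mode = d.get("listen"), int(d.get("listen.mode", "0660"), 8)
        if sock in sockets:
            findings.append(f"[{pool}] shares socket {sock} with [{sockets[sock]}]")
        sockets.setdefault(sock, pool)
        if mode & 0o006:
            findings.append(f"[{pool}] listen.mode {mode:04o} grants access beyond owner and group")
        if "listen.acl_users" in d:  # the ACL replaces owner/group
            findings.append(f"[{pool}] listen.acl_users set: listen.owner/listen.group are ignored")
        elif not ((d.get("listen.owner") in web_ids and (mode & 0o600) == 0o600)
                  or (d.get("listen.group") in web_ids and (mode & 0o060) == 0o060)
                  or (mode & 0o006) == 0o006):
            findings.append(f"[{pool}] web server cannot connect to {sock}")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE, {"nginx"})))
```

Passing {"nginx", "www-data"} as web_ids models nginx after it has been added to the www-data group, and the "cannot connect" finding for pool-a disappears.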
everybody! That's my issue too. I just changed my fpm user to vagrant, restarted my pools and ... it's done! Here comes my conf:
user = vagrant
group = nginx
listen.owner = vagrant
listen.group = nginx
listen.mode = 0660
Hope it can help someone.
NGINX runs as user nginx and php5-fpm as user www-data. Just add nginx to group www-data and the problem is solved, and nginx can access /var/run/php5-fpm.sock. Works great with Ubuntu 14.04, nginx 1.7.10, PHP 5.5.9-1ubuntu4.6 (fpm-fcgi):
$ sudo usermod -aG www-data nginx