Nginx FastCGI cache directory permissions problem

Discussion in 'Tips/Tricks/Mods' started by Sergio W., Jun 25, 2025.

  1. Sergio W.

    Sergio W. Member

    Hi everyone,
    I'm really struggling with a persistent file permission issue with Nginx's fastcgi_cache, and I'm hoping someone can spot what I'm doing wrong.
    I need Nginx to create its cache files with 664 permissions. This is so WordPress can purge the cache files created by Nginx. The core of the conflict is that Nginx creates the cache files as www-data:www-data, but the PHP-FPM process that needs to purge them runs as web1:client1.

    The problem is that no matter what I try, Nginx creates the cache files in /var/cache/nginx/fastcgi/ with strict 600 (-rw-------) permissions, completely locking out my WordPress Purge Cache Plugin.

    I feel like I've tried everything. Here's a quick list of my failed attempts:
    • My main attempt was to set the UMask for the Nginx service to 0002 using a systemd override. I've verified that the nginx worker process itself correctly inherits this umask (by checking its status in /proc), but it still creates files with 600 permissions.
    • Then I tried to force permissions at the filesystem level using default ACLs (setfacl -d -m...) on the cache directory. Incredibly, this also failed. The new files are still created with 600 permissions, as if Nginx is stripping or ignoring the ACLs.
    I'm at a loss. It feels like something in the environment is forcing Nginx to ignore any attempts to change the permissions of the files it creates. Has anyone else run into this wall? Does somebody know how to solve this?

    Thanks :)
     
  2. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    ran into this problem before.. never found a solution and gave up on it.

    here's what i posted on it before: https://forum.howtoforge.com/threads/vhost-templates.93100/
    relevant part starts with post #8 or post #9...
    hopefully something there helps you...

    if you do get it working i'd definitely like to know what your final config is so i could have another go at it..
     
    ahrasis likes this.
  3. Sergio W.

    Sergio W. Member

    Thanks for sharing that link. I've just had a look at it, but unfortunately, the suggestions there (starting from post #8 or #9) cover things I've already tried without success. For me, the only solution that is currently working is a cron job that runs every minute to set the correct group and permissions (chmod 774) on the cache folder, assigning ownership to the php-fpm group.
    This is the script I'm using:

    # Re-own and re-permission only cache entries changed within the last minute
    if [ -d "/var/cache/nginx/fastcgi/website.domain" ]; then
        find "/var/cache/nginx/fastcgi/website.domain" \( -type f -o -type d \) -mmin -1 -exec chown :client1 {} \; -exec chmod 0774 {} \;
    fi

    It's crucial that the script only acts on files modified or created within the last minute (-mmin -1); otherwise, the disk I/O operations become excessive.

    On the WordPress side, for cache purging, I developed my own proprietary plugin. However, I've found that the "Nginx Helper" plugin also works well if you define the RT_WP_NGINX_HELPER_CACHE_PATH constant in your wp-config.php file, pointing it to the absolute path of the cache directory. For example:

    define('RT_WP_NGINX_HELPER_CACHE_PATH', '/var/cache/nginx/fastcgi/website.domain');

    Even though this setup has been 100% functional for a long time now with no side effects, I'd still prefer to find a "cleaner" solution.
     
    ahrasis likes this.
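
Added example (not part of the original posts, and not nginx's own code): a Python sketch of why the umask override from the first post changes nothing if the creating process passes an explicit 0600 mode to open(), which is assumed here to be what happens for the cache files. The umask can only clear bits from that mode, while a later chmod, like the one the cron job above runs, is not filtered by it.

```python
import os
import stat
import tempfile


def resulting_mode(open_mode, umask, chmod_to=None):
    """Create a file with an explicit open() mode under `umask` and return
    the permission bits it ends up with. If `chmod_to` is given, apply it
    afterwards, as a separate fix-up job would."""
    previous = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as workdir:
            path = os.path.join(workdir, "cache-entry")  # constructed sample
            # Final bits = open_mode & ~umask. The umask only clears bits.
            # With a default ACL on the directory the umask is ignored, but
            # inherited entries are still limited to what open_mode grants.
            fd = os.open(path, os.O_CREAT | os.O_EXCL | os.O_RDWR, open_mode)
            os.close(fd)
            if chmod_to is not None:
                os.chmod(path, chmod_to)  # chmod() is not filtered by umask
            return stat.S_IMODE(os.stat(path).st_mode)
    finally:
        os.umask(previous)


if __name__ == "__main__":
    cases = [
        ("open 0600, umask 0002", resulting_mode(0o600, 0o002)),
        ("open 0666, umask 0002", resulting_mode(0o666, 0o002)),
        ("open 0600, umask 0002, then chmod 0664",
         resulting_mode(0o600, 0o002, chmod_to=0o664)),
    ]
    for label, mode in cases:
        print("%-40s -> %04o" % (label, mode))
```
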
  4. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Cron is fine, but if you are looking to run the script only when the permission is changed, this can be done via a systemd approach (Th0m wrote a few on this), or the old incron (Th0m and my old script for securing ISPConfig and other services has that too). You can also use monit.

    And yes, I don't think any of the above suggestions is a clear solution either, but they "may be" better than running cron every minute.
     
  5. Sergio W.

    Sergio W. Member

    Thanks ahrasis, do you have a link?
     
  6. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Below is using monit, since it is already there and running on most new ISPConfig servers, so first create /etc/monit/conf-available/nginx-fastcgi-cache.conf and add this inside it:
    Code:
    # The path is a directory, so it is checked with "check directory" rather than "check file"
    check directory nginx_fastcgi_cache with path /var/cache/nginx/fastcgi/website.domain
      if changed permission then exec "/bin/chmod 744 /var/cache/nginx/fastcgi/website.domain"
      # You might also want to alert if it changes
      # if changed permission then alert
    
    Copy that file to /etc/monit/conf-enabled/nginx-fastcgi-cache.conf
    Test it with "monit -t", and if all ok, then run:
    Code:
    systemctl reload monit
    systemctl enable monit
    monit status
    
    Monit daemon default is 2 minutes (120 seconds), so change in /etc/monit/monitrc to "set daemon 60" if you want it to check every minute.

    This is not tested.
     
    till likes this.
