Perfect Server for Ubuntu 16 (but with NGINX instead of Apache); socket permission issues

I'll be the first to admit that I deviated from the tutorial slightly in that I installed NGINX instead of Apache, and I used https://launchpad.net/~ondrej/ archive/ubuntu/php instead of Ubuntu's stock PHP package.

Everything appeared to go smoothly, but I'm receiving "502 Bad Gateway" from NGINX.

I added the "error_log" directive to /etc/nginx/sites-available/ispconfig.vhost to obtain further information:

Code:

2016/04/26 12:35:04 [crit] 26240#26240: *2 connect() to unix:/var/lib/php7.0-fpm/ispconfig.sock failed (13: Permission denied) while connecting to upstream, client: 192.168.56.1, server: _, request: "GET / HTTP/1.1", upstream: "fastcgi://unix:/var/lib/php7.0-fpm/ispconfig.sock:", host: "ubuntu-16-vm.example.com:8080"

I have dug-around in the FPM pool configurations and everything looks to be correct.

/etc/php/7.0/fpm/pool.d/ispconfig.conf:

Code:

[ispconfig]

listen = /var/lib/php7.0-fpm/ispconfig.sock
listen.owner = ispconfig
listen.group = ispconfig
listen.mode = 0660

user = ispconfig
group = ispconfig
; ...

The socket permissions look to be correct:

Code:

srw-rw---- 1 ispconfig ispconfig 0 Apr 26 12:55 /var/lib/php7.0-fpm/ispconfig.sock

I don't know enough about how FPM starts its processes to know if this is correct or not:

Code:

# ss -lp | grep 56004
u_str  LISTEN  0  128  /var/lib/php7.0-fpm/ispconfig.sock 56004  * 0  users:(("php-fpm7.0",pid=8427,fd=0),("php-fpm7.0",pid=8426,fd=0),("php-fpm7.0",pid=8421,fd=9))

Code:

# ps -ef | grep ispconfig
ispconf+  8426  8421  0 12:55 ?  00:00:00 php-fpm: pool ispconfig
ispconf+  8427  8421  0 12:55 ?  00:00:00 php-fpm: pool ispconfig

Does anything jump-out? What might I have overlooked?

Thank you very much for any help!

UPDATE:

I got the ISPConfig interface working, but it's not a solution; it's a workaround.

In /etc/nginx/sites-available/ispconfig.vhost, I changed

Code:

fastcgi_pass unix:/var/lib/php7.0-fpm/ispconfig.sock;

to

Code:

fastcgi_pass localhost:9000;

and in /etc/php/7.0/fpm/pool.d/ispconfig.conf I changed

Code:

listen = /var/lib/php7.0-fpm/ispconfig.sock

to

Code:

listen = 127.0.0.1:9000
listen.allowed_clients = 127.0.0.1

This still didn't work until I added the following line to /etc/hosts (presumably because the fastcgi_pass directive in the NGINX config could not resolve "localhost" without it):

Code:

127.0.0.1  ubuntu-vm.example.com ubuntu-vm localhost

I should note also that in Ubuntu 16, the order in which the above hostnames appear is important; amavis failed to be installed/started when I had the order reversed (which has always worked fine in Ubuntu 14). Apparently,

Code:

hostname --fqdn

, which amavis uses to set $hostname, returns the leftmost of the listed hostnames. Unless the FQDN notation comes first in the list, amavis fails to start.

 

Thanks for taking a look, Till! I sincerely appreciate your time, especially given that I am straying from the prescribed setup slightly.

No, this is not an LXC and I'm not using ACL on this particular system.

I created a regular Website through the ISPConfig interface to see if the same socket permission issue arises there, and indeed it does.

The specific message looks to be the same:

Code:

2016/04/27 10:27:53 [crit] 25978#25978: *11 connect() to unix:/var/lib/php7.0-fpm/web1.sock failed (13: Permission denied) while connecting to upstream, client: 192.168.56.1, server: ubuntu-16-vm.example.com, request: "GET /info.php HTTP/1.1", upstream: "fastcgi://unix:/var/lib/php7.0-fpm/web1.sock:", host: "ubuntu-16-vm.example.com"

The stat output is:

Code:

# stat /var/lib/php7.0-fpm/web1.sock
  File: '/var/lib/php7.0-fpm/web1.sock'
  Size: 0  Blocks: 0  IO Block: 4096  socket
Device: fc00h/64512d  Inode: 140238  Links: 1
Access: (0660/srw-rw----)  Uid: ( 5004/  web1)  Gid: ( 5005/ client0)
Access: 2016-04-27 10:25:03.724000000 -0400
Modify: 2016-04-27 10:25:03.724000000 -0400
Change: 2016-04-27 10:25:03.724000000 -0400
 Birth: -

The relevant pool configuration directives are:

Code:

[web1]

listen = /var/lib/php7.0-fpm/web1.sock
listen.owner = web1
listen.group = client0
listen.mode = 0660

user = web1
group = client0
; ...

It all looks correct to me.

I double-checked to ensure that apparmor was uninstalled and indeed I uninstalled it while following the guide initially.

What's weird is that even if I set the listen.mode to 0666, the message is the same.

There's nothing unusual in the PHP-FPM log... I'm not sure what to check next. Can't say I've run into this one before!

 

nginx and php-fpm have to run the same owner and group.
[web1]
listen = /var/lib/php7.0-fpm/web1.sock
listen.owner = nginx
listen.group = nginx
listen.mode = 0660
Would match and work if nginx is is running it's default group and owner of nginx
You would have to add web1 to the nginx owner and client0 to the nginx group
I'm brand new to ispconfig and just about to try a install with nginx
Hope my assumption was correct

 

Hi, Mate; thanks for replying.

One quick update: I tried installing the stock php7.0 packages that are included in Ubuntu's own repositories (I didn't use Onrej's co-installable PHP 5/7 PPA this time) and the result is exactly the same.

I'm not sure that nginx and php-fpm have to run under the same owner and group. Rather, I'm pretty sure that it works the same way that it does with filesystem permissions: as long the user under which NGINX runs has sufficient access rights to the socket files on the filesystem, everything works as expected.

I say this in part because with ISPConfig 3.0.5.4p8, NGINX runs as the "www-data" user, and my ISPConfig FPM configuration (this is for the ISPConfig interface itself) is as follows:

Code:

listen = /var/run/php/ispconfig.sock
listen.owner = ispconfig
listen.group = ispconfig
listen.mode = 0660

user = ispconfig
group = ispconfig

Also, my individual sites' pool files look like this:

Code:

[web1]

listen = /var/run/php/web1.sock
listen.owner = web1
listen.group = client2
listen.mode = 0660

user = web1
group = client2

So, the two values definitely don't have to match.

But you're on the right track, in my opinion. I think that the ISPConfig user and/or group isn't added to some other group, or vice versa.

I did try your suggestion (setting all values in question to the user/group under which NGINX is running, which is "www-data" on Ubuntu), for the sake of thoroughness, and, somewhat surprisingly, permission is still denied. But this is consistent with what I tried earlier (setting the socket file permissions to 777).

I haven't had any more time to fiddle with it, unfortunately. Again, thanks for taking a look... have you tried this setup yourself? Any luck with it?

Till, surely you've tried installing PHP-FPM + NGINX on Ubuntu 16.04 LTS as yet... but no Perfect Server tutorial? I suppose that it doesn't really necessitate its own separate tutorial, but it would be great to see a little NGINX section as an alternative.

 

I figured it out.

By default, ISPConfig is creating its PHP socket files in /var/lib/php7.0-fpm, which is owned by root:root with drwxr-x--- permissions (note the lack of execute permissions for "other"). This is why users in the www-data group cannot read the socket files.

By contrast, by default, PHP 7 packages on Ubuntu create sockets in /run/php, which is owned by www-data:www-data with drwxr-xr-x permissions.

I'm not sure by what mechanism the /var/lib/php7.0-fpm directory is created in the first place, but this fixes the whole problem:

Code:

# chown www-data:www-data /var/lib/php7.0-fpm
# systemctl restart nginx

Obviously, once the user is actually able to log into and access the ISPConfig interface (per above steps), he could change the effective socket path to match the path that the Ubuntu PHP package uses, under Server Config (left nav) -> Web (tab) -> PHP Settings (panel) -> PHP-FPM socket directory (field). The value to use would be /run/php, thereby obviating the need for this whole workaround in the first place.

That said, it's not clear how the socket path is set in /etc/php/7.0/fpm/pool.d/ispconfig.conf in the first place; changing the default socket path location through the ISPConfig interface, as described above, doesn't seem to force an update to this file. I had to update it manually.

However, when I modify an individual website through the ISPConfig interface, the socket path in the associated pool configuration file (e.g., /etc/php/7.0/fpm/pool.d/web1.conf) is indeed updated to use /var/run.

I should have referred back to my post at https://www.howtoforge.com/communit...able-php-5-6-and-7-0-package-on-ubuntu.72242/ and it probably would have saved me some time and energy here.

 

I was reading this when I was looking for a solution to the same problem.

My solution was rather changing the folder permission to 755 like all other php-fpm folder permission via "chmod 755 /var/lib/php7.2-fpm".

I don't think it is necessary to change other things as you mentioned above.