I'll be the first to admit that I deviated from the tutorial slightly in that I installed NGINX instead of Apache, and I used https://launchpad.net/~ondrej/ archive/ubuntu/php instead of Ubuntu's stock PHP package. Everything appeared to go smoothly, but I'm receiving "502 Bad Gateway" from NGINX. I added the "error_log" directive to /etc/nginx/sites-available/ispconfig.vhost to obtain further information: Code: 2016/04/26 12:35:04 [crit] 26240#26240: *2 connect() to unix:/var/lib/php7.0-fpm/ispconfig.sock failed (13: Permission denied) while connecting to upstream, client: 192.168.56.1, server: _, request: "GET / HTTP/1.1", upstream: "fastcgi://unix:/var/lib/php7.0-fpm/ispconfig.sock:", host: "ubuntu-16-vm.example.com:8080" I have dug-around in the FPM pool configurations and everything looks to be correct. /etc/php/7.0/fpm/pool.d/ispconfig.conf: Code: [ispconfig] listen = /var/lib/php7.0-fpm/ispconfig.sock listen.owner = ispconfig listen.group = ispconfig listen.mode = 0660 user = ispconfig group = ispconfig ; ... The socket permissions look to be correct: Code: srw-rw---- 1 ispconfig ispconfig 0 Apr 26 12:55 /var/lib/php7.0-fpm/ispconfig.sock I don't know enough about how FPM starts its processes to know if this is correct or not: Code: # ss -lp | grep 56004 u_str LISTEN 0 128 /var/lib/php7.0-fpm/ispconfig.sock 56004 * 0 users:(("php-fpm7.0",pid=8427,fd=0),("php-fpm7.0",pid=8426,fd=0),("php-fpm7.0",pid=8421,fd=9)) Code: # ps -ef | grep ispconfig ispconf+ 8426 8421 0 12:55 ? 00:00:00 php-fpm: pool ispconfig ispconf+ 8427 8421 0 12:55 ? 00:00:00 php-fpm: pool ispconfig Does anything jump-out? What might I have overlooked? Thank you very much for any help! UPDATE: I got the ISPConfig interface working, but it's not a solution; it's a workaround. In /etc/nginx/sites-available/ispconfig.vhost, I changed Code: fastcgi_pass unix:/var/lib/php7.0-fpm/ispconfig.sock; to Code: fastcgi_pass localhost:9000; and in /etc/php/7.0/fpm/pool.d/ispconfig.conf I changed Code: listen = /var/lib/php7.0-fpm/ispconfig.sock to Code: listen = 127.0.0.1:9000 listen.allowed_clients = 127.0.0.1 This still didn't work until I added the following line to /etc/hosts (presumably because the fastcgi_pass directive in the NGINX config could not resolve "localhost" without it): Code: 127.0.0.1 ubuntu-vm.example.com ubuntu-vm localhost I should note also that in Ubuntu 16, the order in which the above hostnames appear is important; amavis failed to be installed/started when I had the order reversed (which has always worked fine in Ubuntu 14). Apparently, Code: hostname --fqdn , which amavis uses to set $hostname, returns the leftmost of the listed hostnames. Unless the FQDN notation comes first in the list, amavis fails to start.
Thanks for taking a look, Till! I sincerely appreciate your time, especially given that I am straying from the prescribed setup slightly. No, this is not an LXC and I'm not using ACL on this particular system. I created a regular Website through the ISPConfig interface to see if the same socket permission issue arises there, and indeed it does. The specific message looks to be the same: Code: 2016/04/27 10:27:53 [crit] 25978#25978: *11 connect() to unix:/var/lib/php7.0-fpm/web1.sock failed (13: Permission denied) while connecting to upstream, client: 192.168.56.1, server: ubuntu-16-vm.example.com, request: "GET /info.php HTTP/1.1", upstream: "fastcgi://unix:/var/lib/php7.0-fpm/web1.sock:", host: "ubuntu-16-vm.example.com" The stat output is: Code: # stat /var/lib/php7.0-fpm/web1.sock File: '/var/lib/php7.0-fpm/web1.sock' Size: 0 Blocks: 0 IO Block: 4096 socket Device: fc00h/64512d Inode: 140238 Links: 1 Access: (0660/srw-rw----) Uid: ( 5004/ web1) Gid: ( 5005/ client0) Access: 2016-04-27 10:25:03.724000000 -0400 Modify: 2016-04-27 10:25:03.724000000 -0400 Change: 2016-04-27 10:25:03.724000000 -0400 Birth: - The relevant pool configuration directives are: Code: [web1] listen = /var/lib/php7.0-fpm/web1.sock listen.owner = web1 listen.group = client0 listen.mode = 0660 user = web1 group = client0 ; ... It all looks correct to me. I double-checked to ensure that apparmor was uninstalled and indeed I uninstalled it while following the guide initially. What's weird is that even if I set the listen.mode to 0666, the message is the same. There's nothing unusual in the PHP-FPM log... I'm not sure what to check next. Can't say I've run into this one before!
nginx and php-fpm have to run the same owner and group. [web1] listen = /var/lib/php7.0-fpm/web1.sock listen.owner = nginx listen.group = nginx listen.mode = 0660 Would match and work if nginx is is running it's default group and owner of nginx You would have to add web1 to the nginx owner and client0 to the nginx group I'm brand new to ispconfig and just about to try a install with nginx Hope my assumption was correct
Hi, Mate; thanks for replying. One quick update: I tried installing the stock php7.0 packages that are included in Ubuntu's own repositories (I didn't use Onrej's co-installable PHP 5/7 PPA this time) and the result is exactly the same. I'm not sure that nginx and php-fpm have to run under the same owner and group. Rather, I'm pretty sure that it works the same way that it does with filesystem permissions: as long the user under which NGINX runs has sufficient access rights to the socket files on the filesystem, everything works as expected. I say this in part because with ISPConfig 3.0.5.4p8, NGINX runs as the "www-data" user, and my ISPConfig FPM configuration (this is for the ISPConfig interface itself) is as follows: Code: listen = /var/run/php/ispconfig.sock listen.owner = ispconfig listen.group = ispconfig listen.mode = 0660 user = ispconfig group = ispconfig Also, my individual sites' pool files look like this: Code: [web1] listen = /var/run/php/web1.sock listen.owner = web1 listen.group = client2 listen.mode = 0660 user = web1 group = client2 So, the two values definitely don't have to match. But you're on the right track, in my opinion. I think that the ISPConfig user and/or group isn't added to some other group, or vice versa. I did try your suggestion (setting all values in question to the user/group under which NGINX is running, which is "www-data" on Ubuntu), for the sake of thoroughness, and, somewhat surprisingly, permission is still denied. But this is consistent with what I tried earlier (setting the socket file permissions to 777). I haven't had any more time to fiddle with it, unfortunately. Again, thanks for taking a look... have you tried this setup yourself? Any luck with it? Till, surely you've tried installing PHP-FPM + NGINX on Ubuntu 16.04 LTS as yet... but no Perfect Server tutorial? I suppose that it doesn't really necessitate its own separate tutorial, but it would be great to see a little NGINX section as an alternative.
I figured it out. By default, ISPConfig is creating its PHP socket files in /var/lib/php7.0-fpm, which is owned by root:root with drwxr-x--- permissions (note the lack of execute permissions for "other"). This is why users in the www-data group cannot read the socket files. By contrast, by default, PHP 7 packages on Ubuntu create sockets in /run/php, which is owned by www-data:www-data with drwxr-xr-x permissions. I'm not sure by what mechanism the /var/lib/php7.0-fpm directory is created in the first place, but this fixes the whole problem: Code: # chown www-data:www-data /var/lib/php7.0-fpm # systemctl restart nginx Obviously, once the user is actually able to log into and access the ISPConfig interface (per above steps), he could change the effective socket path to match the path that the Ubuntu PHP package uses, under Server Config (left nav) -> Web (tab) -> PHP Settings (panel) -> PHP-FPM socket directory (field). The value to use would be /run/php, thereby obviating the need for this whole workaround in the first place. That said, it's not clear how the socket path is set in /etc/php/7.0/fpm/pool.d/ispconfig.conf in the first place; changing the default socket path location through the ISPConfig interface, as described above, doesn't seem to force an update to this file. I had to update it manually. However, when I modify an individual website through the ISPConfig interface, the socket path in the associated pool configuration file (e.g., /etc/php/7.0/fpm/pool.d/web1.conf) is indeed updated to use /var/run. I should have referred back to my post at https://www.howtoforge.com/communit...able-php-5-6-and-7-0-package-on-ubuntu.72242/ and it probably would have saved me some time and energy here.
I was reading this when I was looking for a solution to the same problem. My solution was rather changing the folder permission to 755 like all other php-fpm folder permission via "chmod 755 /var/lib/php7.2-fpm". I don't think it is necessary to change other things as you mentioned above.