Perfect Server for Ubuntu 16 (but with NGINX instead of Apache); socket permission issues

Discussion in 'Installation/Configuration' started by cbj4074, Apr 26, 2016.

  1. cbj4074

    cbj4074 Member

    I'll be the first to admit that I deviated from the tutorial slightly in that I installed NGINX instead of Apache, and I used https://launchpad.net/~ondrej/ archive/ubuntu/php instead of Ubuntu's stock PHP package.

    Everything appeared to go smoothly, but I'm receiving "502 Bad Gateway" from NGINX.

    I added the "error_log" directive to /etc/nginx/sites-available/ispconfig.vhost to obtain further information:

    Code:
    2016/04/26 12:35:04 [crit] 26240#26240: *2 connect() to unix:/var/lib/php7.0-fpm/ispconfig.sock failed (13: Permission denied) while connecting to upstream, client: 192.168.56.1, server: _, request: "GET / HTTP/1.1", upstream: "fastcgi://unix:/var/lib/php7.0-fpm/ispconfig.sock:", host: "ubuntu-16-vm.example.com:8080"
    
    I have dug-around in the FPM pool configurations and everything looks to be correct.

    /etc/php/7.0/fpm/pool.d/ispconfig.conf:

    Code:
    [ispconfig]
    
    listen = /var/lib/php7.0-fpm/ispconfig.sock
    listen.owner = ispconfig
    listen.group = ispconfig
    listen.mode = 0660
    
    user = ispconfig
    group = ispconfig
    ; ...
    
    The socket permissions look to be correct:

    Code:
    srw-rw---- 1 ispconfig ispconfig 0 Apr 26 12:55 /var/lib/php7.0-fpm/ispconfig.sock
    
    I don't know enough about how FPM starts its processes to know if this is correct or not:

    Code:
    # ss -lp | grep 56004
    u_str  LISTEN  0  128  /var/lib/php7.0-fpm/ispconfig.sock 56004  * 0  users:(("php-fpm7.0",pid=8427,fd=0),("php-fpm7.0",pid=8426,fd=0),("php-fpm7.0",pid=8421,fd=9))
    
    Code:
    # ps -ef | grep ispconfig
    ispconf+  8426  8421  0 12:55 ?  00:00:00 php-fpm: pool ispconfig
    ispconf+  8427  8421  0 12:55 ?  00:00:00 php-fpm: pool ispconfig
    
    Does anything jump-out? What might I have overlooked?

    Thank you very much for any help!

    UPDATE:

    I got the ISPConfig interface working, but it's not a solution; it's a workaround.

    In /etc/nginx/sites-available/ispconfig.vhost, I changed

    Code:
    fastcgi_pass unix:/var/lib/php7.0-fpm/ispconfig.sock;
    
    to

    Code:
    fastcgi_pass localhost:9000;
    
    and in /etc/php/7.0/fpm/pool.d/ispconfig.conf I changed

    Code:
    listen = /var/lib/php7.0-fpm/ispconfig.sock
    
    to

    Code:
    listen = 127.0.0.1:9000
    listen.allowed_clients = 127.0.0.1
    
    This still didn't work until I added the following line to /etc/hosts (presumably because the fastcgi_pass directive in the NGINX config could not resolve "localhost" without it):

    Code:
    127.0.0.1  ubuntu-vm.example.com ubuntu-vm localhost
    
    I should note also that in Ubuntu 16, the order in which the above hostnames appear is important; amavis failed to be installed/started when I had the order reversed (which has always worked fine in Ubuntu 14). Apparently,
    Code:
    hostname --fqdn
    , which amavis uses to set $hostname, returns the leftmost of the listed hostnames. Unless the FQDN notation comes first in the list, amavis fails to start.
     
    Last edited: Apr 26, 2016
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Is this a LXC container or do you use ACL in the filesystem?
     
  3. cbj4074

    cbj4074 Member

    Thanks for taking a look, Till! I sincerely appreciate your time, especially given that I am straying from the prescribed setup slightly.

    No, this is not an LXC and I'm not using ACL on this particular system.

    I created a regular Website through the ISPConfig interface to see if the same socket permission issue arises there, and indeed it does.

    The specific message looks to be the same:

    Code:
    2016/04/27 10:27:53 [crit] 25978#25978: *11 connect() to unix:/var/lib/php7.0-fpm/web1.sock failed (13: Permission denied) while connecting to upstream, client: 192.168.56.1, server: ubuntu-16-vm.example.com, request: "GET /info.php HTTP/1.1", upstream: "fastcgi://unix:/var/lib/php7.0-fpm/web1.sock:", host: "ubuntu-16-vm.example.com"
    
    The stat output is:

    Code:
    # stat /var/lib/php7.0-fpm/web1.sock
      File: '/var/lib/php7.0-fpm/web1.sock'
      Size: 0  Blocks: 0  IO Block: 4096  socket
    Device: fc00h/64512d  Inode: 140238  Links: 1
    Access: (0660/srw-rw----)  Uid: ( 5004/  web1)  Gid: ( 5005/ client0)
    Access: 2016-04-27 10:25:03.724000000 -0400
    Modify: 2016-04-27 10:25:03.724000000 -0400
    Change: 2016-04-27 10:25:03.724000000 -0400
     Birth: -
    
    The relevant pool configuration directives are:

    Code:
    [web1]
    
    listen = /var/lib/php7.0-fpm/web1.sock
    listen.owner = web1
    listen.group = client0
    listen.mode = 0660
    
    user = web1
    group = client0
    ; ...
    
    It all looks correct to me.

    I double-checked to ensure that apparmor was uninstalled and indeed I uninstalled it while following the guide initially.

    What's weird is that even if I set the listen.mode to 0666, the message is the same.

    There's nothing unusual in the PHP-FPM log... I'm not sure what to check next. Can't say I've run into this one before!
     
  4. Mate

    Mate New Member

    nginx and php-fpm have to run the same owner and group.
    [web1]
    listen = /var/lib/php7.0-fpm/web1.sock
    listen.owner = nginx
    listen.group = nginx
    listen.mode = 0660
    Would match and work if nginx is is running it's default group and owner of nginx
    You would have to add web1 to the nginx owner and client0 to the nginx group
    I'm brand new to ispconfig and just about to try a install with nginx
    Hope my assumption was correct
     
  5. cbj4074

    cbj4074 Member

    Hi, Mate; thanks for replying.

    One quick update: I tried installing the stock php7.0 packages that are included in Ubuntu's own repositories (I didn't use Onrej's co-installable PHP 5/7 PPA this time) and the result is exactly the same.

    I'm not sure that nginx and php-fpm have to run under the same owner and group. Rather, I'm pretty sure that it works the same way that it does with filesystem permissions: as long the user under which NGINX runs has sufficient access rights to the socket files on the filesystem, everything works as expected.

    I say this in part because with ISPConfig 3.0.5.4p8, NGINX runs as the "www-data" user, and my ISPConfig FPM configuration (this is for the ISPConfig interface itself) is as follows:

    Code:
    listen = /var/run/php/ispconfig.sock
    listen.owner = ispconfig
    listen.group = ispconfig
    listen.mode = 0660
    
    user = ispconfig
    group = ispconfig
    
    Also, my individual sites' pool files look like this:

    Code:
    [web1]
    
    listen = /var/run/php/web1.sock
    listen.owner = web1
    listen.group = client2
    listen.mode = 0660
    
    user = web1
    group = client2
    
    So, the two values definitely don't have to match.

    But you're on the right track, in my opinion. I think that the ISPConfig user and/or group isn't added to some other group, or vice versa.

    I did try your suggestion (setting all values in question to the user/group under which NGINX is running, which is "www-data" on Ubuntu), for the sake of thoroughness, and, somewhat surprisingly, permission is still denied. But this is consistent with what I tried earlier (setting the socket file permissions to 777).

    I haven't had any more time to fiddle with it, unfortunately. Again, thanks for taking a look... have you tried this setup yourself? Any luck with it?

    Till, surely you've tried installing PHP-FPM + NGINX on Ubuntu 16.04 LTS as yet... but no Perfect Server tutorial? I suppose that it doesn't really necessitate its own separate tutorial, but it would be great to see a little NGINX section as an alternative.
     
    Last edited: May 3, 2016
  6. cbj4074

    cbj4074 Member

    I figured it out.

    By default, ISPConfig is creating its PHP socket files in /var/lib/php7.0-fpm, which is owned by root:root with drwxr-x--- permissions (note the lack of execute permissions for "other"). This is why users in the www-data group cannot read the socket files.

    By contrast, by default, PHP 7 packages on Ubuntu create sockets in /run/php, which is owned by www-data:www-data with drwxr-xr-x permissions.

    I'm not sure by what mechanism the /var/lib/php7.0-fpm directory is created in the first place, but this fixes the whole problem:

    Code:
    # chown www-data:www-data /var/lib/php7.0-fpm
    # systemctl restart nginx
    
    Obviously, once the user is actually able to log into and access the ISPConfig interface (per above steps), he could change the effective socket path to match the path that the Ubuntu PHP package uses, under Server Config (left nav) -> Web (tab) -> PHP Settings (panel) -> PHP-FPM socket directory (field). The value to use would be /run/php, thereby obviating the need for this whole workaround in the first place.

    That said, it's not clear how the socket path is set in /etc/php/7.0/fpm/pool.d/ispconfig.conf in the first place; changing the default socket path location through the ISPConfig interface, as described above, doesn't seem to force an update to this file. I had to update it manually.

    However, when I modify an individual website through the ISPConfig interface, the socket path in the associated pool configuration file (e.g., /etc/php/7.0/fpm/pool.d/web1.conf) is indeed updated to use /var/run.

    I should have referred back to my post at https://www.howtoforge.com/communit...able-php-5-6-and-7-0-package-on-ubuntu.72242/ and it probably would have saved me some time and energy here. :)
     
    Last edited: May 3, 2016
    ahrasis likes this.
  7. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I was reading this when I was looking for a solution to the same problem.

    My solution was rather changing the folder permission to 755 like all other php-fpm folder permission via "chmod 755 /var/lib/php7.2-fpm".

    I don't think it is necessary to change other things as you mentioned above.
     

Share This Page