Gentoo Forums
apache + suexec + mod_fastcgi + php-fpm permission issue
trinite
n00b


Joined: 14 Sep 2004
Posts: 32

Posted: Tue Jun 10, 2014 10:51 am    Post subject: apache + suexec + mod_fastcgi + php-fpm permission issue

About a year ago, I set up an apache + suexec + mod_fastcgi + php-fpm setup with multiple virtual hosts, in which each virtual host has its own user and its own php-fpm pool running. This all worked fine (also over previous updates) until last week, when I updated the setup from php 5.5.10 to php 5.5.12.

The error I get:
Code:
[Tue Jun 10 11:26:42 2014] [error] [client 192.168.1.2] (13)Permission denied: FastCGI: failed to connect to server "/var/www/cgi-bin.d/cgi-control/php-fpm": connect() failed
[Tue Jun 10 11:26:42 2014] [error] [client 192.168.1.2] FastCGI: incomplete headers (0 bytes) received from server "/var/www/cgi-bin.d/cgi-control/php-fpm"


After some research I found out that the error seems to be that the fastcgi process cannot connect to the php-fpm socket. The permissions I used to use:
Code:
srw-rw---- 1 control control 0 Jun 10 12:08 /var/run/php-fpm-control.sock
To get it working again, I have to change the permissions to
Code:
srw-rw---- 1 control apache 0 Jun 10 12:08 /var/run/php-fpm-control.sock
by setting the fpm pool settings from
Code:
[control]

; Port or socket where apache can connect to
listen = /var/run/php-fpm-$pool.sock
listen.owner = $pool
listen.group = $pool

; user under which the process runs
user = $pool
group = $pool

to
Code:
[control]

; Port or socket where apache can connect to
listen = /var/run/php-fpm-$pool.sock
listen.owner = $pool
listen.group = apache

; user under which the process runs
user = $pool
group = $pool


So it looks like the FastCGI process tries to access the socket as the apache user, and not as the pool user (control). Has something changed in the new PHP version? Did suexec or mod_fastcgi change something? Or did I miss something else?

Below is a short definition of my setup:

/etc/conf.d/apache2
Code:

APACHE2_OPTS="-D DEFAULT_VHOST -D INFO -D SSL -D SSL_DEFAULT_VHOST -D SUEXEC -D LANGUAGE -D FASTCGI -D PHP_FPM"


/etc/apache2/modules.d/20_mod_fastcgi.conf
Code:
<IfDefine FASTCGI>
LoadModule fastcgi_module modules/mod_fastcgi.so
AddHandler fastcgi-script fcg fcgi fpl
# FastCgiWrapper has to be enabled to enforce a user and group to the FastCGIServer directive
FastCgiWrapper /usr/sbin/suexec
</IfDefine>


/etc/apache2/modules.d/71_php-fpm.conf
Code:

<IfDefine PHP_FPM>
   AddHandler php-fpm .php
   AddHandler php-fpm .php5
   AddHandler php-fpm .phtml
   DirectoryIndex index.php index.php5 index.phtml
   # Note that an Alias for /php-fpm should be defined for
   # every virtual host
   Action php-fpm /php-fpm
</IfDefine>


/etc/apache2/modules.d/vhosts.d/001_control.conf
Code:

<VirtualHost *:80>
   DocumentRoot "/home/control/public_html"
   ServerName control.nl
   ServerAlias *.control.nl

   CustomLog /home/control/log/access_log combined
   Errorlog /home/control/log/error_log

   SuexecUserGroup control control

   FastCGIExternalServer /var/www/cgi-bin.d/cgi-control/php-fpm -socket /var/run/php-fpm-control.sock -user control -group control
   Alias /php-fpm /var/www/cgi-bin.d/cgi-control/php-fpm

   <Directory /home/control/public_html>
      Options +Indexes +FollowSymlinks
      Order deny,allow
      Allow from all
   </Directory>

   <IfModule alias_module>
      #enable cgi? put cgi files in /var/www/cgi-bin.d/cgi-control and uncomment the next line and the Directory block
      #ScriptAlias /cgi-bin/ "/var/www/cgi-bin.d/cgi-control/"
   </IfModule>

   # Leave this enabled, also when not using CGI, as php-fpm has its virtual
   # path here
   <Directory "/var/www/cgi-bin.d/cgi-control">
      AllowOverride None
      Options None
      Order allow,deny
      Allow from all
   </Directory>
</VirtualHost>


cgi directory permissions:
Code:
 ls -lah /var/www/cgi-bin.d/cgi-control/
total 8.0K
drwxrwxr-x 2 control control 4.0K Jul 29  2013 .
drwxr-xr-x 9 root    root    4.0K Aug  4  2013 ..


/etc/php/fpm-php5.5/php-fpm.conf
Code:
include=/etc/php/fpm-php5.5/pool.d/*.conf


/etc/php/fpm-php5.5/pool.d/001_control.conf
Code:
[control]

; Port or socket where apache can connect to
listen = /var/run/php-fpm-$pool.sock
listen.owner = $pool
listen.group = $pool

; user under which the process runs
user = $pool
group = $pool

; process manager
pm = dynamic
pm.max_children = 50
pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 25
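
Added example (not part of the original post, and not Apache or PHP code): a small Python check that resolves a pool's `listen.*` settings and tests whether the web server account may connect to the resulting socket, using the two pool definitions quoted above as constructed input. It assumes the server runs as user and group `apache` and that an unset `listen.mode` means 0660, as in the socket listings; the names `parse_pool`, `can_connect` and `audit` are hypothetical.

```python
import re

# Constructed input: the "before" and "after" pool definitions from the post.
POOL_BEFORE = """\
[control]
listen = /var/run/php-fpm-$pool.sock
listen.owner = $pool
listen.group = $pool
"""
POOL_AFTER = POOL_BEFORE.replace("listen.group = $pool", "listen.group = apache")

def parse_pool(text, default_mode=0o660):
    """Resolve the listen.* settings of one pool section, expanding $pool."""
    pool, conf = "", {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        if not line:
            continue
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            pool = section.group(1)
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip().replace("$pool", pool)
    mode = int(conf["listen.mode"], 8) if "listen.mode" in conf else default_mode
    return {"path": conf["listen"], "owner": conf.get("listen.owner"),
            "group": conf.get("listen.group"), "mode": mode}

def can_connect(sock, user, groups):
    """connect() on a Unix socket needs write permission on the socket file.
    Exactly one permission class applies: owner, else group, else other."""
    if user == sock["owner"]:
        return bool(sock["mode"] & 0o200)
    if sock["group"] in groups:
        return bool(sock["mode"] & 0o020)
    return bool(sock["mode"] & 0o002)

def audit(text, web_user="apache", web_groups=("apache",)):
    """Findings for one pool: socket unreachable, or open to every account."""
    sock = parse_pool(text)
    findings = []
    if not can_connect(sock, web_user, set(web_groups)):
        findings.append("%s: %s gets EACCES on connect()" % (sock["path"], web_user))
    if sock["mode"] & 0o002:
        findings.append("%s: writable by every local account" % sock["path"])
    return findings
```

`audit(POOL_BEFORE)` reports the same errno 13 condition as the Apache error log, and `audit(POOL_AFTER)` returns no findings; a pool that sets `listen.mode = 0666` connects but is flagged, because any local account could then send requests that run as the pool user.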