Nginx
nginx php-fpm: permission denied while connecting to upstream
I installed nginx and php-fpm, and the error below does not go away even after setting all the required permissions, as suggested in previous answers here:
[error] 2443#0: *2 connect() to unix:/run/php-fpm/php-fpm.pid failed (111: Connection refused) while connecting to upstream
Here is all of my configuration:

/etc/php-fpm.d/www.conf

[www]
user = nginx
group = nginx
listen = /run/php-fpm/php-fpm.pid
listen.owner = nginx
listen.group = nginx
listen.mode = 0660
listen.allowed_clients = 127.0.0.1
pm = dynamic
pm.max_children = 50
pm.start_servers = 5
pm.min_spare_servers = 5
pm.max_spare_servers = 35
slowlog = /var/log/php-fpm/www-slow.log
php_admin_value[error_log] = /var/log/php-fpm/www-error.log
php_admin_flag[log_errors] = on
php_value[session.save_handler] = files
php_value[session.save_path] = /var/lib/php/session
php_value[soap.wsdl_cache_dir] = /var/lib/php/wsdlcache

/etc/php-fpm.conf

include=/etc/php-fpm.d/*.conf
[global]
pid = /run/php-fpm/php-fpm.pid
error_log = /var/log/php-fpm/error.log
daemonize = yes
events.mechanism = epoll

/etc/nginx/nginx.conf

user nginx nginx;
worker_processes 1;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;

    upstream php {
        #server unix:/var/run/php-fpm/php-fpm.pid;
        server 127.0.0.1:9000;
    }

    server_names_hash_bucket_size 64;

    # Virtual hosts
    include /etc/nginx/sites/*.conf;
}

/etc/nginx/sites/*.conf

server {
    listen 80 ;
    listen [::]:80;
    server_name elkhobara.com www.elkhobara.com;
    root /var/hosts/elkhobara;
    index index.html index.htm index.php;

    location / {
        try_files $uri $uri/ =404;
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass unix:/run/php-fpm/php-fpm.pid;
        #fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include /etc/nginx/fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
Note that if I change the socket to 127.0.0.1:9000, it works perfectly.

Update:

SELinux status:

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

/var/log/audit/audit.log
--------------------------------------------------------------------------------
SELinux is preventing /usr/sbin/nginx from getattr access on the file /var/hosts/elkhobara/index.php.

***** Plugin catchall_labels (83.8 confidence) suggests *******************

If you want to allow nginx to have getattr access on the index.php file
Then you need to change the label on /var/hosts/elkhobara/index.php
Do
# semanage fcontext -a -t FILE_TYPE '/var/hosts/elkhobara/index.php'
where FILE_TYPE is one of the following: --Striped text--.
Then execute:
restorecon -v '/var/hosts/elkhobara/index.php'

***** Plugin catchall (17.1 confidence) suggests **************************

If you believe that nginx should be allowed getattr access on the index.php file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'nginx' --raw | audit2allow -M my-nginx
# semodule -i my-nginx.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                unconfined_u:object_r:var_t:s0
Target Objects                /var/hosts/elkhobara/index.php [ file ]
Source                        nginx
Source Path                   /usr/sbin/nginx
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           nginx-1.10.2-1.el7.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-102.el7_3.7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     ip-172-31-39-125.us-west-2.compute.internal
Platform                      Linux ip-172-31-39-125.us-west-2.compute.internal 3.10.0-514.2.2.el7.x86_64 #1 SMP Wed Nov 16 13:15:13 EST 2016 x86_64 x86_64
Alert Count                   23
First Seen                    2017-01-01 16:46:48 EST
Last Seen                     2017-01-02 10:32:42 EST
Local ID                      0ff17cb3-2f01-4acf-8510-ab289c98d946

Raw Audit Messages
type=AVC msg=audit(1483371162.342:339): avc: denied { getattr } for pid=2443 comm="nginx" path="/var/hosts/elkhobara/index.php" dev="xvda2" ino=25207236 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file

type=SYSCALL msg=audit(1483371162.342:339): arch=x86_64 syscall=stat success=yes exit=0 a0=7f9f09cef2d4 a1=7ffcd9347290 a2=7ffcd9347290 a3=7f9f09db3b30 items=0 ppid=2442 pid=2443 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=nginx exe=/usr/sbin/nginx subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: nginx,httpd_t,var_t,file,getattr

--------------------------------------------------------------------------------
SELinux is preventing /usr/sbin/nginx from read access on the file index.php.

***** Plugin catchall_labels (83.8 confidence) suggests *******************

If you want to allow nginx to have read access on the index.php file
Then you need to change the label on index.php
Do
# semanage fcontext -a -t FILE_TYPE 'index.php'
where FILE_TYPE is one of the following: --Striped long text for future readability.
Then execute:
restorecon -v 'index.php'

***** Plugin catchall (17.1 confidence) suggests **************************

If you believe that nginx should be allowed read access on the index.php file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'nginx' --raw | audit2allow -M my-nginx
# semodule -i my-nginx.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                unconfined_u:object_r:var_t:s0
Target Objects                index.php [ file ]
Source                        nginx
Source Path                   /usr/sbin/nginx
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           php-fpm-7.1.0-1.el7.remi.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-102.el7_3.7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     ip-172-31-39-125.us-west-2.compute.internal
Platform                      Linux ip-172-31-39-125.us-west-2.compute.internal 3.10.0-514.2.2.el7.x86_64 #1 SMP Wed Nov 16 13:15:13 EST 2016 x86_64 x86_64
Alert Count                   2
First Seen                    2017-01-01 17:10:48 EST
Last Seen                     2017-01-02 06:22:16 EST
Local ID                      ce7a65cb-6b95-4fc4-b31b-19efccf56ab1

Raw Audit Messages
type=AVC msg=audit(1483356136.314:121): avc: denied { read } for pid=9421 comm="php-fpm" name="index.php" dev="xvda2" ino=25207236 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file

type=AVC msg=audit(1483356136.314:121): avc: denied { open } for pid=9421 comm="php-fpm" path="/var/hosts/elkhobara/index.php" dev="xvda2" ino=25207236 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file

type=SYSCALL msg=audit(1483356136.314:121): arch=x86_64 syscall=open success=yes exit=EIO a0=7ffc64561010 a1=0 a2=1b6 a3=2 items=0 ppid=9419 pid=9421 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=php-fpm exe=/usr/sbin/php-fpm subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: nginx,httpd_t,var_t,file,read
--------------------------------------------------------------------------------
Don't listen on the pid file...

In your pool configuration:

You must listen on a socket file or over TCP, like this:

listen = /run/run/php-fpm.sock

or

listen = 127.0.0.1:9000

See http://php.net/manual/fr/install.fpm.configuration.php#listen

In Nginx:

fastcgi_pass unix:/run/run/php-fpm.sock;

or

fastcgi_pass 127.0.0.1:9000;

See http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html#fastcgi_pass
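An added check, not part of the question or the answer above: a small POSIX shell script that reads the php-fpm pool's `listen` value and nginx's active `fastcgi_pass` target and flags the two defects visible in this thread, php-fpm told to listen on its own pid file and the two sides naming different endpoints. The config file paths are passed as arguments; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: cross-check the php-fpm pool's
# "listen" value against nginx's active "fastcgi_pass" target. It flags the
# two defects visible above: php-fpm told to listen on its own pid file, and
# the two sides naming different endpoints. Config paths are arguments.

# Print the first "listen = ..." value from a php-fpm pool file (www.conf).
# "listen.owner" etc. do not match because of the "." before "=".
fpm_listen() {
    sed -n 's/^[[:space:]]*listen[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Print the first uncommented fastcgi_pass target, with any "unix:" prefix
# and the trailing ";" removed, so it compares directly with the pool value.
nginx_pass() {
    sed -n 's/^[[:space:]]*fastcgi_pass[[:space:]]*\([^;]*\);.*/\1/p' "$1" \
        | head -n 1 | sed 's/^unix://'
}

# check_upstream POOL_CONF NGINX_CONF
# Prints "ok" and returns 0 when both sides agree on a TCP address or a
# socket path; otherwise prints the problem and returns 1.
check_upstream() {
    l=$(fpm_listen "$1")
    p=$(nginx_pass "$2")
    case "$l" in
        *.pid)
            echo "php-fpm listens on its pid file ($l); use a .sock path or 127.0.0.1:9000"
            return 1 ;;
        "")
            echo "no listen directive found in $1"
            return 1 ;;
    esac
    if [ "$l" != "$p" ]; then
        echo "mismatch: php-fpm listen=$l but nginx fastcgi_pass=$p"
        return 1
    fi
    # A UNIX socket path only exists as a socket (-S) while php-fpm is running;
    # on a live host this tells "wrong path" apart from "php-fpm not started".
    case "$l" in
        /*) [ -S "$l" ] || echo "note: $l is not a socket yet; is php-fpm running?" ;;
    esac
    echo ok
}
```

The AVC denials in the update are a separate issue: the web root under /var carries the var_t label, so once SELinux goes back to enforcing it needs relabelling with semanage fcontext (httpd_sys_content_t) and restorecon as sealert suggests, independent of which socket is used.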