Mins / TuxLite

A complete LAMP and LNMP setup script for Debian or Ubuntu
http://tuxlite.com

Change fastcgi_pass value of domain configuration files to match the listen directive of $php_fpm_conf #39

Closed betweenbrain closed 6 years ago

betweenbrain commented 10 years ago

While this resolves the 502 Bad Gateway issue, it introduces a file ownership issue. What are your thoughts on adding www-data and added users to a common group that nginx runs under?

Mins commented 10 years ago

Any ideas why it's causing 502 errors? Changing it to www-data would effectively disallow a "multi-user" setup.

Also, I presume you're trying to install on Ubuntu 14.04?

betweenbrain commented 10 years ago

This is with Debian 7 using the Dotdeb packages for PHP. With the release of PHP 5.5.12, there was an FPM listening socket permission change to resolve CVE-2014-0185. Simply upgrading to PHP 5.5.12 will cause the 502 error, and this is how I was able to get it working again. But it does present other issues, as you state.

Do you think running nginx under a shared group would work, or maybe use a port for the listen directive in /etc/php5/fpm/pool.d/www.conf instead?

Mins commented 10 years ago

I just read up on the bugfix and it seems like it only affects un-configured socket parameters. If I am not mistaken, simply uncommenting the following lines and setting appropriate values should resolve it.

listen.owner = your-user
listen.group = your-user
listen.mode = 0666

betweenbrain commented 10 years ago

listen.owner = your-user
listen.group = your-user
listen.mode = 0666

That's what I was thinking too, but I have the server configured to take advantage of the multi-user setup. That's why I was thinking a common group might be good, but I haven't tested that as this is a production machine.

Mins commented 10 years ago

After reading up a little more it appears that the following config is preferable, and is not susceptible to the weak permissions of my earlier posted config.

listen.owner = www-data
listen.group = www-data
listen.mode = 0660

This will cause the users selecting nginx.org packages to break though since the webserver user is "nginx". Domain.sh needs to be updated to handle this.

betweenbrain commented 10 years ago

Glad to see that you have a solution in mind.

Please let me know if there is anything that I can do to help.

betweenbrain commented 10 years ago

One option, which would allow the multi-user setup, would simply be to use a TCP/IP port (127.0.0.1:9000) for fastcgi_pass in the domain configurations and for the listen value in /etc/php5/fpm/pool.d/www.conf

Mins commented 10 years ago

TCP/IP port config was used previously but the socket way is now preferred due to better performance. You may still switch over to using that if you prefer though, it should work as you mentioned.

djvdorp commented 6 years ago

Like @Mins said above here: https://github.com/Mins/TuxLite/pull/39#issuecomment-43781624

The most proper, secure solution here would indeed be:

listen.owner = www-data
listen.group = www-data
listen.mode = 0660

This will not work out-of-the-box with nginx.org packages since the webserver user is nginx (we could fix in domain.sh).

listen.mode with 0660 with your-user as listen.owner and your-user as listen.group might also work.

Setting listen.mode to 0666 will also resolve the problem but is less secure, see here: https://ubuntuforums.org/showthread.php?t=2231143 and https://chriskief.com/2014/05/07/nginx-php5-fpm-and-permission-denied-errors/

Using a TCP/IP port config will likely also resolve the problem but will also perform worse.

Closing this PR as the solution is probably not exactly what we want, and keeping #44 open (TODO).
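The whole thread comes down to one question: can the user nginx's workers run as write to the socket that php-fpm creates with the pool's listen.owner/listen.group/listen.mode? The following shell script is an added example and is not TuxLite's code nor anything a commenter posted. It parses a pool config fragment, applies the documented FPM defaults for directives that are commented out (owner and group of the master process, i.e. root, and mode 0660 since 5.5.12), and reports whether a given nginx user gets through, covering the cases discussed above: the post-upgrade defaults that produce the 502, Mins's www-data/0660 config, the nginx.org package whose worker is `nginx`, betweenbrain's shared-group idea, and the 0666 fallback. The function names (`fpm_directive`, `fpm_socket_check`) and the pool fragments are constructed for this example.

```shell
#!/bin/sh
# Added example, not TuxLite code: decide whether nginx's worker user can
# connect() to the php-fpm Unix socket described by a pool config. A failed
# connect() is what nginx reports as "502 Bad Gateway". Names are hypothetical.

# Print the value of one uncommented "name = value" directive from pool config
# text on stdin (first match wins); prints nothing if the directive is unset.
fpm_directive() {
    name=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape the dot in listen.mode etc.
    sed -n "s/^[[:space:]]*$name[[:space:]]*=[[:space:]]*\([^[:space:];]*\).*/\1/p" | head -n 1
}

# fpm_socket_check CONF_TEXT NGINX_USER "NGINX_GROUPS..."
# Prints one of: denied | ok | ok-world-writable
# connect() on a Unix socket needs write permission on the socket inode, so only
# the owner/group/other write bits of listen.mode matter.
fpm_socket_check() {
    conf=$1 nuser=$2 ngroups=$3
    owner=$(printf '%s\n' "$conf" | fpm_directive listen.owner)
    group=$(printf '%s\n' "$conf" | fpm_directive listen.group)
    mode=$(printf '%s\n' "$conf" | fpm_directive listen.mode)
    # Documented FPM defaults when the directives are commented out: owner and
    # group of the running master process (root) and mode 0660 (PHP >= 5.5.12).
    : "${owner:=root}" "${group:=root}" "${mode:=0660}"
    mode=0$(printf '%s' "$mode" | sed 's/^0*//')   # force octal interpretation
    if [ "$nuser" = "$owner" ]; then
        bit=$(( $mode & 0200 ))
    elif printf ' %s ' "$ngroups" | grep -q " $group "; then
        bit=$(( $mode & 0020 ))
    else
        bit=$(( $mode & 0002 ))
    fi
    if [ "$bit" -eq 0 ]; then
        echo denied
    elif [ $(( $mode & 0002 )) -ne 0 ]; then
        echo ok-world-writable   # every local user may talk to FPM (the CVE-2014-0185 concern)
    else
        echo ok
    fi
}

# Constructed pool.d/www.conf fragments for the scenarios in the thread.
CONF_DEFAULT=';listen.owner = www-data
;listen.group = www-data
;listen.mode = 0660'                    # fresh 5.5.12 defaults: root:root 0660
CONF_DEBIAN='listen.owner = www-data
listen.group = www-data
listen.mode = 0660'                     # the config Mins preferred
CONF_USER='listen.owner = alice
listen.group = alice
listen.mode = 0660'                     # per-user pool in a multi-user setup
CONF_LAX='listen.owner = alice
listen.group = alice
listen.mode = 0666'                     # connects from anywhere, but world-writable

# Stand-alone demo: one line per scenario.
printf 'defaults, nginx as www-data:           %s\n' "$(fpm_socket_check "$CONF_DEFAULT" www-data www-data)"
printf 'www-data/0660, nginx as www-data:      %s\n' "$(fpm_socket_check "$CONF_DEBIAN" www-data www-data)"
printf 'www-data/0660, nginx.org user nginx:   %s\n' "$(fpm_socket_check "$CONF_DEBIAN" nginx nginx)"
printf 'alice/0660, nginx not in group alice:  %s\n' "$(fpm_socket_check "$CONF_USER" www-data www-data)"
printf 'alice/0660, nginx added to group alice: %s\n' "$(fpm_socket_check "$CONF_USER" www-data "www-data alice")"
printf 'alice/0666, nginx.org user nginx:      %s\n' "$(fpm_socket_check "$CONF_LAX" nginx nginx)"
```

On a live host the same check is `ls -l` on the socket path from the pool's `listen` directive compared against `id <nginx worker user>` (`www-data` on Debian/Ubuntu packages, `nginx` on nginx.org packages); if the worker is neither the owner nor in the group, the fix is either the 0660 config with the worker as owner/group, or adding the worker to the pool's group, not 0666.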