Closed betweenbrain closed 6 years ago
While this resolves the 502 Bad Gateway issue, it introduces a file ownership issue. What are your thoughts on adding www-data and added users to a common group that nginx runs under?
Any ideas why it's causing 502 errors? Changing it to www-data would effectively disallow a "multi user" setup.
Also, I presume you're trying to install on Ubuntu 14.04?
This is with Debian 7 using the Dotdeb packages for PHP. With the release of PHP 5.5.12, there was a FPM listening socket permission change to resolve CVE-2014-0185. Simply upgrading to PHP 5.5.12 will cause the 502 error, and this how I was able to get it working again. But, it does present other issues as you state.
Do you think running nginx under a shared group would work, or maybe use a port for the listen directive in /etc/php5/fpm/pool.d/www.conf instead?
I just read up on the bugfix and it seems like it only affects un-configured socket parameters. If I am not mistaken, simply uncommenting the following lines and setting appropriate values should resolve it.
listen.owner = your-user
listen.group = your-user
listen.mode = 0666
That's what I was thinking too, but I have the server configured to take advantage of the multi-user setup. That's why I was thinking a common group might be good, but I haven't tested that as this is a production machine.
After reading up a little more it appears that the following config is preferable, and is not susceptible to the weak permissions of my earlier posted config.
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
This will cause the users selecting nginx.org packages to break though since the webserver user is "nginx". Domain.sh needs to be updated to handle this.
Glad to see that you have a solution in mind.
Please let me know if there is anything that I can do to help.
One option, which would allow the multi-user setup, would simply be to use a TCP/IP port (127.0.0.1:9000) for fastcgi_pass in the domain configurations and for the listen value in /etc/php5/fpm/pool.d/www.conf
TCP/IP port config was used previously but the socket way is now preferred due to better performance. You may still switch over to using that if you prefer though, it should work as you mentioned.
Like @Mins said above here: https://github.com/Mins/TuxLite/pull/39#issuecomment-43781624
The most proper, secure solution here would indeed be:
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
This will not work out-of-the-box with nginx.org packages since the webserver user is nginx (we could fix in domain.sh).
listen.mode with 0660, with your-user as listen.owner and your-user as listen.group, might also work.
Setting listen.mode to 0666 will also resolve the problem but is less secure, see here: https://ubuntuforums.org/showthread.php?t=2231143 and https://chriskief.com/2014/05/07/nginx-php5-fpm-and-permission-denied-errors/
Using a TCP/IP port config will likely also resolve the problem but will also perform less.
Closing this PR as the solution is probably not exactly what we want, and keeping #44 open (TODO).
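As an added example (not code from the TuxLite project or from anyone in this thread), the following POSIX shell script checks a php-fpm pool file for the two problems discussed above: a world-accessible socket (`listen.mode = 0666`) and `listen.owner`/`listen.group` that do not match the user the web server actually runs as. The two pool files it builds are constructed for the demo; the `audit_pool` function and the web-server user argument are assumptions of this example, not TuxLite's own interface.

```shell
#!/bin/sh
# Added example: audit the listen.* settings of a php-fpm pool file.
# Pool contents and paths below are constructed for the demo.

# Build two constructed pool files: the weak one (0666, per-user owner)
# and the preferred one (0660, owned by the web server user).
make_pools() {
  WEAK_POOL=$(mktemp)
  GOOD_POOL=$(mktemp)
  cat > "$WEAK_POOL" <<'EOF'
[www]
listen = /var/run/php5-fpm.sock
listen.owner = your-user
listen.group = your-user
listen.mode = 0666
EOF
  cat > "$GOOD_POOL" <<'EOF'
[www]
listen = /var/run/php5-fpm.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
EOF
}

# pool_value FILE KEY
# Prints the effective (last, uncommented) value of KEY in FILE.
pool_value() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# audit_pool FILE WEBSERVER_USER
# Prints "ok" and returns 0 when the socket is not accessible to "other"
# and its owner/group match the web server user (www-data for Debian/Ubuntu
# packages, nginx for nginx.org packages); otherwise prints each finding
# and returns 1.
audit_pool() {
  file=$1; web=$2; rc=0
  mode=$(pool_value "$file" listen.mode)
  owner=$(pool_value "$file" listen.owner)
  group=$(pool_value "$file" listen.group)
  # The last octal digit holds the "other" bits; anything non-zero means
  # every local user can connect to the FPM socket.
  case "$mode" in
    *[1-7]) echo "$file: listen.mode=$mode grants access to all local users"; rc=1 ;;
  esac
  [ "$owner" = "$web" ] || { echo "$file: listen.owner=$owner, expected $web"; rc=1; }
  [ "$group" = "$web" ] || { echo "$file: listen.group=$group, expected $web"; rc=1; }
  [ "$rc" -eq 0 ] && echo "$file: ok"
  return "$rc"
}

# Demo run against the two constructed pools (failures are expected for the weak one).
make_pools
audit_pool "$WEAK_POOL" www-data || :
audit_pool "$GOOD_POOL" www-data || :
```

On a real host, point the function at the pool file and the user nginx runs as, e.g. `audit_pool /etc/php5/fpm/pool.d/www.conf www-data` (or `nginx` for nginx.org packages); a non-zero return means the 502 fix was applied with the weaker 0666 mode or the owner does not match the web server, which is exactly the case the nginx.org-packages caveat above is about.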
...ten directive of $php_fpm_conf