安装 nginx 和 php-fpm 会导致以下错误,即使按照前面的答案中的建议设置了所有必需的权限后也不会发生:
[error] 2443#0: *2 connect() to unix:/run/php-fpm/php-fpm.pid failed (111: Connection refused) while connecting to upstream
这是我的所有配置: /etc/php-fpm.d/www.conf
[www]
user = nginx
group = nginx
listen = /run/php-fpm/php-fpm.pid
listen.owner = nginx
listen.group = nginx
listen.mode = 0660
listen.allowed_clients = 127.0.0.1
pm = dynamic
pm.max_children = 50
pm.start_servers = 5
pm.min_spare_servers = 5
pm.max_spare_servers = 35
slowlog = /var/log/php-fpm/www-slow.log
php_admin_value[error_log] = /var/log/php-fpm/www-error.log
php_admin_flag[log_errors] = on
php_value[session.save_handler] = files
php_value[session.save_path] = /var/lib/php/session
php_value[soap.wsdl_cache_dir] = /var/lib/php/wsdlcache
/etc/php-fpm.conf
include=/etc/php-fpm.d/*.conf
[global]
pid = /run/php-fpm/php-fpm.pid
error_log = /var/log/php-fpm/error.log
daemonize = yes
events.mechanism = epoll
/etc/nginx/nginx.conf
user nginx nginx;
worker_processes 1;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Load modular configuration files from the /etc/nginx/conf.d directory.
# See http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.
include /etc/nginx/conf.d/*.conf;
upstream php {
#server unix:/var/run/php-fpm/php-fpm.pid;
server 127.0.0.1:9000;
}
server_names_hash_bucket_size 64;
# Virtual hosts
include /etc/nginx/sites/*.conf;
}
/etc/nginx/sites/*.conf
server {
listen 80 ;
listen [::]:80;
server_name elkhobara.com www.elkhobara.com;
root /var/hosts/elkhobara;
index index.html index.htm index.php;
location / {
try_files $uri $uri/ =404;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
location ~ \.php$ {
try_files $uri =404;
fastcgi_pass unix:/run/php-fpm/php-fpm.pid;
#fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
include /etc/nginx/fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}
}
请注意,如果我将套接字更改为 127.0.0.1:9000,那么它将完美运行。
更新:
SELinux 状态:
# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 28
/var/log/audit/audit.log
--------------------------------------------------------------------------------
SELinux is preventing /usr/sbin/nginx from getattr access on the file /var/hosts/elkhobara/index.php.
***** Plugin catchall_labels (83.8 confidence) suggests *******************
If you want to allow nginx to have getattr access on the index.php file
Then you need to change the label on /var/hosts/elkhobara/index.php
Do
# semanage fcontext -a -t FILE_TYPE '/var/hosts/elkhobara/index.php'
where FILE_TYPE is one of the following: --Striped text--.
Then execute:
restorecon -v '/var/hosts/elkhobara/index.php'
***** Plugin catchall (17.1 confidence) suggests **************************
If you believe that nginx should be allowed getattr access on the index.php file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'nginx' --raw | audit2allow -M my-nginx
# semodule -i my-nginx.pp
Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context unconfined_u:object_r:var_t:s0
Target Objects /var/hosts/elkhobara/index.php [ file ]
Source nginx
Source Path /usr/sbin/nginx
Port <Unknown>
Host <Unknown>
Source RPM Packages nginx-1.10.2-1.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-102.el7_3.7.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name ip-172-31-39-125.us-west-2.compute.internal
Platform Linux ip-172-31-39-125.us-west-2.compute.internal
3.10.0-514.2.2.el7.x86_64 #1 SMP Wed Nov 16
13:15:13 EST 2016 x86_64 x86_64
Alert Count 23
First Seen 2017-01-01 16:46:48 EST
Last Seen 2017-01-02 10:32:42 EST
Local ID 0ff17cb3-2f01-4acf-8510-ab289c98d946
Raw Audit Messages
type=AVC msg=audit(1483371162.342:339): avc: denied { getattr } for pid=2443 comm="nginx" path="/var/hosts/elkhobara/index.php" dev="xvda2" ino=25207236 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=SYSCALL msg=audit(1483371162.342:339): arch=x86_64 syscall=stat success=yes exit=0 a0=7f9f09cef2d4 a1=7ffcd9347290 a2=7ffcd9347290 a3=7f9f09db3b30 items=0 ppid=2442 pid=2443 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=nginx exe=/usr/sbin/nginx subj=system_u:system_r:httpd_t:s0 key=(null)
Hash: nginx,httpd_t,var_t,file,getattr
--------------------------------------------------------------------------------
SELinux is preventing /usr/sbin/nginx from read access on the file index.php.
***** Plugin catchall_labels (83.8 confidence) suggests *******************
If you want to allow nginx to have read access on the index.php file
Then you need to change the label on index.php
Do
# semanage fcontext -a -t FILE_TYPE 'index.php'
where FILE_TYPE is one of the following: --Striped long text for future readability.
Then execute:
restorecon -v 'index.php'
***** Plugin catchall (17.1 confidence) suggests **************************
If you believe that nginx should be allowed read access on the index.php file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'nginx' --raw | audit2allow -M my-nginx
# semodule -i my-nginx.pp
Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context unconfined_u:object_r:var_t:s0
Target Objects index.php [ file ]
Source nginx
Source Path /usr/sbin/nginx
Port <Unknown>
Host <Unknown>
Source RPM Packages php-fpm-7.1.0-1.el7.remi.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-102.el7_3.7.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name ip-172-31-39-125.us-west-2.compute.internal
Platform Linux ip-172-31-39-125.us-west-2.compute.internal
3.10.0-514.2.2.el7.x86_64 #1 SMP Wed Nov 16
13:15:13 EST 2016 x86_64 x86_64
Alert Count 2
First Seen 2017-01-01 17:10:48 EST
Last Seen 2017-01-02 06:22:16 EST
Local ID ce7a65cb-6b95-4fc4-b31b-19efccf56ab1
Raw Audit Messages
type=AVC msg=audit(1483356136.314:121): avc: denied { read } for pid=9421 comm="php-fpm" name="index.php" dev="xvda2" ino=25207236 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1483356136.314:121): avc: denied { open } for pid=9421 comm="php-fpm" path="/var/hosts/elkhobara/index.php" dev="xvda2" ino=25207236 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=SYSCALL msg=audit(1483356136.314:121): arch=x86_64 syscall=open success=yes exit=EIO a0=7ffc64561010 a1=0 a2=1b6 a3=2 items=0 ppid=9419 pid=9421 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=php-fpm exe=/usr/sbin/php-fpm subj=system_u:system_r:httpd_t:s0 key=(null)
Hash: nginx,httpd_t,var_t,file,read
--------------------------------------------------------------------------------
答案1
不要监听 pid 文件......
在您的池配置中:
您必须监听套接字文件或 TCP,如下所示:
listen = /run/run/php-fpm.sock
或者
listen = 127.0.0.1:9000
看http://php.net/manual/fr/install.fpm.configuration.php#listen
在 Nginx 中:
fastcgi_pass unix:/run/run/php-fpm.sock;
或者
fastcgi_pass 127.0.0.1:9000;
看http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html#fastcgi_pass