nginx php-fpm:连接到上游时权限被拒绝

nginx php-fpm:连接到上游时权限被拒绝

安装 nginx 和 php-fpm 会导致以下错误,即使按照前面的答案中的建议设置了所有必需的权限后也不会发生:

[error] 2443#0: *2 connect() to unix:/run/php-fpm/php-fpm.pid failed (111: Connection refused) while connecting to upstream

这是我的所有配置: /etc/php-fpm.d/www.conf

[www]
user = nginx
group = nginx
listen = /run/php-fpm/php-fpm.pid
listen.owner = nginx
listen.group = nginx
listen.mode = 0660
listen.allowed_clients = 127.0.0.1

pm = dynamic
pm.max_children = 50
pm.start_servers = 5
pm.min_spare_servers = 5
pm.max_spare_servers = 35

slowlog = /var/log/php-fpm/www-slow.log

php_admin_value[error_log] = /var/log/php-fpm/www-error.log
php_admin_flag[log_errors] = on
php_value[session.save_handler] = files
php_value[session.save_path]    = /var/lib/php/session
php_value[soap.wsdl_cache_dir]  = /var/lib/php/wsdlcache

/etc/php-fpm.conf

include=/etc/php-fpm.d/*.conf
[global]
pid = /run/php-fpm/php-fpm.pid
error_log = /var/log/php-fpm/error.log
daemonize = yes
events.mechanism = epoll

/etc/nginx/nginx.conf

user nginx nginx;
worker_processes 1;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
include /usr/share/nginx/modules/*.conf;
events {
    worker_connections 1024;
}
http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    access_log  /var/log/nginx/access.log  main;
    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;
    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;
    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;
    upstream php {
        #server unix:/var/run/php-fpm/php-fpm.pid;
        server 127.0.0.1:9000;
    }
    server_names_hash_bucket_size 64;
    # Virtual hosts
    include /etc/nginx/sites/*.conf;
}

/etc/nginx/sites/*.conf

server {
        listen 80 ;
        listen [::]:80;
        server_name elkhobara.com www.elkhobara.com;
        root /var/hosts/elkhobara;
        index index.html index.htm index.php;
        location / {
                try_files $uri $uri/ =404;
        }
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
                root   html;
        }
        location ~ \.php$ {
               try_files $uri =404;
               fastcgi_pass unix:/run/php-fpm/php-fpm.pid;
               #fastcgi_pass 127.0.0.1:9000;
               fastcgi_index index.php;
               include /etc/nginx/fastcgi_params;
               fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
        }
}

请注意,如果我将套接字更改为 127.0.0.1:9000,那么它将完美运行。

更新:

SELinux 状态:

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

/var/log/audit/audit.log

--------------------------------------------------------------------------------

SELinux is preventing /usr/sbin/nginx from getattr access on the file /var/hosts/elkhobara/index.php.

*****  Plugin catchall_labels (83.8 confidence) suggests   *******************

If you want to allow nginx to have getattr access on the index.php file
Then you need to change the label on /var/hosts/elkhobara/index.php
Do
# semanage fcontext -a -t FILE_TYPE '/var/hosts/elkhobara/index.php'
where FILE_TYPE is one of the following: --Striped text--.
Then execute:
restorecon -v '/var/hosts/elkhobara/index.php'


*****  Plugin catchall (17.1 confidence) suggests   **************************

If you believe that nginx should be allowed getattr access on the index.php file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'nginx' --raw | audit2allow -M my-nginx
# semodule -i my-nginx.pp


Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                unconfined_u:object_r:var_t:s0
Target Objects                /var/hosts/elkhobara/index.php [ file ]
Source                        nginx
Source Path                   /usr/sbin/nginx
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           nginx-1.10.2-1.el7.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-102.el7_3.7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     ip-172-31-39-125.us-west-2.compute.internal
Platform                      Linux ip-172-31-39-125.us-west-2.compute.internal
                              3.10.0-514.2.2.el7.x86_64 #1 SMP Wed Nov 16
                              13:15:13 EST 2016 x86_64 x86_64
Alert Count                   23
First Seen                    2017-01-01 16:46:48 EST
Last Seen                     2017-01-02 10:32:42 EST
Local ID                      0ff17cb3-2f01-4acf-8510-ab289c98d946

Raw Audit Messages
type=AVC msg=audit(1483371162.342:339): avc:  denied  { getattr } for  pid=2443 comm="nginx" path="/var/hosts/elkhobara/index.php" dev="xvda2" ino=25207236 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file


type=SYSCALL msg=audit(1483371162.342:339): arch=x86_64 syscall=stat success=yes exit=0 a0=7f9f09cef2d4 a1=7ffcd9347290 a2=7ffcd9347290 a3=7f9f09db3b30 items=0 ppid=2442 pid=2443 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=nginx exe=/usr/sbin/nginx subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: nginx,httpd_t,var_t,file,getattr

--------------------------------------------------------------------------------

SELinux is preventing /usr/sbin/nginx from read access on the file index.php.

*****  Plugin catchall_labels (83.8 confidence) suggests   *******************

If you want to allow nginx to have read access on the index.php file
Then you need to change the label on index.php
Do
# semanage fcontext -a -t FILE_TYPE 'index.php'
where FILE_TYPE is one of the following: --Striped long text for future readability.
Then execute:
restorecon -v 'index.php'


*****  Plugin catchall (17.1 confidence) suggests   **************************

If you believe that nginx should be allowed read access on the index.php file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'nginx' --raw | audit2allow -M my-nginx
# semodule -i my-nginx.pp


Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                unconfined_u:object_r:var_t:s0
Target Objects                index.php [ file ]
Source                        nginx
Source Path                   /usr/sbin/nginx
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           php-fpm-7.1.0-1.el7.remi.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-102.el7_3.7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     ip-172-31-39-125.us-west-2.compute.internal
Platform                      Linux ip-172-31-39-125.us-west-2.compute.internal
                              3.10.0-514.2.2.el7.x86_64 #1 SMP Wed Nov 16
                              13:15:13 EST 2016 x86_64 x86_64
Alert Count                   2
First Seen                    2017-01-01 17:10:48 EST
Last Seen                     2017-01-02 06:22:16 EST
Local ID                      ce7a65cb-6b95-4fc4-b31b-19efccf56ab1

Raw Audit Messages
type=AVC msg=audit(1483356136.314:121): avc:  denied  { read } for  pid=9421 comm="php-fpm" name="index.php" dev="xvda2" ino=25207236 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file


type=AVC msg=audit(1483356136.314:121): avc:  denied  { open } for  pid=9421 comm="php-fpm" path="/var/hosts/elkhobara/index.php" dev="xvda2" ino=25207236 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file


type=SYSCALL msg=audit(1483356136.314:121): arch=x86_64 syscall=open success=yes exit=EIO a0=7ffc64561010 a1=0 a2=1b6 a3=2 items=0 ppid=9419 pid=9421 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=php-fpm exe=/usr/sbin/php-fpm subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: nginx,httpd_t,var_t,file,read

--------------------------------------------------------------------------------

答案1

不要监听 pid 文件......

在您的池配置中:

您必须监听套接字文件或 TCP,如下所示:

listen = /run/run/php-fpm.sock

或者

listen = 127.0.0.1:9000

http://php.net/manual/fr/install.fpm.configuration.php#listen

在 Nginx 中:

fastcgi_pass unix:/run/run/php-fpm.sock;

或者

fastcgi_pass 127.0.0.1:9000;

http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html#fastcgi_pass

相关内容