当文件存在且可读时,php-fpm 出现意外的 404 响应

tag-icon tag-icon nginx php-fpm arch-linux
当文件存在且可读时,php-fpm 出现意外的 404 响应

我正在使用 nginx 运行一个简单的基于 PHP 的网站。在最近更新了一些系统组件后,该网站停止工作。当我尝试访问该网站时,我得到一个空白页,上面显示“文件未找到”文本。服务器日志告诉我

FastCGI 在 stderr 中发送:“主脚本未知”,同时从上游读取响应头

PHP 日志包含

- - 25/Jan/2020:17:18:50 +0100 "GET /index.php" 404 - 0.151 2048 0.00%

nginx配置如下。

# configuration file /etc/nginx/nginx.conf:

user http http;
worker_processes  1;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    types_hash_max_size 2048;
    types_hash_bucket_size 128;

    sendfile        on;

    keepalive_timeout  65;

    # some server blocks elided

    include /home/myuser/www/com.mydomain.conf;
}

# configuration file /etc/nginx/mime.types:
types {
application/A2L                    a2l;
# lots of types elided so as not to exceed post size limit
}

# configuration file /etc/nginx/fastcgi.conf:

fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
fastcgi_param  QUERY_STRING       $query_string;
fastcgi_param  REQUEST_METHOD     $request_method;
fastcgi_param  CONTENT_TYPE       $content_type;
fastcgi_param  CONTENT_LENGTH     $content_length;

fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
fastcgi_param  REQUEST_URI        $request_uri;
fastcgi_param  DOCUMENT_URI       $document_uri;
fastcgi_param  DOCUMENT_ROOT      $document_root;
fastcgi_param  SERVER_PROTOCOL    $server_protocol;
fastcgi_param  HTTPS              $https if_not_empty;

fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;

fastcgi_param  REMOTE_ADDR        $remote_addr;
fastcgi_param  REMOTE_PORT        $remote_port;
fastcgi_param  SERVER_ADDR        $server_addr;
fastcgi_param  SERVER_PORT        $server_port;
fastcgi_param  SERVER_NAME        $server_name;

# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param  REDIRECT_STATUS    200;
fastcgi_buffers 16 16k; 
fastcgi_buffer_size 32k;


# configuration file /home/myuser/www/com.mydomain.conf:
server {
  listen 80;
  server_name mydomain.com;
  # enforce https
  return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name mydomain.com;

    client_max_body_size 16m;

    root /home/myuser/www/com.mydomain;
    index index.php;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        try_files $uri $fastcgi_script_name =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
        fastcgi_index index.php;
        fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
   }
}

nginx 和 php-fpm 以用户身份运行http,并且该index.php文件可由该用户访问:

-rwxrwxr-x 1 http http 1,7K  8. Nov 10:40 /home/myuser/www/com.mydomain/index.php

我已确定这一点,$document_root并且$fastcgi_script_name通过测试证明其是正确的SCRIPT_NAME

我究竟做错了什么?

编辑:这确实看起来像是一个权限问题,但我仍然不明白。如果我将网站内容移至/usr/share/webapps/进行测试,它可以正常工作。不幸的是,这不是生产使用的选项。将文件放在其预期(原始)位置后,我可以运行类似的东西sudo -u http php /home/myuser/www/com.mydomain/test.php并获得预期的结果。什么可以阻止 php-fpm(或套接字)访问这些文件?open_basedir未设置。

答案1

除了 nginx 和 php-fpm 之间的交互中可能出错的所有事情(本网站的多个问题中讨论过)之外,systemd 还存在另一个陷阱,而这恰恰是本案的罪魁祸首。

php-fpm.service 单元文件包含该ProtectHome=true指令。我可以通过运行systemctl edit php-fpm.service并指定来解决这个问题

[Service]
ProtectHome=false

相关内容