4

I am migrating to a new server to upgrade my internals and I have encountered this error when standing up my Apache and PHP:

[Fri Apr 09 16:51:26.243820 2021] [proxy:error] [pid 31179:tid 140021109556992] (13)Permission denied: AH02454: FCGI: attempt to connect to Unix domain socket /run/php-fpm/www.sock (*) failed
[Fri Apr 09 16:51:26.243868 2021] [proxy_fcgi:error] [pid 31179:tid 140021109556992] [client 47.213.222.69:56165] AH01079: failed to make connection to backend: httpd-UDS

The /run/php-fpm/www.sock file does exist, but it has root:root permissions. My webserver runs under a user that is not the default apache (the user is sites)

After much searching I found this article PHP-FPM - Error 503 - Attempt to connect to Unix domain socket failed and discovered that the /run/php-fpm/www.sock file needs to be chowned to the same user that runs httpd. So I did `chown sites: /run/php-fpm/www.sock` and everything started working.

However, if the php-fpm service is restarted the permissions revert to root:root and PHP pages return 503.

So I checked in /etc/php-fpm.d/www.conf and updated the lines:

user = sites
group = apache
 .
 .
 .
listen.owner = sites
listen.group = apache

I chowned the www.sock file again, but when the php-fpm service is restarted it still reverts the permissions of the www.sock file back to root:root

So I am stumped, and there seems to be very little information about this error to be found in my searching. And I know that with the chown command I can resolve the issue, however if my server ever needs to be restarted in the future, I doubt I will remember to do that unless I add an @reboot cron or something, but I shouldn't have to do that. I must be missing some configuration somewhere, I just can't find it.

My system information: CentOS 8 Stream, PHP 7.2.24, Apache 2.4.37

  • I think I may have found a possible solution, but I am questioning if it is the right one. Inside `/etc/php-fpm.d/www.conf` adding the `sites` user to the `listen.acl_users` list seems to have allowed the `www.sock` to remain owned by `root:root` without causing PHP pages to error out with a 503 – Phillip Hagerman Apr 09 '21 at 17:57
  • On Rocky 9 this is not working with php8.x because the apache user is already set in the listen.acl_users – M46 May 25 '23 at 08:25
  • Phillip, if possible, check my answer and set it as the correct one, to allow other people to see it. I found the root cause of the problem. – Paulo Coghi Jun 27 '23 at 17:17

6 Answers

4

I've got the same issue; my config file /etc/php-fpm.d/www.conf was correct, like yours.

I solved the issue when I saw that my php-fpm.service was started as root.

I edited the file /usr/lib/systemd/system/php-fpm.service and added:

[Service]
User=youruser
Group=YourGroup

Also check permissions on all paths you see in the file /etc/php-fpm.conf, for example the log file.

Sbstn Lu
    Don't edit the files in `/usr/lib/systemd/system/`, create a drop in file instead. You can do that by running `systemctl edit php-fpm`. – Gerald Schneider Nov 29 '21 at 15:00
2

In www.conf are the following entries:

listen.owner
listen.group
listen.mode

My guess is they default to no one allowed, so the web server can't access the sock file. I changed these three settings (enabled actually) and added my httpd user and group as owner and group, set mode to 755 (cause 644 didn't work) and now the web server works and talks to php. IDK if that is the right solution or not, or if acl_users is more "correct"....but it appears both methods work.

Gerald Schneider
Al Zoot
  • For me under Rocky9 no solution is working for php 8.x while 7.x does not have any of these problems. So a workaround is to set listen.mode to 0666. But it's not recommended for security reasons. – M46 May 25 '23 at 10:24
0

Add custom conf file /etc/php-fpm.d/z-php-fpm-override.conf

[www]
listen.owner = apache
;Make listen.acl_users blank
listen.acl_users =

It fixed the issue for me

0

If you are using Apache2 in Ubuntu, make these changes in your pool file:

listen.owner = www-data
listen.group = www-data
0

[2023 update]

tl;dr

listen.acl_groups must be void.

Explanation

The only issue is the listen.acl_groups variable from /etc/php-fpm.d/www.conf

If it's set, then listen.owner and listen.group are ignored, as explained in its own comments:

; When POSIX Access Control Lists are supported you can set them using
; these options, value is a comma separated list of user/group names.
; When set, listen.owner and listen.group are ignored

Solution

Thus, the solution is to change it to a void value, as:

listen.acl_groups =

I verified this behavior on Almalinux, Rocky Linux, CentOS, RedHat 8 and 9.

Paulo Coghi
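The precedence rule quoted in the answer above (a non-empty ACL list makes php-fpm ignore listen.owner and listen.group) can be checked against a pool configuration before restarting the service. This is an added example, not code from any of the answers: the function names and the sample files are constructed, and it assumes the files in /etc/php-fpm.d/ are read in name order with the last value winning.

```python
import re

# Constructed sample pool files; not taken from the asker's server.
SAMPLE_FILES = {
    "www.conf": """[www]
listen.owner = sites
listen.group = apache
;listen.mode = 0660
listen.acl_users = apache,nginx
""",
    "z-php-fpm-override.conf": """[www]
listen.acl_users =
""",
}

def effective_pool(files, pool="www"):
    """Merge one pool's directives; assumes files load in name order, last wins."""
    merged, section = {}, None
    for name in sorted(files):
        for raw in files[name].splitlines():
            line = raw.split(";", 1)[0].strip()  # ';' starts a comment
            header = re.fullmatch(r"\[(.+)\]", line)
            if header:
                section = header.group(1)
            elif section == pool and "=" in line:
                key, value = (part.strip() for part in line.split("=", 1))
                merged[key] = value
    return merged

def names(value):
    return {n.strip() for n in (value or "").split(",") if n.strip()}

def audit_socket_access(files, web_user, web_groups=(), pool="www"):
    cfg, findings = effective_pool(files, pool), []
    acl_users, acl_groups = names(cfg.get("listen.acl_users")), names(cfg.get("listen.acl_groups"))
    if acl_users or acl_groups:
        findings.append("ACL set: listen.owner and listen.group are ignored")
        allowed = web_user in acl_users or bool(acl_groups & set(web_groups))
    else:
        mode = int(cfg.get("listen.mode", "0660"), 8)  # php-fpm default is 0660
        # connect() on a Unix socket needs write permission on the socket file
        allowed = bool((cfg.get("listen.owner") == web_user and mode & 0o200)
                       or (cfg.get("listen.group") in web_groups and mode & 0o020)
                       or mode & 0o002)
        if mode & 0o002:
            findings.append("listen.mode is world-writable: any local user can reach the pool")
    if not allowed:
        findings.append(f"{web_user} cannot connect to the socket")
    return allowed, findings
```

Calling `audit_socket_access(SAMPLE_FILES, "sites", ("apache",))` returns `(True, [])` because the override file blanks the ACL; with only `www.conf` loaded the same account is refused.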
0

In my own case on remi's php80-php-fpm, I had to change listen.acl_users variable in ../php-fpm.d/www.conf to my webserver's user. For example:

;comment: replace mywebserveruser with your own user 
listen.acl_users = mywebserveruser
Dev