Edit for answer:

SELinux causes this problem. The temporary solution is to run this command: sudo semanage permissive -a httpd_t

But you shouldn't do that, for security reasons. I found an article written by Danila Vershinin on nginx SELinux configuration; if you have the same problem as me, you should read it.

Original question:

I have a WordPress + WooCommerce website on an nginx server (CentOS 7). I want to make the nginx fastcgi cache work, but it always gets miss or bypass, never hit.

Here is the error log:

2018/11/11 00:00:00 [crit] 1900#0: *1 mkdir() "/etc/nginx/cache/0/53" failed (2: No such file or directory) while reading upstream, client: 111.111.111.111, server: www.example.com, request: "GET /page2/ HTTP/1.1", upstream: "fastcgi://unix:/run/php-fpm/www.sock:", host: "www.example.com", referrer: "https://www.example.com/page1/"

So how do I solve this problem to make cache work? Thanks!

PS:

The cache will be stored in /etc/nginx/cache; its permissions are 700 (drwx------), and the user and group are nginx:root.

Here is the related nginx conf:

fastcgi_cache_path /etc/nginx/cache levels=1:2 keys_zone=WORDPRESS:500m inactive=240m;
fastcgi_cache_key "$scheme$request_method$host$request_uri";

Here is the upstream conf:

upstream php-fpm {
    server unix:/run/php-fpm/www.sock;
}

Here are some lines from the /etc/php-fpm.d/www.conf:

user = nginx
group = nginx
listen = /run/php-fpm/www.sock
listen.owner = nobody
listen.group = nobody
listen.mode = 0660
listen.acl_users = nginx
davidchannal
  • Can you please edit your post to show "top", so we can confirm the user the nginx master / child processes are running as? Also an "ls -l" showing the folder permissions of the /etc/nginx/cache folder. This really looks like a permissions issue. – Tim Nov 12 '18 at 18:48
  • Hi @Tim, I finally found out what causes the problem: it's SELinux. After I ran this command: sudo semanage permissive -a httpd_t, the fastcgi cache works. – davidchannal Nov 13 '18 at 02:42
  • Please write a full answer to your own question, and in 24 hours mark it as accepted, to help others who have this problem in the future. – Tim Nov 13 '18 at 03:26

1 Answer

I am answering my own question here.

The culprit is SELinux.

Basically, you need to make nginx comply with SELinux's policy for nginx, which is defined as httpd_t. Run the commands below.

  • sudo semanage permissive -a httpd_t
  • sudo mkdir -p /var/lib/nginx/cache
  • sudo chown -R nginx /var/lib/nginx
  • sudo restorecon -Rv /var/lib/nginx
  • Go to your nginx conf, change your cache location to /var/lib/nginx/cache
  • sudo matchpathcon -V /var/lib/nginx/cache
  • sudo semanage permissive -d httpd_t

Simple explanation:

  • The first command is enough to make the cache work, but it's not safe, because it allows nginx to get around SELinux.
  • Why /var/lib/nginx? This directory is already allowed by SELinux.
davidchannal
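
An added example, not part of the original answer: a shell helper that lists the AVC denials for the httpd_t domain from an audit log, so you can confirm that SELinux labelling rather than file permissions is what blocks the cache directory. The log lines are constructed samples, and the target type httpd_config_t is an assumption about how /etc/nginx is labelled.

```shell
#!/usr/bin/env bash
# Added example: list SELinux AVC denials for one source domain (default httpd_t).

# Constructed audit.log sample, not taken from the original post.
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1541894400.101:501): avc:  denied  { write } for  pid=1900 comm="nginx" name="cache" dev="dm-0" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_config_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1541894400.101:501): arch=c000003e syscall=83 success=no comm="nginx" exe="/usr/sbin/nginx"
type=AVC msg=audit(1541894401.007:502): avc:  denied  { read } for  pid=2210 comm="sshd" name="key" dev="dm-0" ino=77 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1541894460.250:510): avc:  denied  { add_name write } for  pid=1900 comm="nginx" name="0" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_config_t:s0 tclass=dir permissive=1
EOF
}

# Output, one line per denial: perms|tclass|name|target_type|permissive
# permissive=1 means the access was logged but allowed (domain in permissive mode).
httpd_denials() {
    awk -v dom="${1:-httpd_t}" '
        $1 != "type=AVC" || !/ denied / { next }
        {
            perms = ""; name = "-"; stype = ""; ttype = "-"; tclass = "-"; perm = "-"; inb = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "{") { inb = 1; continue }
                if ($i == "}") { inb = 0; continue }
                if (inb) { perms = perms (perms == "" ? "" : ",") $i; continue }
                if ($i ~ /^name=/)       { name = substr($i, 6); gsub(/"/, "", name) }
                if ($i ~ /^scontext=/)   { split($i, s, ":"); stype = s[3] }
                if ($i ~ /^tcontext=/)   { split($i, t, ":"); ttype = t[3] }
                if ($i ~ /^tclass=/)     { tclass = substr($i, 8) }
                if ($i ~ /^permissive=/) { perm = substr($i, 12) }
            }
            if (stype == dom) print perms "|" tclass "|" name "|" ttype "|" perm
        }'
}

# Demo on the constructed sample; on a real host pipe in /var/log/audit/audit.log instead.
sample_audit_log | httpd_denials
```

While httpd_t is permissive the denials are still logged with permissive=1, so running this after the last step and seeing no new permissive=0 lines for the cache path is a quick check that the relabelled directory works under enforcement.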