nginx forbidden and bad gateway errors

Question

I configured nginx to serve two virtua host from our server: a main host and a subdomain host. The main host is a rails app, served with passenger. It works as expected.

The subdomain host is a little PHP app. Doing a browser request to this subdomain, it returns a 403 (forbidden) error. And when doing a browser request to a specific file, it returns a 502 (bad gateway) error.

Here is the nginx.conf file:

#user  nobody;
worker_processes  3;

events {
  worker_connections  19000;
}

worker_rlimit_nofile  20000;


http {
  include       mime.types;
  default_type  application/octet-stream;

  passenger_root /usr/local/lib/ruby/gems/1.9.1/gems/passenger-3.0.18;
  passenger_ruby /usr/local/bin/ruby;

  sendfile        on;

  gzip  on;
  gzip_http_version   1.1;
  gzip_disable        "msie6";
  gzip_vary           on;
  gzip_comp_level     9;
  gzip_static         on;

  passenger_max_pool_size 6;
  passenger_min_instances 1;
  passenger_pool_idle_time 10;

  # Rails app
  server {
    listen       80;
    server_name  .domain.com;
    passenger_enabled on;

    root /home/ubuntu/rails_app/public;

    location ~ ^/assets/ {
      expires           max;
      add_header        Cache-Control public;
      #add_header        Last-Modified "";
      #add_header        ETag "";
      open_file_cache          max=1000 inactive=500s;
      open_file_cache_valid    600s;
      open_file_cache_errors   on;
      break;
    }

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
      root   html;
    }
  }


  # PHP app
  server {
      listen       80;
      server_name  sub.domain.com;

      root   /home/ubuntu/rails_app/sendy;
      index  index.html index.htm index.php;

      if (!-d $uri) { 
          set $rule_0 1$rule_0;
      }

      if (!-f $uri) {
          set $rule_0 2$rule_0;
      }

      if ($rule_0 = "21") {
          rewrite ^/([a-zA-Z0-9-]+)$ /$1.php last;
      }

      location / {
          try_files $uri $uri/ /index.php;
      }

      location ~ \.php$ {
          #root           html;
          fastcgi_pass   unix:/var/run/php-fpm/php-fpm.sock;
          #fastcgi_index  index.php;
          fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
          fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
          include        fastcgi_params;
      }

      location /l {
          rewrite ^/l/([a-zA-Z0-9/]+)$ /l.php?i=$1 last;
      }

      location /t {
          rewrite ^/t/([a-zA-Z0-9/]+)$ /t.php?i=$1 last;
      }

      location /w {
          rewrite ^/w/([a-zA-Z0-9/]+)$ /w.php?i=$1 last;
      }

      location /unsubscribe {
          rewrite ^/unsubscribe/(.*)$ /unsubscribe.php?i=$1 last;
      }

      location /subscribe {
          rewrite ^/subscribe/(.*)$ /subscribe.php?i=$1 break;
      }

      location ~ /\.ht {
          deny  all;
      }
  }
}

I thought it was a permissions issue, but I change them to 744, 755 and even 777 and still getting the same errors.

Any ideas?

Answer 1

Your nginx config looks good on the first view. I am a bit concerned about the php-fpm processes. You should have one master-process and at least one child, usually more than one.

Did you configure a php-fpm pool?

That's how my processes look like

# ps aux | grep "php"
root      1081  0.0  0.3 387316  5404 ?        Ss   14:49   0:00 php-fpm: master process (/etc/php-fpm.conf)
nobody    1082  0.0  0.6 390376 10316 ?        S    14:49   0:03 php-fpm: pool poolname.com
nobody    1083  0.0  0.6 390388 10360 ?        S    14:49   0:03 php-fpm: pool poolname.com
nobody    1084  0.0  0.6 390392 10324 ?        S    14:49   0:02 php-fpm: pool poolname.com

Your /etc/php-fpm.conf should contain at least this:

include=/etc/php-fpm.d/*.conf

[global]
pid = /var/run/php-fpm/php-fpm.pid
error_log = /var/log/php-fpm.log
daemonize = yes

Then you need to create a pool definition in /etc/php-fpm.d/

e.g. mydomain.com.conf

[mydomain.com]
; The address on which to accept FastCGI requests.
; Valid syntaxes are:
;   'ip.add.re.ss:port'    - to listen on a TCP socket to a specific address on
;                            a specific port;
;   'port'                 - to listen on a TCP socket to all addresses on a
;                            specific port;
;   '/path/to/unix/socket' - to listen on a unix socket.
; Note: This value is mandatory.

listen        = /var/run/php-fpm/php-fpm.sock

; Set permissions for unix socket, if one is used. In Linux, read/write
; permissions must be set in order to allow connections from a web server. Many
; BSD-derived systems allow connections regardless of permissions..
; Default Values: user and group are set as the running user
; mode is set to 0666

listen.owner  = nginx
listen.group  = nginx
listen.mode   = 0666

; Unix user/group of processes
; Note: The user is mandatory. If the group is not set, the default user's group
; will be used.

user          = nobody
group         = nobody

; Choose how the process manager will control the number of child processes.
; Possible Values:
;   static  - a fixed number (pm.max_children) of child processes;
;   dynamic - the number of child processes are set dynamically based on the
;             following directives:
;             pm.max_children      - the maximum number of children that can
;                                    be alive at the same time.
;             pm.start_servers     - the number of children created on startup.
;             pm.min_spare_servers - the minimum number of children in 'idle'
;                                    state (waiting to process). If the number
;                                    of 'idle' processes is less than this
;                                    number then some children will be created.
;             pm.max_spare_servers - the maximum number of children in 'idle'
;                                    state (waiting to process). If the number
;                                    of 'idle' processes is greater than this
;                                    number then some children will be killed.
; Note: This value is mandatory.

pm = dynamic

; The number of child processes to be created when pm is set to 'static' and the
; maximum number of child processes to be created when pm is set to 'dynamic'.
; This value sets the limit on the number of simultaneous requests that will be
; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
; CGI.
; Note: Used when pm is set to either 'static' or 'dynamic'
; Note: This value is mandatory.

pm.max_children = 100

; The number of child processes created on startup.
; Note: Used only when pm is set to 'dynamic'
; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2

pm.start_servers = 20

; The desired minimum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'

pm.min_spare_servers = 5

; The desired maximum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'

pm.max_spare_servers = 100

; The number of requests each child process should execute before respawning.
; This can be useful to work around memory leaks in 3rd party libraries. For
; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
; Default Value: 0

pm.max_requests = 250

If config is set to your full satisfaction restart php-fpm

/etc/init.d/php-fpm restart

You should see a few more processes now

ps aux | grep "php"

make sure the socket file exists and is owned by the correct user (should be the user nginx runs with)

# ls -l /var/run/php-fpm/php-fpm.sock
srw-rw-rw- 1 nginx nginx 0 Jan  2 14:49 /var/run/php-fpm/php-fpm.sock

now restart your nginx to make sure it reads the new socket file

/etc/init.d/nginx restart

Hope this helps. If not, something else is wrong and we need to continue debugging