I think I have a small mistake in my configuration. I use a server for a Magento shop.
My server settings for Nginx are:
## Account the worker processes run as. It needs read access to every file nginx
## serves directly, including files the PHP backend creates under the document root.
user nobody;
worker_processes 2; ## = CPU qty
pid /var/run/nginx.pid;

## Error log; the commented variants raise the verbosity.
error_log /var/log/nginx/error.log;
#error_log /var/log/nginx/error.log notice;
#error_log /var/log/nginx/error.log info;

events {
    use epoll;
    worker_connections 1024;
}
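http {
    index index.html index.php; ## Allow a static html file to be shown first
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    #log_format error403 '$remote_addr - $remote_user [$time_local] '
    #                    '$status "$request" "$http_x_forwarded_for"';

    server_tokens off; ## Do not advertise the nginx version in headers and error pages
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;

    ## Gzipping is an easy way to reduce page weight
    gzip on;
    gzip_vary on;
    gzip_proxied any;
    gzip_types text/css application/x-javascript;
    gzip_buffers 16 8k;
    gzip_comp_level 8;
    gzip_min_length 1024;

    #ssl_session_cache shared:SSL:15m;
    #ssl_session_timeout 15m;
    keepalive_timeout 10;

    ## Use when Varnish in front
    ## X-Forwarded-For is client-controlled; it is only trustworthy when the request
    ## comes from the proxy address named in set_real_ip_from.
    #set_real_ip_from 127.0.0.1;
    #real_ip_header X-Forwarded-For;

    ## Multi domain configuration
    #map $http_host $storecode {
    #www.domain1.com 1store_code; ## US main
    #www.domain2.net 2store_code; ## EU store
    #www.domain3.de 3store_code; ## German store
    #www.domain4.com 4store_code; ## different products
    #}

    server {
        listen 80; ## change to 8080 with Varnish
        #listen 443 ssl;
        server_name _; ## Domain is here
        root /var/www/html;
        access_log /var/log/nginx/access_mydomain.log main;

        ## Nginx will not add the port in the url when the request is redirected.
        #port_in_redirect off;

        ####################################################################################
        ## SSL CONFIGURATION
        ## NOTE(review): do not enable the protocol and cipher lines below as written.
        ## SSLv3 and RC4 are deprecated (RFC 7568, RFC 7465) and TLSv1/TLSv1.1 as well
        ## (RFC 8996); replace them with a current protocol and cipher list first.
        ## The private key path points into /etc/ssl/certs, which is usually
        ## world-readable; keep the key in a directory only root can read.
        #ssl_certificate /etc/ssl/certs/www_server_com.chained.crt;
        #ssl_certificate_key /etc/ssl/certs/server.key;
        #ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        #http://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
        #http://serverfault.com/questions/417512/disable-deflate-compression-in-nginx-ssl
        #ssl_ciphers AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH;
        #ssl_ciphers RC4:HIGH:!aNULL:!MD5:!kEDH;
        #ssl_prefer_server_ciphers on;

        ####################################################################################
        ## Server maintenance block. insert dev ip 1.2.3.4 static address www.whatismyip.com
        ## When filling in a real address, escape the dots (1\.2\.3\.4) so that the
        ## pattern matches only that address.
        #if ($remote_addr !~ "^(1.2.3.4|1.2.3.4)$") {
        #return 503;
        #}
        #error_page 503 @maintenance;
        #location @maintenance {
        #rewrite ^(.*)$ /error_page/503.html break;
        #internal;
        #access_log off;
        #log_not_found off;
        #}

        ####################################################################################
        ## 403 error log/page
        #error_page 403 /403.html;
        #location = /403.html {
        #root /var/www/html/error_page;
        #internal;
        #access_log /var/log/nginx/403.log error403;
        #}

        ####################################################################################
        ## Main Magento location
        location / {
            try_files $uri $uri/ @handler;
        }

        ####################################################################################
        ## These locations would be hidden by .htaccess normally, protected
        ## Fixed: the pkginfo alternative carried an extra leading slash, so it only
        ## matched "//pkginfo/" and left /pkginfo/ reachable; the dots in local.xml and
        ## .hta are now escaped so they match a literal dot.
        ## This regex location must stay above the static-asset and PHP regex locations:
        ## nginx uses the first regex location that matches.
        ## NOTE(review): compare this list with the .htaccess files shipped with the
        ## installed Magento version; other directories may need the same treatment.
        location ~ (/(app/|includes/|pkginfo/|var/|errors/local\.xml)|/\.svn/|/\.hta.+) {
            deny all;
            #internal;
        }

        ####################################################################################
        ## Protecting /admin/ and /downloader/ 1.2.3.4 = static ip (www.whatismyip.com)
        #location /downloader/ {
        #allow 1.2.3.4;
        #allow 1.2.3.4;
        #deny all;
        #rewrite ^/downloader/(.*)$ /downloader/index.php$1;
        #}
        #location /admin {
        #allow 1.2.3.4;
        #allow 1.2.3.4;
        #deny all;
        #rewrite / /@handler;
        #}

        ####################################################################################
        ## Images, scripts and styles set far future Expires header
        ## These files are read by the nginx worker itself (the "user" directive), not by
        ## PHP-FPM, so the worker account needs read permission on them.
        location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
            expires max;
            log_not_found off;
            access_log off;
        }

        ####################################################################################
        ## Main Magento location
        location @handler {
            rewrite / /index.php;
        }

        ## Dot escaped so that only a literal ".php/" path segment is rewritten.
        location ~ \.php/ { ## Forward paths like /js/index.php/x.js to relevant handler
            rewrite ^(.*\.php)/ $1 last;
        }

        ####################################################################################
        ## Execute PHP scripts
        ## Dot escaped so that only URIs ending in a literal ".php" reach PHP-FPM.
        ## NOTE(review): every *.php file under the document root is executed, including
        ## any in directories the application can write to; consider denying PHP there.
        location ~ \.php$ {
            ## Return 404 unless the script exists on disk, so that a request for a
            ## non-existent .php path is never handed to the PHP interpreter.
            try_files $uri $uri/ =404;
            #try_files $uri $uri/ @handler;
            ## NOTE(review): the php-fpm settings posted with this config listen on
            ## /var/run/php-fpm/php-fpm.sock, not on this TCP port - confirm which
            ## endpoint the running pool actually uses.
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            ## Store code with multi domain
            #fastcgi_param MAGE_RUN_CODE $storecode;
            ## Default Store code
            fastcgi_param MAGE_RUN_CODE default;
            fastcgi_param MAGE_RUN_TYPE store; ## or website;
            include fastcgi_params; ## See /etc/nginx/fastcgi_params
        }
    }
}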
For php-fpm it is (it's not the whole file, just what I changed):
; Listen on a Unix socket instead of the TCP default (kept commented out below).
; NOTE(review): the nginx config posted above still has fastcgi_pass 127.0.0.1:9000;
; confirm that nginx and this pool agree on the same endpoint.
;listen = 127.0.0.1:9000
listen = /var/run/php-fpm/php-fpm.sock
; Owner, group and mode of the socket file. A client needs write permission on the
; socket to connect, so with 0664 only the nginx user and members of the nginx group
; can reach it; the previous 0666 allowed any local account.
;listen.owner = nobody
listen.owner = nginx
;listen.group = nobody
listen.group = nginx
;listen.mode = 0666
listen.mode = 0664
; Account the PHP workers run as; files created by PHP get this owner and group.
user = nginx
group = nginx
[...]
Then I add myself as a user via `useradd byname -d /var/www/html -m`, give myself a password (I use VSFTPD), add a group `wwwftp`, add myself to the group via `usermod -g wwwftp myname`, make `/var/www/html` owned by me with `chown byname /var/www/html`, and change the group (`chgrp wwwftp /var/www/html`).
Sometimes I have file permission issues. If Magento adds a file, the file is owned by user 99 and group 99. Images can't be displayed. Files can't be opened unless I make them 777.
Maybe something in my config is wrong?
You have php-fpm set to run as user nginx and group nginx so any files created by magento will have that user and group (are those 99?).
But nginx itself is running as user 'nobody' (first line). So it can't access images that are owned by user/group 'nginx' (created by php-fpm). Setting permissions to 777 allows user 'nobody' to access files owned by 'nginx', but it also lets every other account on the server modify them, so it only hides the mismatch.
But any php files written by magento would be fine, since they are created and read using user 'nginx' from php-fpm.
Why do you want to set the owner of /var/www/html to byname? What are you trying to accomplish? Are you trying to allow an FTP connection to read/write those files? If so, you'd be better off adding your user to group 'nobody' and group 'nginx' so you can read/write both kinds of files.