使用 Nginx + PHP-FPM 访问 PHP 文件被拒绝 (403)
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/23390531/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Access denied (403) for PHP files with Nginx + PHP-FPM
提问by feub
I have been spending few hours on that issue and despite the high number of posts related to it, I cannot solve it. I have a Fedora 20 box with Nginx + PHP-FPM that worked quite good until today (after I reloaded php-fpm.service I guess). Nginx is serving static files with no problem, but any PHP file triggers an error 403.
我一直在这个问题上花了几个小时,尽管与它相关的帖子数量很多,但我无法解决它。我有一个带有 Nginx + PHP-FPM 的 Fedora 20 机器,直到今天都运行良好(我猜是在我重新加载了 php-fpm.service 之后)。Nginx 提供静态文件没有问题,但任何 PHP 文件都会触发错误 403。
The permissions are ok, nginx and php-fpm are running under the user "nginx":
权限没问题,nginx和php-fpm都在用户“nginx”下运行:
root 13763 0.0 0.6 490428 24924 ? Ss 15:47 0:00 php-fpm: master process (/etc/php-fpm.conf)
nginx 13764 0.0 0.1 490428 7296 ? S 15:47 0:00 php-fpm: pool www
nginx 13765 0.0 0.1 490428 7296 ? S 15:47 0:00 php-fpm: pool www
nginx 13766 0.0 0.1 490428 7296 ? S 15:47 0:00 php-fpm: pool www
nginx 13767 0.0 0.1 490428 7296 ? S 15:47 0:00 php-fpm: pool www
nginx 13768 0.0 0.1 490428 6848 ? S 15:47 0:00 php-fpm: pool www
The served files have been set to nginx user as well, I even ended chmoding 777 those files to try, but still "Access denied" for any PHP files.
提供的文件也已设置为 nginx 用户,我什至结束了 chmoding 777 这些文件的尝试,但对于任何 PHP 文件仍然“拒绝访问”。
Below is a server of my Nginx config:
下面是我的 Nginx 配置的服务器:
server {
listen 80;
server_name localhost;
root /var/www/html;
location ~ \.php$ {
fastcgi_intercept_errors on;
try_files $uri =404;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
}
The PHP-FPM pool:
PHP-FPM 池:
[www]
...
listen = 127.0.0.1:9000
user = nginx
group = nginx
...
For the versions:
对于版本:
php-5.5.11(as well as php-fpm-5.5.11of course)
php-5.5.11(当然还有php-fpm-5.5.11)
nginx-1.4.7
nginx-1.4.7
I am adding the Nginx error log:
我正在添加 Nginx 错误日志:
FastCGI sent in stderr: "Access to the script '/var/www/html' has been denied (see security.limit_extensions)" while reading response header from upstream, client: xxx.xxx.xxx.xxx, server: localhost, request: "GET /index.php HTTP/1.1", upstream: "fastcgi://127.0.0.1:9000", host: "xxx.xxx.xxx.xxx"
And precise that security.limit_extensionsis correct, set to: security.limit_extensions = .php.
准确地说security.limit_extensions是正确的,设置为:security.limit_extensions = .php。
About the path permissions, /var/www/htmlcan be traversed. What am I missing?
关于路径权限,可以遍历/var/www/html。我错过了什么?
回答by VF_
Here are some possible solutions:
以下是一些可能的解决方案:
In your php-fpm www.conf set
security.limit_extensionsto.phpor.php5or whatever suits your environment. For some users, completely removing all values or setting it toFALSEwas the only way to get it working.In your nginx config file set
fastcgi_passto your socket address (e.g.unix:/var/run/php-fpm/php-fpm.sock;) instead of your server address and port.Check your
SCRIPT_FILENAMEfastcgi param and set it according to the location of your files.In your nginx config file include
fastcgi_split_path_info ^(.+\.php)(/.+)$;in the location block where all the other fastcgi params are defined.In your php.ini set
cgi.fix_pathinfoto1
在您的 php-fpm www.conf 中设置
security.limit_extensions为.php或.php5或适合您环境的任何内容。对于某些用户来说,完全删除所有值或将其设置FALSE为使其正常工作的唯一方法。在您的 nginx 配置文件中设置
fastcgi_pass为您的套接字地址(例如unix:/var/run/php-fpm/php-fpm.sock;)而不是您的服务器地址和端口。检查您的
SCRIPT_FILENAMEfastcgi 参数并根据您的文件位置进行设置。在您的 nginx 配置文件中,包含
fastcgi_split_path_info ^(.+\.php)(/.+)$;在定义所有其他 fastcgi 参数的位置块中。在你的 php.ini 设置
cgi.fix_pathinfo为1
回答by mdekkers
Please note that the above solution (set cgi.fix_pathinfoto 1) is a terribleidea. See https://nealpoole.com/blog/2011/04/setting-up-php-fastcgi-and-nginx-dont-trust-the-tutorials-check-your-configuration/for a good overview.
请注意,上述解决方案(设置cgi.fix_pathinfo为1)是一个糟糕的主意。请参阅https://nealpoole.com/blog/2011/04/setting-up-php-fastcgi-and-nginx-dont-trust-the-tutorials-check-your-configuration/以获得一个很好的概述。
The issue is probably down to your application relying on PATH_INFO. Enable access logging for php to get more information about how your application is called to help you debug this issue.
问题可能归结于您的应用程序依赖 PATH_INFO。为 php 启用访问日志以获取有关如何调用应用程序的更多信息,以帮助您调试此问题。
Once again, just to be sure - the accepted solution is a terribleidea, and will likely get your site hacked.
再一次,为了确定 - 接受的解决方案是一个糟糕的主意,并且可能会让您的网站遭到黑客攻击。
回答by Eduard Pertí?ez
Do not forget to restart php5-fpm service after changing php.ini!!
更改php.ini后不要忘记重启php5-fpm服务!!
service php5-fpm restart or service php5-fpm reload
服务 php5-fpm 重启或服务 php5-fpm 重新加载
fpm prestarts php5 so it is not enough to restart nginx to have the changes applied.
fpm 预启动 php5,因此仅重新启动 nginx 以应用更改是不够的。
回答by u6488398
It may be related to selinux. If you use the shared folderof Virtual Box, you cannot change the access permissions in this folder in Linux. Therefore, you can solve it after closing selinux.
可能与selinux有关。如果您使用的共享文件夹的虚拟盒,你不能在此文件夹中的Linux中更改访问权限。因此,您可以在关闭selinux后解决它。
回答by Cong IT
For reference of those coming later: In the conf for your site try to add: fastcgi_param PATH_INFO $fastcgi_path_info; Also look at what SELinux is doing. To turn it off: setenforce 0 But then figure what script is the issue and put back to setenforce 1
供以后参考:在您站点的 conf 中尝试添加: fastcgi_param PATH_INFO $fastcgi_path_info; 还要看看 SELinux 在做什么。关闭它: setenforce 0 但是然后找出问题所在的脚本并放回 setenforce 1
回答by joe_flash
This could also happen if there is no index.phpin your vhost document root.
如果index.php您的 vhost 文档根目录中没有,也可能发生这种情况。
Carefully double-check the www_rootparameter in your nginx configuration. Then double check that the php file you're trying to hit is actually in there.
仔细检查www_rootnginx 配置中的参数。然后仔细检查您尝试访问的 php 文件是否确实在那里。
In my case, I mis-typed the vhost doc root path and so pointed it to an empty directory, yielding a 403.
就我而言,我错误地输入了 vhost doc 根路径,因此将其指向一个空目录,产生了 403。
