Php – Access denied (403) for PHP files with Nginx + PHP-FPM
I have spent a few hours on this issue and, despite the high number of posts related to it, I cannot solve it. I have a Fedora 20 box with Nginx + PHP-FPM that worked quite well until today (after I reloaded php-fpm.service, I guess). Nginx is serving static files with no problem, but any PHP file triggers a 403 error.
The permissions are ok, nginx and php-fpm are running under the user «nginx»:
root 13763 0.0 0.6 490428 24924 ? Ss 15:47 0:00 php-fpm: master process (/etc/php-fpm.conf)
nginx 13764 0.0 0.1 490428 7296 ? S 15:47 0:00 php-fpm: pool www
nginx 13765 0.0 0.1 490428 7296 ? S 15:47 0:00 php-fpm: pool www
nginx 13766 0.0 0.1 490428 7296 ? S 15:47 0:00 php-fpm: pool www
nginx 13767 0.0 0.1 490428 7296 ? S 15:47 0:00 php-fpm: pool www
nginx 13768 0.0 0.1 490428 6848 ? S 15:47 0:00 php-fpm: pool www
The served files have been set to the nginx user as well. I even ended up chmodding those files to 777 to try, but I still get «Access denied» for any PHP file.
Below is a server of my Nginx config:
[www]
.
listen = 127.0.0.1:9000
user = nginx
group = nginx
.
php-5.5.11 (as well as php-fpm-5.5.11 of course)
I am adding the Nginx error log:
FastCGI sent in stderr: "Access to the script '/var/www/html' has been denied (see security.limit_extensions)" while reading response header from upstream, client: xxx.xxx.xxx.xxx, server: localhost, request: "GET /index.php HTTP/1.1", upstream: "fastcgi://127.0.0.1:9000", host: "xxx.xxx.xxx.xxx"
And to be precise, security.limit_extensions is correct, set to: security.limit_extensions = .php.
About the path permissions, /var/www/html can be traversed.
What am I missing?
Best Solution
Here are some possible solutions:
- In your php-fpm www.conf set security.limit_extensions to .php or .php5 or whatever suits your environment. For some users, completely removing all values or setting it to FALSE was the only way to get it working.
- In your nginx config file set fastcgi_pass to your socket address (e.g. unix:/var/run/php-fpm/php-fpm.sock; ) instead of your server address and port.
- Check your SCRIPT_FILENAME fastcgi param and set it according to the location of your files.
- In your nginx config file include fastcgi_split_path_info ^(.+\.php)(/.+)$; in the location block where all the other fastcgi params are defined.
- In your php.ini set cgi.fix_pathinfo to 1
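A triage sketch for the error line quoted in the question, added here as an example (it is not code from the posts above or from PHP-FPM). It assumes security.limit_extensions is a plain suffix comparison, and it shows that the denied path in the question is the document root with no script name, which points at SCRIPT_FILENAME rather than at the extension list. The function names, verdict labels and the second and third sample lines are constructed for illustration.

```python
import re

DENIED = re.compile(
    r"Access to the script '(?P<script>[^']*)' has been denied "
    r"\(see security\.limit_extensions\).*?request: \"(?P<request>[^\"]*)\""
)

def extension_allowed(path, limit_extensions):
    """Suffix comparison against each listed extension (assumed to mirror
    php-fpm's check); an empty list means the check is switched off."""
    if not limit_extensions:
        return True
    return any(len(path) > len(e) and path.endswith(e) for e in limit_extensions)

def diagnose(line, limit_extensions=(".php",)):
    """Classify one nginx error-log line; returns None for unrelated lines."""
    m = DENIED.search(line)
    if m is None:
        return None
    script = m["script"]
    parts = m["request"].split()
    uri_path = parts[1].split("?", 1)[0] if len(parts) > 1 else ""
    if extension_allowed(script, limit_extensions):
        # Denied by the pool although this list would allow it: the running
        # pool was loaded with a different security.limit_extensions value.
        verdict = "running-pool-uses-different-list"
    elif extension_allowed(uri_path, limit_extensions) and not script.endswith(uri_path):
        # The URI is a PHP file but the path handed to PHP-FPM is not:
        # SCRIPT_FILENAME was built without the script name.
        verdict = "script-filename-misbuilt"
    else:
        # A non-PHP URI reached the fastcgi location; the denial is correct.
        verdict = "non-php-file-passed-to-fpm"
    return {"script": script, "uri": uri_path, "verdict": verdict}

def sample(script, uri):
    """Build a constructed log line in the format quoted in the question."""
    return ("FastCGI sent in stderr: \"Access to the script '" + script + "' has been "
            "denied (see security.limit_extensions)\" while reading response header "
            "from upstream, client: 192.0.2.10, server: localhost, request: \"GET "
            + uri + " HTTP/1.1\", upstream: \"fastcgi://127.0.0.1:9000\"")

if __name__ == "__main__":
    for script, uri in [("/var/www/html", "/index.php"),                # as in the question
                        ("/var/www/html/report.html", "/report.html"),  # constructed
                        ("/var/www/html/index.php", "/index.php")]:     # constructed
        print(diagnose(sample(script, uri)))
```

Pass the pool's actual extension list as the second argument to `diagnose` when it differs from `.php`.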
Related Solutions
Linux – How to change permissions for a folder and its subfolders/files in one step
The other answers are correct, in that chmod -R 755 will set these permissions to all files and subfolders in the tree. But why on earth would you want to? It might make sense for the directories, but why set the execute bit on all the files?
I suspect what you really want to do is set the directories to 755 and either leave the files alone or set them to 644. For this, you can use the find command. For example:
To change all the directories to 755 ( drwxr-xr-x ):
find /opt/lampp/htdocs -type d -exec chmod 755 {} \;
To change all the files to 644 ( -rw-r--r-- ):
find /opt/lampp/htdocs -type f -exec chmod 644 {} \;
- chmod 755 {} specifies the command that will be executed by find for each directory
- chmod 644 {} specifies the command that will be executed by find for each file
- {} is replaced by the path
- ; the semicolon tells find that this is the end of the command it’s supposed to execute
- \; the semicolon is escaped, otherwise it would be interpreted by the shell instead of find
Php – Nginx load balance with dedicated php-fpm server
If it’s a blank page with «Access denied» on it, it’s caused by security.limit_extensions directive that has been added to php-fpm.
If you don’t have it in your php-fpm configuration, it defaults to .php and prevents all other file types from being parsed by the PHP interpreter producing «Access denied» when trying to do so.
Related Question
Access Denied for PHP Files Only
Hugh Guiney
Updated on September 18, 2022
Comments
- Apache HTTP Server 2.2.21 with VirtualHosts under SuExec
- PHP 5.3.8 via fcgid
- Arch Linux 2011.08.19
I am getting 403 Access Denied errors from Apache any time I try to access a PHP file. HTML files and text files work fine. I’ve played with every conceivable permissions combination on the PHP files I can think of, from 644 to 777. Doesn’t change anything.
I also played with the permissions on the FCGI wrapper and parent folder. With o+x (777, 775, 773, 771), I get this in the browser:
Access forbidden!
You don’t have permission to access the requested object. It is either read-protected or not readable by the server.
…and this in the vhost error log:
client denied by server configuration: /srv/www/hostname/fcgid-bin/php-fcgid-wrapper
With o-x (776, 774, 772, 770, or below), I get this in the browser:
Forbidden
You don’t have permission to access /fcgid-bin/php-fcgid-wrapper/index.php on this server.
Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.
(13)Permission denied: access to /fcgid-bin/php-fcgid-wrapper/index.php denied
This is really boggling my mind seeing as my setup was working fine until I started getting this and I don’t know what I possibly could have done to change that. /usr/bin/php-cgi and the wrapper both work fine with the exact same input files when called directly.
ServerAdmin admin@hostname.com
DocumentRoot "/srv/www/hostname/public/"
ServerName hostname.com
ServerAlias www.hostname.com
SuexecUserGroup hostname hostname
ErrorLog "/srv/www/hostname/logs/error.log"
LogLevel debug
CustomLog "/srv/www/hostname/logs/access.log" combined
Order allow,deny
Allow from all
# http://www.linode.com/forums/viewtopic.php?t=2982
AddHandler php-fcgi .php
Action php-fcgi /fcgid-bin/php-fcgid-wrapper
Alias /fcgid-bin/ /srv/www/hostname/fcgid-bin/
SetHandler fcgid-script
Options +ExecCGI
ReWriteEngine On
ReWriteRule ^/fcgid-bin/[^/]*$ / [PT]
Check the ownership of the files you are trying to access (i.e. index.php) — suexec verifies that the files have the correct ownership (i.e. are owned by ‘hostname’) before executing them — running php directly would still execute the files (as long as they are readable, regardless of ownership), and offhand, I don’t think text/html files are run through suexec. Unlikely, perhaps, but it seems to fit the symptoms.
Best Answer
Order allow,deny
Allow from all
That doesn’t include /srv/www/hostname/fcgid-bin/ ; assuming there’s no Allow applying to it elsewhere in your config, this is the problem. You’ll need to Allow access to this location.