How to configure server on nginx, php-fpm to set file permissions correctly
Question
I think I have a small error /mistake in my configuration. I use a server for a magento shop.
My server setting for Nginx are:
user nobody;
worker_processes 2; ## = CPU qty
error_log /var/log/nginx/error.log;
#error_log /var/log/nginx/error.log notice;
#error_log /var/log/nginx/error.log info;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
use epoll;
}
http {
index index.html index.php; ## Allow a static html file to be shown first
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
#log_format error403 '$remote_addr - $remote_user [$time_local] '
# '$status "$request" "$http_x_forwarded_for"';
server_tokens off;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
## Gzipping is an easy way to reduce page weight
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_types text/css application/x-javascript;
gzip_buffers 16 8k;
gzip_comp_level 8;
gzip_min_length 1024;
#ssl_session_cache shared:SSL:15m;
#ssl_session_timeout 15m;
keepalive_timeout 10;
## Use when Varnish in front
#set_real_ip_from 127.0.0.1;
#real_ip_header X-Forwarded-For;
## Multi domain configuration
#map $http_host $storecode {
#www.domain1.com 1store_code; ## US main
#www.domain2.net 2store_code; ## EU store
#www.domain3.de 3store_code; ## German store
#www.domain4.com 4store_code; ## different products
#}
server {
listen 80; ## change to 8080 with Varnish
#listen 443 ssl;
server_name _; ## Domain is here
root /var/www/html;
access_log /var/log/nginx/access_mydomain.log main;
## Nginx will not add the port in the url when the request is redirected.
#port_in_redirect off;
####################################################################################
## SSL CONFIGURATION
#ssl_certificate /etc/ssl/certs/www_server_com.chained.crt;
#ssl_certificate_key /etc/ssl/certs/server.key;
#ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
#http://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
#http://serverfault.com/questions/417512/disable-deflate-compression-in-nginx-ssl
#ssl_ciphers AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH;
#ssl_ciphers RC4:HIGH:!aNULL:!MD5:!kEDH;
#ssl_prefer_server_ciphers on;
####################################################################################
## Server maintenance block. insert dev ip 1.2.3.4 static address www.whatismyip.com
#if ($remote_addr !~ "^(1.2.3.4|1.2.3.4)$") {
#return 503;
#}
#error_page 503 @maintenance;
#location @maintenance {
#rewrite ^(.*)$ /error_page/503.html break;
#internal;
#access_log off;
#log_not_found off;
#}
####################################################################################
## 403 error log/page
#error_page 403 /403.html;
#location = /403.html {
#root /var/www/html/error_page;
#internal;
#access_log /var/log/nginx/403.log error403;
#}
####################################################################################
## Main Magento location
location / {
try_files $uri $uri/ @handler;
}
####################################################################################
## These locations would be hidden by .htaccess normally, protected
location ~ (/(app/|includes/|/pkginfo/|var/|errors/local.xml)|/\.svn/|/.hta.+) {
deny all;
#internal;
}
####################################################################################
## Protecting /admin/ and /downloader/ 1.2.3.4 = static ip (www.whatismyip.com)
#location /downloader/ {
#allow 1.2.3.4;
#allow 1.2.3.4;
#deny all;
#rewrite ^/downloader/(.*)$ /downloader/index.php$1;
#}
#location /admin {
#allow 1.2.3.4;
#allow 1.2.3.4;
#deny all;
#rewrite / /@handler;
#}
####################################################################################
## Images, scripts and styles set far future Expires header
location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
expires max;
log_not_found off;
access_log off;
}
####################################################################################
## Main Magento location
location @handler {
rewrite / /index.php;
}
location ~ .php/ { ## Forward paths like /js/index.php/x.js to relevant handler
rewrite ^(.*.php)/ $1 last;
}
####################################################################################
## Execute PHP scripts
location ~ .php$ {
try_files $uri $uri/ =404;
#try_files $uri $uri/ @handler;
fastcgi_pass 127.0.0.1:9000;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
## Store code with multi domain
#fastcgi_param MAGE_RUN_CODE $storecode;
## Default Store code
fastcgi_param MAGE_RUN_CODE default;
fastcgi_param MAGE_RUN_TYPE store; ## or website;
include fastcgi_params; ## See /etc/nginx/fastcgi_params
}
}
}
For php-fpm it is (its not the whole code, just what I changed)
;listen = 127.0.0.1:9000
listen = /var/run/php-fpm/php-fpm.sock
;listen.owner = nobody
listen.owner = nginx
;listen.group = nobody
listen.group = nginx
;listen.mode = 0666
listen.mode = 0664
user = nginx
group = nginx
[...]
Then I add myself as a user via:
user add byname -d /var/www/html -m
give myself a password (I use VSFTPD), add a group wwwftp , add myself to the group via:
usermod -g wwwftp myname
make /var/www/html owned by me:
chown byname /var/www/html
and change the group ( chgrp wwwftp /var/www/html )
Sometimes I have file permission issues. If Magento adds a file the file permissions are user 99 and group 99. Images can't be displayed. Files can't be opened unless I make them 777.
Maybe something in my config is wrong?
1 answers
solution1
1 2014-01-23 04:31:09
You have php-fpm set to run as user nginx and group nginx so any files created by magento will have that user and group (are those 99?).
But nginx itself is running as user 'nobody' (first line). So it can't access images that are owned by user/group 'nginx' (created by php-fpm). Setting permissions to 777 allows user 'nobody' to access files owned by 'nginx'.
But any php files written by magento would be fine, since they are created and read using user 'nginx' from php-fpm.
why do you want to set the /var/www/html to byname? what are you trying to accomplish? Are you trying to all an ftp connection to read/write those files? If so, you'd be better off adding your user to group 'nobody' and group 'nginx' so you can read/write both kinds of files.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.