
php-fpm + nginx + sockets restriction in jail ?

bryn1u

Well-Known Member

Thanks: 9
Messages: 328

#1
Hello guys,

I'm using nginx + php-fpm or apache + proxy_fcgi. In both cases, when I want to use a socket instead of listening on 127.0.0.1, I always get "permission denied" and can't connect through the socket. When I listen on a localhost port, for example 127.0.0.1:9000, it works like a charm. My question is: does a jail have any restriction that blocks socket connections?
 

SnowCowboy

New Member

Thanks: 1
Messages: 4

#2
Yes, there is a restriction. You can't get a raw socket within a Jail. This behavior is mentioned in the manual.

You can allow them by adding the following line into /etc/sysctl.conf on the host side:

Code:
security.jail.allow_raw_sockets=1

Mind you, you are deliberately breaking one of the security standpoints and reasons for jails.

That is only under some circumstances, though. If you are the only one managing the whole system, that shouldn't be a big deal. However, if you are sharing the host and there are untrusted users in other jails, you'd better investigate further whether this is something you can live with or not.
 

lebarondemerde

Daemon

Thanks: 590
Messages: 1,351

#3
There is no need to set security.jail.allow_raw_sockets=1 for that, unless php and the webserver are running in different jails.

You would just need to set this:

/usr/local/etc/php-fpm.d/www.conf
Code:
listen = /var/run/php-fpm.sock
 
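A fuller pool configuration, as an added example that is not from the thread. The single listen line posted in #3 switches php-fpm to a Unix domain socket, but it leaves the socket file with php-fpm's defaults: the master process runs as root, so the socket is created root-owned with mode 0660, and a web server worker running as an unprivileged user gets exactly the "permission denied" from #1. The listen.owner, listen.group and listen.mode directives are standard php-fpm pool options; the www user and group (the default for both the nginx and php-fpm FreeBSD ports) and the file paths are assumptions here. None of this touches raw sockets: a Unix domain socket is an AF_UNIX stream socket, so, as #3 says, no allow_raw_sockets change is needed.

```ini
; /usr/local/etc/php-fpm.d/www.conf  (added example; paths and the www user/group are assumptions)
[www]
; The worker processes themselves run unprivileged.
user = www
group = www

; Listen on a Unix domain socket instead of 127.0.0.1:9000.
listen = /var/run/php-fpm.sock

; Ownership and mode of the socket file. Without these lines php-fpm (whose
; master runs as root) creates the socket as root:wheel with mode 0660, and an
; nginx or httpd worker running as www cannot connect to it.
; Set owner/group to the web server's worker user, and keep the mode at 0660
; so that only that user and group can open the socket.
listen.owner = www
listen.group = www
listen.mode = 0660
```

On the nginx side the matching change is `fastcgi_pass unix:/var/run/php-fpm.sock;` in place of `fastcgi_pass 127.0.0.1:9000;`; for apache with proxy_fcgi it is a `unix:/var/run/php-fpm.sock|fcgi://localhost/` target. After restarting php-fpm, `ls -l /var/run/php-fpm.sock` should show the owner and group you set, matching the `user www;` line in nginx.conf (or the User/Group in httpd.conf); if the socket is still root-owned, the pool file was not the one php-fpm actually loaded.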