php-fpm + nginx + sockets restriction in jail ?

Hello guys,

I'm using nginx + php-fpm or apache + proxy_fcgi. In both cases, when I want to use a socket instead of listen 127.0.0.1, I always get permission denied and can't connect through the socket. When I use listen on a localhost port, for example 127.0.0.1:9000, it works like a charm. And my question is: does the jail have any restriction that blocks socket connections?
 
Yes, there is a restriction. You can't get a raw socket within a Jail. This behavior is mentioned in the manual.

You can allow them by adding the following line into /etc/sysctl.conf on the host side:

security.jail.allow_raw_sockets=1

Mind you, you are deliberately breaking one of the security standpoints and reasons for jails.

That is only under some circumstances though. If you are the only one managing the whole system, that shouldn't be a big deal. However, if you are sharing the host and there are untrusted users in other jails, you'd better investigate further whether this is something you can live with or not.
 
There is no need to set security.jail.allow_raw_sockets=1 for that, unless PHP and the web server are running in different jails.

You would just need to set this:

/usr/local/etc/php-fpm.d/www.conf

listen = /var/run/php-fpm.sock
 
/usr/local/etc/php-fpm.d/www.conf

listen = /var/run/php-fpm.sock
listen.owner = www
listen.group = www
listen.mode = 0660
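The posts above only show the php-fpm half. The following is an added example, not from anyone in this thread, of the matching nginx side, written so that the web server talks to php-fpm over the Unix socket and no TCP port is listened on at all. It assumes FreeBSD paths, the pool config posted above (socket at /var/run/php-fpm.sock owned by www:www, mode 0660), and nginx running as user www, which is the FreeBSD package default; the server name and document root are placeholders.

```nginx
# Added example: nginx side of the php-fpm Unix-socket setup.
# Assumptions: php-fpm listens on /var/run/php-fpm.sock with
# listen.owner/listen.group = www and listen.mode = 0660 (as posted above);
# nginx runs as user www, so it falls in the socket's group. If you changed
# the `user` directive, adjust listen.owner/listen.group in www.conf to match,
# otherwise connect() fails with EACCES ("permission denied").

user  www;

events {
    worker_connections 1024;
}

http {
    upstream php {
        # Socket, not 127.0.0.1:9000: nothing reachable over TCP, and access
        # is governed by ordinary file permissions on the socket node.
        server unix:/var/run/php-fpm.sock;
    }

    server {
        listen       80;
        server_name  example.org;             # placeholder
        root         /usr/local/www/example;  # placeholder docroot

        index index.php index.html;

        location ~ \.php$ {
            # Only hand real files to php-fpm; refuses /image.jpg/x.php style
            # requests that would otherwise be executed via PATH_INFO.
            try_files $uri =404;

            include        fastcgi_params;
            fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass   php;
        }
    }
}
```

After restarting php-fpm, `ls -l /var/run/php-fpm.sock` should show `srw-rw----  1 www  www`; if it still shows root:wheel, the listen.owner/listen.group lines were not picked up. Resist the temptation to set listen.mode = 0666 to make the error go away: with a world-writable socket any local user in the jail can submit FastCGI requests straight to php-fpm and run PHP as the pool user, bypassing the web server entirely. For apache + proxy_fcgi the equivalent directive is `SetHandler "proxy:unix:/var/run/php-fpm.sock|fcgi://localhost/"` inside a `<FilesMatch "\.php$">` block, with the same requirement that the httpd user matches listen.owner/listen.group.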
 