# apache + suexec + mod_fastcgi + php-fpm permission issue

## trinite

About a year ago, I set up an apache + suexec + mod_fastcgi + php-fpm setup with multiple virtual hosts, in which each virtual host has its own user and its own php-fpm pool running. This all worked fine (also over previous updates) until last week, when I updated the setup from php 5.5.10 to php 5.5.12.

The error I get: 

```
[Tue Jun 10 11:26:42 2014] [error] [client 192.168.1.2] (13)Permission denied: FastCGI: failed to connect to server "/var/www/cgi-bin.d/cgi-control/php-fpm": connect() failed
[Tue Jun 10 11:26:42 2014] [error] [client 192.168.1.2] FastCGI: incomplete headers (0 bytes) received from server "/var/www/cgi-bin.d/cgi-control/php-fpm"
```

After some research I found out that the error seems to be that the fastcgi process cannot connect to the php-fpm socket. The permissions I used to use:

```
srw-rw---- 1 control control 0 Jun 10 12:08 /var/run/php-fpm-control.sock
```

To get it working again, I have to change the permissions to

```
srw-rw---- 1 control apache 0 Jun 10 12:08 /var/run/php-fpm-control.sock
```

by setting the fpm pool settings from

```
[control]
; Port or socket where apache can connect to
listen = /var/run/php-fpm-$pool.sock
listen.owner = $pool
listen.group = $pool

; user under which the process runs
user = $pool
group = $pool
```

to

```
[control]
; Port or socket where apache can connect to
listen = /var/run/php-fpm-$pool.sock
listen.owner = $pool
listen.group = apache

; user under which the process runs
user = $pool
group = $pool
```

So it looks like the FastCGI process tries to access the socket using the apache user, and not as the pool user (control). Did something change in the new php version? Did Suexec or mod_fastcgi change something? Or did I miss something else?

Below is a short definition of my setup: 

/etc/conf.d/apache2

```
APACHE2_OPTS="-D DEFAULT_VHOST -D INFO -D SSL -D SSL_DEFAULT_VHOST -D SUEXEC -D LANGUAGE -D FASTCGI -D PHP_FPM"
```

/etc/apache2/modules.d/20_mod_fastcgi.conf

```
<IfDefine FASTCGI>
LoadModule fastcgi_module modules/mod_fastcgi.so
AddHandler fastcgi-script fcg fcgi fpl

# FastCgiWrapper has to be enabled to enforce a user and group to the FastCGIServer directive
FastCgiWrapper /usr/sbin/suexec
</IfDefine>
```

/etc/apache2/modules.d/71_php-fpm.conf

```
<IfDefine PHP_FPM>
   AddHandler php-fpm .php
   AddHandler php-fpm .php5
   AddHandler php-fpm .phtml
   DirectoryIndex index.php index.php5 index.phtml

   # Note that an Alias for /php-fpm should be defined for
   # every virtual host
   Action php-fpm /php-fpm
</IfDefine>
```

/etc/apache2/modules.d/vhosts.d/001_control.conf

```
<VirtualHost *:80>
   DocumentRoot "/home/control/public_html"
   ServerName control.nl
   ServerAlias *.control.nl

   CustomLog /home/control/log/access_log combined
   Errorlog /home/control/log/error_log

   SuexecUserGroup control control
   FastCGIExternalServer /var/www/cgi-bin.d/cgi-control/php-fpm -socket /var/run/php-fpm-control.sock -user control -group control
   Alias /php-fpm /var/www/cgi-bin.d/cgi-control/php-fpm

   <Directory /home/control/public_html>
      Options +Indexes +FollowSymlinks
      Order deny,allow
      Allow from all
   </Directory>

   <IfModule alias_module>
      #enable cgi? put cgi files in /var/www/cgi-bin.d/cgi-control and uncomment the next line and the Directory block
      #ScriptAlias /cgi-bin/ "/var/www/cgi-bin.d/cgi-control/"
   </IfModule>

   # Leave this enabled, also when not using CGI, as php-fpm has its virtual
   # path here
   <Directory "/var/www/cgi-bin.d/cgi-control">
      AllowOverride None
      Options None
      Order allow,deny
      Allow from all
   </Directory>
</VirtualHost>
```

cgi directory permissions: 

```
ls -lah /var/www/cgi-bin.d/cgi-control/
total 8.0K
drwxrwxr-x 2 control control 4.0K Jul 29  2013 .
drwxr-xr-x 9 root    root    4.0K Aug  4  2013 ..
```

/etc/php/fpm-php5.5/php-fpm.conf

```
include=/etc/php/fpm-php5.5/pool.d/*.conf
```

/etc/php/fpm-php5.5/pool.d/001_control.conf

```
[control]
; Port or socket where apache can connect to
listen = /var/run/php-fpm-$pool.sock
listen.owner = $pool
listen.group = $pool

; user under which the process runs
user = $pool
group = $pool

; process manager
pm = dynamic
pm.max_children = 50
pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 25
```

----------
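The two socket listings in the post above, checked against the Unix permission rules for `connect()`. This is an added example, not part of the original post; the account table is an assumption (Apache workers running as user `apache` in group `apache`, plus a hypothetical unrelated local user `otheruser`).

```python
import re

# ls -l lines copied from the post: before and after the listen.group change.
BEFORE = "srw-rw---- 1 control control 0 Jun 10 12:08 /var/run/php-fpm-control.sock"
AFTER = "srw-rw---- 1 control apache 0 Jun 10 12:08 /var/run/php-fpm-control.sock"

# Assumed accounts (user -> groups); "otheruser" is hypothetical.
ACCOUNTS = {
    "control": {"control"},
    "apache": {"apache"},
    "otheruser": {"otheruser"},
}

LS_RE = re.compile(r"^s([rwx-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+.*\s(/\S+)$")


def parse_socket_line(line):
    """Return (perms, owner, group, path) for an `ls -l` socket entry."""
    m = LS_RE.match(line.strip())
    if not m:
        raise ValueError("not an ls -l line for a socket: %r" % line)
    return m.groups()


def can_connect(line, user, groups):
    """connect() on a Unix socket needs write permission on the socket file.

    Exactly one permission class is checked: owner if the user owns the
    file, else group if the user is in the file's group, else other.
    Search permission on the parent directories is not modelled here.
    """
    perms, owner, group, _ = parse_socket_line(line)
    if user == "root":
        return True
    if user == owner:
        return perms[1] == "w"
    if group in groups:
        return perms[4] == "w"
    return perms[7] == "w"


def audit(line, accounts=ACCOUNTS):
    """Map each account to whether it can reach the pool socket."""
    return {u: can_connect(line, u, g) for u, g in accounts.items()}


if __name__ == "__main__":
    for label, line in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(line))
```

With `listen.group = apache` and mode `srw-rw----`, only the pool user and members of the `apache` group can reach the pool; other local accounts stay locked out.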

