0

I found the error 'WARNING: [pool www] child 3715 said into stderr: "ERROR: Connection disallowed: IP address 'x.x.x.x' has been dropped." ' in php-fpm's log, where 'x.x.x.x' is my server's public IP.

Since "listen.allowed_clients = 127.0.0.1" is set in php-fpm, the error is reasonable. But I wonder why nginx is connecting to php-fpm with its public IP; nginx and php-fpm are actually on the same server. Is there an approach to change nginx's behavior here?

UPDATE: detailed configurations added.

in nginx.conf:

user  nginx; 
worker_processes  4; 
error_log  /var/log/nginx/error.log; 
pid        /run/nginx.pid; 
events { 
    worker_connections  1024; 
} 
http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;
    sendfile        on;
    keepalive_timeout  65;
    include /etc/nginx/conf.d/*.conf;
    index   index.html index.htm;
    upstream php {
        server 127.0.0.1:9000;
    }
}

in /etc/nginx/conf.d/test.conf:

server {
        listen 443 default_server ssl;
        ssl_certificate /usr/share/nginx/html/xxx.crt;
        ssl_certificate_key /usr/share/nginx/html/xxx/xxx.key;

        ## Your website name goes here.
        server_name x.x.x;
        ## Your only path reference.
        root /usr/share/nginx/html/xxx;
        ## This should be in your http block and if it is, it's not needed here.
        include       /etc/nginx/mime.types;
        index index.php;

        location ~ \.php$ {
                #NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
                include fastcgi.conf;
                fastcgi_intercept_errors on;
                fastcgi_pass php;
        }
}

in fastcgi.conf:

fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
fastcgi_param  QUERY_STRING       $query_string;
fastcgi_param  REQUEST_METHOD     $request_method;
fastcgi_param  CONTENT_TYPE       $content_type;
fastcgi_param  CONTENT_LENGTH     $content_length;

fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
fastcgi_param  REQUEST_URI        $request_uri;
fastcgi_param  DOCUMENT_URI       $document_uri;
fastcgi_param  DOCUMENT_ROOT      $document_root;
fastcgi_param  SERVER_PROTOCOL    $server_protocol;
fastcgi_param  HTTPS              $https if_not_empty;

fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;

fastcgi_param  REMOTE_ADDR        $remote_addr;
fastcgi_param  REMOTE_PORT        $remote_port;
fastcgi_param  SERVER_ADDR        $server_addr;
fastcgi_param  SERVER_PORT        $server_port;
fastcgi_param  SERVER_NAME        $server_name;

# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param  REDIRECT_STATUS    200;

php-fpm status:

[root@test-server ~]# netstat -tulnp | grep 9000
tcp        0      0 127.0.0.1:9000          0.0.0.0:*               LISTEN      4134/php-fpm: maste 

in php-fpm logs:

[03-Aug-2015 09:55:02] WARNING: [pool www] child 4109 said into stderr: "ERROR: Connection disallowed: IP address '1.2.3.4' has been dropped."

On my server, server_name 'x.x.x' truly resolves to '1.2.3.4' via DNS; I have substituted these fake values for my real server_name and public IP. If it is confusing, sorry about that.

None of the config files above had been changed for a long time. Everything was just fine until I rebooted the server. I remembered that I had added one line, "1.2.3.4 x.x.x", to my /etc/hosts, but removing that didn't help.

At present I have changed listen.allowed_clients in php-fpm to bypass this problem. But I am curious about why nginx and php-fpm behave this way.

3
  • Because you told nginx to do so. What's in the nginx config? Especially, what's in the fastcgi_pass directive?
    – Alexey Ten
    Commented Aug 3, 2015 at 11:13
  • @AlexeyTen I have edited the question and added more info. I thought there should be some configuration option for this and I hadn't known it. That's why I said nginx to do that. You think I should give more info, there I added. Thanks.
    – apporc
    Commented Aug 7, 2015 at 4:07
  • 1
    I'm not a PHP guru, but since PHP-FPM already listens on 127.0.0.1 there is no need to use listen.allowed_clients.
    – Alexey Ten
    Commented Aug 7, 2015 at 8:23

1 Answer

0

To explicitly set the request's originating IP address, you need to use one of the fastcgi_bind/proxy_bind directives together with the corresponding *_pass directive.

This directive appeared in version 0.8.22. Makes outgoing connections to a FastCGI server originate from the specified local IP address with an optional port (1.11.2). Parameter value can contain variables (1.3.12). The special value off (1.3.12) cancels the effect of the fastcgi_bind directive inherited from the previous configuration level, which allows the system to auto-assign the local IP address and port.
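
The directive quoted in this answer, applied to the upstream and location block from the question. This is an added example, not part of the original answer or the asker's configuration; the 127.0.0.1 bind address is an assumption chosen to match the listen.allowed_clients value in the question, and the names and paths are the question's placeholders.

```nginx
# Both blocks live inside the http { } context, as in the question's
# nginx.conf and /etc/nginx/conf.d/test.conf.

upstream php {
    # php-fpm listens on loopback only (see the netstat output in the question).
    server 127.0.0.1:9000;
}

server {
    listen 443 default_server ssl;
    ssl_certificate     /usr/share/nginx/html/xxx.crt;      # placeholder from the question
    ssl_certificate_key /usr/share/nginx/html/xxx/xxx.key;  # placeholder from the question

    server_name x.x.x;                # placeholder from the question
    root /usr/share/nginx/html/xxx;   # placeholder from the question
    index index.php;

    location ~ \.php$ {
        include fastcgi.conf;
        fastcgi_intercept_errors on;

        # Pin the local (source) address of the outgoing FastCGI connection.
        # php-fpm checks the peer address of every accepted connection against
        # listen.allowed_clients (127.0.0.1 in the question) and logs
        # "Connection disallowed: IP address '...' has been dropped." on a mismatch,
        # so the source address used here has to be one that list contains.
        fastcgi_bind 127.0.0.1;

        # fastcgi_bind only affects connections made by the *_pass directive
        # in the same scope; proxy_bind is the counterpart for proxy_pass.
        fastcgi_pass php;
    }
}
```

Check the result with `nginx -t` before reloading. fastcgi_bind is also valid in the http and server contexts, and `fastcgi_bind off;` at a lower level cancels an inherited value.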
