I found error 'WARNING: [pool www] child 3715 said into stderr: "ERROR: Connection disallowed: IP address 'x.x.x.x' has been dropped." ' in php-fpm's log, where 'x.x.x.x' is my server's public ip.
Since the "listen.allowed_clients = 127.0.0.1" is set in php-fpm, the error is reasonable. But i wonder why nginx is connecting to php-fpm with its public ip, nginx and php-fpm are actually on the same server. Is there an approach to change nginx's behavior here?
UPDATE: detailed configurations added.
in nginx.conf, :
user nginx; worker_processes 4; error_log /var/log/nginx/error.log; pid /run/nginx.pid; events { worker_connections 1024; } http { include /etc/nginx/mime.types; default_type application/octet-stream; log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; access_log /var/log/nginx/access.log main; sendfile on; keepalive_timeout 65; include /etc/nginx/conf.d/*.conf; index index.html index.htm; upstream php { server 127.0.0.1:9000; } }
in /etc/nginx/conf.d/test.conf:
server { listen 443 default_server ssl; ssl_certificate /usr/share/nginx/html/xxx.crt; ssl_certificate_key /usr/share/nginx/html/xxx/xxx.key; ## Your website name goes here. server_name x.x.x; ## Your only path reference. root /usr/share/nginx/html/xxx; ## This should be in your http block and if it is, it's not needed here. include /etc/nginx/mime.types; index index.php location ~ \.php$ { #NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini include fastcgi.conf; fastcgi_intercept_errors on; fastcgi_pass php; } }
in fastcgi.conf:
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param QUERY_STRING $query_string; fastcgi_param REQUEST_METHOD $request_method; fastcgi_param CONTENT_TYPE $content_type; fastcgi_param CONTENT_LENGTH $content_length; fastcgi_param SCRIPT_NAME $fastcgi_script_name; fastcgi_param REQUEST_URI $request_uri; fastcgi_param DOCUMENT_URI $document_uri; fastcgi_param DOCUMENT_ROOT $document_root; fastcgi_param SERVER_PROTOCOL $server_protocol; fastcgi_param HTTPS $https if_not_empty; fastcgi_param GATEWAY_INTERFACE CGI/1.1; fastcgi_param SERVER_SOFTWARE nginx/$nginx_version; fastcgi_param REMOTE_ADDR $remote_addr; fastcgi_param REMOTE_PORT $remote_port; fastcgi_param SERVER_ADDR $server_addr; fastcgi_param SERVER_PORT $server_port; fastcgi_param SERVER_NAME $server_name; # PHP only, required if PHP was built with --enable-force-cgi-redirect fastcgi_param REDIRECT_STATUS 200;
php-fpm status:
[root@test-server ~]# netstat -tulnp | grep 9000 tcp 0 0 127.0.0.1:9000 0.0.0.0:* LISTEN 4134/php-fpm: maste
in php-fpm logs:
[03-Aug-2015 09:55:02] WARNING: [pool www] child 4109 said into stderr: "ERROR: Connection disallowed: IP address '1.2.3.4' has been dropped."
On my server: server_name 'x.x.x' truly resolved to '1.2.3.4' by dns, which i substitute my real server_name and public ip with these fake one. If it is confusing, sorry about that.
ALL config files above were not changed for a long time. Everything was just fine until i rebooted the server. I remembered that i added one line as "1.2.3.4 x.x.x" in my /etc/hosts, but removing that didn't help.
At present i changed listen.allowed_clients in php-fpm to bypass this problem. But i am curious about nginx and php-fpm's such behavior.
fastcgi_pass
directive?127.0.0.1
there is no need to uselisten.allowed_clients
.