Trouble adding /pma location to all virtual hosts

Ben Johnson ben at indietorrent.org
Tue Jun 25 20:18:34 UTC 2013 

Hello,

I'm trying to accomplish something that feels like it should be very
simple, yet I'm struggling. I'm new to nginx, and I feel a bit lost as I
try to "translate" everything that I've done in Apache over the years to
nginx. So, please bear with me. I've done my research and asking this
list for help is a last-resort.

I have an application, phpMyAdmin, installed in /var/www/pma. I would
like to modify the nginx configuration such that every virtual-host
whose configuration file is located in /etc/nginx/sites-available/ has
access to the files in this directory by browsing to the location /pma/,
relative to the domain root.

The filesystem information for /var/www/pma is as follows (the
permissions are set recursively on the entire directory -- for now):

# ls -lah /var/www | grep "pma"
drwxrwxr-x  9 www-data www-data 4.0K Jun 17 16:37 pma

I figured that it might be simpler to get phpMyAdmin working for a
single vhost before attempting the same move server-wide.

On the surface, it looks to be this simple:

location /pma/ {
    alias /var/www/pma/;
    include /etc/nginx/fastcgi_params;
    fastcgi_pass unix:/var/run/php5-fpm.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_intercept_errors on;
}

When I try this configuration, I have the following in error.log:

2013/06/25 14:04:07 [error] 29741#0: *21 FastCGI sent in stderr:
"Primary script unknown" while reading response header from upstream,
client: 1.2.3.4, server: example.com, request: "GET /pma/ HTTP/1.1",
upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "example.com"

While researching the cause of this error, I have seen others state that
SCRIPT_FILENAME has to be modified when using an alias in this way, e.g.

fastcgi_param SCRIPT_FILENAME $request_filename;

but the error messages are the same with this line, too.

So, I tried to use the "root" directive, instead of "alias", as I have
no particular reason for using one over the other in this scenario.

location /pma/ {
    ##alias /var/www/pma/;
    root /var/www;
    include /etc/nginx/fastcgi_params;
    fastcgi_pass unix:/var/run/php5-fpm.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_intercept_errors on;
}

This "kind of works". The index file at location /pma/index.php is
parsed via PHP, but requests for all other resources on the page yield
"403 Forbidden". The log states:

2013/06/25 14:21:46 [error] 30343#0: *12 FastCGI sent in stderr: "Access
to the script '/var/www/pma/favicon.ico' has been denied (see
security.limit_extensions)" while reading response header from upstream,
client: 1.2.3.4, server: example.com, request: "GET /pma/favicon.ico
HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host:
"example.com"

Obviously, the aim here is not to execute '/var/www/pma/favicon.ico' as
a PHP script.

I found a thread at
http://serverfault.com/questions/486368/nginx-and-php-fpm-403-forbidden
which seems to address this intended behavior (the rationale is sound).
So, I split my configuration up into the following sections, so that PHP
scripts would be handled via php-fpm and static content would be handled
directly:

location ~ /pma/.*\.php$ {
    root /var/www;
    include /etc/nginx/fastcgi_params;
    fastcgi_pass unix:/var/run/php5-fpm.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_intercept_errors on;
}

location /pma/ {
    root /var/www;
    # Adding the following line makes no difference:
    index index.php;
}

With this configuration, PMA's index page won't even load. The location
/pma/ returns a 404, as does /pma/index.php.

Nothing is written to the vhost's error.log when /pma/ or /pma/index.php
is requested. Only the following (I've omitted the irrelevant bits) is
written to access.log:

"GET /pma/ HTTP/1.1" 404 200 "-"
"GET /pma/index.php HTTP/1.1" 404 200 "-"

I must be doing something completely asinine.

Other misc. details:

- PHP's open_basedir directive includes the path /var/www/pma.

- nginx is executing the request as the user "web2" who is in the group
"client2" (this is configured via ISPConfig).

- The group "client2" is in the group "www-data", and /var/www/pma's
user:group is www-data:www-data and the permissions on the directory are
0775, recursively.

Thanks in advance for any help here,

-Ben

More information about the nginx mailing list