LinuxQuestions.org
Old 11-20-2015, 06:50 AM   #1
gacanepa
Member
 
Registered: May 2012
Location: San Luis, Argentina
Distribution: Debian
Posts: 203

Rep: Reputation: 26
Arrow Firewalld on CentOS 7 not letting PHP-FPM (+Apache 2.4) through


Hi everyone,

I recently switched from the prefork MPM to event in an Apache 2.4 installation on a CentOS 7 box. I have allowed http traffic through the firewall:

Quote:
firewall-cmd --add-service=http
firewall-cmd --add-service=http --permanent
and also enabled 9000/tcp, the port used by php-fpm on localhost (127.0.0.1):

Quote:
firewall-cmd --add-port=9000/tcp
firewall-cmd --add-port=9000/tcp --permanent
However, when I browse to my virtual host, I get the following error:
Quote:
Service Unavailable

The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.
Here's what I see in the virtual host log after each request:

Code:
[Fri Nov 20 11:44:11.982158 2015] [proxy_fcgi:error] [pid 3930:tid 140185148798720] (104)Connection reset by peer: [client AAA.BBB.CCC.DDD:33215] AH01074: Failed writing Environment to :
I am ruling out a problem with the virtual host's Apache configuration, since when I temporarily disable firewalld I am able to see the site without issues. Thus, I am leaning towards the idea of firewalld being responsible for the 503 error mentioned above, but I don't know what other ports I should open or if there is any other service I should allow through the firewall.

Any ideas will be more than appreciated. Thank you all in advance!
 
Old 11-20-2015, 11:00 AM   #2
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,599

Rep: Reputation: 1241
According to the manpage, the "--permanent" only records the desired change. It does NOT make it active:

Code:
   Permanent Options
       --permanent
           The permanent option --permanent can be used to set options
           permanently. These changes are not effective immediately, only
           after service restart/reload or system reboot. Without the
           --permanent option, a change will only be part of the runtime
           configuration.

           If you want to make a change in runtime and permanent
           configuration, use the same call with and without the --permanent
           option.
There is the option reload:

Code:
       --reload
           Reload firewall rules and keep state information. Current permanent
           configuration will become new runtime configuration, i.e. all
           runtime only changes done until reload are lost with reload if they
           have not been also in permanent configuration.

Last edited by jpollard; 11-20-2015 at 11:02 AM.
 
1 members found this post helpful.
Old 11-20-2015, 11:28 AM   #3
gacanepa
Member
 
Registered: May 2012
Location: San Luis, Argentina
Distribution: Debian
Posts: 203

Original Poster
Rep: Reputation: 26
Quote:
Originally Posted by jpollard View Post
According to the manpage, the "--permanent" only records the desired change. It does NOT make it active:

Code:
   Permanent Options
       --permanent
           The permanent option --permanent can be used to set options
           permanently. These changes are not effective immediately, only
           after service restart/reload or system reboot. Without the
           --permanent option, a change will only be part of the runtime
           configuration.

           If you want to make a change in runtime and permanent
           configuration, use the same call with and without the --permanent
           option.
There is the option reload:

Code:
       --reload
           Reload firewall rules and keep state information. Current permanent
           configuration will become new runtime configuration, i.e. all
           runtime only changes done until reload are lost with reload if they
           have not been also in permanent configuration.
I forgot to add that I reloaded the configuration and even restarted firewalld after making the changes, to no avail.
 
Old 11-20-2015, 02:43 PM   #4
Doug G
Member
 
Registered: Jul 2013
Posts: 593

Rep: Reputation: Disabled
Does firewall-cmd --list-all show the services and ports you enabled?

Possibly you should enable https. And the partial error message you posted almost hints at some kind of permissions problem rather than a firewall problem.
 
1 members found this post helpful.
Old 11-20-2015, 05:28 PM   #5
gacanepa
Member
 
Registered: May 2012
Location: San Luis, Argentina
Distribution: Debian
Posts: 203

Original Poster
Rep: Reputation: 26
Quote:
Originally Posted by Doug G View Post
Does firewall-cmd --list-all show the services and ports you enabled?

Possibly you should enable https. And the partial error message you posted almost hints at some kind of permissions problem rather than a firewall problem.
First off, thank you for taking the time to comment on this question. Permissions were my first guess too, but why would disabling the firewall solve a permissions issue?
I checked whether https was enabled, and yes it is. Here's the output of firewall-cmd --list-all:
Code:
[root@centos7 ~]# firewall-cmd --list-all
public (default)
  interfaces: 
  sources: 
  services: dhcpv6-client http https ssh
  ports: 2222/tcp 9000/tcp
  masquerade: yes
  forward-ports: 
  icmp-blocks: 
  rich rules: 

[root@centos7 ~]#
I even changed the configuration of php-fpm so that it would listen on all interfaces and not just on localhost (as it does by default), and I'm still getting this error. Surprisingly enough, I have the exact same setup on a Debian 8 box (or maybe not so exact, I am still trying to find a difference) with firewalld enabled (same ports and services) and it works like a charm. I also found out that turning masquerade on and off does not affect the result either.

I also thought it could be a SELinux issue, but SELinux is disabled on this particular host. So I keep running into blind alleys here.

Any further help will be more than appreciated.

Last edited by gacanepa; 11-20-2015 at 05:30 PM.
 
Old 11-20-2015, 09:20 PM   #6
Doug G
Member
 
Registered: Jul 2013
Posts: 593

Rep: Reputation: Disabled
I don't know, perhaps in your configuration there is some other port that needs to be opened. I never used php-fpm and I'm not familiar with its requirements.

Maybe try accessing the site by IP rather than 'localhost'? You might verify that localhost is present in your /etc/hosts file, but if the site works with firewalld off that's probably not it.
 
1 members found this post helpful.
Old 11-20-2015, 09:34 PM   #7
gacanepa
Member
 
Registered: May 2012
Location: San Luis, Argentina
Distribution: Debian
Posts: 203

Original Poster
Rep: Reputation: 26
I finally found an answer to this question. I read somewhere (don't remember where) that someone had a similar issue on a cloud VPS (which is my case as well). So I followed the same installation steps in a CentOS 7 virtual machine and to my surprise, everything worked wonderfully right from the start.
As I mentioned today, I was suspicious of firewalld. First thing I checked on the VM was that firewalld was enabled, which it was. Then I listed its services and ports enabled for all zones:

Code:
[root@node1 ~]# firewall-cmd --list-all
internal (default, active)
  interfaces: enp0s3
  sources: 
  services: dhcpv6-client http ipp-client mdns samba-client ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules:
It didn't take long to realize that the default zone was set to internal and the network interface was added properly. (Please note that I didn't have to add TCP port 9000).

So I went back to my VPS, and did:

Code:
firewall-cmd --zone=internal --add-interface=tun6to4
firewall-cmd --zone=internal --add-interface=tun6to4 --permanent
firewall-cmd --set-default-zone=internal
firewall-cmd --add-service=http
firewall-cmd --add-service=https
firewall-cmd --add-service=http --permanent
firewall-cmd --add-service=https --permanent
firewall-cmd --reload
The errors were gone and I was finally able to access my site again.

Thank you guys for your time and your insights. I am going to mark this thread as solved and add to your reputation.
 
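The two things this thread turned on, the runtime-versus-permanent split from post #2 and the zone listing in post #7 that showed no interface bound to the default zone, can be checked from a saved `firewall-cmd --list-all` dump. The following script is an added example, not code from the thread or from firewalld; the `audit_zone` helper, its findings and the two sample dumps (constructed from the listings quoted above) are mine.

```shell
# Added example, not from the thread: audit one zone of a `firewall-cmd --list-all` dump.
# audit_zone takes the dump text plus the services the virtual host needs.

# zone_field DUMP FIELD  -> value after "FIELD:" (empty when the field is blank)
zone_field() {
    printf '%s\n' "$1" | sed -n "s/^ *$2: *//p"
}

# zone_has DUMP FIELD ITEM  -> success if ITEM appears in FIELD's list
zone_has() {
    for item in $(zone_field "$1" "$2"); do
        [ "$item" = "$3" ] && return 0
    done
    return 1
}

# audit_zone DUMP SERVICE...  -> prints findings, returns their count (0 = clean)
audit_zone() {
    dump=$1; shift
    n=0
    # A zone header without "active" means no interface or source is bound to it,
    # which is what the VPS listing in the thread showed ("public (default)").
    case "$(printf '%s\n' "$dump" | sed -n '1p')" in
        *active*) ;;
        *) echo "WARN: zone is not active: no interface or source is bound to it"; n=$((n + 1)) ;;
    esac
    for svc in "$@"; do
        zone_has "$dump" services "$svc" || { echo "WARN: service $svc not enabled"; n=$((n + 1)); }
    done
    # php-fpm on 127.0.0.1 is reached over loopback; an open 9000/tcp only exposes it externally
    if zone_has "$dump" ports 9000/tcp; then
        echo "INFO: 9000/tcp is open; php-fpm bound to localhost does not need it"; n=$((n + 1))
    fi
    return $n
}

# Constructed sample modelled on the VPS listing from post #5
SAMPLE_VPS='public (default)
  interfaces:
  services: dhcpv6-client http https ssh
  ports: 2222/tcp 9000/tcp'

# Constructed sample modelled on the working VM listing from post #7
SAMPLE_VM='internal (default, active)
  interfaces: enp0s3
  services: dhcpv6-client http ipp-client mdns samba-client ssh
  ports:'

# Live use:  audit_zone "$(firewall-cmd --list-all)" http https
# Repeat with `--list-all --permanent`; a difference between the two means a --reload is pending.
```

Running it against the runtime and the permanent view separately is what catches the post #2 situation, where `--permanent` recorded a change that was never applied.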
Old 11-20-2015, 10:18 PM   #8
Doug G
Member
 
Registered: Jul 2013
Posts: 593

Rep: Reputation: Disabled
Thanks for posting the solution!
 
Tags
apache, centos7, firewalld, php-fpm, proxy_fcgi