Fastcgi Sent in Stderr: "Primary Script Unknown" While Reading Response Header

I encountered this error yesterday afterward upgraded php-* packages so restart its service. All my websites were stopped working, I got 'File not found.' message on the screen and constitute the ton repeated of error messages in log of nginx Primary script unknown.

Nginx/PHP-FPM: How to fix 'Primary script unknown' or 'file non constitute' effect

TL;DR:

• Since php-fpm version seven.4.0 php-fpm.service defines ProtectHome=true which restricts access to files located within /home, /root and /run/user, yielding the error bulletin No input file specified.
• To fix this problem, either set ProtectHome=false in php-fpm.service file or motility your certificate root.

The upshot I'm facing afterwards fully upgraded system, reboot my VPS:

• Browsing to information technology in browser returns the text "File not found".
• nginx error.log contains:
  

  2019/12/17 xv:36:09 [error] 1502#1502: *1 FastCGI sent in stderr: "Principal script unknown" while reading response header from upstream, …

The bulletin is telling u.s. that the FastCGI handler doesn't like whatever information technology was sent for some reason. The problem is that sometimes we have no idea what the reason is. On my experience of using nginx, the mistake message Primary script unknown is about ever related to a wrongly set SCRIPT_FILENAME in the nginx fastcgi_param directive or incorrect permissions. It's seem correctly answer when the php-fpm.service stopped working with error:

ERROR: failed to open configuration file '/etc/php/php-fpm.conf': Permission denied (13)

I tried turns out that the root location had to match the location of the files on the php-fpm as that's what was being past through via:

                fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name              

Merely it doesn't piece of work.
Well, if I remove my SCRIPT_FILENAME so all I go is an empty, white, bare folio by nginx. No error letters either. It's mean fastcgi_param is not cause of this trouble.
If the SCRIPT_FILENAME is wrong, it may as well be PHP is running as the wrong user/group. I have a look on php-fpm.conf, php-fpm.d/www.conf and double-checked for errors and inconsistencies. Everything is ok , no conflicted.
Just expect, I stored all LEMP'south config files in a folder then created symlinks of them to /etc/nginx/ and /etc/php folders. Everything was working fine before I upgraded php-fpm to version seven.iv.0. After that, the PHP service but started when all the symbolic links were replaced by real files. Furthermore, my website has 'file not found' error, it's pregnant the files on server is inaccessible. They were isolated.
And so I'thousand seem to figure out what is causing this. It'southward PHP-FPM service. It has ProtectHome gear up to true since seven.four.0!
This trouble was caused by ProtectHome=true in the php-fpm systemd unit file if you are serving files in /home such every bit in a virtual host environment. You can disable this feature by editing the php-fpm unit of measurement file and restarting php-fpm.

                # systemctl edit php-fpm              

Looking for ProtectHome=true then change it to imitation or add the post-obit:

                [Service] ProtectHome=false              

Alternatively, motility your document root.
If you are non sure about the ProtectHome is existed, here is the command to check information technology is running:

                $ sudo systemctl cat php-fpm.service | grep ProtectHome    ProtectHome=true              

Before restart php-fpm service, make sure to reload the systemd daemon:

                $ sudo systemctl daemon-reload              

It's washed. Everything is OK now.

What is ProtectHome?

Takes a boolean argument or the special values "read-but" or "tmpfs".

• If true, the directories /home, /root, and /run/user are fabricated inaccessible and empty for processes invoked by this unit.
• If set to "read-only", the iii directories are made read-only instead.
• If set to "tmpfs", temporary file systems are mounted on the three directories in read-only mode. The value "tmpfs" is useful to hide habitation directories not relevant to the processes invoked past the unit, while still assuasive necessary directories to be made visible when listed in BindPaths= or BindReadOnlyPaths=.

Setting this to "yes" is mostly equivalent to set the three directories in InaccessiblePaths=. Similarly, "read-only" is mostly equivalent to ReadOnlyPaths=, and "tmpfs" is more often than not equivalent to TemporaryFileSystem= with ":ro".
It is recommended to enable this setting for all long-running services (in item network-facing ones), to ensure they cannot go access to private user data, unless the services actually require admission to the user'south private information. This setting is implied if DynamicUser= is prepare. This setting cannot ensure protection in all cases. In general it has the aforementioned limitations as ReadOnlyPaths=.
This choice is only bachelor for organisation services and is not supported for services running in per-user instances of the service director.

freemancometwou.blogspot.com

Source: https://www.narga.net/how-to-fix-nginx-primary-script-unknown-file-not-found/

Share this post