Caddy 2 - 502 gateway error for index.php via php-fpm

1. The problem I’m having:

I have caddy and php-fpm installed. I can serve an index.html file but for index.php I get 502 bad gateway.

2. Error messages and/or full log output:

{"level":"error","ts":1713372463.4369254,"logger":"http.log.access.log0","msg":"handled request","request":{"remote_ip":"86.30.42.139","remote_port":"50202","client_ip":"86.30.42.139","proto":"HTTP/2.0","method":"GET","host":"www.sportch.co.uk","uri":"/status","headers":{"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7"],"Sec-Fetch-Dest":["document"],"Cookie":[],"Sec-Ch-Ua-Mobile":["?0"],"Upgrade-Insecure-Requests":["1"],"Sec-Fetch-Site":["none"],"Accept-Encoding":["gzip, deflate, br, zstd"],"Accept-Language":["en-GB,en-US;q=0.9,en;q=0.8"],"Priority":["u=0, i"],"Cache-Control":["max-age=0"],"User-Agent":["Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"],"Sec-Fetch-Mode":["navigate"],"Sec-Ch-Ua":["\"Chromium\";v=\"124\", \"Google Chrome\";v=\"124\", \"Not-A.Brand\";v=\"99\""],"Sec-Fetch-User":["?1"],"Sec-Ch-Ua-Platform":["\"macOS\""]},"tls":{"resumed":true,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"www.sportch.co.uk"}},"bytes_read":0,"user_id":"","duration":0.000364555,"size":0,"status":502,"resp_headers":{"Server":["Caddy"],"Alt-Svc":["h3=\":443\"; ma=2592000"]}}

3. Caddy version:

v2.7.6 h1:w0NymbG2m9PcvKWsrXO6EEkY9Ru4FJK8uQbYcev1p3A=

4. How I installed and ran Caddy:

dnf install caddy
systemctl start caddy

a. System environment:

Alma Linux 9.8

b. Command:

systemctl start caddy

c. Service/unit/compose file:

N/A

d. My complete Caddy config:

{
        debug
}
www.sportch.co.uk, sportch.co.uk {
        root * /var/www/html/wordpress
        # handle the /status URL
        reverse_proxy /status unix//run/php-fpm/www.sock {
                transport fastcgi {
                        env SCRIPT_NAME /status
                }
        }

        php_fastcgi unix//run/php-fpm/www.sock

        file_server
        log {
                output file /var/log/caddy/access.log
        }
}

Here’s the php-fpm config:

[www]
user = wp
group = caddy
listen = /run/php-fpm/www.sock
listen.allowed_clients = 127.0.0.1
pm = dynamic
pm.max_children = 50
pm.start_servers = 5
pm.min_spare_servers = 5
pm.max_spare_servers = 35
slowlog = /var/log/php-fpm/www-slow.log
php_admin_value[error_log] = /var/log/php-fpm/www-error.log
php_admin_flag[log_errors] = on
php_value[session.save_handler] = files
php_value[session.save_path]    = /var/lib/php/session
php_value[soap.wsdl_cache_dir]  = /var/lib/php/wsdlcache
php_value[upload_max_filesize]  = 5MB
php_value[post_max_size]        = 5MB

5. Links to relevant resources:

N/A

The issue was permissions on the socket file.

srw-rw----. 1 root root 0 Apr 18 08:54 /run/php-fpm/www.sock

Because I’ve set php-fpm to user wp and group caddy, it can’t access the sock file and nor can caddy. To fix this one might expect you could simply chown it BUT that won’t work because when the php-fpm service restarts the ownership will be reset.
So it’s better to add an ACL:

setfacl -m u:caddy:rw- -m g:caddy:rw- /run/php-fpm/www.sock
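Added example, not part of the thread and not Caddy's or php-fpm's own code: the ownership of the socket comes from the pool's `listen.owner`, `listen.group`, `listen.mode` and `listen.acl_users`/`listen.acl_groups` options, none of which are set in the posted config. The hypothetical helper `fpm_socket_access` below predicts from a pool file whether an account can connect, assuming the php-fpm master runs as root and the file holds a single pool.

```shell
#!/bin/sh
# Added example, not from the thread. Predicts whether an account can connect
# to the unix socket a php-fpm pool creates, from the pool's listen.* settings.
# Assumptions: the php-fpm master runs as root (unset listen.owner/listen.group
# then mean root, as in the ls output above), one pool per file, and the
# caller supplies the account's groups (e.g. from `id -Gn caddy`).

# usage: fpm_socket_access POOL_CONF|- USER "group1,group2"
fpm_socket_access() {
    awk -v user="$2" -v groups="$3" '
    function has(list, name,   n, i, a) {   # is name in a comma-separated list?
        n = split(list, a, /[ \t]*,[ \t]*/)
        for (i = 1; i <= n; i++) if (a[i] == name) return 1
        return 0
    }
    /^[ \t]*[;#]/ || !/=/ { next }          # skip comments and [pool] headers
    {
        key = $0; sub(/[ \t]*=.*/, "", key); sub(/^[ \t]+/, "", key)
        val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
        conf[key] = val
    }
    END {
        acl_u = conf["listen.acl_users"]; acl_g = conf["listen.acl_groups"]
        if (has(acl_u, user)) { print "allow: user in listen.acl_users"; exit }
        n = split(groups, g, ",")
        for (i = 1; i <= n; i++) if (has(acl_g, g[i])) {
            print "allow: group " g[i] " in listen.acl_groups"; exit
        }
        # php-fpm ignores listen.owner/listen.group once any ACL option is set
        use = ((acl_u acl_g) == "")
        owner = (use && ("listen.owner" in conf)) ? conf["listen.owner"] : "root"
        group = (use && ("listen.group" in conf)) ? conf["listen.group"] : "root"
        mode  = ("listen.mode" in conf) ? conf["listen.mode"] : "0660"
        mode  = substr(mode, length(mode) - 2)       # last three octal digits
        if (user == owner)           { cls = "owner"; d = substr(mode, 1, 1) }
        else if (has(groups, group)) { cls = "group"; d = substr(mode, 2, 1) }
        else                         { cls = "other"; d = substr(mode, 3, 1) }
        # read+write (octal digit 6 or 7) is what the ACL in the thread grants
        printf "%s: %s class on %s:%s mode 0%s\n",
               (d + 0 >= 6 ? "allow" : "deny"), cls, owner, group, mode
    }' "$1"
}

# Constructed input: the listen.* lines of the pool config posted above.
printf '[www]\nuser = wp\ngroup = caddy\nlisten = /run/php-fpm/www.sock\n' |
    fpm_socket_access - caddy caddy
```

Pass the real pool file as the first argument and the groups reported by `id -Gn caddy` as the third to check a live configuration before restarting php-fpm.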

Glad you figured it out!

For issues like this, don’t look at your access logs, look at Caddy’s runtime logs instead, which will have more useful error messages from the proxy handler.

Access logs are simply the request/response; they don’t contain anything about actual handler problems.

Thanks for the tip. I would love to “look at Caddy’s runtime logs” but I have absolutely no idea how to do that?

See the docs:
