My system was running Ubuntu 20.04 with NC25, nginx, php7.3 and mariadb. Now I updated the System to the latest Ubuntu LTS Version 22.04.
But NC throws out the 502 Error after the update.
I tried to install php8.0-fpm and php8.1-fpm, all necessary modules and edited the nginx config from: php7.3-fpm.sock to php8.0-fpm.sock and php8.1-fpm.sock but I still stuck with the bad gateway error.
Any ideas how to fix this?
I think I found the problem.
The sock for php8.0-fpm and php8.1-fpm on /run/PHP/ is missing.
Check your FPM pool configuration. From the sounds I’ve it I’d guess it to be in /etc/php/8.1/fpm/pool.d/www.conf. The path for the socket is in the listen line.
etc/php/8.1/fpm/pool.d/www.conf contains this line: listen = /run/php/php8.1-fpm.sock
etc/nginx/conf.d/mysite_nextcloud.conf contains this line fastcgi_pass unix:/run/php/php8.1-fpm.sock;
etc/nginx/conf.d/mysite.de.conf contains this line server unix:/run/php/php8.1-fpm.sock;
The php8.1-fpm.sock and the php8.1-fpm.pid files are available in /run/php/
It sounds you’re using a custom Nginx config of some sort.
It’s a little weird to be specifying the socket in two places and across two different sites.
Are you also running a reverse proxy on the same NGINX instance or something?
Can you provide a few of the the lines immediately before and after the server line in /etc/nginx/conf.d/mysite.de.conf?
Also, from the looks of it I’m guessing you aren’t using an upstream php-handler section in your /etc/nginx/conf.d/mysite_nextcloud.conf like is in the recommended config? Is that correct?
Don’t start changing it… I’m asking so I can understand what you’re doing before I make any further suggestion.
upstream php-handler {
server unix:/run/php/php8.1-fpm.sock;
}
server {
listen 80 default_server;
listen [::]:80 ipv6only=on default_server;
server_name my.site.com 192.168.178.32;
root /var/www;
location ^~ /.well-known/acme-challenge {
proxy_pass http://127.0.0.1:81;
proxy_redirect off;
}
location / {
# Enforce HTTPS
# Use this if you always want to redirect to the DynDNS address (no local access).
return 301 https://$server_name$request_uri;
# Use this if you also want to access the server by local IP:
#return 301 https://$server_addr$request_uri;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name my.site.com 192.168.178.32;
# Certificates used
ssl_certificate /etc/letsencrypt/live/my.site.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/my.site.com/privkey.pem;
# Not using TLSv1 will break:
# Android <= 4.4.40
# IE <= 10
# IE mobile <=10
# Removing TLSv1.1 breaks nothing else!
# TLSv1.3 is not supported by most clients, but it should be enabled.
ssl_protocols TLSv1.2 TLSv1.3;
# Cipher suite from https://cipherli.st/
# Max. security, but lower compatibility
ssl_ciphers '00000';
# Cipher suite from https://wiki.mozilla.org/Security/Server_Side_TLS
#ssl_ciphers '00000;
# (Modern) cipher suite from https://mozilla.github.io/server-side-tls/ssl-config-generator/
#ssl_ciphers '00000;
# Diffie-Hellman parameter for DHE ciphersuites, recommended 4096 bits
ssl_dhparam /etc/nginx/ssl/dhparams.pem;
# Use multiple curves.
# secp521r1: Not supported by Chrome
# secp384r1: Not supported by Android (DAVdroid)
ssl_ecdh_curve 000000;
# Server should determine the ciphers, not the client
ssl_prefer_server_ciphers on;
# OCSP Stapling
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;
# This should be chain.pem
# See here: https://certbot.eff.org/docs/using.html
ssl_trusted_certificate /etc/letsencrypt/live/my.site.com/chain.pem;
resolver 192.168.178.1;
# SSL session handling
ssl_session_timeout 24h;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
#
# Add headers to serve security related headers
#
# HSTS (ngx_http_headers_module is required)
# In order to be recoginzed by SSL test, there must be an index.hmtl in the server's root
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload;";
add_header X-Content-Type-Options "nosniff";
add_header X-XSS-Protection "1; mode=block";
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header Referrer-Policy no-referrer;
add_header X-Robots-Tag "noindex, nofollow" always;
add_header X-Frame-Options "SAMEORIGIN";
# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;
location = / {
# Disable access to the web root, otherwise nginx will show the default site here.
deny all;
}
#
# Nextcloud
#
location ^~ /nextcloud/ {
# Set max. size of a request (important for uploads to Nextcloud)
client_max_body_size 10G;
# Besides the timeout values have to be raised in nginx' Nextcloud config, these values have to be raised for the proxy as well
proxy_connect_timeout 3600;
proxy_send_timeout 3600;
proxy_read_timeout 3600;
send_timeout 3600;
proxy_buffering off;
proxy_request_buffering off;
proxy_max_temp_file_size 10240m;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass http://127.0.0.1:82;
proxy_redirect off;
}
location ^~ /.well-known {
# The rules in this block are an adaptation of the rules
# in the Nextcloud `.htaccess` that concern `/.well-known`.
location = /.well-known/carddav { return 301 $scheme://$host/nextcloud/remote.php/dav/; }
location = /.well-known/caldav { return 301 $scheme://$host/nextcloud/remote.php/dav/; }
location /.well-known/acme-challenge { try_files $uri $uri/ =404; }
location /.well-known/pki-validation { try_files $uri $uri/ =404; }
# Let Nextcloud's API for `/.well-known` URIs handle all other
# requests by passing them to the front-end controller.
return 301 $scheme://$host/nextcloud/index.php$request_uri;
}
location ^~ /mysite/ {
proxy_pass http://127.0.0.1:8199; # Local# ip and non SSL port
proxy_hide_header X-Powered-By;
proxy_set_header Range $http_range;
proxy_set_header If-Range $http_if_range;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#Next three lines allow websockets
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
location ^~ /mysite/ {
proxy_pass http://127.0.0.1:9999; # Local ip and non SSL port
proxy_hide_header X-Powered-By;
proxy_set_header Range $http_range;
proxy_set_header If-Range $http_if_range;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#Next three lines allow websockets
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
location ^~ /mysite/ {
proxy_pass http://127.0.0.1:5252; # Local ip and non SSL port
proxy_hide_header X-Powered-By;
proxy_set_header Range $http_range;
proxy_set_header If-Range $http_if_range;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#Next three lines allow websockets
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
/etc/nginx/conf.d/mysite_nextcloud.conf
server {
listen 127.0.0.1:82;
server_name 127.0.0.1;
# Path to the root of your installation
root /var/www/;
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location ^~ /nextcloud {
# set max upload size
client_max_body_size 10G;
fastcgi_buffers 64 4K;
# Enable gzip but do not remove ETag headers
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
# Uncomment if your server is build with the ngx_pagespeed module
# This module is currently not supported.
#pagespeed off;
location /nextcloud {
rewrite ^ /nextcloud/index.php$request_uri;
}
location ~ ^/nextcloud/(?:build|tests|config|lib|3rdparty|templates|data)/ {
deny all;
}
location ~ ^/nextcloud/(?:\.|autotest|occ|issue|indie|db_|console) {
deny all;
}
location ~ ^/nextcloud/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
# Important: disable HTTPS, otherwise no log in will be possible!
#fastcgi_param HTTPS on;
fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
fastcgi_param front_controller_active true;
fastcgi_pass unix:/run/php/php8.1-fpm.sock;
fastcgi_intercept_errors on;
# Raise timeout values.
# This is especially important when the Nextcloud setup runs into timeouts (504 gateway errors)
fastcgi_read_timeout 600;
fastcgi_send_timeout 600;
fastcgi_connect_timeout 600;
fastcgi_request_buffering off;
# Pass PHP variables directly to PHP.
# This is usually done in the php.ini. For more flexibility, these variables are configured in the nginx config.
# All the PHP parameters have to be set in one fastcgi_param. When using more 'fastcgi_param PHP_VALUE' directives, the last one will override all the others.
fastcgi_param PHP_VALUE "open_basedir=/var/www:/tmp/:/var/nextcloud_data:/dev/urandom:/proc/meminfo
upload_max_filesize = 10G
post_max_size = 10G
max_execution_time = 3600
max_input_time = 3600
output_buffering = off";
# Make sure that the real IP of the remote host is passed to PHP.
fastcgi_param REMOTE_ADDR $http_x_real_ip;
}
location ~ ^/nextcloud/(?:updater|ocs-provider)(?:$|/) {
try_files $uri/ =404;
index index.php;
}
# Adding the cache control header for js and css files
# Make sure it is BELOW the PHP block
location ~* \.(?:css|js|woff2?|svg|gif)$ {
try_files $uri /nextcloud/index.php$request_uri;
proxy_set_header Cache-Control "public, max-age=15778463";
# Add headers to serve security related headers
# Use 'proxy_set_header' (not 'add_header') as the headers have to be passed
proxy_set_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload;";
proxy_set_header X-Content-Type-Options nosniff;
proxy_set_header X-XSS-Protection "1; mode=block";
proxy_set_header X-Robots-Tag none;
proxy_set_header X-Download-Options noopen;
proxy_set_header X-Permitted-Cross-Domain-Policies none;
proxy_set_header Referrer-Policy no-referrer;
# Optional: Don't log access to assets
access_log off;
}
location ~* \.(?:png|html|ttf|ico|jpg|jpeg)$ {
try_files $uri /nextcloud/index.php$request_uri;
# Optional: Don't log access to other assets
access_log off;
}
}
}