Nginx reports: FastCGI sent in stderr: "Unable to open primary script"

Hi, I recently successfully (kinda) set up Nextcloud on openSUSE, however I couldn't get Apache to serve the ocs-provider, .well-known, etc things right, so I switched to Nginx.

I have Nginx and php running as the wwwrun user, serving nextcloud out of /srv/www/htdocs/nextcloud which I chown -R'd to wwwrun. When I run sudo -s wwwrun cat /srv/www/htdocs/nextcloud/index.php it works fine! But when I start up all the server components and try to access the URL it just says "Access denied" with the following error in Nginx's log:

2022/07/16 14:39:12 [error] 11915#11915: *19 FastCGI sent in stderr: "Unable to open primary script: /srv/www/htdocs/nextcloud/index.php (Permission denied)" while reading response header from upstream

I'm using the default nginx.conf from the docs with just my server name and SSL cert file locations changed. The error message I get when hitting the URL is correctly served via HTTPS which is fun at least :smiley:

This is my php-fpm.conf:

[global]
include=/etc/php7/fpm/php-fpm.d/*.conf

And, the only file in php-fpm.d, www.conf:

[www]
user = wwwrun
group = www
listen = 127.0.0.1:9000
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3

Any ideas on where I should look to solve this? In short:

  • php reports via fastcgi that it cannot access my index.php due to permission denied
  • I can independently verify that the user php runs as can, in fact, read the file

I found the problem. My configuration is fine. AppArmor was preventing the php-fpm process from reading files it needed to.
Interestingly, disabling the apparmor service did not change that. However, running aa-complain php-fpm as root solved it.

If only I read this 3 days ago…
Here is the openSUSE Leap YaST solution:
YaST → AppArmor → Settings → Launch (or 2xL) → Configure Profile modes [Configure] → php-fpm → Set to 'complain'
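
An added example, not part of the original posts: because the cause here was an AppArmor profile rather than file ownership, this Python example reads AppArmor audit records and lists the paths a profile was refused, as candidate file rules for the profile. The log lines are constructed samples in the kernel's AppArmor audit format, and the profile name php-fpm is taken from the aa-complain command above.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not from the thread). The field layout
# follows the kernel's AppArmor audit messages.
SAMPLE_LOG = """\
type=AVC msg=audit(1657975152.101:310): apparmor="DENIED" operation="open" profile="php-fpm" name="/srv/www/htdocs/nextcloud/index.php" pid=11920 comm="php-fpm" requested_mask="r" denied_mask="r" fsuid=30 ouid=30
type=AVC msg=audit(1657975152.230:311): apparmor="DENIED" operation="mknod" profile="php-fpm" name="/srv/www/htdocs/nextcloud/data/nextcloud.log" pid=11920 comm="php-fpm" requested_mask="c" denied_mask="c" fsuid=30 ouid=30
type=AVC msg=audit(1657975153.007:312): apparmor="ALLOWED" operation="open" profile="php-fpm" name="/etc/php7/fpm/php.ini" pid=11920 comm="php-fpm" requested_mask="r" denied_mask="r" fsuid=30 ouid=0
type=AVC msg=audit(1657975153.450:313): apparmor="DENIED" operation="open" profile="php-fpm" name="/srv/www/htdocs/nextcloud/data/nextcloud.log" pid=11920 comm="php-fpm" requested_mask="wc" denied_mask="wc" fsuid=30 ouid=30
type=AVC msg=audit(1657975154.000:314): apparmor="DENIED" operation="open" profile="nginx" name="/etc/nginx/nginx.conf" pid=11915 comm="nginx" requested_mask="r" denied_mask="r" fsuid=30 ouid=0
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Log masks "c" (create) and "d" (delete) are both covered by "w" in a file rule.
LOG_TO_RULE = {"c": "w", "d": "w"}


def parse_record(line):
    """Return the key/value fields of one audit line, or None if not AppArmor."""
    fields = {key: (quoted or bare) for key, quoted, bare in FIELD.findall(line)}
    return fields if "apparmor" in fields else None


def denied_access(log_text, profile):
    """Map each path the profile lacks a rule for to the permissions it needs."""
    needed = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if not rec or rec.get("profile") != profile:
            continue
        # DENIED: blocked in enforce mode. ALLOWED: logged only, in complain mode.
        if rec["apparmor"] not in ("DENIED", "ALLOWED") or "name" not in rec:
            continue
        for ch in rec.get("denied_mask", ""):
            needed[rec["name"]].add(LOG_TO_RULE.get(ch, ch))
    return dict(needed)


def candidate_rules(needed):
    """Render the result as AppArmor file rules, one exact path per rule."""
    order = "rwaklmx"
    return [f"{path} {''.join(sorted(perms, key=order.find))},"
            for path, perms in sorted(needed.items())]


if __name__ == "__main__":
    for rule in candidate_rules(denied_access(SAMPLE_LOG, "php-fpm")):
        print(rule)
```

On a live system these records are in /var/log/audit/audit.log when auditd is running, and aa-logprof performs the same analysis interactively.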