
NGINX PROBLEM

VictorA

New Pleskian
Hello,

I get "502 Bad Gateway" errors in browser and found this in logs:

- upstream prematurely closed connection while reading response header from upstream

- failed (111: Connection refused) while connecting to upstream

Restarting Apache solves the problem temporarily.

I tried tweaking both nginx and php-fpm config files without success.

Have you experienced this issue? I'm desperate.
 
There are a lot of different related KB articles for different reasons of this issue. Have you tried to use them?
 
Thanks Igor.

kb.odin.com/es/118757
kb.odin.com/es/122078
kb.odin.com/en/123735

are not related to my issue. Are there more to check?
 
Can you confirm whether this file (/etc/php-fpm.d/www.conf) is correctly configured? I removed commented lines:

=====
[www]

listen = 127.0.0.1:9000
listen.backlog = 65536
listen.allowed_clients = 127.0.0.1

user = apache
group = apache

pm = dynamic
pm.max_children = 50
pm.start_servers = 5
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500

request_terminate_timeout = 300
slowlog = /var/log/php-fpm/www-slow.log

php_admin_value[error_log] = /var/log/php-fpm/www-error.log
php_admin_flag[log_errors] = on
php_value[session.save_handler] = files
php_value[session.save_path] = /var/lib/php/session
=====

One of the commented parts was this:

; Set permissions for unix socket, if one is used. In Linux, read/write
; permissions must be set in order to allow connections from a web server. Many
; BSD-derived systems allow connections regardless of permissions.
; Default Values: user and group are set as the running user
; mode is set to 0666
;listen.owner = nobody
;listen.group = nobody
;listen.mode = 0666

Should I uncomment it?
 
And this is my /etc/nginx/nginx.conf:

=====
#user nginx;
worker_processes 4;
worker_rlimit_nofile 100000;

#error_log /var/log/nginx/error.log;
#error_log /var/log/nginx/error.log notice;
#error_log /var/log/nginx/error.log info;

#pid /var/run/nginx.pid;

events {
    worker_connections 10024;
}

http {
    include mime.types;
    default_type application/octet-stream;

    #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    # '$status $body_bytes_sent "$http_referer" '
    # '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log /var/log/nginx/access.log main;

    sendfile on;
    #tcp_nopush on;

    keepalive_timeout 600;
    #tcp_nodelay on;
    proxy_buffer_size 128k;
    proxy_buffers 4 256k;
    proxy_busy_buffers_size 256k;
    proxy_connect_timeout 600;
    proxy_send_timeout 600;
    proxy_read_timeout 600;
    send_timeout 600;
    fastcgi_buffers 8 16k;
    fastcgi_buffer_size 32k;
    fastcgi_connect_timeout 300;
    fastcgi_send_timeout 300;
    fastcgi_read_timeout 300;
    client_max_body_size 100m;
    client_body_buffer_size 128k;

    #gzip on;
    #gzip_disable "MSIE [1-6]\.(?!.*SV1)";

    server_tokens off;

    include /etc/nginx/conf.d/*.conf;
}
=====

Anything wrong?
 
Lastly, my /etc/php-fpm.conf:

=====
;;;;;;;;;;;;;;;;;;;;;
; FPM Configuration ;
;;;;;;;;;;;;;;;;;;;;;

; All relative paths in this configuration file are relative to PHP's install
; prefix.

; Include one or more files. If glob(3) exists, it is used to include a bunch of
; files from a glob(3) pattern. This directive can be used everywhere in the
; file.
include=/etc/php-fpm.d/*.conf

;;;;;;;;;;;;;;;;;;
; Global Options ;
;;;;;;;;;;;;;;;;;;

[global]
; Pid file
; Default Value: none
pid = /run/php-fpm/php-fpm.pid

; Error log file
; Default Value: /var/log/php-fpm.log
error_log = /var/log/php-fpm/error.log

; Log level
; Possible Values: alert, error, warning, notice, debug
; Default Value: notice
;log_level = notice

; If this number of child processes exit with SIGSEGV or SIGBUS within the time
; interval set by emergency_restart_interval then FPM will restart. A value
; of '0' means 'Off'.
; Default Value: 0
emergency_restart_threshold = 10

; Interval of time used by emergency_restart_interval to determine when
; a graceful restart will be initiated. This can be useful to work around
; accidental corruptions in an accelerator's shared memory.
; Available Units: s(econds), m(inutes), h(ours), or d(ays)
; Default Unit: seconds
; Default Value: 0
emergency_restart_interval = 1

; Time limit for child processes to wait for a reaction on signals from master.
; Available units: s(econds), m(inutes), h(ours), or d(ays)
; Default Unit: seconds
; Default Value: 0
process_control_timeout = 10s

; Send FPM to background. Set to 'no' to keep FPM in foreground for debugging.
; Default Value: yes
daemonize = no

;;;;;;;;;;;;;;;;;;;;
; Pool Definitions ;
;;;;;;;;;;;;;;;;;;;;

; See /etc/php-fpm.d/*.conf
=====

If you need to see more config files, please ask.
 
If the community can't help you, I can only recommend creating a request to the support team for an in-depth investigation to find the reason and fix it. Please create a support ticket at https://www.odin.com/support/request/ .
You may have free support; please check what kind of Plesk license you use for available support options at http://kb.odin.com/en/121580 .
If there’s no free support in your case, you can order Plesk per-incident support at http://www.odin.com/support/buy-support/ . The support team will contact you as soon as the purchase is processed, and they will do their best to resolve it.
If it is found that your problem was caused by a product bug without an available solution or workaround from Parallels, then your purchase will be refunded.
 
Suddenly, I had the same problem with getting a 502 bad gateway error from nginx on every website my VPS with Plesk 12.5 hosts.
I first stopped nginx in the services administration. All websites worked again.

After a lot of searching I found that Fail2Ban had listed the IP address of the VPS because of the jail plesk-modsecurity. Somehow ModSecurity blocked one or more internal requests from nginx to Apache while first blocking the same requests from the real remote address. And the Fail2Ban jail picked it up and blocked the server IP.

My solution was simply to put the external IP address of the server on the whitelist of Fail2Ban. Problem solved.
In all my searching I did not find this solution. It seems a bit strange that no one had the same reason for the 'bad gateway' error that I had.
Might be that nginx is supposed to forward a request internally using the 127.0.0.x IP address(?). That IP address range was already (maybe by default) on the whitelist of Fail2Ban.
 
My solution was simply to put the external IP address of the server on the whitelist of Fail2Ban. Problem solved.

The whitelisting of EVERY trusted IP is a basic installation rule, as you might notice when reading the documentation. :)

Protection Against Brute Force Attacks (Fail2Ban) (Plesk online documentation for Plesk 12.5)

If an IP address should not be blocked:
  1. Go to Tools & Settings > IP Address Banning (Fail2Ban) > Trusted IP Addresses > Add Trusted IP.
  2. In the IP address field, provide an IP address, an IP range, or a DNS host name, and click OK.
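
The check behind the fix discussed above, as an added example that is not part of the original thread or of Plesk: it compares the addresses a server owns against a jail's `ignoreip` value and the banned list shown by `fail2ban-client status <jail>`, flagging a self-ban such as the one in the plesk-modsecurity jail. The status text and all addresses (documentation ranges) are constructed, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample in the layout printed by `fail2ban-client status <jail>`.
# 203.0.113.10 stands in for the server's own external address.
SAMPLE_STATUS = """\
Status for the jail: plesk-modsecurity
|- Filter
|  |- Currently failed: 0
|  `- Total failed: 12
`- Actions
   |- Currently banned: 2
   |- Total banned: 2
   `- Banned IP list: 198.51.100.23 203.0.113.10
"""

def parse_ignoreip(value):
    """Turn an ignoreip value (space/comma separated) into networks.
    DNS host names cannot be matched offline and are returned separately."""
    nets, names = [], []
    for tok in filter(None, re.split(r"[\s,]+", value)):
        try:
            nets.append(ipaddress.ip_network(tok, strict=False))
        except ValueError:
            names.append(tok)
    return nets, names

def parse_banned(status_text):
    """Extract the addresses on the 'Banned IP list:' line."""
    m = re.search(r"Banned IP list:[ \t]*(.*)", status_text)
    return {ipaddress.ip_address(t) for t in m.group(1).split()} if m else set()

def audit(server_ips, ignoreip_value, status_text):
    """For each address the server owns: is it trusted, and is it banned?"""
    nets, _ = parse_ignoreip(ignoreip_value)
    banned = parse_banned(status_text)
    report = {}
    for raw in server_ips:
        ip = ipaddress.ip_address(raw)
        trusted = any(ip.version == n.version and ip in n for n in nets)
        report[raw] = {"trusted": trusted, "banned": ip in banned}
    return report

if __name__ == "__main__":
    own = ["127.0.0.1", "203.0.113.10"]  # loopback plus external IP (constructed)
    for ip, state in audit(own, "127.0.0.1/8 ::1", SAMPLE_STATUS).items():
        flag = "SELF-BAN" if state["banned"] else "ok"
        print(f"{ip:15} trusted={state['trusted']!s:5} banned={state['banned']!s:5} {flag}")
```

An address that comes back as banned and not trusted is the situation described in the thread: loopback is covered by `ignoreip`, the external address is not.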
 
Haha... who reads the manual?? ;)

You might be right on the basic rule. But I got a VPS with Plesk pre-installed. This is the 3rd server with Plesk and I did not have to whitelist the external IP address before. It could be logical to NOT block its own IP addresses or whitelist them automatically.
I won't forget this again.
 
The whitelisting of EVERY trusted IP is a basic installation rule, as you might notice when reading the documentation. :)


Is there a way to enter the Trusted IP list into a file in the OS? I looked at the
/etc/fail2ban/jail.conf
and
/etc/fail2ban/fail2ban.conf
files, but the IPs I entered through the interface do not exist there, so they are not the right files.

I have got lots of IPs to enter, so is there any workaround for this?

Thanks.
 
Hi Burak Özdemir,

Sorry, but this is absolutely the wrong thread and topic for your question. Please consider opening a new thread.