Console9

Nginx: connect() to php-fpm.sock failed (13: Permission denied)

Fix the Nginx permission denied error for the PHP-FPM Unix socket by aligning the socket ownership, group, and mode with the Nginx worker user.

Nginx produces the "connect() to unix:/var/run/php-fpm.sock failed (13: Permission denied)" error when the Nginx worker process cannot access the PHP-FPM Unix socket file due to a permission or ownership mismatch.

The full error appears in the Nginx error log as:

*1 connect() to unix:/var/run/php-fpm.sock failed (13: Permission denied) while connecting to upstream, client: x.x.x.x, server: localhost, request: "GET / HTTP/1.1", upstream: "fastcgi://unix:/var/run/php-fpm.sock:", host: "x.x.x.x"

When Nginx Produces This Error

Nginx produces this permission denied error when it attempts to connect to the PHP-FPM Unix socket at the path specified in the fastcgi_pass directive. The Nginx worker process cannot open the socket because the file permissions or ownership exclude the Nginx user.

Nginx also produces this error after a PHP-FPM restart if the pool configuration creates the socket with different ownership than the Nginx worker user. The socket file is recreated every time PHP-FPM starts, so a misconfigured pool file causes the error to reappear after each restart.

What Causes the Permission Denied Error for php-fpm.sock in Nginx

Nginx returns permission denied when the PHP-FPM socket owner does not match the Nginx worker user. PHP-FPM creates the Unix socket file with the user and group specified by listen.owner and listen.group in the pool configuration. If these values do not match the Nginx worker user, the operating system denies Nginx access to the socket.

Nginx returns permission denied when the socket file mode is too restrictive. The listen.mode setting in the PHP-FPM pool configuration controls the file permissions on the socket. A mode of 0600 grants access only to the socket owner. Nginx requires at least 0660 to allow group-level access when the Nginx user shares a group with the PHP-FPM socket owner.
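Both causes above reduce to one question: which permission class (owner, group or other) applies to the Nginx worker user, and does that class have write access to the socket. The script below is an added example, not part of the original article; the function names socket_access and check_socket and the sample rows are constructed for illustration, and check_socket assumes GNU stat.

```sh
#!/bin/sh
# socket_access OWNER GROUP MODE USER "USER_GROUPS"
# Prints owner, group or other (the permission class that grants write access,
# which is what connect() needs on Linux) or denied. Root is not special-cased.
socket_access() {
    owner=$1 group=$2 mode=$((0${3#0})) user=$4 user_groups=$5
    if [ "$user" = "$owner" ]; then
        # The owner class is decisive: group and other bits are not consulted.
        [ $(($mode & 0200)) -ne 0 ] && echo owner || echo denied
        return
    fi
    for g in $user_groups; do
        if [ "$g" = "$group" ]; then
            [ $(($mode & 0020)) -ne 0 ] && echo group || echo denied
            return
        fi
    done
    [ $(($mode & 0002)) -ne 0 ] && echo other || echo denied
}

# check_socket SOCKET_PATH NGINX_USER: same decision on a live host.
# Uses GNU stat and id; returns non-zero when access would be denied.
check_socket() {
    sock=$1 user=$2
    [ -S "$sock" ] || { echo "$sock: not a socket (is PHP-FPM running?)"; return 2; }
    set -- $(stat -c '%U %G %a' "$sock")
    via=$(socket_access "$1" "$2" "$3" "$user" "$(id -Gn "$user")")
    echo "$sock owner=$1 group=$2 mode=$3 -> $user: $via"
    # A world-writable socket lets every local account send requests to PHP-FPM.
    [ $((0${3#0} & 0002)) -eq 0 ] || echo "WARNING: $sock is world-writable"
    [ "$via" != denied ]
}

# Constructed cases (not from a real host): owner group mode user user-groups
while read -r o g m u ug; do
    echo "$o:$g $m, worker $u -> $(socket_access "$o" "$g" "$m" "$u" "$ug")"
done <<'EOF'
www-data www-data 0660 www-data www-data
www-data www-data 0660 nginx nginx
php-fpm www-data 0660 www-data www-data
root root 0600 www-data www-data
www-data www-data 0060 www-data www-data
EOF
```

On a live host, source the file and run check_socket with the socket path from fastcgi_pass and the worker user from the ps output, for example check_socket /var/run/php/php8.2-fpm.sock www-data.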

How to Fix the Permission Denied Error for php-fpm.sock in Nginx

  1. Find the user that runs the Nginx worker processes:

     ps aux | grep nginx

     The output shows the Nginx worker process user (typically www-data on Debian/Ubuntu or nginx on CentOS/RHEL).

  2. Open the PHP-FPM pool configuration file. The path depends on the PHP version and distribution:

     sudo vi /etc/php/8.2/fpm/pool.d/www.conf

     Other common paths:

       • /etc/php/7.4/fpm/pool.d/www.conf
       • /etc/php-fpm.d/www.conf (CentOS/RHEL)

  3. Set the user, group, listen.owner, listen.group, and listen.mode values to match the Nginx worker user:

     user = www-data
     group = www-data
     listen.owner = www-data
     listen.group = www-data
     listen.mode = 0660

     Replace www-data with the user shown in the ps output from Step 1.

  4. If the socket file already exists with wrong ownership, change it manually:

     sudo chown www-data:www-data /var/run/php/php8.2-fpm.sock

  5. Set cgi.fix_pathinfo to 0 in php.ini as a security precaution when using Unix sockets. This prevents PHP from executing unintended files when the script path does not match exactly.

     sudo vi /etc/php/8.2/fpm/php.ini

     cgi.fix_pathinfo = 0

  6. Restart PHP-FPM to recreate the socket with the correct ownership. Then reload Nginx.

     sudo systemctl restart php8.2-fpm
     sudo nginx -t
     sudo systemctl reload nginx

How to Verify the Fix

Nginx connects to the PHP-FPM socket without permission errors when the ownership and mode are correct. Send a test request to a PHP page:

curl -I http://example.com/index.php

A 200 OK response confirms that Nginx communicates with PHP-FPM through the socket. Check the Nginx error log to confirm no new permission denied entries appear:

tail -20 /var/log/nginx/error.log

Edge Cases and Variations

Nginx returns permission denied after a PHP version upgrade. A PHP version upgrade changes the socket file path (e.g., from php7.4-fpm.sock to php8.2-fpm.sock) and creates a new pool configuration file. The new pool file may have different default ownership values. Update both the PHP-FPM pool configuration and the fastcgi_pass directive in nginx.conf.

Nginx returns permission denied when using systemd's PrivateTmp or ProtectSystem options. Some systemd service files restrict the directories PHP-FPM can access. Check the PHP-FPM systemd unit file for sandboxing directives that may prevent socket creation in the expected directory.

Nginx: 502 Bad Gateway - The 502 error is the user-facing result of a failed PHP-FPM socket connection. The permission denied log message identifies the specific cause.

Nginx downloads PHP files instead of executing them - A different socket configuration problem where the fastcgi_pass directive is missing entirely rather than blocked by permissions.