Access denied (403) for PHP files with Nginx + PHP-FPM

Here are some possible solutions:

  1. In your php-fpm www.conf set security.limit_extensions to .php or .php5 or whatever suits your environment. For some users, completely removing all values or setting it to FALSE was the only way to get it working.

  2. In your nginx config file set fastcgi_pass to your socket address (e.g. unix:/var/run/php-fpm/php-fpm.sock;) instead of your server address and port.

  3. Check your SCRIPT_FILENAME fastcgi param and set it according to the location of your files.

  4. In your nginx config file include fastcgi_split_path_info ^(.+\.php)(/.+)$; in the location block where all the other fastcgi params are defined.

  5. In your php.ini set cgi.fix_pathinfo to 1


Please note that the above solution (set cgi.fix_pathinfo to 1) is a terrible idea. See https://nealpoole.com/blog/2011/04/setting-up-php-fastcgi-and-nginx-dont-trust-the-tutorials-check-your-configuration/ for a good overview.

The issue is probably down to your application relying on PATH_INFO. Enable access logging for php to get more information about how your application is called to help you debug this issue.

Once again, just to be sure - the accepted solution is a terrible idea, and will likely get your site hacked.


Do not forget to restart php5-fpm service after changing php.ini!!

service php5-fpm restart or service php5-fpm reload

fpm prestarts php5 so it is not enough to restart nginx to have the changes applied.