Cannot get Kirby site to run on nginx on Raspberry

Hi there,

I am trying to host a Kirby site on my Raspberry and was following the recipe on setting up nginx.

I created the kirby.conf file as described and adjusted the three lines that needed adjustment to what I believe should be the correct changes (but I’m not sure). I can restart nginx without any error now, but when I try to open my page over the IP (where I could open a simple html page before I created the kirby.conf file) I get an error:

20210908-021009_Screenshot_Firefox

My conf file looks pretty much like the boilerplate:

server {
  # listen 8080; # Can be omitted if Nginx runs on Port 80
  index index.php index.html;
  server_name localhost; # Adjust to your domain setup
  root /var/www/html; # Adjust to your setup

  location / {
    try_files $uri $uri/ /index.php$is_args$args;
  }

  location ~* \.php$ {
    try_files $uri =404;
    fastcgi_pass localhost:9000; # Adjust to your setup
    include fastcgi.conf;
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    # fastcgi_param SERVER_PORT 8080; # Only needed if external port is different from the listen port
  }
}

The starterkit is placed into /var/www/html (that’s where the index.php is).

Does anyone know what might be wrong or how I could debug this? That would be great!

Thanks a lot!

I am more with Apache but 3 points to consider:

  1. You expose your server as localhost. This could lead to the fact that your web server would only listen for requests from your Pi and not from the network. Make sure it will listen and respond to requests from other machines.

  2. Make sure your PHP_FPM is running and listening on Port 9000 on your Pi. Maybe it is configured to listen on a UNIX socket only.

  3. Make sure that the processes under which the webserver and PHP_FPM are running, do have sufficient rights to the folder hierarchy where you installed the starterkit (the 403 error actually indicates a problem with permissions).

I guess nginx should write a logfile where you can check, but maybe this logfile has to be configured first.

Thanks a lot for your answer @Adspectus! I will try your suggestions this evening once I get back to my Raspberry and report back here.

Ok, I am not getting this to work unfortunately. I have very little experience with setting up stuff like this, so I’m really struggling to understand what I’m doing.

This one should probably be the case given the fact that I could access the nginx test page over the network from my Macbook, before I tried installing Kirby, right?

How would I do that? I found that you can run something like /etc/init.d/php7.3-fpm status, but it does not seem to give me any info on any port. I read that 9000 is PHP_FPM’s standard port though, so I don’t think it should be on any other port in this case.

I tried to look into this, but frankly, I have no idea what I need to do. I tried to follow this post, but I am not sure if that changed it for the better or worse.

I set up my Raspberry entirely from scratch now to see if that would avoid the issues, but now I have a situation where it does not show a 403 error, but where my browser downloads Kirby’s root level index.php file. I have no idea what is going on and why it would do that.

Can anybody give me any hints? Generally I think it would be great if the nginx recipe could contain some more details, especially on file permissions.

Thanks a lot!

Well, let’s dig into it step by step.

Since you can access your webserver on the Pi from the network, item 1 is ok.

  1. What is the output of the status command? You should see it is running (or active).

If it is running, check if it is listening on a TCP port or UNIX socket. This you will find in the configuration of PHP-FPM which should be a file named www.conf and which is located in /etc/php-fpm/... or /etc/php/7.x/fpm/pool.d/ depending on your OS-specific installation. In this file, you will find a line that starts with listen and then either a path which ends in .sock or an IP4/6 address and/or a port.

Depending on what you have found here, you have to change your fastcgi_pass configuration directive in your nginx config from above. So, if in your pool config is:

listen = /run/php/php7.3-fpm.sock

then in your nginx config you should have:

fastcgi_pass unix:/run/php/php7.3-fpm.sock;

Try that first and in the meantime I will install nginx on my Raspberry Pi in order to verify. If your problem is still not solved we can look into your permissions.

What you always should be able to do is to check the log files of nginx and check if your webserver is running and reachable (you already did that) and if the webserver is able to process PHP. E.g., if the static sample HTML file is visible in a browser, go to the webserver root where this file is located (probably named index.html) and then create an index.php file in the same directory with only this line:

<?php phpinfo(); ?>

Open this via a browser and you will get an error or nothing if the webserver does not know what to do with PHP files or you will see a nice page with all kind of information about your webserver and PHP. If you encounter an error here, the next step is to check nginx log files.
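
The comparison described in the reply above (the listen value of the PHP-FPM pool against the fastcgi_pass target in nginx), as an added shell example that is not part of the original thread. The function names and the sample file contents are constructed for illustration; on the Pi the inputs would be the pool file and the nginx site file named in the thread.

```shell
# Added example (not from the thread): check that nginx's fastcgi_pass points
# at the endpoint PHP-FPM listens on. All file contents below are constructed.

# Active "listen" value of a PHP-FPM pool file (";" starts a comment there).
fpm_listen() {
    sed -n 's/^[[:space:]]*listen[[:space:]]*=[[:space:]]*\([^;[:space:]]*\).*/\1/p' "$1" | tail -n 1
}

# Every active fastcgi_pass target in an nginx config ("#" lines are skipped).
nginx_targets() {
    sed -n 's/^[[:space:]]*fastcgi_pass[[:space:]]\{1,\}\([^;[:space:]]*\).*/\1/p' "$1"
}

# Reduce both notations to unix:<path> or tcp:<port>. Simplification: for TCP
# only the port is compared, not the address.
normalize() {
    case "$1" in
        unix:*) printf '%s\n' "$1" ;;
        /*)     printf 'unix:%s\n' "$1" ;;
        *)      printf 'tcp:%s\n' "${1##*:}" ;;
    esac
}

# Usage: check_fastcgi_match POOL_FILE NGINX_FILE. Returns 0 only if every
# fastcgi_pass matches the pool's listen endpoint, 2 if either is missing.
check_fastcgi_match() {
    listen=$(fpm_listen "$1"); targets=$(nginx_targets "$2"); rc=0
    if [ -z "$listen" ] || [ -z "$targets" ]; then echo "listen or fastcgi_pass not found"; return 2; fi
    want=$(normalize "$listen")
    for target in $targets; do
        if [ "$(normalize "$target")" = "$want" ]; then
            echo "OK: fastcgi_pass $target"
        else
            echo "MISMATCH: fastcgi_pass $target, PHP-FPM listens on $listen"; rc=1
        fi
    done
    return "$rc"
}

# Constructed sample files mirroring the two configurations in the thread.
write_samples() {
    printf '%s\n' '[www]' ';listen = 127.0.0.1:9000' \
        'listen = /run/php/php7.3-fpm.sock' 'listen.owner = www-data' > "$1/www.conf"
    printf '%s\n' 'location ~* \.php$ {' \
        '    fastcgi_pass localhost:9000; # Adjust to your setup' '}' > "$1/before.conf"
    printf '%s\n' 'location ~ \.php$ {' '    #fastcgi_pass 127.0.0.1:9000;' \
        '    fastcgi_pass unix:/run/php/php7.3-fpm.sock;' '}' > "$1/after.conf"
}

demo=$(mktemp -d)
write_samples "$demo"
check_fastcgi_match "$demo/www.conf" "$demo/before.conf" || true  # TCP target, socket listener
check_fastcgi_match "$demo/www.conf" "$demo/after.conf"
rm -rf "$demo"
```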

Like @Adspectus mentioned it’s most likely your php-fpm settings.
What are the nginx error logs saying?

This is my boilerplate if you’re interested.

server {
	# ENABLE IPv4 and IPv6        
	server_name yourdomain.com www.yourdomain.com;
	
	# ROOT DIRECTORY LOCATION
	# the location of the site's default home directory:
	root /var/www/yourdomain.com;
	index index.html index.php;

	# SECURITY HEADERS:
	# 1) force browsers to activate their XSS filters:
	add_header X-XSS-Protection "1; mode=block";
	# 2) disable content sniffing:
	add_header X-Content-Type-Options nosniff;
	# 3) restrict content embedding, to stop iframe-ing and clickjacking:
	add_header X-Frame-Options SAMEORIGIN;


	# BROWSER CACHING HEADERS - for production sites:
	# adding headers to trigger long browser caching of static assets:
	location ~ ^/(media|assets) {
		expires 6M;
	}

	# 404 REDIRECTION
	# redirect all 404 errors to Kirby's own handler
	error_page 404 = /redirect404error;

	# DOT FILE BLOCKER
	# block requests for any ".file",
	# unless it's in the ".well-known" directory
	location ~ /\.(?!well-known/).* {
		return 404;
	}

	# CONTENT FOLDER BLOCKER
	# block direct requests for any data or php script files
	# inside the 'content' directory.
	location ~ ^/content/(.*)\.(txt|md|mdown|php)$ {
		return 404;
	}

	# SITE & KIRBY FOLDER BLOCKER
	# block direct access to all files in the site or kirby directories
	location ^~ /site/ {  return 404; }
	location ^~ /kirby/ { return 404; }

	# MAIN KIRBY ROUTING
	# Files that exist will be served directly.
	# Any request for a file or folder that doesn't exist
	# will be passed on to the main 'index.php' script
	location / {
		try_files $uri $uri/ /index.php?$uri&$args;
	}

	# PHP PROCESSING
	# pass the PHP scripts to the appropriate FastCGI process
	location ~ \.php$ {
		try_files $uri =404;
		fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;                
		fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
		include fastcgi_params;
	}

	# SERVER ERROR REDIRECT
	# redirect server error pages to the static page /50x.html
	error_page   500 502 503 504  /50x.html;
	location = /50x.html {
		root /usr/share/nginx/html;
	}

	listen [::]:443 ssl http2 ipv6only=on;
	listen 443 ssl http2;
	ssl_certificate /root/.acme.sh/yourdomain.com/yourdomain.com.cer;
	ssl_certificate_key /root/.acme.sh/yourdomain.com/yourdomain.com.key;
	include /etc/nginx/ssl/options-ssl-nginx.conf;
}

server {
	if ($host = www.yourdomain.com) {
		return 301 https://$host$request_uri;
	}

	if ($host = yourdomain.com) {
		return 301 https://$host$request_uri;
	}

	listen  80;
	listen  [::]:80;
	server_name yourdomain.com www.yourdomain.com;
	return 404;
}

@Adspectus and @flokuek, thanks for looking into this, really appreciated. I am again at work right now, out of reach of my Raspberry. I will try your suggestions tonight and get back here to report if I got it to work or not.

Meanwhile, I installed nginx on my Pi. Without any configuration, nginx shows the file /var/www/html/index.nginx-debian.html and when I tried to change the URL in my browser from just http://192.168.1.4/ to http://192.168.1.4/phpinfo.php (yes, instead of index.php), it offers the file to download, i.e. nginx does not know how to handle this.

So there is one configuration change necessary for the default server configuration, which resides in /etc/nginx/sites-enabled/default (which is actually a symlink to /etc/nginx/sites-available/default).

	location ~ \.php$ {
		include snippets/fastcgi-php.conf;
	#
	#	# With php-fpm (or other unix sockets):
		fastcgi_pass unix:/run/php/php7.3-fpm.sock;
	#	# With php-cgi (or other tcp sockets):
	#	fastcgi_pass 127.0.0.1:9000;
	}

And yes, in its default configuration PHP-FPM is configured to listen on a UNIX socket, that’s why it has to be configured here with fastcgi_pass.

After a restart, nginx shows the phpinfo in my browser:


@Adspectus Thank you so much, with the change in default file, the general serving seems to be working now!

However, the Kirby starter Kit will look like this:

So apparently it cannot load any resources. Also, it did not create any media folder yet. I wonder if this might be related to permissions of the /var/www/html folder and its subfolders? Can somebody shed some light on this what permissions I would need to set there and how, to make Kirby work just normally? Also, I assume I would need to install things like gd and/or imagemagick right? Are there specific “flavors” of these tools that I need to install? Like, I noticed there is a php-gd tool, would that be the correct thing to install?

Thanks a lot!

Have a look again at your php-fpm config file (for me /etc/php-fpm.d/www.conf) and look for the below. I think by default it’s set to apache:apache. I’d usually change it to nginx:nginx and then permissions of the /var/www/html dir to nginx:nginx. Then reload both nginx and php-fpm.

listen.owner = nginx
listen.group = nginx
listen.mode = 0660
user = nginx
group = nginx

The way the starterkit is looking now is indeed due to the missing assets and this is most probably due to your network and virtual host settings. Have a look into the network tab of the developer tools in your browser (usually accessible by pressing F12) and you may find a couple of resources which couldn’t be found because the hostname is different from what you expect. I assume you have set the name of your virtual host to localhost and open the site in your browser with the IP of your Raspberry Pi. However, both entries have to match.

Since you cannot open a website on your Pi by localhost from your Macbook, you will need to set a more descriptive virtual host name and tell your Macbook to reach out to your Pi when accessing this name. So, change the server_name localhost; directive to server_name kirby357; or whatever you like and restart nginx. Then, on your Macbook, edit the file /etc/hosts in which you will already find some entries. Append the line

IP_OF_YOUR_PI kirby357

Immediately you will find the starterkit with correct layout - but maybe without images, which we can take care about next. First let us know, what you see in your browser now.

As a reference, my virtual host definition in /etc/nginx/sites-enabled/kirby-starterkit-3.5.7 (which is a symlink to the real file /etc/nginx/sites-available/kirby-starterkit-3.5.7) is:

server {
        listen 80;
        listen [::]:80;

        server_name kirby357;

        root /var/www/html/starterkit-3.5.7;
        index index.php index.html;

        location / {
                try_files $uri $uri/ /index.php$is_args$args;
        }

        location ~ \.php$ {
                include snippets/fastcgi-php.conf;
                fastcgi_pass unix:/run/php/php7.3-fpm.sock;
        }
}

and the /etc/hosts on my desktop computer is now:

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

192.168.1.4     kirby357

since the Pi has got the IP 192.168.1.4 in my local network.

@Adspectus Hm, something does not seem to work.
I made all the changes you suggested, but it didn’t change anything, the site still looked like in the screenshot above. Then I also did the changes that @flokuek suggested and replaced user var-www in /etc/php/7.3/fpm/pool.d/www.conf by user nginx.

Now after that change I’m getting a 502 error.

20210911-233231_Screenshot_Firefox

So, should I change those settings back to var-www?

Also, I noticed that I get an error when I try to restart PHP FPM by using sudo systemctl restart php7.3-fpm.service. I get this error:

Job for php7.3-fpm.service failed because the control process exited with error code.
See "systemctl status php7.3-fpm.service" and "journalctl -xe" for details.

When I look into the error log it says

[11-Sep-2021 22:28:55] ERROR: [pool www] cannot get uid for user 'nginx'

So, I guess this is also related to the nginx user change.

The change of the pool config of PHP-FPM shouldn’t be necessary and indeed leads to the error, because the user just does not exist on your system. The default settings should be fine, or change to the user/group of your webserver.

Which Pi do you use and which OS is installed? My Raspberry is a Raspberry Pi 4 Model B Rev 1.2 with Raspbian GNU/Linux 10 (buster).

But at this point, it would be better to get some more information about your environment:

How did you install nginx and php-fpm?
What are the versions of both programs?
Who is the running user of these both programs?
Have you already checked the logfiles?
Did you check the network log via developer tools of your browser as indicated above and what was the outcome?
How does the configuration of nginx and php-fpm look now?

Instead of just applying the suggestions people made (including me), who might be working on a completely different environment, you should tell and show us if our assumptions are correct or not.
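
An added example, not part of the original thread, for the failure described above: PHP-FPM fails to start when its pool file names an account that does not exist on the system. The function names and the sample passwd, group and pool files are constructed; by default the check reads /etc/passwd and /etc/group.

```shell
# Added example (not from the thread): check that every account a PHP-FPM pool
# file names exists. Reads passwd/group-format files directly, so accounts that
# come from LDAP or another NSS source are not seen (simplification).

# Last active value of one pool directive, e.g.: pool_value listen.owner www.conf
pool_value() {
    pat=$(printf '%s' "$1" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*$pat[[:space:]]*=[[:space:]]*\([^;[:space:]]*\).*/\1/p" "$2" | tail -n 1
}

# True if NAME is the first field of a line in a passwd- or group-format file.
has_entry() {
    awk -F: -v n="$1" '$1 == n { found = 1 } END { exit !found }' "$2"
}

# Usage: check_pool_accounts POOL_FILE [PASSWD_FILE] [GROUP_FILE]
# Returns 1 if any named user or group is missing.
check_pool_accounts() {
    rc=0
    for spec in "user:${2:-/etc/passwd}" "listen.owner:${2:-/etc/passwd}" \
                "group:${3:-/etc/group}" "listen.group:${3:-/etc/group}"; do
        key=${spec%%:*}; db=${spec#*:}
        name=$(pool_value "$key" "$1")
        [ -n "$name" ] || continue
        if has_entry "$name" "$db"; then
            echo "ok: $key = $name"
        else
            echo "MISSING: $key = $name has no entry in $db"; rc=1
        fi
    done
    return "$rc"
}

# Constructed samples: account files with only www-data, the pool settings
# suggested in the thread (nginx), and the same settings with www-data.
write_pool_samples() {
    printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' \
        'www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin' > "$1/passwd"
    printf '%s\n' 'root:x:0:' 'www-data:x:33:' > "$1/group"
    for acct in nginx www-data; do
        printf '%s\n' '[www]' "user = $acct" "group = $acct" \
            "listen.owner = $acct" "listen.group = $acct" 'listen.mode = 0660' \
            > "$1/pool-$acct.conf"
    done
}

demo=$(mktemp -d)
write_pool_samples "$demo"
check_pool_accounts "$demo/pool-nginx.conf" "$demo/passwd" "$demo/group" || true
check_pool_accounts "$demo/pool-www-data.conf" "$demo/passwd" "$demo/group"
rm -rf "$demo"
```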

Yes that looks like there’s no user nginx on your pi os. If you change it back to var-www what do you get in your nginx logs? I’m sure it will throw some sort of error when e.g. kirby tries to create the media folder.

Thanks @Adspectus and sorry for the slow response. I have to hand in my finals at uni next week, so I could not answer as timely as I usually would have wanted.

I originally planned to have this Raspberry hosted kirby website being part of my finals, but I realize now that it is above my head unfortunately and I am running out of time as I am pushing all-nighters to get everything else finished. So I might have to put this on pause for a week or two and then after my finals really take the time that this needs. Still, I really appreciate the support you are offering.

Raspberry Pi 4 Model B Rev 1.2, Raspbian Buster – so same as you.

Uff… I am not quite sure anymore tbh. I think it was

$ sudo apt install nginx
$ sudo apt install php-fpm

but I might be mistaken. I would also be willing to re-install any packages or set up the Raspberry from scratch if that would make things simple. The nginx-Kirby-setup would be pretty much the main thing that I want this Raspberry to do.

php7.3-fpm and nginx/1.14.2

both www-data (not var-www as I mistakenly stated above)

The logfiles of what exactly? nginx? Do I need to set up logging for this first?

I get this in my browser’s dev tools. Is this what you mean? Or do you mean another tab?
20210913-220946_Screenshot_GoogleChrome

The nginx configuration should be the default with the extra file applied that you provided above:

server {
        listen 80;
        listen [::]:80;

        server_name kirby357;

        root /var/www/html/starterkit-3.5.7;
        index index.php index.html;

        location / {
                try_files $uri $uri/ /index.php$is_args$args;
        }

        location ~ \.php$ {
                include snippets/fastcgi-php.conf;
                fastcgi_pass unix:/run/php/php7.3-fpm.sock;
        }
}

The php-fpm configuration should still be at the default after I reset the user as suggested. Or is there another configuration file still for that?

Thanks again! And as I said, I really would like to resolve this in the end, I just cannot guarantee that I can get back to it in the next few days.

First of all: good luck for your exams!

Yeah, that’s why I asked all the other questions, I wondered why you have different settings here.

Make sure that your pool config of PHP-FPM is reset to the original, so the listening owner and group should be www-data and the user and group of PHP-FPM as well.

Your nginx config looks good, but did you do the change in your MacBook’s /etc/hosts file?

You need to know your Pi’s IP address for that and hopefully it is a fixed one, which does not change when your Pi is restarted.

You need to restart nginx and/or PHP-FPM when you change the config of these.

If you finally see this:

then your website is running and we do just need to take care about the permissions of the /var/www/html/starterkit-3.5.7 directory.

No problem, you set the pace.