Question

Nginx Error 111: Connection refused

Posted June 8, 2016 140.4k views
NginxWordPress

I recently switched from Apache2 to Nginx for my web server because Apache was giving me some very weird issues that no one could seem to solve. I used this guide here to make the switch. Now, I see in my Nginx error log (located /var/log/nginx/error.log)

2016/06/07 18:41:50 [error] 3221#0: *53 connect() failed (111: Connection refused) while connecting to upstream, client: xxx.xxx.xxx.xxx, server: websitename.net, request: "POST /xmlrpc.php HTTP/1.0", upstream: "fastcgi://127.0.0.1:9000", host: "xxx.xxx.xxx.xxx"

The site was working fine up until a few days ago. I did not change any settings during that time. Here is my full Nginx config.

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
6 answers

@WASTECH

A few quick things to check. Login to the CLI and:

Open /etc/php5/fpm/pool.d/www.conf

  • Search for listen – are you using /var/run/php5-fpm.sock? If so, comment the line by adding a ; before it and then add listen = 127.0.0.1:9000 below it.

  • Search for listen.allowed_clients – is it commented or uncommented? If uncommented, comment it out by adding a ; before it.

  • Save /etc/php5/fpm/pool.d/www.conf.

Open /etc/nginx/sites-available/default or the name of the file you created for your server block:

  • Search for fastcgi_pass and change /var/run/php5-fpm.sock to 127.0.0.1:9000.

  • Save /etc/nginx/sites-available/default.

Now restart php-fpm and then nginx by running:

  • service php-fpm restart && service nginx restart

Let me know if that fixes the connection issue. If it does, the issue is because of the lack of read/write permissions on the /var/run/php5-fpm.sock file. If you’re running from the default php-fpm configuration, the user would be www-data and since this user is not a privileged user, it’s unable to read/write to files that are owned by root. Since the sock file has to be executable by the www-data user, and it’s owned by another, you won’t be able to connect.

You can undo the changes above and revert back to using the sock file, though using TCP (which is what the above details swap you over to) works just as well. Latency is negligible unless we’re dealing with a high-traffic scenario and even then, we’d still use TCP to connect to a secondary server.

  • This solved it! I had changed the line from /var/run/php5-fpm.sock to 127.0.0.1:9000 in /etc/nginx/sites-available/default but not /etc/php5/fpm/pool.d/www.conf

  • I upgraded ubuntu from 14 to 16 and my php pages stopped working. I’ve tried changing the above settings, but I’m still getting the 502 bad gateway:

    *1 connect() failed (111: Connection refused) while connecting to upstream, GET /php/info.php HTTP/1.1", upstream: “fastcgi://127.0.0.1:9000”

    /etc/php5/fpm/pool.d/www.conf:

    ; Note: This value is mandatory.
    listen = 127.0.0.1:9000
    ;/var/run/php5-fpm.sock

    /etc/nginx/sites-available/somedomain.com:

    location ~ .php$ {
    tryfiles $uri =404;
    fastcgi
    splitpathinfo ^(.+.php)(/.+)$;
    fastcgipass 127.0.0.1:9000;
    # unix:/var/run/php5-fpm.sock;
    fastcgi
    index index.php;
    fastcgiparam SCRIPTFILENAME $documentroot$fastcgiscript_name;

    Any other ideas?

  • Hi, just wanted to thank you in 2019.
    I was having the same problems and had to make some changes to your answer.
    They were: /etc/php7.2/fpm/pool.d/www.conf
    and the service php-fpm7.2 restart

    You just saved me a lot of trouble with cloudflare and digital ocean.

Looks like a xmlrpc attack. Look for the method in that linked document that best suites your need to mitigate the attack.

by Jon Schwenn
WordPress is a popular and powerful CMS (content management system) platform. Its popularity can bring unwanted attention in the form of malicious traffic specially targeted at a WordPress site. There are many instances where a server that has not been protected or optimized could experience issues or errors after receiving a small amount of malicious traffic. This guide will show you how to protect WordPress from XML-RPC attacks on an Ubuntu 14.04 system.
  • I followed those steps to deny xmlrpc, but the site is still down. Now I have this error:

    2016/06/08 20:21:17 [error] 11447#0: *5 connect() failed (111: Connection refused) while connecting to upstream, client: xxx.xxx.xxx.xxx, server: websitename.net, request: "GET / HTTP/1.1", upstream: "fastcgi://127.0.0.1:9000", host: "websitename.net", referrer: "http://websitename.net/"
    

@WASTECH

Is SELinux, by chance, enabled on your Droplet? If so, this could be the cause and you’d need to run either:

/usr/sbin/setsebool httpd_can_network_connect 1

or

/usr/sbin/setsebool httpd_can_network_connect true

… from the CLI. Once you have, restart NGINX using:

service nginx restart

or

/usr/sbin/nginx -s restart

If that doesn’t work, please post the output of your log after the commands have been executed as well as the configuration located in /etc/nginx/nginx.conf and your primary server block configured for the domain.

Hi,

Im getting a similar error, but I have:

    # With php7.0-cgi alone:
    #       fastcgi_pass 127.0.0.1:9000;
    #       # With php7.0-fpm:
    #       fastcgi_pass unix:/run/php/php7.0-fpm.sock;

do I need to change unix:/run/php/php7.0-fpm.sock to 127.0.0.1:9000?

Also, /etc/php7/fpm/pool.d/www.conf is not found

Mine issue was slightly different I was reverse-proxying my subdomain wordpress blog site on my main site, and I wasn’t using PHP-fpm for handling PHP pages.
the error was:

connect() failed (111: Connection refused) while connecting to upstream, client: xxx.xxx.xxx.xxx, server: “my.site.com”, request: GET /blog HTTP/1.0", upstream: “my.blog.site”, host: “my.site.com”

the issue was in my blog server’s firewall where WordPress was blocking my site IP address.

check status of firewall #ufw status verbose
if status active next

check the iptable #iptables -S
check if list contains “f2b-wordpress-hard -s xx.main.site.ip.xx/32 -j REJECT –reject-with icmp-port-unreachable”

do #fail2ban-client set wordpress-hard unbanip xx.main.site.ip.xx

for more details visit:
https://gist.github.com/stephenscaff/a0527da89b69dab57f93c09b4287b174

Submit an Answer