When configuring PHP security settings, open_basedir plays a crucial role in restricting which directories PHP can access. The error message clearly indicates that despite your nginx configuration attempt, the additional path (/usr/share/phppgadmin/) wasn't properly registered in PHP's runtime environment.
Here's what actually happens when you modify open_basedir settings for a specific vhost:
1. Nginx passes the FastCGI parameter to PHP-FPM
2. PHP-FPM processes the directive
3. The new restriction takes effect for that specific pool
For a phppgadmin subdomain, your nginx vhost configuration should include:
location ~ \.php$ {
    include fastcgi_params;
    fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
    fastcgi_param PHP_VALUE "open_basedir=/home/user/web/:/usr/share/phppgadmin/";
    fastcgi_param PHP_ADMIN_VALUE "open_basedir=/home/user/web/:/usr/share/phppgadmin/";
}
Many administrators miss this essential step. After modifying any PHP-related configuration in nginx, you must restart PHP-FPM:
sudo systemctl restart php-fpm.service
# Or for older systems:
service php5-fpm restart
To verify your settings took effect, create a test PHP file with:
<?php
echo ini_get('open_basedir');
?>
If you still encounter issues, check:
- PHP-FPM error logs (/var/log/php-fpm.log)
- Nginx error logs (/var/log/nginx/error.log)
- File permissions on all specified directories
For more permanent solutions, consider setting open_basedir directly in the PHP-FPM pool configuration:
[www]
user = nginx
group = nginx
listen = /var/run/php-fpm/php-fpm.sock
php_admin_value[open_basedir] = /home/user/web/:/usr/share/phppgadmin/
Remember to restart PHP-FPM after making these changes.
When adding multiple paths to open_basedir:
- Always use absolute paths
- Include trailing slashes for directory paths
- Keep the list as restrictive as possible
- Regularly audit accessible directories
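An added example (not from the original page) that applies the checklist above to the two configuration forms shown here: a PHP-FPM pool line and an nginx fastcgi_param line. The function name, the TOO_BROAD set and the sample configuration are assumptions constructed for illustration.

```python
import re

# The two forms used on this page:
#   php_admin_value[open_basedir] = /a/:/b/                 (PHP-FPM pool file)
#   fastcgi_param PHP_ADMIN_VALUE "open_basedir=/a/:/b/";   (nginx vhost)
# Anchoring at line start skips lines commented out with ';' or '#'.
POOL_RE = re.compile(r'^\s*php_(?:admin_)?value\[open_basedir\]\s*=\s*(\S+)')
NGINX_RE = re.compile(
    r'^\s*fastcgi_param\s+PHP_(?:ADMIN_)?VALUE\s+"open_basedir=([^"]*)"')

# Assumption: directories this audit treats as too broad to allow.
TOO_BROAD = {"/", "/home/", "/usr/", "/usr/share/", "/var/", "/etc/", "/tmp/"}

def audit_open_basedir(config_text):
    """Return (line_no, path, finding) for every entry that breaks the checklist."""
    findings = []
    for no, line in enumerate(config_text.splitlines(), 1):
        m = POOL_RE.match(line) or NGINX_RE.match(line)
        if not m:
            continue
        # open_basedir entries are separated by ':' on Unix-like systems.
        for path in m.group(1).strip('"').split(":"):
            if not path.startswith("/"):
                findings.append((no, path, "not an absolute path"))
            elif not path.endswith("/"):
                findings.append((no, path, "no trailing slash"))
            elif path in TOO_BROAD:
                findings.append((no, path, "broader than one application directory"))
    return findings

# Constructed sample: one commented-out line, one pool line, one nginx line.
SAMPLE = """\
[www]
; php_admin_value[open_basedir] = /old
php_admin_value[open_basedir] = /home/user/web/:/usr/share/phppgadmin
fastcgi_param PHP_ADMIN_VALUE "open_basedir=/home/user/web/:uploads/:/usr/share/";
"""

if __name__ == "__main__":
    for no, path, finding in audit_open_basedir(SAMPLE):
        print(f"line {no}: {path!r}: {finding}")
```
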
When setting up PHP applications under Nginx with PHP-FPM, you might encounter situations where you need to access files outside your document root while maintaining security through open_basedir restrictions. The common scenario looks like this:
fastcgi_param PHP_VALUE "open_basedir=/home/user/web/:/usr/share/phppgadmin/";
But surprisingly, you still get the error:
PHP Warning: include_once(): open_basedir restriction in effect.
File(/usr/share/phppgadmin/libraries/lib.inc.php) is not within the allowed path(s): (/home/user/web/)
The root cause is often overlooked: PHP-FPM maintains its own environment and configuration. When you modify Nginx's fastcgi parameters, you must restart PHP-FPM for the changes to take effect. This differs from traditional mod_php setups, where a web server restart would suffice.
Here's the proper way to implement multi-path open_basedir restrictions:
- First, edit your Nginx virtual host configuration:
location ~ \.php$ {
    include snippets/fastcgi-php.conf;
    fastcgi_pass unix:/run/php/php7.4-fpm.sock;
    fastcgi_param PHP_VALUE "open_basedir=/home/user/web/:/usr/share/phppgadmin/";
    # Additional security parameter recommended:
    fastcgi_param PHP_ADMIN_VALUE "open_basedir=/home/user/web/:/usr/share/phppgadmin/";
}
- Then restart both services:
sudo systemctl restart nginx
sudo systemctl restart php7.4-fpm  # Adjust version as needed
For better security and flexibility:
- Use separate PHP-FPM pools for different security contexts
- Consider using PHP_ADMIN_VALUE for stricter enforcement
- Always test with a simple PHP script before deploying:
<?php
echo ini_get('open_basedir');
// Should output: /home/user/web/:/usr/share/phppgadmin/
?>
Watch out for:
- Caching in PHP-FPM (consider adding fastcgi_param PHP_VALUE "open_basedir=none" before your actual setting)
- Permission issues when accessing shared directories
- Trailing slashes in paths (they matter in some PHP versions)
For more permanent solutions, configure directly in PHP-FPM pool config:
; /etc/php/7.4/fpm/pool.d/yourdomain.conf
php_admin_value[open_basedir] = /home/user/web/:/usr/share/phppgadmin/
This method provides more consistent behavior across all requests to that pool.