Solving nginx+php-fpm access denied issue

There can be various reasons for a generic 403 Forbidden page with nginx. The most common are file permission or directory index issues, but missing execute (x) permissions on parent folders can also cause it.

However, if you only see a blank page with "Access denied" on it, the cause is not the default 403 Forbidden error, nginx, or file permissions.

The reason for this error is the security.limit_extensions directive that has been added to php-fpm and limits the extensions that can be parsed by PHP. If it is not specified in your php-fpm configuration file, it defaults to .php and prevents all other extensions from being parsed. This produces an "Access denied" page.

So, if you are using PHP with HTML or other file types, make sure you add them to security.limit_extensions in your php-fpm configuration. For PHP and HTML, it will be security.limit_extensions = .php .html
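A defender-side check for the directive described above, added here as an example and not part of the original post: it reads php-fpm pool configuration text, reports pools whose security.limit_extensions permits more than .php, and models which SCRIPT_FILENAME values get "Access denied". The function names, the sample config and the simplified matching (a plain suffix comparison) are assumptions.

```python
import re

DEFAULT_EXTENSIONS = [".php"]  # default as stated in the article above

def parse_pools(text):
    """Return {pool_name: extension list} from php-fpm pool config text."""
    pools, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        if not line:
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            pools[current] = list(DEFAULT_EXTENSIONS)
        elif current and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "security.limit_extensions":
                pools[current] = value.split()  # empty value: no limit
    return pools

def fpm_allows(script_filename, extensions):
    """Assumed model: the script path must end with a listed extension."""
    if not extensions:  # empty list means the limit is disabled
        return True
    return any(script_filename.endswith(ext) for ext in extensions)

def audit(text):
    """Flag pools that let php-fpm execute anything other than .php files."""
    findings = []
    for pool, exts in parse_pools(text).items():
        extra = [e for e in exts if e != ".php"]
        if not exts:
            findings.append((pool, "limit disabled: any file can run as PHP"))
        elif extra:
            findings.append((pool, "also executes: " + " ".join(extra)))
    return findings

# Constructed sample config (not from the article).
SAMPLE = """
[www]
listen = /var/run/php-fpm/php-fpm.sock
; security.limit_extensions is commented out, so the default applies
[legacy]
security.limit_extensions = .php .html
[open]
security.limit_extensions =
"""

if __name__ == "__main__":
    for pool, message in audit(SAMPLE):
        print(f"{pool}: {message}")
```

Under this model a directory path or a .jpg passed as SCRIPT_FILENAME fails the check with the default list, which matches the "Access denied" page described above.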

  • This can also occur when a directory is passed to SCRIPT_FILENAME, as was the case with my issue: $fastcgi_script_name was not set to a valid value due to changes made to fastcgi_params by another dev.

  • vi

    This can also be a fastcgi_pass param error.
    For example, in my config:
    fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock; - it's OK.
    fastcgi_pass 127.0.0.1:9000; - Access denied

  • Steve

    Usually, when you have to work around a default setting, you're doing something wrong. Your code should allow you to pass .html extensions to .php scripts. You should NOT (for security and lots of other reasons) run PHP code in other file extensions than .php. It's bad design and bad for security.

  • Dk Aiden Pearce

    I have the same problem with .jpg and static files.
    PHP works fine, but if I try to open a media file, for example, I read 'Access denied'.

    I could put jpg in php-fpm, but it's stupid because it'll show like text and not like an image.

    Any idea how to fix this problem?