Hey there, let's work through this "connection refused" issue step by step—this is a common problem when pairing Nginx with spawn-fcgi, so we'll cover the most likely fixes to get your setup working.

1. Verify the Socket File Exists and Has Correct Permissions #

• First, confirm spawn-fcgi actually created the socket file. Run this command to check:

  ls -l /path/to/your/socket.sock
  

• Nginx (usually running as www-data or nginx user/group) needs read/write access to the socket. Fix permissions with:

  chmod 770 /path/to/your/socket.sock
  

• Alternatively, start spawn-fcgi with the same user/group as Nginx to avoid permission issues:

  spawn-fcgi -u www-data -g www-data -s /path/to/your/socket.sock /path/to/your/cgi/program
  

2. Check if spawn-fcgi is Actually Listening on the Socket #

• Use ss or netstat to verify a process is attached to the socket:

  ss -anp | grep /path/to/your/socket.sock
  

  or

  netstat -anp | grep /path/to/your/socket.sock
  

• If no process shows up, spawn-fcgi failed to start properly. Double-check your spawn-fcgi command: ensure the -s flag points to the correct socket path, and your CGI program path is valid and executable.

3. Confirm Nginx Configuration Uses the Exact Socket Path #

• Open your Nginx server block configuration (usually in /etc/nginx/sites-available/your-site) and verify the fastcgi_pass directive matches the socket path exactly:

  fastcgi_pass unix:/path/to/your/socket.sock;
  

• After making any config changes, restart Nginx to apply them:

  sudo systemctl restart nginx
  

4. Check for SELinux/AppArmor Restrictions #

• SELinux (RHEL/CentOS/Fedora):
  • Check if SELinux is enforcing: sestatus
  • If it's enabled, temporarily disable it to test: sudo setenforce 0
  • If the connection works after disabling, add a permanent rule:

    sudo setsebool -P httpd_can_network_connect 1
    

    Or set the correct SELinux context for the socket:

    sudo chcon -u system_u -t httpd_sys_content_t /path/to/your/socket.sock
    

• AppArmor (Ubuntu/Debian):
  • Check AppArmor status: sudo aa-status
  • If Nginx's profile is restricting access, edit /etc/apparmor.d/usr.sbin.nginx and add your socket path with read/write permissions:

    /path/to/your/socket.sock rw,
    

  • Then reload AppArmor: sudo systemctl reload apparmor

5. Test Your CGI Program Directly #

• Sometimes the socket exists, but the underlying CGI program crashed. Run the CGI program manually to check for errors:

  /path/to/your/cgi/program
  

• Look for missing dependencies, syntax errors, or permission issues that might be preventing it from running.

6. Dig Into Logs for More Clues #

• Check Nginx's error log for detailed failure messages:

  cat /var/log/nginx/error.log
  

• If spawn-fcgi isn't logging by default, redirect its output to a log file when starting:

  spawn-fcgi -s /path/to/your/socket.sock /path/to/your/cgi/program >> /var/log/spawn-fcgi.log 2>&1
  

  This will capture any startup errors from spawn-fcgi or your CGI program.

If you've gone through all these steps and still hit the connection refused error, feel free to share your spawn-fcgi startup command, Nginx configuration snippet, and relevant log lines—those details will help narrow down the issue further.

内容的提问来源于stack exchange，提问作者Andrey Tsarev