From 70c0f6988fb317731a6f22cf324808e11a2e9b4c Mon Sep 17 00:00:00 2001
From: Bas Zoetekouw <bas.zoetekouw@surf.nl>
Date: Thu, 16 May 2024 03:27:59 +0200
Subject: [PATCH] allow nginx/apache group to write to FPM socket (#1227)

---
 changelogs/fragments/1227-fpm-socket-permissions.yml | 2 ++
 roles/zabbix_web/templates/php-fpm.conf.j2           | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)
 create mode 100644 changelogs/fragments/1227-fpm-socket-permissions.yml

diff --git a/changelogs/fragments/1227-fpm-socket-permissions.yml b/changelogs/fragments/1227-fpm-socket-permissions.yml
new file mode 100644
index 000000000..22dd2f10d
--- /dev/null
+++ b/changelogs/fragments/1227-fpm-socket-permissions.yml
@@ -0,0 +1,2 @@
+bugfixes:
+  - zabbix_web - make the FPM socket group-writable so the web server can properly forward requests to the FPM process
diff --git a/roles/zabbix_web/templates/php-fpm.conf.j2 b/roles/zabbix_web/templates/php-fpm.conf.j2
index e6b02cc9e..3dd337e4d 100644
--- a/roles/zabbix_web/templates/php-fpm.conf.j2
+++ b/roles/zabbix_web/templates/php-fpm.conf.j2
@@ -8,7 +8,7 @@ listen.acl_users = {{ zabbix_php_fpm_conf_user if zabbix_php_fpm_conf_user is de
 {% endif %}
 listen.owner = {{ zabbix_php_fpm_conf_user if zabbix_php_fpm_conf_user is defined else zabbix_web_user }}
 listen.group = {{ _nginx_group if zabbix_web_http_server=='nginx' else _apache_group }}
-listen.mode = 0644
+listen.mode = 0660
 listen.allowed_clients = 127.0.0.1
 
 pm = dynamic