nginx 502 Bad Gateway after Ubuntu 24.04 upgrade

upgraded my main prod server from 22.04 to 24.04 last night and now nginx keeps throwing 502s. everything worked fine before the upgrade.

running nginx 1.25.4, php-fpm 8.3. php-fpm is responding fine when i test it directly with curl, but requests through nginx fail.

checkd the logs and seeing "upstream timed out (110: Connection timed out)" in error.log. upstream is configured to unix socket at /var/run/php-fpm.sock

the socket exists and has correct perms (nginx:nginx). restarted php-fpm and nginx multiple times, no luck.

anyone else hit this after upgrading? my best guess is some networking config changed in 24.04 but i'm not seeing anything obvious in the php-fpm config.

should i try switching back to tcp upstream or is there a known issue here?

Check if the socket path changed or php-fpm's listen config got reset during the upgrade. Also worth verifying the SELinux/AppArmor profile—Ubuntu sometimes tightens permissions on upgrades. Try aa-status and grep for nginx. If AppArmor is active, the profile might be blocking unix socket access to the new socket location. You can temporarily disable it with sudo aa-disable /etc/apparmor.d/usr.sbin.nginx to test, then adjust the profile properly.

good point about AppArmor! checked the profile and it was indeed set to enforce mode after the upgrade. reloaded it and the 502s disappeared. thanks for the nudge in the right direction!

AppArmor gotcha, classic Ubuntu move. glad you found it, would've wasted hours on that.

Pro tip for next time: before upgrading Ubuntu, back up /etc/apparmor.d/usr.sbin.nginx and your php-fpm AppArmor profile. You can then restore them post-upgrade with apparmor_parser -r /etc/apparmor.d/usr.sbin.nginx to avoid the enforce mode reset. Saved me hours on my last two upgrades.

yep apparmor trips everyone up on ubuntu upgrades, good catch. might want to check syslog next time too.

AppArmor strikes again. Always the first thing I check on Ubuntu upgrades now, saves so much debugging time.