
Environment: Nginx reverse proxy serving static resources and using proxy_pass to serve resources from 2 separate Node.js upstream server instances.

Simplified example nginx.conf:

server {
    server_name example.com;
    location ~* \.(jpg)$ {}
    location / {
        proxy_pass http://127.0.0.1:8080;
    }
}

server {
    server_name subdomain.example.com;
    location ~* \.(jpg)$ {}
    location / {
        proxy_pass http://127.0.0.1:8081;
    }
}

The top block can serve both static files and Node.js resources through proxy_pass without error. The bottom block can serve static files but throws an SELinux permissions error when I hit the Node.js server through proxy_pass. With SELinux set to permissive no error is thrown.

Client error: Chrome displays a 502 Bad Gateway error.

From the error log:

2020/12/11 14:49:03 [crit] 2113#2113: *24 connect() to 127.0.0.1:8081 failed (13: Permission denied) while connecting to upstream, client: 0:0:0:0:0:0:0:0, server: subdomain.example.com, request: "GET /random-page HTTP/2.0", upstream: "http://127.0.0.1:8081/random-page", host: "subdomain.example.com", referrer: "https://subdomain.example.com/"

I have httpd_can_network_relay set to on. This seems to be enough to make the top block work but not the bottom block.

httpd_can_network_relay (on , on) Allow httpd to can network relay

What else might I need to set in SELinux to get rid of the error?

UPDATE:

As suggested below, I threw the error and then ran:

$ sudo ausearch -m AVC -ts recent

The error in the log is outside my ability to understand it. I'm not sure where to start.

time->Fri Dec 11 20:39:08 2020
type=PROCTITLE msg=audit(1607744348.594:791): proctitle=6E67696E783A20776F726B65722070726F63657373
type=SYSCALL msg=audit(1607744348.594:791): arch=c000003e syscall=42 success=no exit=-13 a0=11 a1=55c9f3d0ab50 a2=10 a3=7ffeab2adb5c items=0 ppid=1187 pid=1191 auid=4294967295 uid=989 gid=986 euid=989 suid=989 fsuid=989 egid=986 sgid=986 fsgid=986 tty=(none) ses=4294967295 comm="nginx" exe="/usr/sbin/nginx" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1607744348.594:791): avc: denied { name_connect } for pid=1191 comm="nginx" dest=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:transproxy_port_t:s0 tclass=tcp_socket permissive=0

  • Generate the error, and then run this command to get the specific SELinux denied message: `ausearch -m AVC -ts recent` - when you do that, you should get a better idea of why, exactly, SELinux is denying something. – David W Dec 12 '20 at 01:03
  • @DavidW Thanks David I updated my answer to reflect your advice. Unfortunately the error is not readable. At least not by me. – stackedAndOverflowed Dec 12 '20 at 03:54
  • `httpd_can_network_relay` does not actually open all outbound ports; there's no reason to use it here. See the linked post for the solution to this issue. – Michael Hampton Dec 12 '20 at 04:48
  • @MichaelHampton Because these are ports on upstream node.js servers being referenced with `proxy_pass` is that the same as external `http_port_t` ports? – stackedAndOverflowed Dec 12 '20 at 05:00
  • @btw my apologies I should have used the real port numbers instead of 1111 and 2222. I never thought that was relevant. I'll fix my question they were 8080 and 8081. – stackedAndOverflowed Dec 12 '20 at 05:02
  • `httpd_can_network_relay` opens port 8080 (and a few others) but not port 8081. – Michael Hampton Dec 12 '20 at 05:50
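As an added example (not from the question or any of the comments), a small POSIX shell helper that reads the AVC record from the question, pulls out the source type, the destination port and the port's current label, and prints the narrowest relabel that would let httpd_t reach it. The `semanage port` commands and the `-a` versus `-m` distinction are standard SELinux administration assumed here, not something the page states.

```shell
#!/bin/sh
# Constructed sample: the AVC record from the question's ausearch output.
AVC_SAMPLE='type=AVC msg=audit(1607744348.594:791): avc: denied { name_connect } for pid=1191 comm="nginx" dest=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:transproxy_port_t:s0 tclass=tcp_socket permissive=0'

# avc_field LINE KEY -> value of KEY=... in an AVC record (quotes stripped)
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tr -d '"'
}

# avc_perm LINE -> the denied permission inside { ... }
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([a-z_]*\) *}.*/\1/p'
}

# avc_type CONTEXT -> the type component (third field) of an SELinux context
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_remedy LINE -> the port relabel for a name_connect denial on a TCP port
# from httpd_t. Returns 1 (prints nothing) for any other denial, so the caller
# can hand those to audit2allow for review instead of guessing.
avc_remedy() {
    perm=$(avc_perm "$1")
    tclass=$(avc_field "$1" tclass)
    port=$(avc_field "$1" dest)
    src=$(avc_type "$(avc_field "$1" scontext)")
    tgt=$(avc_type "$(avc_field "$1" tcontext)")
    [ "$perm" = name_connect ] && [ "$tclass" = tcp_socket ] && [ "$src" = httpd_t ] || return 1
    if [ "$tgt" = http_port_t ]; then
        return 1            # already labelled for httpd; the denial lies elsewhere
    elif [ "$tgt" = unreserved_port_t ]; then
        # port has no specific label yet: add a new http_port_t mapping
        echo "semanage port -a -t http_port_t -p tcp $port"
    else
        # port already carries a type (here transproxy_port_t), so -a would fail
        # with "already defined"; modify the existing mapping instead. This is
        # narrower than setsebool -P httpd_can_network_connect on, which lets
        # httpd_t connect to every port.
        echo "semanage port -m -t http_port_t -p tcp $port"
    fi
}

# Demo on the constructed record: prints the relabel for port 8081.
avc_remedy "$AVC_SAMPLE"
```

To run it against a live system, feed it the real records with `ausearch -m AVC -ts recent | grep '^type=AVC'`, one line per call.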
