
I'm trying to run multiple Node.js applications on an Nginx server running on CentOS 7. I noticed that when I run a Node.js app on some ports I get a 502 Bad Gateway error in the browser, so I checked the error logs:

[notice] 12806#0: signal process started
[crit] 12807#0: *13 connect() to 127.0.0.1:7777 failed (13: Permission denied) while connecting to upstream, client: **.**.99.58, server: myapp.com, request: "GET / HTTP/1.1", upstream: "http://127.0.0.1:7777/", host: "myapp.com"
[crit] 12807#0: *13 connect() to [::1]:7777 failed (13: Permission denied) while connecting to upstream, client: **.**.99.58, server: myapp.com, request: "GET / HTTP/1.1", upstream: "http://[::1]:7777/", host: "myapp.com"

When I change the app to listen on 8008, for example, everything works fine. I checked permissions and whether the process is running as root, and everything seems OK. I played with the timeouts as well, but no result. Can anyone help?

user1

1 Answer


By default SELinux only allows the web server to make outbound connections to a limited set of ports.

# semanage port --list
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000

To fix the problem, you simply need to add your own desired port number to the list.

# semanage port --add --type http_port_t --proto tcp 7777

Then you will see the port number added into the list, and your connections should then work.

# semanage port --list
http_port_t                    tcp      7777, 80, 81, 443, 488, 8008, 8009, 8443, 9000
Michael Hampton

  • Thanks a lot Michael! I had wasted entire days looking for this specific answer. – Germán Carrillo May 24 '16 at 21:17
  • On CentOS 7, `yum install policycoreutils-python` to get semanage. – Jingshao Chen Aug 01 '16 at 02:53
  • Hi Michael, when I ran the command `semanage port --add --type http_port_t --proto tcp 7001`, I got `ValueError: Port tcp/7001 already defined`. – Isaac Sep 05 '19 at 07:29
  • And when I ran the command `semanage port --list`, I saw `afs3_callback_port_t tcp 7001` and `afs3_callback_port_t udp 7001`. – Isaac Sep 05 '19 at 07:30
  • @Isaac Use a different port. If you can't change the port because someone else runs the service, see [here](https://serverfault.com/a/699885/126632) but be aware that this will reduce your security. – Michael Hampton Sep 05 '19 at 07:30
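As an added example (not part of Michael's answer or the SELinux tooling), a small POSIX shell helper that parses `semanage port --list` output and reports whether a TCP port is already labelled `http_port_t`, needs to be added, or is owned by another type, which is Isaac's "already defined" case above. The list it reads is a constructed sample; on a real host you would feed it the live `semanage port --list` output.

```shell
#!/bin/sh
# Added example, not from the original answer: decide what semanage action
# nginx (http_port_t) needs for a TCP port, from `semanage port --list` output.
# Constructed sample of `semanage port --list` output (trimmed, not real host data).
SAMPLE_LIST='afs3_callback_port_t           tcp      7001
afs3_callback_port_t           udp      7001
ephemeral_port_t               tcp      32768-60999
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
http_port_t                    udp      80
ssh_port_t                     tcp      22'

# port_type LIST PROTO PORT: print the SELinux type that owns PORT/PROTO
# (handles comma lists and low-high ranges); prints nothing if unlabelled.
port_type() {
  printf '%s\n' "$1" | awk -v proto="$2" -v port="$3" '
    $2 == proto {
      for (i = 3; i <= NF; i++) {
        p = $i; sub(/,$/, "", p)
        n = split(p, r, "-")
        lo = r[1]; hi = (n == 2) ? r[2] : r[1]
        if (port + 0 >= lo + 0 && port + 0 <= hi + 0) { print $1; exit }
      }
    }'
}

# plan_http_port LIST PORT: "allowed", "add", or "modify <current-type>".
plan_http_port() {
  owner=$(port_type "$1" tcp "$2")
  case "$owner" in
    "")          echo "add" ;;
    http_port_t) echo "allowed" ;;
    *)           echo "modify $owner" ;;
  esac
}

# semanage_command LIST PORT: the command to run, empty when nothing is needed.
# --modify reassigns the port away from its current type (the "reduce your
# security" trade-off mentioned in the comments), so it is printed, not run.
semanage_command() {
  case "$(plan_http_port "$1" "$2")" in
    allowed) echo "" ;;
    add)     echo "semanage port --add --type http_port_t --proto tcp $2" ;;
    modify*) echo "semanage port --modify --type http_port_t --proto tcp $2" ;;
  esac
}

for port in 7777 8008 7001 40000; do
  echo "$port: $(plan_http_port "$SAMPLE_LIST" "$port")"
done
```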