Nginx upstream returns «site unavailable», while they work

Question

I use upstream and proxy for load balancing.

[root@192.168.1.135 ~]# cat /etc/nginx/nginx.conf
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    upstream sites {
        server 192.168.1.237:8080;
        server 192.168.1.240:8080;
    }
    server {
        listen       80 default_server;
        listen       [::]:80 default_server;

        server_name  _;
        root         /usr/share/nginx/html;
        include /etc/nginx/default.d/*.conf;

        location / {
            proxy_pass http://sites;
        }
    }
}

When I open 192.168.1.135 in browser, it tells me, that «Site is temporarily unavailable».

All pings from 192.168.1.135 are working:

PING 192.168.1.237 (192.168.1.237) 56(84) bytes of data.
64 bytes from 192.168.1.237: icmp_seq=1 ttl=64 time=0.803 ms
64 bytes from 192.168.1.237: icmp_seq=2 ttl=64 time=0.329 ms
64 bytes from 192.168.1.237: icmp_seq=3 ttl=64 time=0.676 ms
64 bytes from 192.168.1.237: icmp_seq=4 ttl=64 time=0.579 ms

PING 192.168.1.240 (192.168.1.240) 56(84) bytes of data.
64 bytes from 192.168.1.240: icmp_seq=1 ttl=64 time=0.607 ms
64 bytes from 192.168.1.240: icmp_seq=2 ttl=64 time=0.264 ms
64 bytes from 192.168.1.240: icmp_seq=3 ttl=64 time=0.358 ms
64 bytes from 192.168.1.240: icmp_seq=4 ttl=64 time=0.253 ms

When I point my browser to http://192.168.1.237:8080 or http://192.168.1.240:8080 — they succesfully open.

nginx error.log

2016/04/13 18:36:59 [crit] 5427#0: *20 connect() to 192.168.1.240:8080 failed (13: Permission denied) while connecting to upstream, client: 192.168.1.15, server: _, request: "GET / HTTP/1.1", upstream: "http://192.168.1.240:8080/", host: "192.168.1.135"
2016/04/13 18:36:59 [crit] 5427#0: *20 connect() to 192.168.1.237:8080 failed (13: Permission denied) while connecting to upstream, client: 192.168.1.15, server: _, request: "GET / HTTP/1.1", upstream: "http://192.168.1.237:8080/", host: "192.168.1.135"

What went wrong? Thank you.

Did you try `wget` or `curl` those two backends from `192.168.1.135`? — Hang, Apr 13 '16 at 16:13
I even see the site via `elinks`. Just tried `wget` — worked perfect. — lopar, Apr 13 '16 at 16:26
@MichaelHampton, that won't help, because I'm listening to 80 port. And my system is CentOS 7 Minimal. And there is no `semanage` command at all, so I can't even use it «just for test». — lopar, Apr 13 '16 at 16:47
Okay, I installed it, and got the same output as at your link. What next? Port 80 is already there. Change the place of 8080 from `http_cache_port_t` to `http_port_t`? Is it safe? — lopar, Apr 13 '16 at 17:07

lopar · Accepted Answer · 2016-04-21T10:17:46.360

Working config part:

location / {
   proxy_pass http://sites;
   proxy_redirect http://192.168.1.135:8080 http://192.168.1.135;
   proxy_set_header Host $host;
   proxy_set_header X-Real-IP $remote_addr;
   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

If problems with SELinux won't dissapear you need to turn httpd_can_network_connect directive on:

# sudo setsebool httpd_can_network_connect on -P

Nginx upstream returns «site unavailable», while they work

1 Answers1