Issues with ProxyPass and ProxyPassReverse when proxying to localhost and a different TCP port

I am attempting to use ProxyPass and ProxyPassReverse to proxy requests through Apache to another server instance that is bound to the localhost on a different TCP port that the Vhost exists (VHost is bound to :80, when the target is bound to :5000).

However, I am repeatedly receiving HTTP 503 when accessing the Location.

According to the ProxyPass documentation...

<VirtualHost *:80>
    ServerName apacheserver.domain.local
    DocumentRoot /var/www/redmine/public
    ErrorLog logs/redmine_error

    <Directory /var/www/redmine/public>
            Allow from all
            Options -MultiViews
            Order allow,deny
            AllowOverride all
    </Directory>
</VirtualHost>
PassengerTempDir /tmp/passenger

<Location /rhodecode>
  ProxyPass http://127.0.0.1:5000/rhodecode
  ProxyPassReverse http://127.0.0.1:5000/rhodecode
  SetEnvIf X-Url-Scheme https HTTPS=1
</Location>

I have tested binding the alternate server to the interface IP address, and the same issue occurs.

The server servicing request is an instance of python paste:httpserver, and it has been configured to use the /rhodecode suffix (as I saw this to be mentioned in other posts about ProxyPass). The documentation from the project itself, Rhodecode, reports to use the above.

The issue is persistent if I target another server that is serving on a different port.

Does ProxyPass allow proxying to a different TCP port?

[update]

I won't delete this, in case someone comes across the same issue.

I had set an ErrorLog, and in that ErrorLog the following error was reported:

[Wed Nov 09 11:36:35 2011] [error] (13)Permission denied: proxy: HTTP: attempt to connect to 127.0.0.1:5000 (192.168.100.100) failed
[Wed Nov 09 11:36:35 2011] [error] ap_proxy_connect_backend disabling worker for (192.168.100.100)

After some more research, I attempted to set SELinux to permissive (echo 0 >/selinux/enforce), and try again.

It turns out the SELinux boolean httpd_can_network_connect must be set to 1.

For persistence on reboot:

setsebool -P httpd_can_network_connect=1

Thanks man. I spotted that boolean on this manpage on die.net. It indicates: SELinux policy can be setup such that httpd scripts are not allowed to connect out to the network. This would prevent a hacker from breaking into you httpd server and attacking other machines. If you need scripts to be able to connect you can set the httpd_can_network_connect boolean on. I believe the "httpd scripts are not allowed to connect out to the network" is a default policy. Meaning, regardless of the port policy, wouldn't this boolean also have to be set to 1?

Well, I had to perform setsebool -P httpd_can_network_connect=1, just tuning the port label didn't do it. Fedora 29.

Matthrex, @DavidTonhofer - adding the port to http_port_t only works if a SE-boolean that guards http_port_t usage is enabled, as well - such us httpd_can_network_relay. Note that httpd_can_network_relay is disabled, by default - and that it also guards some other port labels such as http_cache_port_t. Enabling httpd_can_network_connect always works because it allows connections to any port. Thus the advantage of using something else is to have less ports reachable from a compromised http server.

Seems on EL7 and EL8 there are a few booleans that control it which are on by default. [root@scratch-el8 ~]# sesearch -s httpd_t --allow -t http_port_t -p name_connect allow httpd_t http_port_t:tcp_socket name_connect; [ httpd_can_network_relay ]:True allow httpd_t http_port_t:tcp_socket name_connect; [ httpd_graceful_shutdown ]:True allow httpd_t port_type:tcp_socket name_connect; [ httpd_can_network_connect ]:True allow nsswitch_domain reserved_port_type:tcp_socket name_connect; [ nis_enabled ]:True In particular httpd_graceful_shutdown