Issues with ProxyPass and ProxyPassReverse when proxying to localhost and a different TCP port
A nicer way to fix this (to have your cake and eat it) with regards to SELinux is to run this command to make httpd_t types aware of the port you are using..
semanage port -a -p tcp -t http_port_t 5000
You can turn off that boolean then and still get it to work.
Comments
-
mbrownnyc almost 2 years
I am attempting to use ProxyPass and ProxyPassReverse to proxy requests through Apache to another server instance that is bound to the localhost on a different TCP port that the Vhost exists (VHost is bound to :80, when the target is bound to :5000).
However, I am repeatedly receiving HTTP 503 when accessing the Location.
According to the ProxyPass documentation...
<VirtualHost *:80> ServerName apacheserver.domain.local DocumentRoot /var/www/redmine/public ErrorLog logs/redmine_error <Directory /var/www/redmine/public> Allow from all Options -MultiViews Order allow,deny AllowOverride all </Directory> </VirtualHost> PassengerTempDir /tmp/passenger <Location /rhodecode> ProxyPass http://127.0.0.1:5000/rhodecode ProxyPassReverse http://127.0.0.1:5000/rhodecode SetEnvIf X-Url-Scheme https HTTPS=1 </Location>
I have tested binding the alternate server to the interface IP address, and the same issue occurs.
The server servicing request is an instance of python paste:httpserver, and it has been configured to use the /rhodecode suffix (as I saw this to be mentioned in other posts about ProxyPass). The documentation from the project itself, Rhodecode, reports to use the above.
The issue is persistent if I target another server that is serving on a different port.
Does ProxyPass allow proxying to a different TCP port?
[update]
I won't delete this, in case someone comes across the same issue.
I had set an ErrorLog, and in that ErrorLog the following error was reported:
[Wed Nov 09 11:36:35 2011] [error] (13)Permission denied: proxy: HTTP: attempt to connect to 127.0.0.1:5000 (192.168.100.100) failed [Wed Nov 09 11:36:35 2011] [error] ap_proxy_connect_backend disabling worker for (192.168.100.100)
After some more research, I attempted to set SELinux to permissive (
echo 0 >/selinux/enforce
), and try again.It turns out the SELinux boolean
httpd_can_network_connect
must be set to1
.For persistence on reboot:
setsebool -P httpd_can_network_connect=1
-
David over 12 yearsIf you connect to 127.0.0.1:5000/rhodecode directly do you get a response?
-
mbrownnyc over 12 yearsYes, I have tested this with
lynx
on the local machine. -
mbrownnyc over 12 yearsSeems like it could be related to SELinux. I will changed to permissive and attempt again
-
-
mbrownnyc over 12 yearsThanks man. I spotted that boolean on this manpage on die.net. It indicates:
SELinux policy can be setup such that httpd scripts are not allowed to connect out to the network. This would prevent a hacker from breaking into you httpd server and attacking other machines. If you need scripts to be able to connect you can set the httpd_can_network_connect boolean on.
I believe the "httpd scripts are not allowed to connect out to the network" is a default policy. Meaning, regardless of the port policy, wouldn't this boolean also have to be set to 1? -
David Tonhofer about 5 yearsWell, I had to perform
setsebool -P httpd_can_network_connect=1
, just tuning the port label didn't do it. Fedora 29. -
maxschlepzig over 3 yearsMatthrex, @DavidTonhofer - adding the port to
http_port_t
only works if a SE-boolean that guardshttp_port_t
usage is enabled, as well - such ushttpd_can_network_relay
. Note thathttpd_can_network_relay
is disabled, by default - and that it also guards some other port labels such ashttp_cache_port_t
. Enablinghttpd_can_network_connect
always works because it allows connections to any port. Thus the advantage of using something else is to have less ports reachable from a compromised http server. -
Matthew Ife over 3 yearsSeems on EL7 and EL8 there are a few booleans that control it which are on by default.
[root@scratch-el8 ~]# sesearch -s httpd_t --allow -t http_port_t -p name_connect allow httpd_t http_port_t:tcp_socket name_connect; [ httpd_can_network_relay ]:True allow httpd_t http_port_t:tcp_socket name_connect; [ httpd_graceful_shutdown ]:True allow httpd_t port_type:tcp_socket name_connect; [ httpd_can_network_connect ]:True allow nsswitch_domain reserved_port_type:tcp_socket name_connect; [ nis_enabled ]:True
In particularhttpd_graceful_shutdown