How to Diagnose and Fix SELinux Blocking Nginx Connections
Recently, I was setting up a new Nginx reverse proxy on a hardened RHEL9 server. While configuring proxies for the standard ports (80 and 443) went smoothly, I ran into an unusual issue when trying to set up a reverse proxy to a backend service running on port 30080. After a lot of debugging, I discovered the root cause: SELinux.
Start by inspecting the error logs to understand why Nginx is failing. Use the following command:
tail -f /var/log/nginx /error.logIn my case, this was the error message:
2024/11/16 10: 31: 11[crit] 155243#155243: * 24 connect() to 10.33.33.33: 30080 failed(13: Permission denied) while connecting to upstream, client: 10.59.1.10, server: xxx, request: "GET / HTTP/2.0", upstream: "http://10.33.33.33:30080/", host: "xxx"The error mentions "permission denied," which could indicate that SELinux is blocking the connection. To confirm, use the following command:
audit2allow -w -a(Alternatively, you can inspect the logs directly with tail -f /var/log/audit/audit.log.)
audit2allow -w -atype=AVC msg=audit(1731771071.154:1804): avc: denied { name_connect } for pid=155243 comm="nginx" dest=30080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0 Was caused by: One of the following booleans was set incorrectly. Description: Allow httpd to can network connect Allow access by executing: # setsebool -P httpd_can_network_connect 1 Description: Allow nis to enabled Allow access by executing: # setsebool -P nis_enabled 1Based on the output, execute the appropriate command(s) to allow Nginx to make network connections:
setsebool -P httpd_can_network_connect 1After running the command, Nginx could successfully connect to the backend service on port 30080.