I have problems getting an nginx reverse proxy set up. When I examine the audit logs, I see this:
sudo cat /var/log/audit/audit.log | grep nginx | grep denied | tail -n 2
type=AVC msg=audit(1581877569.448:81): avc: denied { name_connect } for pid=798 comm="nginx" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1581878362.267:181): avc: denied { name_connect } for pid=798 comm="nginx" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=1
After doing some research I ran the commands below to get insight into the system configuration:
Processes
ps aux | grep nginx
root 786 0.0 0.1 128132 2284 ? Ss 19:26 0:00 nginx: master process /usr/sbin/nginx
nginx 787 0.0 0.4 159068 7584 ? S 19:26 0:00 nginx: worker process
codings+ 4823 0.0 0.0 12108 984 pts/0 R+ 19:28 0:00 grep --color=auto nginx
Permission
sudo ls -la /var/lib/nginx/
total 12
drwxrwx---. 3 nginx nginx 4096 Oct 7 21:17 .
drwxr-xr-x. 28 root root 4096 Feb 10 11:50 ..
drwxrwx---. 7 nginx nginx 4096 Oct 7 21:17 tmp
cat /etc/passwd | grep nginx
nginx:x:995:992:Nginx web server:/var/lib/nginx:/sbin/nologin
SELinux
sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 31
httpd
getsebool -a | grep httpd
httpd_anon_write --> on
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_connect_ftp --> off
httpd_can_connect_ldap --> off
httpd_can_connect_mythtv --> off
httpd_can_connect_zabbix --> off
httpd_can_network_connect --> on
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> off
httpd_dbus_sssd --> off
httpd_dontaudit_search_dirs --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_graceful_shutdown --> off
httpd_manage_ipa --> off
httpd_mod_auth_ntlm_winbind --> off
httpd_mod_auth_pam --> off
httpd_read_user_content --> off
httpd_run_ipa --> off
httpd_run_preupgrade --> off
httpd_run_stickshift --> off
httpd_serve_cobbler_files --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_sys_script_anon_write --> off
httpd_tmp_exec --> off
httpd_tty_comm --> off
httpd_unified --> off
httpd_use_cifs --> off
httpd_use_fusefs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
httpd_use_openstack --> off
httpd_use_sasl --> off
httpd_verify_dns --> off
sudo firewall-cmd --state
running
sudo firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: cockpit dhcpv6-client http https ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
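An added triage helper for AVC records like the two quoted in the post above. It is not from the post or from the forum; it was written for this page and assumes only POSIX sh and awk. `avc_summary` reads audit.log lines on stdin and prints one line per AVC record with the process name, source type, target type, object class, denied permission, and whether the denial was enforced (`permissive=0`, access blocked) or only logged (`permissive=1`, access went through). On the two records above it separates the first, enforced, denial from the second, logged-only one. `suggest_checks` turns one summary line into read-only commands: `sesearch --allow` (from the setools package) lists the allow rules, and the booleans gating them, between the source and target types, and `semanage port -l` shows which ports carry a port type such as `http_cache_port_t`. The sample records embedded at the bottom are copied from the post so the script runs on its own.

```shell
#!/bin/sh
# Summarise SELinux AVC records from audit.log (added helper, not from the post).
# Output columns, tab separated:
#   comm  source_type  target_type  tclass  permission  enforced
# enforced=yes when permissive=0 (blocked), enforced=no when permissive=1 (logged only).
avc_summary() {
  awk '
    /^type=AVC/ {
      comm = src = tgt = cls = perm = mode = "?"
      # the denied permission sits between the braces: denied { name_connect }
      a = index($0, "{"); b = index($0, "}")
      if (a > 0 && b > a) {
        perm = substr($0, a + 1, b - a - 1)
        gsub(/^ +| +$/, "", perm)
      }
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "comm")       { comm = kv[2]; gsub("\"", "", comm) }
        if (kv[1] == "scontext")   { split(kv[2], p, ":"); src = p[3] }  # user:role:TYPE:level
        if (kv[1] == "tcontext")   { split(kv[2], p, ":"); tgt = p[3] }
        if (kv[1] == "tclass")     { cls = kv[2] }
        if (kv[1] == "permissive") { mode = (kv[2] == "0") ? "yes" : "no" }
      }
      printf "%s\t%s\t%s\t%s\t%s\t%s\n", comm, src, tgt, cls, perm, mode
    }'
}

# Read one avc_summary line on stdin and print read-only commands that show
# which allow rule or boolean governs that access. Nothing is executed here.
suggest_checks() {
  IFS="$(printf '\t')" read -r comm src tgt cls perm mode
  echo "sesearch --allow -s $src -t $tgt -c $cls -p $perm"
  case "$cls" in
    tcp_socket|udp_socket) echo "semanage port -l | grep -w $tgt" ;;
  esac
}

# Sample input: the two AVC records quoted in the post (constructed input for the demo).
SAMPLE_AVC='type=AVC msg=audit(1581877569.448:81): avc: denied { name_connect } for pid=798 comm="nginx" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1581878362.267:181): avc: denied { name_connect } for pid=798 comm="nginx" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=1'

# Demo: summarise the samples, then print the checks for the first record.
printf '%s\n' "$SAMPLE_AVC" | avc_summary
printf '%s\n' "$SAMPLE_AVC" | avc_summary | head -n 1 | suggest_checks
```

On a live system the same pipeline is `sudo ausearch -m AVC -ts today | avc_summary`, and the printed `sesearch` line is the quickest way to see whether a denial between `httpd_t` and `http_cache_port_t` is gated by a boolean at all, rather than guessing from the `getsebool -a` listing.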