On Fri, 18 Aug 2023, John W. Himpel wrote:
All,
The Fedora Server Working Group wishes Wildfly to be accessed via port
80 instead of 8080 (as configured in the src tarball).
Since Wildfly runs as a non-privileged user (non-root), it cannot open
port 80. I am investigating using nginx as a reverse proxy to redirect
port 80 input traffic to port 8080 for wildfly on the same host.
My nginx knowledge is quite sparse. The following is my
/etc/nginx/nginx.conf file:
    include /etc/nginx/conf.d/*.conf;

    server {
        listen 80;
        listen [::]:80;
        server_name sisyphos.resdigita.eu;
        root /usr/share/nginx/html;

        location / {
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_pass "http://78.46.110.40:8080";
        }

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        error_page 404 /404.html;
        location = /404.html {
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }
nmap shows port 8080 open on the server and connected to wildfly. It
also shows port 80 open and connected to nginx.
Yet I get the following errors:
2023/08/18 23:16:34 [crit] 104773#104773: *7 connect() to 78.46.110.40:8080 failed (13: Permission denied) while connecting to upstream, client: 47.50.223.174, server: sisyphos.resdigita.eu, request: "GET / HTTP/1.1", upstream: "http://78.46.110.40:8080/", host: "sisyphos.resdigita.eu"
2023/08/18 23:16:34 [crit] 104773#104773: *7 connect() to 78.46.110.40:8080 failed (13: Permission denied) while connecting to upstream, client: 47.50.223.174, server: sisyphos.resdigita.eu, request: "GET /nginx-logo.png HTTP/1.1", upstream: "http://78.46.110.40:8080/nginx-logo.png", host: "sisyphos.resdigita.eu", referrer: "http://sisyphos.resdigita.eu/"
2023/08/18 23:16:35 [crit] 104773#104773: *7 connect() to 78.46.110.40:8080 failed (13: Permission denied) while connecting to upstream, client: 47.50.223.174, server: sisyphos.resdigita.eu, request: "GET / HTTP/1.1", upstream: "http://78.46.110.40:8080/", host: "sisyphos.resdigita.eu"
2023/08/18 23:16:36 [crit] 104773#104773: *7 connect() to 78.46.110.40:8080 failed (13: Permission denied) while connecting to upstream, client: 47.50.223.174, server: sisyphos.resdigita.eu, request: "GET /nginx-logo.png HTTP/1.1", upstream: "http://78.46.110.40:8080/nginx-logo.png", host: "sisyphos.resdigita.eu", referrer: "http://sisyphos.resdigita.eu/"
2023/08/18 23:24:08 [crit] 104772#104772: *13 connect() to 78.46.110.40:8080 failed (13: Permission denied) while connecting to upstream, client: 107.170.247.28, server: sisyphos.resdigita.eu, request: "GET /manager/text/list HTTP/1.1", upstream: "http://78.46.110.40:8080/manager/text/list", host: "78.46.110.40"
2023/08/18 23:25:30 [crit] 104772#104772: *15 connect() to 78.46.110.40:8080 failed (13: Permission denied) while connecting to upstream, client: 31.7.60.114, server: sisyphos.resdigita.eu, request: "GET / HTTP/1.1", upstream: "http://78.46.110.40:8080/", host: "78.46.110.40:80", referrer: "http://78.46.110.40:80/left.html"
Any suggestions on fixing this problem would be greatly appreciated.

If SELinux is enabled (default in Fedora), you need to make sure SELinux
policy allows actions you are doing in the context you are running in.
All web servers in Fedora use the same context: httpd_exec_t. This
applies to Apache httpd, nginx, lighttpd, cherokee, thttpd, and php-fpm.
All these servers are limited by default in their ability to initiate
outgoing TCP connections. Your use of reverse proxy means a need to
connect over TCP to a different end-point and it is not allowed by the
default SELinux policy.
Hence, you need to enable this operation by setting up a particular
SELinux boolean: httpd_can_network_connect.
This is how it is defined (in contrib/apache.te in selinux-policy):
    tunable_policy(`httpd_can_network_connect',`
        corenet_tcp_connect_all_ports(httpd_t)
    ')
Use `setsebool -P httpd_can_network_connect 1` to force a permanent
change to the policy.
--
/ Alexander Bokovoy
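An added diagnostic script (not code from either poster) that ties the two halves of this thread together: it pulls the errno-13 upstream addresses out of nginx error-log lines shaped like the ones quoted above and turns the `getsebool httpd_can_network_connect` result into the remediation given in the reply. The lines in SAMPLE_LOG are constructed; `diagnose_live` assumes Fedora's `getsebool` from policycoreutils and the default nginx error-log path.

```shell
#!/bin/sh
# Added diagnostic helper; assumes nginx error-log lines shaped like the
# ones in the mail and getsebool output of the form "NAME --> on|off".

# Constructed sample log: two EACCES upstream failures to different
# backends plus one unrelated error that must not be matched.
SAMPLE_LOG='2023/08/18 23:16:34 [crit] 104773#104773: *7 connect() to 78.46.110.40:8080 failed (13: Permission denied) while connecting to upstream, client: 47.50.223.174, server: sisyphos.resdigita.eu, request: "GET / HTTP/1.1", upstream: "http://78.46.110.40:8080/", host: "sisyphos.resdigita.eu"
2023/08/18 23:20:00 [error] 104773#104773: *9 open() "/usr/share/nginx/html/favicon.ico" failed (2: No such file or directory), client: 47.50.223.174, server: sisyphos.resdigita.eu, request: "GET /favicon.ico HTTP/1.1"
2023/08/18 23:25:30 [crit] 104772#104772: *15 connect() to 127.0.0.1:8080 failed (13: Permission denied) while connecting to upstream, client: 31.7.60.114, server: sisyphos.resdigita.eu, request: "GET / HTTP/1.1", upstream: "http://127.0.0.1:8080/", host: "78.46.110.40:80"'

# Read log text on stdin; print each distinct upstream host:port nginx could
# not reach because of EACCES (errno 13). "Connection refused" (errno 111)
# is deliberately not matched: that is a backend-down fault, not SELinux.
eacces_upstreams() {
    sed -n 's/.*connect() to \([^ ]*\) failed (13: Permission denied) while connecting to upstream.*/\1/p' | sort -u
}

# Turn one getsebool output line into a verdict for the operator.
selinux_verdict() {
    case "$1" in
        *"httpd_can_network_connect --> on"*)
            echo "boolean already on: EACCES is not from this boolean, check audit.log" ;;
        *"httpd_can_network_connect --> off"*)
            echo "run: setsebool -P httpd_can_network_connect 1" ;;
        *)
            echo "unrecognised getsebool output: $1" ;;
    esac
}

# Live check on the host. Usage: diagnose_live [/var/log/nginx/error.log]
diagnose_live() {
    log="${1:-/var/log/nginx/error.log}"
    ups=$(eacces_upstreams < "$log")
    if [ -z "$ups" ]; then
        echo "no EACCES upstream failures in $log"
        return 0
    fi
    echo "nginx got EACCES connecting to:"
    echo "$ups"
    if command -v getsebool >/dev/null 2>&1; then
        selinux_verdict "$(getsebool httpd_can_network_connect 2>&1)"
    else
        echo "getsebool not found (policycoreutils): cannot check the boolean here"
    fi
}

# Offline demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_LOG" | eacces_upstreams
selinux_verdict "httpd_can_network_connect --> off"
```

Where the backend sits on a well-known proxy port (8080 is labelled http_cache_port_t in the stock policy), `httpd_can_network_relay` is the narrower boolean and is worth trying before the all-ports one.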