All,
The Fedora Server Working Group wishes Wildfly to be accessed via port 80 instead of 8080 (as configured in the src tarball).
Since Wildfly runs as a non-privileged user (non-root), it cannot open port 80. I am investigating using nginx as a reverse proxy to redirect port 80 input traffic to port 8080 for Wildfly on the same host.
My nginx knowledge is quite sparse. The following is my /etc/nginx/nginx.conf file:
include /etc/nginx/conf.d/*.conf;

server {
    listen 80;
    listen [::]:80;
    server_name sisyphos.resdigita.eu;
    root /usr/share/nginx/html;

    location / {
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass "http://78.46.110.40:8080";
    }

    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;

    error_page 404 /404.html;
    location = /404.html { }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html { }
}
nmap shows port 8080 open on the server and connected to Wildfly. It also shows port 80 open and connected to nginx.
Yet I get the following errors:
2023/08/18 23:16:34 [crit] 104773#104773: *7 connect() to 78.46.110.40:8080 failed (13: Permission denied) while connecting to upstream, client: 47.50.223.174, server: sisyphos.resdigita.eu, request: "GET / HTTP/1.1", upstream: "http://78.46.110.40:8080/", host: "sisyphos.resdigita.eu"
2023/08/18 23:16:34 [crit] 104773#104773: *7 connect() to 78.46.110.40:8080 failed (13: Permission denied) while connecting to upstream, client: 47.50.223.174, server: sisyphos.resdigita.eu, request: "GET /nginx-logo.png HTTP/1.1", upstream: "http://78.46.110.40:8080/nginx-logo.png", host: "sisyphos.resdigita.eu", referrer: "http://sisyphos.resdigita.eu/"
2023/08/18 23:16:35 [crit] 104773#104773: *7 connect() to 78.46.110.40:8080 failed (13: Permission denied) while connecting to upstream, client: 47.50.223.174, server: sisyphos.resdigita.eu, request: "GET / HTTP/1.1", upstream: "http://78.46.110.40:8080/", host: "sisyphos.resdigita.eu"
2023/08/18 23:16:36 [crit] 104773#104773: *7 connect() to 78.46.110.40:8080 failed (13: Permission denied) while connecting to upstream, client: 47.50.223.174, server: sisyphos.resdigita.eu, request: "GET /nginx-logo.png HTTP/1.1", upstream: "http://78.46.110.40:8080/nginx-logo.png", host: "sisyphos.resdigita.eu", referrer: "http://sisyphos.resdigita.eu/"
2023/08/18 23:24:08 [crit] 104772#104772: *13 connect() to 78.46.110.40:8080 failed (13: Permission denied) while connecting to upstream, client: 107.170.247.28, server: sisyphos.resdigita.eu, request: "GET /manager/text/list HTTP/1.1", upstream: "http://78.46.110.40:8080/manager/text/list", host: "78.46.110.40"
2023/08/18 23:25:30 [crit] 104772#104772: *15 connect() to 78.46.110.40:8080 failed (13: Permission denied) while connecting to upstream, client: 31.7.60.114, server: sisyphos.resdigita.eu, request: "GET / HTTP/1.1", upstream: "http://78.46.110.40:8080/", host: "78.46.110.40:80", referrer: "http://78.46.110.40:80/left.html"
Any suggestions on fixing this problem would be greatly appreciated.
John
On 18.08.2023 at 23:29, John W. Himpel john@jlhimpel.net wrote:
13: Permission denied)
I think the nginx configuration is correct. My first suspicion is either SELinux or the firewall. Did you try what happens with setenforce 0, and with systemctl stop firewalld?
And you opened port 8080, I’m not sure about the consequences of this.
And in most cases I used either localhost as the forwarding path or the internal interface.
Did you try these things already?
Best Peter
-- Peter Boy https://fedoraproject.org/wiki/User:Pboy PBoy@fedoraproject.org
Timezone: CET (UTC+1) / CEST (UTC+2)
Fedora Server Edition Working Group member
Fedora Docs team contributor and board member
Java developer and enthusiast
On Fri, 18 Aug 2023, John W. Himpel wrote:
Any suggestions on fixing this problem would be greatly appreciated.
If SELinux is enabled (default in Fedora), you need to make sure SELinux policy allows actions you are doing in the context you are running in.
All web servers in Fedora use the same context: httpd_exec_t. This applies to Apache httpd, nginx, lighttpd, cherokee, thttpd, and php-fpm.
All these servers are limited by default in their ability to initiate outgoing TCP connections. Your use of reverse proxy means a need to connect over TCP to a different end-point and it is not allowed by the default SELinux policy.
Hence, you need to enable this operation by setting up a particular SELinux boolean: httpd_can_network_connect.
This is how it is defined (in contrib/apache.te in selinux-policy):
tunable_policy(`httpd_can_network_connect',`
	corenet_tcp_connect_all_ports(httpd_t)
')
Use `setsebool -P httpd_can_network_connect 1` to force a permanent change to the policy.
* John W. Himpel [18/08/2023 16:29] :
Any suggestions on fixing this problem would be greatly appreciated.
As Alexander suggested, I suspect your issue is due to the SELinux boolean httpd_can_network_connect.
You can run the command "/usr/sbin/getsebool httpd_can_network_connect" to get the current value (this is off by default).
In your case, this should be on so you'll need to run the command "setsebool -P httpd_can_network_connect on" and your Ansible playbook will need to do the equivalent using Ansible's selinux module.
I'm not sure if this is needed if Wildfly is listening only on the localhost interface (which I would seriously recommend).
Emmanuel
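A triage script for the symptom and fix discussed in Alexander's and Emmanuel's replies, added here as an example (not code from this thread or from Fedora): it extracts the refused upstream from an nginx error_log line of the kind John posted, reads the boolean state from getsebool output, and flags a proxy target that is not loopback. The live triage() assumes policycoreutils and audit are installed and the default Fedora log path /var/log/nginx/error.log; the helper names are this example's own.

```shell
#!/bin/sh
# Added example, not code from this thread or from Fedora. Relates the nginx
# "(13: Permission denied) while connecting to upstream" symptom to the SELinux
# boolean httpd_can_network_connect and to the loopback-binding advice.

# Print the upstream host:port from an nginx error_log line if it is the
# EACCES-on-connect pattern an SELinux denial produces; print nothing otherwise.
denied_upstream() {
  printf '%s\n' "$1" |
    sed -n 's/.*connect() to \([^ ]*\) failed (13: Permission denied) while connecting to upstream.*/\1/p'
}

# Return 0 if the proxy target is loopback (WildFly reachable only via the proxy),
# 1 if it is a routable address that other hosts can reach directly.
upstream_is_loopback() {
  case "$1" in
    127.*|\[::1\]:*|localhost:*) return 0 ;;
    *) return 1 ;;
  esac
}

# Parse `getsebool` output ("httpd_can_network_connect --> off") into on/off.
bool_state() {
  printf '%s\n' "$1" | sed -n 's/^[a-z_]* *--> *\([a-z]*\).*/\1/p'
}

# Live triage on the host. Assumes policycoreutils and audit are installed and
# the default Fedora log path; run as root so ausearch can read the audit log.
triage() {
  line=$(grep -m1 'Permission denied) while connecting to upstream' /var/log/nginx/error.log)
  target=$(denied_upstream "$line")
  [ -n "$target" ] || { echo "no SELinux-style upstream denial in error.log"; return 0; }
  echo "nginx was refused connect() to $target"
  ausearch -m avc -c nginx -ts recent 2>/dev/null | tail -n 3
  state=$(bool_state "$(getsebool httpd_can_network_connect)")
  echo "httpd_can_network_connect is $state"
  [ "$state" = on ] || echo "fix: setsebool -P httpd_can_network_connect on"
  # Least privilege: httpd_can_network_relay only allows connects to ports labelled
  # http_port_t / http_cache_port_t (8080 is http_cache_port_t in stock Fedora policy;
  # verify with `semanage port -l | grep http`), so prefer it over the all-ports boolean.
  if upstream_is_loopback "$target"; then
    echo "upstream is loopback: WildFly is not exposed to other hosts, good"
  else
    echo "upstream $target is routable: bind WildFly to 127.0.0.1 and proxy_pass to it"
  fi
}

case "${1:-}" in --run) triage ;; esac
```

Run it as `sh triage.sh --run` on the proxy host; without `--run` it only defines the functions.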
All,
I issued a "setsebool httpd_can_network_connect=1" command and "Poof" everything started working fine.
Thanks to all who responded for pointing me in the right direction.
Alexander Bokovoy suggested that since we have a proxy, I should possibly restrict access to wildfly connects to come from the proxy on the local host.
I think pboy was thinking the proxy would serve as a load balancer and as a way to serve requests via a second Wildfly instance if the first instance is down. I am reading between the lines and thinking he (pboy) was assuming the Wildfly instances would reside on separate servers, but perhaps I am assuming too much. Pboy, any input would be welcome.
John
On Sat, 2023-08-19 at 23:27 +0200, Emmanuel Seyman wrote:
I'm not sure if this is needed if Wildfly is listening only on the localhost interface (which I would seriously recommend).
Emmanuel