proxy_pass isn't working when SELinux is enabled, why?

Front-end · Unresolved
醉话见心 2021-02-04 04:03

I'm having an application listening on port 8081 and Nginx running on port 8080. The proxy_pass statement looks like:

$ cat /var/etc/opt/lj/output/services/abc.         


        
4 answers
  • 2021-02-04 04:28

    If you have another port or a custom port, allow it:

    Show the allowed ports for http:

    semanage port -l | grep http
    

    This is the output on my localhost:

    http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
    http_cache_port_t              udp      3130
    http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
    pegasus_http_port_t            tcp      5988
    pegasus_https_port_t           tcp      5989
    

    And allow 8081:

    semanage port -a -t http_port_t -p tcp 8081
    
  • 2021-02-04 04:43

    I read about audit2allow and used it to create a policy that allows the requests that were denied for Nginx.

    Step 1 involves running audit2allow targeting nginxlocalconf:

    $ sudo grep nginx /var/log/audit/audit.log | \
         grep denied | audit2allow -m nginxlocalconf > nginxlocalconf.te
    

    Step 2, review the results:

    $ cat nginxlocalconf.te 
    
    module nginxlocalconf 1.0;
    
    require {
        type httpd_t;
        type var_t;
        type transproxy_port_t;
        class tcp_socket name_connect;
        class file { read getattr open };
    }
    
    #============= httpd_t ==============
    
    #!!!! This avc can be allowed using the boolean 'httpd_can_network_connect'
    allow httpd_t transproxy_port_t:tcp_socket name_connect;
    allow httpd_t var_t:file { read getattr open };
    

    Review the steps to activate it:

    $ sudo grep nginx /var/log/audit/audit.log | grep denied | \
       audit2allow -M nginxlocalconf
    ******************** IMPORTANT ***********************
    To make this policy package active, execute:
    
    semodule -i nginxlocalconf.pp
    

    Step 3, activate:

    $ sudo semodule -i nginxlocalconf.pp
    
  • 2021-02-04 04:48

    Always prefer changing types to creating custom policies. In this case, Nginx will serve files with the httpd_sys_content_t type. Assuming your files are located in /var/www:

    # file_spec is a regular expression, quoted so the shell does not expand it
    semanage fcontext -a -t httpd_sys_content_t '/var/www(/.*)?'
    restorecon -R -v /var/www
    
  • 2021-02-04 04:49

    Worth noting for beginners in SELinux that if your proxied service is running on 8080, you can use the command below without compiling a policy.

    $ sudo setsebool -P httpd_can_network_connect 1
    
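The four answers above offer three different remedies (label the port, compile an audit2allow module, flip a boolean), and which one fits depends on how SELinux already labels the port nginx is connecting to. The script below is an added example, not code from the original thread or from any of the answerers: it parses an AVC record of the kind the second answer fed to audit2allow, looks the destination port up in a `semanage port -l` listing (handling ranges such as 10001-10010 from the first answer's output), and prints the matching command. The port listing and the AVC record are constructed samples; the `transproxy_port_t` label for tcp/8081 is taken from the second answer's generated `.te` file. The function names `port_type`, `avc_field` and `remedy` are mine. Note the `-a` versus `-m` distinction: the first answer's `semanage port -a` only works for a port the policy does not label yet; for one that already carries a type (as 8081 does on the targeted policy) `-a` fails with "already defined" and you need `-m`.

```shell
#!/bin/sh
# Added example (not from the original thread): map an AVC denial for nginx
# (httpd_t) onto the SELinux label of the destination port, using the
# `semanage port -l` listing format, and print the fix that label calls for.

# Constructed sample in the shape of `semanage port -l` output. The http rows
# mirror the first answer's listing; the transproxy_port_t row is the label
# the second answer's audit2allow output shows for tcp/8081.
SAMPLE_PORTS='http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
transproxy_port_t              tcp      8081'

# Constructed AVC record in the shape auditd writes for a blocked proxy_pass
# connect (pid, timestamp and serial are made up).
SAMPLE_AVC='type=AVC msg=audit(1612411200.123:456): avc:  denied  { name_connect } for  pid=1234 comm="nginx" dest=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:transproxy_port_t:s0 tclass=tcp_socket permissive=0'

# port_type PROTO PORT: read a `semanage port -l` listing on stdin and print
# the type covering PROTO/PORT, expanding ranges like 10001-10010.
# Returns 1 and prints nothing if the port carries no label.
port_type() {
  proto=$1; port=$2
  while read -r seltype p spec; do
    [ "$p" = "$proto" ] || continue        # skips the header line too
    for range in $(printf '%s' "$spec" | tr ',' ' '); do
      case $range in
        *-*) lo=${range%-*}; hi=${range#*-}
             if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
               echo "$seltype"; return 0
             fi ;;
        *)   if [ "$range" = "$port" ]; then echo "$seltype"; return 0; fi ;;
      esac
    done
  done
  return 1
}

# avc_field NAME RECORD: print the value of NAME=value from an audit record.
avc_field() {
  printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\([^[:space:]]*\).*/\1/p"
}

# remedy AVC_RECORD: read the port listing on stdin and print the command
# that addresses this denial, chosen by the destination port's label:
#   already an http type   -> a boolean (no relabel needed)
#   some other type        -> semanage port -m  (-a would fail: already defined)
#   no label at all        -> semanage port -a
remedy() {
  record=$1
  dest=$(avc_field dest "$record")
  tclass=$(avc_field tclass "$record")
  [ "$tclass" = "tcp_socket" ] || { echo "not a tcp_socket denial"; return 2; }
  ptype=$(port_type tcp "$dest") || ptype=""
  case $ptype in
    http_port_t|http_cache_port_t)
      echo "setsebool -P httpd_can_network_connect 1" ;;
    "")
      echo "semanage port -a -t http_port_t -p tcp $dest" ;;
    *)
      echo "semanage port -m -t http_port_t -p tcp $dest" ;;
  esac
}

# Stand-alone run: use the live listing when semanage is available and we are
# root (it needs the policy store), otherwise the constructed sample.
if command -v semanage >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
  semanage port -l | remedy "$SAMPLE_AVC"
else
  printf '%s\n' "$SAMPLE_PORTS" | remedy "$SAMPLE_AVC"
fi
```

To use it against a real denial, pull the record with `ausearch -m avc -c nginx` (or the `grep nginx /var/log/audit/audit.log` from the second answer) and pass it as the argument to `remedy`. The boolean branch echoes the last answer's `httpd_can_network_connect`; on the targeted policy the narrower `httpd_can_network_relay` also covers connections to the http and http_cache port types, so check both with `getsebool -a | grep httpd_can_network` before choosing the broad one. The audit2allow module from the second answer is the fallback when neither a label nor a boolean fits, and its `allow httpd_t var_t:file ...` line shows why the third answer prefers relabelling files over custom policy: `var_t` is the generic type for everything under /var, so that rule is far wider than the one site it was meant to unblock.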