Httpd – Issues with ProxyPass and ProxyPassReverse when proxying to localhost and a different TCP port

Tags: httpd, proxypass, reverse-proxy, selinux

I am attempting to use ProxyPass and ProxyPassReverse to proxy requests through Apache to another server instance that is bound to localhost on a different TCP port than the one the VHost is on (the VHost is bound to :80, while the target is bound to :5000).

However, I am repeatedly receiving HTTP 503 when accessing the Location.

According to the ProxyPass documentation

<VirtualHost *:80>
    ServerName apacheserver.domain.local
    DocumentRoot /var/www/redmine/public
    ErrorLog logs/redmine_error

    <Directory /var/www/redmine/public>
        Allow from all
        Options -MultiViews
        Order allow,deny
        AllowOverride all
    </Directory>
</VirtualHost>
PassengerTempDir /tmp/passenger

<Location /rhodecode>
  ProxyPass http://127.0.0.1:5000/rhodecode
  ProxyPassReverse http://127.0.0.1:5000/rhodecode
  SetEnvIf X-Url-Scheme https HTTPS=1
</Location>

I have tested binding the alternate server to the interface IP address, and the same issue occurs.

The server servicing the request is an instance of Python paste:httpserver, and it has been configured to use the /rhodecode suffix (as I saw this mentioned in other posts about ProxyPass). The documentation from the project itself, Rhodecode, says to use the above.

The issue is persistent if I target another server that is serving on a different port.

Does ProxyPass allow proxying to a different TCP port?

[update]

I won't delete this, in case someone comes across the same issue.

I had set an ErrorLog, and in that ErrorLog the following error was reported:

[Wed Nov 09 11:36:35 2011] [error] (13)Permission denied: proxy: HTTP: attempt to connect to 127.0.0.1:5000 (192.168.100.100) failed
[Wed Nov 09 11:36:35 2011] [error] ap_proxy_connect_backend disabling worker for (192.168.100.100)

After some more research, I attempted to set SELinux to permissive (echo 0 >/selinux/enforce) and tried again.

It turns out the SELinux boolean httpd_can_network_connect must be set to 1.

For persistence on reboot:

setsebool -P httpd_can_network_connect=1

Best Answer

A nicer way to fix this (to have your cake and eat it) with regard to SELinux is to run this command to make httpd_t types aware of the port you are using:

semanage port -a -p tcp -t http_port_t 5000

You can turn off that boolean then and still get it to work.
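
Added example, not part of the original question or answer: a small shell triage that separates the two usual causes of a proxied 503 by the errno Apache logs, then prints (without running) the port-labelling command from the answer for each port that failed with errno 13. The function names and the third sample log line are constructed for illustration; the first two log lines are the ones quoted in the question.

```shell
#!/bin/sh
# Triage mod_proxy connect failures in an Apache error log by errno.
#   (13)  Permission denied  -> connect() was blocked by policy (the SELinux case above)
#   (111) Connection refused -> nothing is listening on the backend port

# Constructed sample input: lines 1-2 are from the question, line 3 is a
# constructed "backend not listening" entry added for contrast.
sample_log() {
cat <<'EOF'
[Wed Nov 09 11:36:35 2011] [error] (13)Permission denied: proxy: HTTP: attempt to connect to 127.0.0.1:5000 (192.168.100.100) failed
[Wed Nov 09 11:36:35 2011] [error] ap_proxy_connect_backend disabling worker for (192.168.100.100)
[Wed Nov 09 11:40:02 2011] [error] (111)Connection refused: proxy: HTTP: attempt to connect to 127.0.0.1:8080 (192.168.100.100) failed
EOF
}

# proxy_ports_by_errno ERRNO
# Reads an error log on stdin and prints the unique backend ports whose
# connection attempt failed with the given errno, one per line.
proxy_ports_by_errno() {
    sed -n "s/.*(${1})[^:]*: proxy: [A-Z]*: attempt to connect to [^ ]*:\([0-9][0-9]*\) .*/\1/p" \
        | sort -un
}

# suggest_fix
# Reads an error log on stdin and prints the narrow fix from the answer
# (label the port as http_port_t) for every port denied with errno 13.
# It only prints the command; review it before running it as root.
suggest_fix() {
    for port in $(proxy_ports_by_errno 13); do
        echo "semanage port -a -p tcp -t http_port_t $port"
    done
}

# Stand-alone run over the sample log.
sample_log | suggest_fix
```

Labelling only the backend port keeps httpd confined to the ports it actually needs, whereas httpd_can_network_connect=1 permits outbound connections to any port.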