From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050720 Fedora/1.0.6-1.1.fc4 Firefox/1.0.6

Description of problem:
Bad: mod_proxy fails if selinux is enabled

[Wed Aug 03 13:52:12 2005] [debug] proxy_http.c(67): proxy: HTTP: canonicalising URL //webmail.XXX.be/exchange/
[Wed Aug 03 13:52:12 2005] [debug] mod_proxy.c(419): Trying to run scheme_handler
[Wed Aug 03 13:52:12 2005] [debug] proxy_http.c(1062): proxy: HTTP: serving URL https://webmail.XXX.be/exchange/
[Wed Aug 03 13:52:12 2005] [debug] proxy_http.c(186): proxy: HTTP connecting https://webmail.XXX.be/exchange/ to webmail.XXX.be:443
[Wed Aug 03 13:52:12 2005] [debug] proxy_util.c(1139): proxy: HTTP: fam 2 socket created to connect to webmail.XXX.be
Bad:
[Wed Aug 03 13:52:12 2005] [error] (13)Permission denied: proxy: HTTP: attempt to connect to 123.123.123.123:443 (webmail.XXX.be) failed

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.25.3-9
httpd-2.0.54-10.1

How reproducible:
Always

Steps to Reproduce:
1. setenforce 1
2. access your http server configured for reverse proxying
3. fail with message: BAD gateway
4. setenforce 0
5. it works.

Expected Results:
I would expect the default policy to allow proxying, and the message is not explicit and I had to search a long time to understand....

Additional info:

This is due to the SELinux policy, which prevents httpd processes from making outgoing network connections by default. The httpd_can_network_connect boolean can be used to change this behaviour; to allow connections:

  setsebool httpd_can_network_connect=1

passing the -P argument to set the boolean permanently (across reboots).

For further information on SELinux/Apache integration in Fedora Core, please see:
http://fedora.redhat.com/docs/selinux-apache-fc3/

For general information on SELinux in Fedora Core, please see:
http://fedora.redhat.com/docs/selinux-faq-fc3/
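
The failure signature in this report can be picked out of an Apache error_log mechanically. The following is an added example, not part of the bug report or of any Fedora or Apache tooling: it parses the log format shown above and flags mod_proxy connect failures whose errno is 13 (EACCES), the value returned when policy blocks the outgoing connection. The function names and the second sample log entry (a connection-refused failure to backend.example) are constructed for illustration.

```python
import re
from collections import Counter

# Apache 2.0 error_log layout as seen in the report: [timestamp] [level] message
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")
# mod_proxy failure: "(errno)text: proxy: SCHEME: attempt to connect to ip:port (host) failed"
FAIL_RE = re.compile(
    r"^\((?P<errno>\d+)\)(?P<text>[^:]+): proxy: \w+: "
    r"attempt to connect to (?P<addr>\S+):(?P<port>\d+) \((?P<host>[^)]+)\) failed$"
)
EACCES = 13  # "Permission denied" on Linux

# First two lines are from the report; the last line is constructed for contrast.
SAMPLE_LOG = """\
[Wed Aug 03 13:52:12 2005] [debug] proxy_util.c(1139): proxy: HTTP: fam 2 socket created to connect to webmail.XXX.be
[Wed Aug 03 13:52:12 2005] [error] (13)Permission denied: proxy: HTTP: attempt to connect to 123.123.123.123:443 (webmail.XXX.be) failed
[Wed Aug 03 13:55:40 2005] [error] (111)Connection refused: proxy: HTTP: attempt to connect to 10.0.0.5:8080 (backend.example) failed
"""

def proxy_connect_failures(log_text):
    """Yield one dict per mod_proxy connect failure found in the log text."""
    for line in log_text.splitlines():
        entry = LINE_RE.match(line.strip())
        if not entry:
            continue  # not an error_log entry (blank or foreign line)
        fail = FAIL_RE.match(entry.group("msg"))
        if not fail:
            continue  # some other message, e.g. the debug trace lines
        yield {
            "ts": entry.group("ts"),
            "errno": int(fail.group("errno")),
            "addr": fail.group("addr"),
            "port": int(fail.group("port")),
            "host": fail.group("host"),
        }

def selinux_suspects(log_text):
    """Count EACCES failures per (host, port).

    A down or unreachable backend produces other errno values (refused,
    timed out), so EACCES on connect() points at local policy instead.
    """
    hits = Counter()
    for fail in proxy_connect_failures(log_text):
        if fail["errno"] == EACCES:
            hits[(fail["host"], fail["port"])] += 1
    return hits

if __name__ == "__main__":
    for (host, port), count in selinux_suspects(SAMPLE_LOG).items():
        print(f"{count} x EACCES connecting to {host}:{port}; "
              "check: getsebool httpd_can_network_connect")
```

EACCES on connect() can also come from a local firewall rule, so a hit here is a prompt to check the boolean and the audit log rather than proof of an SELinux denial.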