I am setting up a new server for our office. It is going to host many things for us, including the SVN and Trac for several OS Community Projects. But one of the things it needs to do right now is act as a load balancer for a Rails site we are hosting internally. I was excited that CentOS 5 comes with Apache 2.2 so I could use the Apache Proxy Balancer to proxy to a pack of Mongrel servers. I got the requisite Apache configuration stuff done, but then I was presented with a forwarding error. Actually, Apache told me that it couldn't do what I wanted right now, which is the friendly error message meaning something went wrong. So I went and checked my logs and I noticed that I was receiving errors for all my Mongrel instances.

```
[error] (13)Permission denied: proxy: HTTP: attempt to connect to 192.168.1.150:4000 (192.168.1.150) failed
[Wed Aug 01 09:30:59 2007] [error] ap_proxy_connect_backend disabling worker for (192.168.1.150)
```

And I got this error for each of my Mongrel instances. A quick Google of my error turned up this post on "How to use re-write module of Apache web server 2.2.3 on FC6", which explained how to fix the problem on Fedora Core 6. The problem is that he used the GUI to change the setting, and CentOS 5 has a bug that doesn't allow the modify settings section to display. So I went digging and found out how to make that change without the GUI.

In the CentOS 5 Documentation is a section called "44.2.6. Enabling or Disabling Enforcement" which outlines the commands. I ran `sestatus -b | grep httpd` to get the list of boolean flags regarding httpd. After comparing the names of those to what was visible in the GUI in Mukul's entry above, I decided that the flag I was looking for was the `httpd_can_network_connect` option. I then toggled its value by executing `togglesebool httpd_can_network_connect` and tested that all was working. Wooo Hoo, I had a winner.

The `togglesebool` command does not make any boot time configuration changes though; it only changes the runtime. So next time I rebooted the server everything would have gone back to broken. So to update the configuration files I ran `setsebool -P httpd_can_network_connect=1`.

Now my server can forward and I am a happy guy. Thanks to the folks who posted the original fixes. I could not have done it without you :)
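
An added triage example, not part of the original post: it separates the `(13)Permission denied` proxy failures shown above (SELinux blocking httpd's outbound connect) from `(111)Connection refused` (the backend is not listening), and checks the boolean state. The log lines other than the first two, the function names, and the use of `getsebool`-style output are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Constructed sample error_log: (13) denials like the ones in the post, plus
# one (111) refusal, which points at the backend rather than at SELinux.
SAMPLE_LOG='[Wed Aug 01 09:30:59 2007] [error] (13)Permission denied: proxy: HTTP: attempt to connect to 192.168.1.150:4000 (192.168.1.150) failed
[Wed Aug 01 09:30:59 2007] [error] ap_proxy_connect_backend disabling worker for (192.168.1.150)
[Wed Aug 01 09:31:02 2007] [error] (13)Permission denied: proxy: HTTP: attempt to connect to 192.168.1.150:4001 (192.168.1.150) failed
[Wed Aug 01 09:31:05 2007] [error] (111)Connection refused: proxy: HTTP: attempt to connect to 192.168.1.150:4002 (192.168.1.150) failed'

# Constructed sample in the format printed by `getsebool`.
SAMPLE_BOOLS='httpd_can_network_connect --> off
httpd_enable_cgi --> on'

# List backends (host:port) whose connect() failed with the given errno text.
# $1 = e.g. "(13)Permission denied"; log text on stdin.
backends_failing_with() {
  grep -F "$1: proxy:" |
    sed -n 's/.*attempt to connect to \([^ ]*\) .*/\1/p' | sort -u
}

# Print on/off for one boolean from getsebool-style text on stdin.
bool_state() {
  awk -v b="$1" '$1 == b && $2 == "-->" { print $3 }'
}

# Classify every failing backend. $1 = log text, $2 = getsebool text.
diagnose() {
  local denied refused state b
  denied=$(printf '%s\n' "$1" | backends_failing_with '(13)Permission denied')
  refused=$(printf '%s\n' "$1" | backends_failing_with '(111)Connection refused')
  state=$(printf '%s\n' "$2" | bool_state httpd_can_network_connect)
  for b in $denied; do
    if [ "$state" = off ]; then
      echo "$b selinux-denied (httpd_can_network_connect is off)"
    else
      echo "$b permission-denied (boolean is ${state:-unknown}; check the audit log)"
    fi
  done
  for b in $refused; do echo "$b backend-not-listening"; done
}

# On a live host, pass real data instead of the samples:
#   diagnose "$(cat /var/log/httpd/error_log)" "$(getsebool httpd_can_network_connect)"
diagnose "$SAMPLE_LOG" "$SAMPLE_BOOLS"
```

Turning `httpd_can_network_connect` on lets httpd open outbound TCP connections to any port, not only the Mongrel ports, so it is worth confirming the denials really are errno 13 before changing it.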
