SysAdmin's Journey

Apache Mod_proxy '[Error] (13)Permission Denied' Error on RHEL

Bad news: this blog is no longer maintained. Good news: I have a new blog!

It’s no secret that this blog has been short on content for quite a while. Sometimes you just lose the urge to write. I didn’t feel like writing about little things, and I wasn’t able to commit the time to write about the little things. A little over a year ago, I took an opportunity to move into InfoSec at the same company. I’ve decided to write a bit about what I learn; come see me there at Blue Wanting Red.

It’s going to be a blog where I write mostly about Red Team topics, but from a Blue Team’s perspective. My goal will be to outline the attacker’s perspective, and then explain what the defender can do to protect themselves.

I’m certainly not the first person to do this, but it’s the first time in a long time I’ve felt the urge to write about anything technical. Also, sometimes reading about the same topic from a different author can cause the “click” to occur. If I can help that “click” for a few people, then it’s all worth it.

I had an interesting issue today working on an Apache mod_proxy setup that reverse-proxies requests over AJP to a backend Tomcat server. No matter what I did, I kept getting this in Apache’s error log:

[error] (13)Permission denied: proxy: AJP: attempt to connect to 10.x.x.x:7009 (virtualhost.virtualdomain.com) failed

I thought for sure it was proxy permissions (a ProxyPass or <Proxy> directive), but nothing I did fixed the issue. Then it hit me: SELinux! Why I always think of SELinux last when it’s responsible for 90% of my problems, I’ll never know. The targeted policy on RHEL/CentOS ships with the httpd_can_network_connect boolean off, so a confined httpd_t process is not allowed to initiate outbound TCP connections, which is exactly what mod_proxy does when it opens a connection to the backend. The EACCES (13) in the Apache log is the kernel refusing the connect() call, not a filesystem permission. If this is your problem, you’ll see an AVC denial for name_connect like this in /var/log/audit/audit.log (ausearch -m avc -c httpd shows the same records):

type=AVC msg=audit(1265039669.305:14): avc:  denied  { name_connect } for  pid=4343 comm="httpd" dest=7009 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

To fix this, first test by setting the boolean at runtime only (it reverts at the next reboot, so a wrong guess costs nothing):

 /usr/sbin/setsebool httpd_can_network_connect 1

If that works, set it with -P so the change is written into the policy store and persists across reboots. Keep in mind that this boolean lets httpd_t connect to any TCP port; if your backend listens on a port labelled http_port_t (the denial above shows plain port_t for 7009), the narrower httpd_can_network_relay boolean is usually enough:

 /usr/sbin/setsebool -P httpd_can_network_connect 1
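The same diagnosis as a small script, added here as an example and not part of the original post. It reads AVC records out of audit.log, keeps only name_connect denials raised by httpd, prints each distinct destination port with the SELinux type of the port it tried to reach, and maps that type to the least-privilege remediation: ports already labelled http_port_t or http_cache_port_t only need httpd_can_network_relay, anything else either needs the port relabelled (semanage port) or the broad httpd_can_network_connect boolean. The three audit records embedded below are constructed sample data (the first is the line from this post, the other two are made up); the function reads /var/log/audit/audit.log by default, or stdin when given "-".

```shell
#!/bin/sh
# Constructed sample audit.log excerpt for offline testing (not captured data).
# Record 1 is the denial from this post; records 2 and 3 are invented:
# an AJP backend on 8009 (already http_port_t) and an unrelated file denial.
SAMPLE_AUDIT='type=AVC msg=audit(1265039669.305:14): avc:  denied  { name_connect } for  pid=4343 comm="httpd" dest=7009 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1265039670.100:15): avc:  denied  { name_connect } for  pid=4344 comm="httpd" dest=8009 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1265039671.200:16): avc:  denied  { read } for  pid=4345 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# httpd_connect_denials [FILE]
# Print "PORT PORT_TYPE" once per distinct port that httpd was denied
# name_connect to. FILE defaults to the live audit log; "-" reads stdin.
httpd_connect_denials() {
    awk '
        /type=AVC/ && /avc: +denied/ && /name_connect/ && /comm="httpd"/ {
            port = ""; ttype = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^dest=/)     { port = substr($i, 6) }
                # tcontext=system_u:object_r:port_t:s0 -> third ":"-field is the type
                if ($i ~ /^tcontext=/) { split($i, ctx, ":"); ttype = ctx[3] }
            }
            if (port != "" && !seen[port]) { seen[port] = 1; print port, ttype }
        }' "${1:-/var/log/audit/audit.log}"
}

# suggest_fix PORT PORT_TYPE
# Echo the narrowest policy change that allows httpd_t to reach PORT.
# httpd_can_network_relay only covers http_port_t/http_cache_port_t (and a few
# other web-ish types); everything else needs a relabel or the broad boolean.
suggest_fix() {
    case "$2" in
        http_port_t|http_cache_port_t)
            echo "setsebool -P httpd_can_network_relay 1"
            ;;
        *)
            # Narrow option: make the port http_port_t, then relay is enough.
            # Use 'semanage port -m' instead of '-a' if the port already has a type.
            echo "semanage port -a -t http_port_t -p tcp $1 && setsebool -P httpd_can_network_relay 1"
            echo "  (or, broad: setsebool -P httpd_can_network_connect 1)"
            ;;
    esac
}

# Demo on the constructed sample; on a real box drop the pipe and the "-".
printf '%s\n' "$SAMPLE_AUDIT" | httpd_connect_denials - | while read -r port ttype; do
    echo "httpd denied name_connect to tcp/$port (labelled $ttype):"
    suggest_fix "$port" "$ttype"
done
```

Before changing anything, confirm the current state with getsebool httpd_can_network_connect httpd_can_network_relay, and after the change re-run ausearch -m avc -c httpd -ts recent to make sure the denial is gone rather than just moved to the next port.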

Hope this saves others some time!
