Apache mod_proxy '[error] (13)Permission denied' error on RHEL

published on Mon, 02/01/2010 - 10:46

Had an interesting issue today working on a mod_proxy setup of Apache forwarding requests in a reverse proxy setup to a backend Tomcat server. No matter what I did, I kept getting this in Apache's error log:

[error] (13)Permission denied: proxy: AJP: attempt to connect to 10.x.x.x:7009 (virtualhost.virtualdomain.com) failed

I thought for sure it was proxy permissions, but nothing I did fixed the issue. Then it hit me: SELinux! Why I always think of SELinux last when it's responsible for 90% of my problems, I'll never know. SELinux on RHEL/CentOS by default ships so that httpd processes cannot initiate outbound connections, which is just what mod_proxy attempts to do. If this is your problem, you'll see something like this in /var/log/audit/audit.log:

type=AVC msg=audit(1265039669.305:14): avc:  denied  { name_connect } for  pid=4343 comm="httpd" dest=7009 
scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

To fix this, first test by setting the boolean dynamically (not permanent yet):

 /usr/sbin/setsebool httpd_can_network_connect 1

If that works, you can set it so that the default policy is changed and this setting will persist across reboots:

 /usr/sbin/setsebool -P httpd_can_network_connect 1

Hope this saves others some time!

Comments

Submitted by cao (not verified) on Tue, 04/27/2010 - 02:31

I just had same problem and this fix the issue.

Whe i try to access via browser, it says:

"503 Service Temporarily Unavailable"

thanks!!

Submitted by Jesus (not verified) on Fri, 05/07/2010 - 11:43

Dear friends,

 

I have this issue getting error 13 on my website for a month.

The hosting company blames the software company and viceversa.

Is there any nice soul on here who can please tell me what to do?

Here is the error that I get and thank you in advance,

 

Jesus

 

Error: the XML response that was returned from the server is invalid.
Received:
<pre>Error: E_NOTICE
URL: http://www.chatnblog.com/_server/server.php
File: /mnt/target03/358826/441486/www.chatnblog.com/web/content/_include/core/main_start.php
Line: 0
Message: session_start() [<a href='function.session-start'>function.session-start</a>]:

ps_files_cleanup_dir: opendir(/var/lib/php/session) failed: Permission denied (13)</pre>

Submitted by aurelien (not verified) on Thu, 01/12/2012 - 06:52

Thanks for this advice, i was in the same context, and i spent a few hours searching for the solution.
Changing the default policy resolved it, and now the ajp connector works well!

Many thanks !

Submitted by Anonymous (not verified) on Sun, 01/22/2012 - 19:45

Huge thanks. I just wasted about an hour rewriting my apache conf trying to understand what I was doing wrong after moving from an ubuntu development machine to a fedora one.

Add new comment

Subscribe to SysAdmin's Journey RSS