Pages

Friday, April 25, 2025

Fixing “Permission Denied” Errors in Nginx Reverse Proxy Setups with SELinux

Running Nginx as a reverse proxy on a system with SELinux enabled can sometimes lead to frustrating errors like:

[crit] connect() to 172.16.5.32:32400 failed (13: Permission denied) while connecting to upstream, client: 172.16.0.1, server: rplex.adminz.in, request: "GET /web/index.html HTTP/2.0", upstream: "http://172.16.5.32:32400/web/index.html", host: "rplex.adminz.in:8443"

If you’re seeing this, SELinux is likely blocking Nginx from making outbound network connections to your upstream servers. Here’s how you can diagnose and fix the issue.

Understanding the Problem

When SELinux is in enforcing mode, it restricts what processes can do—even if you’re running as root. By default, Nginx (and other web servers running under the httpd_t SELinux context) cannot make arbitrary outbound network connections. This is a security feature, but it can block legitimate reverse proxy setups.

Typical log entries look like this:

[crit] connect() to <backend-ip>:<port> failed (13: Permission denied) while connecting to upstream, ...

Diagnosing SELinux Denials

To confirm SELinux is the culprit:

Check your Nginx error logs for “(13: Permission denied)” messages.

Inspect the SELinux audit logs:

sudo grep nginx /var/log/audit/audit.log | grep denied

If you see denials related to name_connect on a TCP socket, SELinux is blocking the connection.

The Solution: Allow Nginx Network Connections

SELinux controls network permissions for web servers using Boolean flags. The most relevant for Nginx reverse proxies is httpd_can_network_connect.

What does httpd_can_network_connect do?

Enabling this Boolean allows Nginx (and other httpd processes) to make outgoing network connections to any port.

This is required for Nginx to proxy requests to other backend servers, especially if they’re not on standard HTTP/HTTPS ports.

How to Enable It

Make the change persistent with:

setsebool -P httpd_can_network_connect true

The -P flag makes the change survive reboots.

After running this command, restart Nginx:

systemctl restart nginx

This should resolve the “permission denied” errors when connecting to upstream servers.

Posted by at
Labels: ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)