I am setting up a new server for our office. It is going to host many things for us including the SVN and Trac for several OS Community Projects. But one of the things it needs to do right now is act as a load balance for a Rails site we are hosting internally. I was excited that Centos 5 comes with Apache 2.2 so I could use the Apache Proxy Balancer to proxy to a pack of mongrel servers. I got the requisite apache configuration stuff done but then I was presented with a forwarding error. Actually apache told me that it couldnt do what i wanted right now, which is the friendly error message meaning something went wrong. So I went and checked my logs and I noticed that I was receiving errors for all my mongrel instances.
[Wed Aug 01 09:30:59 2007] [error] ap_proxy_connect_backend disabling worker for (192.168.1.150)
And I got this error for each of my mongrel instances. A quick google of my error turned up this post on How to use re-write module of Apache web server 2.2.3 on FC6 Which explained how to fix the problem on Fedora Core 6. The problem is that he used the GUI to change the setting and Centos 5 has a bug that doesnt allow the modify settings section to display. So I went to digging and found out how to make that change without the gui. In the Centos 5 Documentation is a section called 44.2.6. Enabling or Disabling Enforcement which outlines the commands. I ran `sestatus -b | grep httpd` to get the list of boolean flags regarding httpd. After comparing the names of those to what was visible in the GUI in Mukul’s entry above. I decided that the flag I was looking for was the “httpd_can_network_connect” option. I then toggled its value by executing `togglesebool httpd_can_network_connect` and tested that all was working. Wooo Hoo I had a winner. ToggleSEBool command does not make any boot time configuration changes though, it only changes the runtime. So next time I rebooted the server everything would have gone back to broken. So to update the configuration files I ran `setsebool -P httpd_can_network_connect=1`
Now my server can forward and I am a happy guy. Thanks to the folks who posted the original fixes. I could not have done it without out :)
technorati tags:selinux, centos, apache, proxybalancer, mongrel
30 Responses to “Centos 5 – Apache 2.2.3 Proxy Balancer: Permission denied: proxy: HTTP”
Trackbacks/Pingbacks
- Favoretti’s Braindumps » CentOS 5, default SELinux disallows mod_proxy - [...] to Simeon Says.. (new [...]
- Apache proxy not working for a localhost port | PHP Developer Resource - [...] So right after I posted this I found the answer at http://www.simb.net/2007/08/01/centos-5-apache-223-proxy-balancer-permission-denied-proxy-http/If I do: sestatus -b | grep httpdI ...
Thanks for writing this!
After struggling couple of hours, I found your post and solved the problem.
Glad my post helped you out. Sorry you had to spend a couple hours on it before you found my post though :( I was hoping to save folks that trouble.
Only took 5 minutes for me to find, and very useful!
Word! Thanks for the tip. I just deployed my first rails app, and this saved me a headache.
Cheers!
You’ve saved my time – thanks.
Thanks for the tip, been banging my head for a while, I was looking at ssl error logs too, doh
Thanks to your post I was able to get my reverse proxy set up! I was trying several edits to httpd.conf and looking through the Apache error logs to no avail, and Apache’s “Service Temporarily Unavailable” wasn’t helping. It was when I looked in the error log for the virtual site that I found the “Permission denied” message and got here. Thanks!
Man I gotta say I am super pleased to see one of my posts seeing such lasting benefits to people.
Thanks for the comments. Glad I could help.
simeon
Priceless!!! Tonight i’ll sleep calm. Thank you.
Thanks, this tip was extremely useful!!!
Great tip, tnx!
10 second search, 10 second fix.
Cheers
Thank you very much it solved my issue.
Since the error itself doesn’t explain why the connection failed it’s a tricky issue
Nice post. It solved my problem (one of many) getting a Paster app (Pyblosxom) to work on Fedora 11.
It took me several hours to find the post. I must be getting slower as I grow older.
Thanks
Just wanted to leave a thanks! This solved my problem very quickly!
Thank you!!!
I’m just crazy about that!!!
Thanks buddy.. It worked for me too..
Thanks a bunch for this! Right on!
Thank you very much.
Saved me lots of time!!!
Thanks.. saved my bacon.
If you’re ever in Kansas City, look me up. I owe you at LEAST 1 beer for this post.
I struggled was coming up with nothing on a CentOS 5 install. Thanks and somehow I owe you one…
Wow, thanks! This was driving me nuts.
Thanks, just a note that the SELinux setting is on the box that is serving as the proxy and not the target box ;-)
You saved my Saturday :)
I had the same issue but with lighttpd, try to look for a solution and got this one.
The solution works for me also. You save my time!
Thank you
Thanks buddy… a little late to save me embarrassment on #httpd, but that’s okay!
Thanks. You saved my morning.
Thanks +1 more, mate. :)
Thanks +1, for Apache + Perl Dancer Standalone.