Wuhai’s Weblog

February 19, 2009

mod_proxy / selinux

Filed under: Apache, Linux, RedHat — wuhai @ 4:36 am

Refer to: http://blog.simb.net/2007/08/01/centos-5-apache-223-proxy-balancer-permission-denied-proxy-http/

If you get the following errors (a 503 page in the browser, an SELinux AVC denial in the kernel audit log, and mod_proxy reporting the backend connect as permission denied in the Apache error log):

Service Temporarily Unavailable

The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.

Feb 18 18:13:53 xx01p kernel: audit(1235002433.312:12): avc: denied { name_connect } for pid=18276 comm="httpd" dest=9000 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

[Wed Feb 18 18:29:09 2009] [error] (13)Permission denied: proxy: HTTP: attempt to connect to 10.xx.1.xx:9000 (10.xx.1.xx) failed
[Wed Feb 18 18:29:09 2009] [error] ap_proxy_connect_backend disabling worker for (10.235.1.97)
[Wed Feb 18 18:29:13 2009] [error] proxy: HTTP: disabled connection for (10.235.1.97)

# sestatus -b | grep httpd
allow_httpd_anon_write                 off
allow_httpd_bugzilla_script_anon_write off
allow_httpd_mod_auth_pam               off
allow_httpd_nagios_script_anon_write   off
allow_httpd_squid_script_anon_write    off
allow_httpd_sys_script_anon_write      off
httpd_builtin_scripting                on
httpd_can_network_connect              off
httpd_can_network_connect_db           off
httpd_can_network_relay                off
httpd_disable_trans                    off
httpd_enable_cgi                       on
httpd_enable_ftp_server                off
httpd_enable_homedirs                  on
httpd_rotatelogs_disable_trans         off
httpd_ssi_exec                         off
httpd_suexec_disable_trans             off
httpd_tty_comm                         on
httpd_unified                          on
# togglesebool httpd_can_network_connect
httpd_can_network_connect: active
# sestatus -b | grep httpd
allow_httpd_anon_write                 off
allow_httpd_bugzilla_script_anon_write off
allow_httpd_mod_auth_pam               off
allow_httpd_nagios_script_anon_write   off
allow_httpd_squid_script_anon_write    off
allow_httpd_sys_script_anon_write      off
httpd_builtin_scripting                on
httpd_can_network_connect              on
httpd_can_network_connect_db           off
httpd_can_network_relay                off
httpd_disable_trans                    off
httpd_enable_cgi                       on
httpd_enable_ftp_server                off
httpd_enable_homedirs                  on
httpd_rotatelogs_disable_trans         off
httpd_ssi_exec                         off
httpd_suexec_disable_trans             off
httpd_tty_comm                         on
httpd_unified                          on
# setsebool -P httpd_can_network_connect=1
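The session above shows the fix, but not how to read the AVC record that justifies it. The `tcontext` in the denial is `port_t`, the generic type for ports the policy has not reserved, which is why the narrower `httpd_can_network_relay` boolean (connects to ports labelled as web/cache ports) does not help and the post falls back to the broad `httpd_can_network_connect`. Note also that `togglesebool` only flips the running policy; the final `setsebool -P` is what survives a reboot. The following script is an added example, not from the original post: it parses AVC lines like the one above and proposes the least-privilege remedy. The sample audit lines are constructed (the first is the post's own line), and the sets of port types covered by the relay and database booleans are assumptions about the RHEL 5 targeted policy.

```python
import re

# Constructed sample audit log: the post's own denial (port 9000, unreserved port_t),
# two variants hitting ports the narrower booleans cover, and one non-network denial.
SAMPLE_AUDIT = """\
Feb 18 18:13:53 xx01p kernel: audit(1235002433.312:12): avc: denied { name_connect } for pid=18276 comm="httpd" dest=9000 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
Feb 18 18:14:01 xx01p kernel: audit(1235002441.100:13): avc: denied { name_connect } for pid=18276 comm="httpd" dest=8080 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
Feb 18 18:14:05 xx01p kernel: audit(1235002445.200:14): avc: denied { name_connect } for pid=18276 comm="httpd" dest=3306 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
Feb 18 18:14:09 xx01p kernel: audit(1235002449.300:15): avc: denied { write } for pid=18276 comm="httpd" name="upload" dev=dm-0 ino=1234 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
"""

# "avc: denied { perm perm } for key=value key=value ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Port types already permitted by the narrower booleans (assumed lists for RHEL 5 targeted policy).
RELAY_PORT_TYPES = {"http_port_t", "http_cache_port_t"}   # httpd_can_network_relay
DB_PORT_TYPES = {"mysqld_port_t", "postgresql_port_t"}    # httpd_can_network_connect_db


def parse_avc(line):
    """Return the AVC record's fields as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # A context is user:role:type:level; the type is what the policy rules are written against.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec


def triage_httpd_connect(rec):
    """Map an httpd_t name_connect denial to the least-privilege remedy, or None if not applicable."""
    if rec is None or rec.get("scontext_type") != "httpd_t":
        return None
    if rec.get("tclass") != "tcp_socket" or "name_connect" not in rec["perms"]:
        return None
    ttype = rec.get("tcontext_type")
    if ttype in RELAY_PORT_TYPES:
        return "setsebool -P httpd_can_network_relay=1"
    if ttype in DB_PORT_TYPES:
        return "setsebool -P httpd_can_network_connect_db=1"
    if ttype == "port_t":
        # Unreserved port: label it as a web port so the relay boolean covers it,
        # rather than opening every TCP port to httpd.
        return ("semanage port -a -t http_port_t -p tcp %s && "
                "setsebool -P httpd_can_network_relay=1" % rec.get("dest"))
    return "setsebool -P httpd_can_network_connect=1  # broad: any TCP port"


def triage_log(text):
    """Return (dest_port, target_type, remedy) for every httpd connect denial in the log text."""
    results = []
    for line in text.splitlines():
        rec = parse_avc(line)
        remedy = triage_httpd_connect(rec)
        if remedy:
            results.append((rec.get("dest"), rec.get("tcontext_type"), remedy))
    return results


if __name__ == "__main__":
    for dest, ttype, remedy in triage_log(SAMPLE_AUDIT):
        print("port %s (%s): %s" % (dest, ttype, remedy))
```

Run against the sample log, the post's own denial yields the `semanage port` plus relay suggestion, the cache-port line the relay boolean, the MySQL line the database boolean, and the directory write denial is ignored because it is not a network connect.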

October 16, 2008

Apache 2.2.3/RHEL5 + Active Directory

Filed under: Apache — wuhai @ 5:23 am

Based on the LDAP authentication provider (mod_authnz_ldap) querying Active Directory:

<Location /secure_url/>
    # Basic auth sends the password with every request: serve this location over HTTPS only.
    AuthType Basic
    AuthName "Secure Place"
    AuthBasicProvider ldap
    # Identity used to bind for the user search. Active Directory rejects anonymous
    # searches, so in practice this is a dedicated low-privilege service account DN
    # together with AuthLDAPBindPassword.
    AuthLDAPBindDN "DC=dot,DC=com"
    # Only the last AuthLDAPURL in a scope takes effect; to fail over between two domain
    # controllers, list both hosts space-separated inside a single quoted URL.
    # Plain ldap:// sends the simple bind in clear text to the DC; prefer ldaps:// or
    # append TLS after the URL to use STARTTLS.
    AuthLDAPURL "ldap://ip address:389/DC=dot,DC=com?sAMAccountName?sub"
    AuthLDAPURL "ldap://ip2:389/DC=dot,DC=com?sAMAccountName?sub"
    # Leave "Require user" to mod_authz_user, matched against the authenticated sAMAccountName.
    AuthzLDAPAuthoritative off
    Require user user1 user2
</Location>
