
I'm trying to install a standalone Archiva server and running into a problem with an nginx SSL proxy. I can hit the proxy, but I get a 502 Bad Gateway error from the Jetty server behind it. Nginx returns this:

connect() to 127.0.0.1:8080 failed (13: Permission denied) while connecting to upstream.
  client: xxx.xx.xx.xxx, 
  server: server.at.aws, 
  request: "GET /archiva HTTP/1.1", 
  upstream: "http://127.0.0.1:8080/archiva", 
  host: "server.at.aws"

This is on an AWS instance. The Jetty server is listening on 127.0.0.1:8080. I have confirmed that I can get to the Archiva server from within the instance itself. Is there any special configuration that the Jetty server needs to make it accept the proxy connection?

Joakim Erdfelt
numb3rs1x

2 Answers

I forgot what turns out to be a very important detail to this configuration. It's on a Fedora server running SELinux. Port 8080 was out of context in nginx and being denied.

type=AVC msg=audit(1380053745.510:1730): avc:  denied  { name_connect } for  
   pid=12145 comm="nginx" dest=8080 scontext=system_u:system_r:**httpd_t**:s0
   tcontext=system_u:object_r:**http_cache_port_t**:s0 tclass=tcp_socket

http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000

I reset the Jetty server to listen on 8008, and I'm not getting those permission denied errors at least. The server still isn't working, but for reasons not in the context of this question.

Joakim Erdfelt
numb3rs1x

nginx has no access to ports other than the default ones. That access is defined in the default SELinux policy, so the default port works.

In your case, the easiest way is to create a new policy and install it using the audit2allow tool, which can create the policy module from the audit log.

See https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow.html

Martin Strejc
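Added example (not from the question or either answer): a small POSIX sh script that parses an AVC denial line like the one in the self-answer above and prints the narrowest remediation, so that a proxy denial is not "fixed" with a blanket audit2allow module as the second answer suggests. It assumes the standard targeted-policy names (httpd_t, http_cache_port_t, httpd_can_network_relay, httpd_can_network_connect); the sample line is constructed from the denial quoted above.

```shell
#!/bin/sh
# Constructed sample: the denial from the self-answer, joined onto one line.
SAMPLE_AVC='type=AVC msg=audit(1380053745.510:1730): avc:  denied  { name_connect } for  pid=12145 comm="nginx" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket'

# avc_field LINE KEY: value of the KEY=value token, with quotes stripped.
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tr -d '"' | head -n 1
}

# avc_perm LINE: the permission inside the braces, e.g. name_connect.
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^ }]*\) *}.*/\1/p'
}

# se_type CONTEXT: the type field of user:role:type:level.
se_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# suggest_fix LINE: print one remediation command, narrowest option first.
suggest_fix() {
    perm=$(avc_perm "$1")
    stype=$(se_type "$(avc_field "$1" scontext)")
    ttype=$(se_type "$(avc_field "$1" tcontext)")
    port=$(avc_field "$1" dest)
    case "$stype/$perm/$ttype" in
        # nginx (httpd_t) proxying to a web or cache port: the relay boolean
        # only permits connecting to web/proxy port types, not arbitrary ports.
        httpd_t/name_connect/http_port_t|httpd_t/name_connect/http_cache_port_t)
            echo "setsebool -P httpd_can_network_relay on" ;;
        # Upstream on an unlabelled port: label the port instead of widening nginx.
        httpd_t/name_connect/port_t|httpd_t/name_connect/unreserved_port_t)
            echo "semanage port -a -t http_port_t -p tcp $port" ;;
        # Some other labelled port: needs the broad boolean (any outbound TCP).
        httpd_t/name_connect/*)
            echo "setsebool -P httpd_can_network_connect on" ;;
        # Anything else: build a module from the log, but read the .te before loading it.
        *)
            echo "ausearch -m avc -c $(avc_field "$1" comm) | audit2allow -M local_$stype" ;;
    esac
}

suggest_fix "$SAMPLE_AVC"
```

Run it against lines from `ausearch -m avc` on the affected host; the boolean it prints for the quoted denial allows nginx to reach Jetty on 8080 without relabelling or moving the port.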