Consider the following system configurations:

  • Fedora 27
  • SELinux enabled
  • Apache/2.4.33
  • PHP 7.1.17

And the code snippet below, which is used to issue an HTTP request to the Sphere-Engine Compilers API:

$ch = curl_init('http://xxxxxxxx.compilers.sphere-engine.com/api/v4/test?access_token=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx');
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'GET'); 
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); 
curl_setopt($ch, CURLOPT_TIMEOUT, 3.0);
$x = curl_exec($ch);
print_r($x);

The above script works completely fine when I run the following CLI:

php script.php

And I get the intended output.

However, when I try to run it through the web browser it produces:

CURLE_COULDNT_CONNECT (7) Failed to connect() to host or proxy.

I have found many suggestions such as adding

curl_setopt($ch, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_V4);

which wasn't really a solution for me, and turning off SELinux, which I will not do.

Note: The URL itself is working fine when I issue it and gives me the intended output too.

Any suggestions? Thanks in advance.

ndrwnaguib
  • error is quite clear, can you run that url in a browser? –  Jun 12 '18 at 00:23
  • Yeah works completely fine. – ndrwnaguib Jun 12 '18 at 00:23
  • `curl_setopt($ch, CURLOPT_VERBOSE, true);` add that and see if you get anything useful –  Jun 12 '18 at 00:25
  • Nothing actually. – ndrwnaguib Jun 12 '18 at 00:28
  • Can you connect to other URLs using `curl` from the webserver? – Barmar Jun 12 '18 at 00:29
  • @Barmar Nope, I can't. [ Through the web browser ] – ndrwnaguib Jun 12 '18 at 00:35
  • Then it sounds like the `php.ini` for the webserver has `curl` disabled. Or maybe SELinux has the webserver sandboxed so it can't make outgoing HTTP requests. – Barmar Jun 12 '18 at 00:36
  • But if it's the SELinux case, wouldn't apache report something to the `error_log`, which shows nothing that helps? – ndrwnaguib Jun 12 '18 at 00:41
  • Same problem here, Fedora 29, couldn't find an error anywhere until I looked in `/var/log/messages`: `audit[2320]: AVC avc: denied { name_connect } for pid=2320 comm="php-fpm" dest=80 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0` and I wouldn't have remembered SELinux otherwise – rymo Jan 05 '19 at 22:16
  • Great you checked that file though! – ndrwnaguib Jan 06 '19 at 19:23

1 Answer

Try this to see if SELinux will let the web server connect to the network:

getsebool httpd_can_network_connect

If not, allow it with

setsebool -P httpd_can_network_connect on

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-managing_confined_services-the_apache_http_server-booleans

user2182349
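
Before flipping the boolean, it helps to confirm from the log that the failure really is SELinux blocking an outbound connect from the web server domain. The following is an added example, not part of the original question or answer: a filter that picks `name_connect` denials for `httpd_t` out of audit-style log lines. The function names and the second and third sample lines are constructed for illustration; the first sample line is the denial quoted in the comments above.

```shell
#!/bin/sh
# Constructed sample log. Line 1 is the denial quoted in the comments above;
# lines 2 and 3 are made-up denials that the filter must ignore.
sample_log() {
cat <<'EOF'
audit[2320]: AVC avc: denied { name_connect } for pid=2320 comm="php-fpm" dest=80 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
audit[2411]: AVC avc: denied { read } for pid=2411 comm="httpd" name="notes.txt" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
audit[2502]: AVC avc: denied { name_connect } for pid=2502 comm="chronyd" dest=8080 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=0
EOF
}

# Read log lines on stdin and print "comm dest target_type" for every
# outbound TCP connect that SELinux denied to a process running as httpd_t.
httpd_connect_denials() {
    awk '
    /avc: +denied/ && /name_connect/ && /tclass=tcp_socket/ {
        comm = dest = stype = ttype = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = $i; sub(/^comm=/, "", comm); gsub(/"/, "", comm) }
            if ($i ~ /^dest=/)     { dest = $i; sub(/^dest=/, "", dest) }
            # Contexts are user:role:type:level, so the type is the third field.
            if ($i ~ /^scontext=/) { split($i, s, ":"); stype = s[3] }
            if ($i ~ /^tcontext=/) { split($i, t, ":"); ttype = t[3] }
        }
        if (stype == "httpd_t") print comm, dest, ttype
    }'
}

# Demo on the constructed sample. On the affected host, feed it the real log:
#   httpd_connect_denials < /var/log/messages
sample_log | httpd_connect_denials
```

Enabling `httpd_can_network_connect` lifts this restriction for everything running in the `httpd_t` domain, so check that the processes and destination ports listed are connections you expect before turning it on.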