Chapter 8: Nginx Setup on CentOS 7


Isaac Kim

Mar 18, 2016, 3:03:43 PM
to Obey the testing goat! Test-Driven Web Development with Python book
I'm trying to follow the Nginx setup steps in Chapter 8, but doing it on CentOS 7. I've done it correctly before on Ubuntu on AWS and it worked. So far I've had no luck on CentOS 7 (it's actually running on VirtualBox locally with all the port forwarding set up correctly). I also tried following the tutorial on DigitalOcean https://www.digitalocean.com/community/tutorials/how-to-set-up-nginx-server-blocks-on-centos-7. I set up the proxy_pass, but it doesn't seem like the requests are being passed to Django when I have runserver running.

Django (serving on 127.0.0.1:8000):
./manage runserver

Nginx (nginx.conf):
[...]

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;

    server {
        listen       80 default_server;
        listen       [::]:80 default_server;
        server_name  _;
        root         /usr/share/nginx/html;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
        }

        error_page 404 /404.html;
        location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }

    include /etc/nginx/sites-enabled/*.conf;
    server_names_hash_bucket_size 64;
}

sites-available (project-staging.conf):
server {
    listen 80;
    server_name localhost;

    location / {
        proxy_pass http://localhost:8000;
    }
}

sites-enabled (project-staging.conf):
projmgmt-staging.centos.conf -> /etc/nginx/sites-available/projmgmt-staging.centos.conf

On the host system, I can open up the page and I still see the default Nginx welcome page. I'm wondering if the default server block (before my include for sites-enabled) takes precedence. When I shift things around, it doesn't really change the behavior. When I play with the ports to use something other than Port 80, I get a Bad Gateway message.

If I change the nginx.conf file's default server block to specify the proxy_pass in the location to my Django runserver, it gives me the default Nginx error page.

Any suggestions on how to trace what's going on?

Isaac Kim

Mar 18, 2016, 3:36:22 PM
to Obey the testing goat! Test-Driven Web Development with Python book
A little more detail...

Nginx error log:
2016/03/18 12:33:26 [crit] 2723#0: *1 connect() to 127.0.0.1:8000 failed (13: Permission denied) while connecting to upstream, client: 10.0.2.2, server: localhost, request: "GET / HTTP/1.1", upstream: "http://127.0.0.1:8000/", host: "localhost:8888"
2016/03/18 12:33:26 [crit] 2723#0: *1 connect() to [::1]:8000 failed (13: Permission denied) while connecting to upstream, client: 10.0.2.2, server: localhost, request: "GET / HTTP/1.1", upstream: "http://[::1]:8000/", host: "localhost:8888"

VirtualBox Guest (CentOS) has Host Port 8888 forwarding to Guest Port 80. Not sure why I'm getting the Permission Denied message.

Isaac Kim

Mar 18, 2016, 4:06:41 PM
to Obey the testing goat! Test-Driven Web Development with Python book
It looks like it was SELinux that was causing the problem and getting me to see a 502 Bad Gateway page.


This command resolves the issue:
setsebool httpd_can_network_connect on

I'm not very familiar with SELinux and why this was happening. I couldn't quite make sense of the comments in the StackOverflow page either. Can anyone help explain what was happening?

Isaac Kim

Mar 18, 2016, 4:52:33 PM
to Obey the testing goat! Test-Driven Web Development with Python book
Digging around, I found a good article from Nginx that explains this: https://www.nginx.com/blog/nginx-se-linux-changes-upgrading-rhel-6-6/

I ran the following command to see if any SELinux messages pop up regarding nginx when I get the 502 Bad Gateway page:
$ tail -f /var/log/audit/audit.log | grep nginx

type=AVC msg=audit(1458334023.687:9833): avc:  denied  { name_connect } for  pid=3735 comm="nginx" dest=8000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:soundd_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1458334023.687:9833): arch=c000003e syscall=42 success=no exit=-13 a0=9 a1=7f8a0c1c5358 a2=1c a3=7ffcf2337870 items=0 ppid=3733 pid=3735 auid=4294967295 uid=995 gid=993 euid=995 suid=995 fsuid=995 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm="nginx" exe="/usr/sbin/nginx" subj=system_u:system_r:httpd_t:s0 key=(null)

Then I used audit2why to interpret the message:
$ grep 1458334023.687:9833 /var/log/audit/audit.log| audit2why

type=AVC msg=audit(1458334023.687:9833): avc:  denied  { name_connect } for  pid=3735 comm="nginx" dest=8000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:soundd_port_t:s0 tclass=tcp_socket

        Was caused by:
        The boolean httpd_can_network_connect was set incorrectly.
        Description:
        Allow httpd to can network connect

        Allow access by executing:
        # setsebool -P httpd_can_network_connect 1

Reading the article I posted, they say:

By default, the SELinux configuration does not allow NGINX to connect to a remote web, fastCGI, or other server...

I hope this helps anyone having a similar issue.
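A small helper for the triage step described above, added here as an example and not code from the thread or the book: it pulls the fields that matter out of AVC denial lines (process, denied permission, source and target types, object class) and maps the one case the thread shows, httpd_t being refused name_connect on a tcp_socket, to the boolean audit2why named. The audit lines embedded below are constructed samples modelled on the ones posted; anything outside that one case is left to audit2why.

```shell
#!/bin/sh
# Added example (not from the thread): summarise SELinux AVC denials and
# name the fix for the httpd_t name_connect case. POSIX sh + grep + sed only.

# Constructed sample audit lines, modelled on the ones posted in the thread.
SAMPLE_AUDIT='type=AVC msg=audit(1458334023.687:9833): avc:  denied  { name_connect } for  pid=3735 comm="nginx" dest=8000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:soundd_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1458334023.687:9833): arch=c000003e syscall=42 success=no exit=-13 comm="nginx" exe="/usr/sbin/nginx"
type=AVC msg=audit(1458334100.001:9840): avc:  denied  { read } for  pid=3735 comm="nginx" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# Read audit lines on stdin; print one line per AVC denial in the form:
#   comm permission source_type target_type tclass
# SYSCALL and other record types are dropped.
avc_summary() {
    grep '^type=AVC' | sed -n \
        's/.*denied  *{ *\([a-z_]*\) *}.*comm="\([^"]*\)".*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([a-z_]*\).*/\2 \1 \3 \4 \5/p'
}

# Given one summary line, print the remediation for the case the thread
# shows (nginx in httpd_t denied name_connect on any port type); otherwise
# defer to audit2why rather than guess.
suggest_fix() {
    case "$1" in
        "nginx name_connect httpd_t "*" tcp_socket")
            echo 'setsebool -P httpd_can_network_connect 1' ;;
        *)
            echo 'unknown: run audit2why' ;;
    esac
}

# Usage on a real box:
#   avc_summary < /var/log/audit/audit.log | while read -r l; do suggest_fix "$l"; done
printf '%s\n' "$SAMPLE_AUDIT" | avc_summary | while read -r line; do
    echo "$line -> $(suggest_fix "$line")"
done
```

Note that `setsebool httpd_can_network_connect on` without `-P` does not survive a reboot; the `-P` form audit2why prints is the persistent one. This boolean also lets httpd_t connect to any port, which is wider than what a single proxy_pass needs, so it is worth knowing that is the trade-off being made.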

Harry Percival

Mar 19, 2016, 6:17:05 PM
to Isaac Kim, Obey the testing goat! Test-Driven Web Development with Python book
Impressive debugging work Isaac!

What made you choose SELinux, out of interest?

------------------------------
Harry J.W. Percival
------------------------------
Twitter: @hjwp
Mobile:  +44 (0) 78877 02511
Skype:         harry.percival


Isaac Kim

Mar 19, 2016, 7:23:06 PM
to Obey the testing goat! Test-Driven Web Development with Python book, ijk...@gmail.com, hj...@cantab.net
Thanks Harry. Btw, I really enjoy reading the book and learning a lot from it.

I guess you can say it was an accident I installed SELinux. I wasn't quite sure what all the different security profiles were in the CentOS 7 installation, nor did I take the time to look into it. It just so happens selecting one of them installed SELinux. And just in case anyone wonders, I chose CentOS 7 just because I'm a bit more familiar with it than Ubuntu (even though I did use an AWS Ubuntu instance for this before).