
Disclaimer: I'm no devops, so please tell me if I'm doing this wrong.

I have a webapp in a container. I use Podman and Podman Compose to bring it up. In compose.yml, I expose the port 5000 and bind it to the internal port 80. Here's a quick diagram:

                                                 ┌────────────────────────────────────┐
                                                 │ PODMAN COMPOSE                     │
                                                 │                                    │
┌─────────────────┐                              │ ┌────────────────────────────────┐ │
│                 │  proxy_pass                  │ │ PODMAN CONTAINER               │ │
│                 │  http://localhost:5000       │ │                                │ │
│      NGINX      │─────────────────────────────►│ │ NAME: my_container             │ │
│                 │                              │ │ INTERNAL PORT: 80              │ │
│                 │                              │ │ EXTERNAL PORT: 5000            │ │
└─────────────────┘                              │ │ NETWORK: my_container_default  │ │
                                                 │ │                                │ │
                                                 │ └────────────────────────────────┘ │
                                                 └────────────────────────────────────┘

Note: Nginx is running on the server directly and I want it to be a reverse proxy for the several apps that I'll install on my server (e.g. if this domain, go to localhost with port 5000, but with this domain, go to localhost with port 5001, etc. etc.).

This works... but only if I set SELinux to permissive :/

I tried to add some rules with semanage but I really don't know what to do here. While in enforcing mode, I tried this command-line: sudo semanage port -a -t http_port_t -p tcp 5000 but it didn't seem to work.

So I've got two questions:

  1. Is my design correct? (i.e. raw Nginx forwarding to container)
  2. If it is, what's the correct semanage command-line? If it's not, what's the correct design?

Thanks!

  • Doesn't permissive mode log the correct command to enable access in enforcing mode? (it's been a while since I messed with SELinux on Fedora, so I may be out of date) Commented Nov 5 at 17:36
  • You need to turn on the httpd_can_network_connect SELinux boolean as described here: serverfault.com/questions/1082399/… The design itself, having a single host-wide nginx instance, is perfectly fine (I'd use exactly this option if I needed to serve several different dockerized web apps), though it requires you to manage a larger and more complex combined nginx configuration. Commented Nov 5 at 17:59
  • @IvanShatsky Thanks for this answer! What would be the other design? I've seen people using Nginx Docker containers, but I don't see how the reverse proxy would work with this design... Commented Nov 6 at 0:28
  • The other design is to use an additional nginx container per each app compose. This way each app has its own specific nginx configuration, and the host-wide nginx does name-based routing only: server { server_name app1.example.com; location / { proxy_pass http://127.0.0.1:<exposed_app1_port>; } } (somewhat simplified). Using the joined configuration at the top level nginx allows you to eliminate an extra proxying layer (better performance) though you'd need to assemble the joined configuration yourself. Commented Nov 6 at 1:10
  • Additionally, when using a host-wide nginx instance, you can optionally use path-based routing (e.g., server { server_name example.com; location /app1/ { proxy_pass ... } location /app2/ { proxy_pass ... } ... }). Generally, the apps should be set up to use the appropriate base path unless the app is able to detect such a prefix automatically. Commented Nov 6 at 1:14

1 Answer


As Ivan says in the comment, it's been answered here: configure nginx to use a proxy when connecting to upstream

TL;DR: type this:

setsebool -P httpd_can_network_connect 1 

If you want to debug SELinux issues in the future, toggle permissive mode, take a look at /var/log/audit/audit.log and use audit2why.

Example:

$ sudo setenforce 0 # toggles permissive mode
$ sudo grep httpd /var/log/audit/audit.log | audit2why
type=AVC msg=audit(1762426507.977:11179): avc:  denied  { name_connect } for  pid=1003 comm="nginx" dest=5000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:commplex_main_port_t:s0 tclass=tcp_socket permissive=1

    Was caused by:
    The boolean httpd_can_network_connect was set incorrectly.
    Description:
    Allow httpd to can network connect

    Allow access by executing:
    # setsebool -P httpd_can_network_connect 1

As you can see, audit2why explains what's happening and how to fix it.
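As an added illustration (my own script, not the answerer's), a small Python triage helper that parses AVC records in the format quoted above, counts denials by source type, target type, object class and permission, and flags the httpd_t name_connect case that httpd_can_network_connect governs. The sample records are constructed for the example: the first mirrors the line in the answer, the second nginx record and the sshd record are made up.

```python
import re
from collections import Counter

# Constructed sample audit.log records; only the first mirrors the AVC line quoted above.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1762426507.977:11179): avc:  denied  { name_connect } for  pid=1003 comm="nginx" dest=5000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:commplex_main_port_t:s0 tclass=tcp_socket permissive=1
type=SYSCALL msg=audit(1762426507.977:11179): arch=c000003e syscall=42 success=yes exit=0
type=AVC msg=audit(1762426509.301:11184): avc:  denied  { name_connect } for  pid=1003 comm="nginx" dest=5000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:commplex_main_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1762426520.000:11190): avc:  denied  { read } for  pid=2042 comm="sshd" name="authorized_keys" scontext=system_u:system_r:sshd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def type_of(context):
    # An SELinux context is user:role:type:level; the type is what policy rules key on.
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context

def parse_avc(line):
    """Parse one AVC record into a dict, or return None for non-AVC records."""
    m = AVC_RE.match(line)
    if m is None:
        return None
    rec = {k: m.group(k) for k in ("ts", "serial", "verdict")}
    rec["perms"] = m.group("perms").split()
    rec.update((k, v.strip('"')) for k, v in KV_RE.findall(m.group("fields")))
    rec["stype"] = type_of(rec.get("scontext", ""))
    rec["ttype"] = type_of(rec.get("tcontext", ""))
    # permissive=1 means the access was logged but still allowed (setenforce 0)
    rec["permissive"] = rec.get("permissive") == "1"
    return rec

def needs_httpd_can_network_connect(rec):
    """The denial on this page: httpd_t (nginx) opening an outbound TCP connection."""
    return rec["stype"] == "httpd_t" and rec["tclass"] == "tcp_socket" and "name_connect" in rec["perms"]

def summarise(log_text):
    """Count denials by (source type, target type, class, permission, permissive flag)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        for perm in rec["perms"]:
            counts[(rec["stype"], rec["ttype"], rec["tclass"], perm, rec["permissive"])] += 1
    return counts
```

Feed it `/var/log/audit/audit.log` (or the `grep httpd` slice from the answer) and hand any group it reports to audit2why for the policy-level explanation.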
