Bug 66546 - Hint to httpd_can_network_connect
Summary: Hint to httpd_can_network_connect
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: Documentation
Version: 2.4.56
Hardware: PC Linux
Importance: P2 normal
Target Milestone: ---
Assignee: HTTP Server Documentation List
Reported: 2023-03-30 10:08 UTC by Jochen Wiedmann
Modified: 2023-03-30 10:08 UTC

Description Jochen Wiedmann 2023-03-30 10:08:33 UTC
According to a Google search for
  site:httpd.apache.org httpd_can_network_connect
the following fact isn't mentioned anywhere in the httpd documentation. I think this should be changed.

A properly configured proxy request can fail on Red Hat Enterprise, Fedora, CentOS, and other SELinux-based systems if the SE boolean httpd_can_network_connect prevents network access to the proxy server.

If that is the case, the error_log will contain a message like

  AH01114: HTTP: failed to make connection to backend: 127.0.0.1

Accordingly, the end user will see something like HTTP status 503:

  Service unavailable
  The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.

Mitigation:

  1.) Check the status of the httpd_can_network_connect boolean:
      $ sudo getsebool httpd_can_network_connect
      httpd_can_network_connect --> off

  2.) If the value is "on", then nothing must be changed. Otherwise,
      change the value with
      $ sudo setsebool httpd_can_network_connect 1
      $ sudo setsebool -P httpd_can_network_connect 1
      (The first line will change the current runtime only. The -P flag makes
      the change permanent.)

Reference: http://sysadminsjourney.com/content/2010/02/01/apache-modproxy-error-13permission-denied-error-rhel/
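
Added example, not part of the original report: a shell check that confirms SELinux is the cause before the boolean is changed, by pairing AH01114 lines in the error_log with `name_connect` AVC denials for `httpd_t` in the audit log. The function names and the embedded log lines are constructed for illustration; on a real host, pass the paths of the Apache error_log and `/var/log/audit/audit.log`.

```shell
#!/bin/sh
# Added example. All log lines below are constructed samples.

# Print "dest-port target-type" for each outbound connect denied to httpd_t.
httpd_connect_denials() {  # $1: audit log (same format as audit.log)
    awk '
        /type=AVC/ && /denied/ && /name_connect/ && /scontext=[^ ]*:httpd_t:/ {
            port = ""; ttype = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^dest=/) port = substr($i, 6)
                if ($i ~ /^tcontext=/) { split($i, c, ":"); ttype = c[3] }
            }
            if (port != "") print port, ttype
        }' "$1" | sort -u
}

# Count the mod_proxy backend-connection errors quoted in the report.
proxy_backend_failures() {  # $1: Apache error_log
    grep -c 'AH01114:' "$1" || true
}

# Return 0 only when both signals are present.
diagnose() {  # $1: error_log, $2: audit log
    failures=$(proxy_backend_failures "$1")
    denials=$(httpd_connect_denials "$2")
    if [ "$failures" -gt 0 ] && [ -n "$denials" ]; then
        echo "$failures AH01114 line(s); httpd_t connect denied to:"
        echo "$denials"
        return 0
    fi
    echo "no AH01114 + httpd_t name_connect pair; check other causes"
    return 1
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/error_log" <<'EOF'
[Thu Mar 30 10:01:12.000100 2023] [proxy_http:error] [pid 1201] [client 192.0.2.10:51514] AH01114: HTTP: failed to make connection to backend: 127.0.0.1
EOF
cat > "$demo_dir/audit.log" <<'EOF'
type=AVC msg=audit(1680170472.101:812): avc:  denied  { name_connect } for  pid=1201 comm="httpd" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1680170480.552:815): avc:  denied  { read } for  pid=1410 comm="sshd" name="x" dev="dm-0" ino=42 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
EOF
diagnose "$demo_dir/error_log" "$demo_dir/audit.log"
```

The denied port and its SELinux port type in the output show exactly which backend connection was blocked.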