SELinux, the mandatory access control built into Linux, governs network ports as well as the file system: a process that is started as a service is allowed to listen only on a fixed set of ports labelled for its domain. For convenience we call these the controlled ports (in SELinux terms, ports labelled with a port type such as http_port_t).
Nginx listen port
To see which controlled ports the httpd_t domain (the domain Nginx runs in when started as a service) may currently listen on, list the ports labelled http_port_t (on CentOS/RHEL 7 the semanage command comes from the policycoreutils-python package):

# semanage port -l | grep '^http_port_t'
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000

This shows eight port numbers, among them 80. Because Nginx listens on port 80 by default, it starts normally:

# service nginx start
We can then test whether Nginx may listen on some other port, for example 8888. To do this, add a new file /etc/nginx/conf.d/test.conf:

# /etc/nginx/conf.d/test.conf
server {
    listen       8888;
    server_name  localhost;
}

You can also edit /etc/nginx/conf.d/default.conf directly instead of adding a new file.
When done, have Nginx reload its configuration:

# nginx -s reload
Although the command succeeds, port 8888 is not actually listening:

# netstat -tlnp | grep 8888

The netstat command produces no output, so port 8888 is not in the LISTEN state. Next we look at the audit log:

# vi /var/log/audit/audit.log

The following two lines are found at the end of the file:
type=AVC msg=audit(1452146884.454:2430): avc:  denied  { name_bind } for  pid=1268 comm="nginx" src=8888 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1452146884.454:2430): arch=c000003e syscall=49 success=no exit=-13 a0=b a1=1b5cc60 a2=10 a3=7ffdaf0be83c items=0 ppid=1 pid=1268 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nginx" exe="/usr/sbin/nginx" subj=system_u:system_r:httpd_t:s0 key=(null)

I do not know the detailed meaning of every field here, but it is certain that Nginx does not have permission to listen on port 8888. The key fields of the AVC record are: the source context scontext=...:httpd_t:s0 (the Nginx process), the denied permission { name_bind } (binding a listening socket to a named port), and the target context tcontext=...:port_t:s0, where port_t is the generic type of a port that no service has been assigned. The paired SYSCALL record with the same audit serial (arch=c000003e is x86_64) records the failed bind(2) call made by exe="/usr/sbin/nginx". If you do want Nginx to listen on port 8888, register 8888 as a controlled port of type http_port_t. First check whether 8888 is already labelled with some other type:
# semanage port -l | grep 8888

If this prints a line, port 8888 is already assigned to another service's port type; choose a different port (relabelling an existing port with semanage port -m is possible but may break the service that owns it).
To register port 8888 as an HTTP port, run:

# semanage port -a -t http_port_t -p tcp 8888
As a good habit, check the list of controlled ports again to confirm that the new port is registered (semanage lists the newly added port first):

# semanage port -l | grep '^http_port_t'
http_port_t                    tcp      8888, 80, 81, 443, 488, 8008, 8009, 8443, 9000

Finally, have Nginx reload its configuration:

# nginx -s reload

Port 8888 should now be in the LISTEN state:

# netstat -tlnp | grep 8888
Nginx reverse proxy port
If Nginx acts as a reverse proxy for your application, the upstream port that Nginx connects to must also be a controlled port: the httpd_t domain needs the name_connect permission on that port, and a denial shows up in audit.log as { name_connect } with dest=<port> rather than { name_bind } with src=<port>. Label the backend port http_port_t with semanage port -a exactly as above. The alternative, setsebool -P httpd_can_network_connect 1, allows Nginx to connect to any port at all and is far broader than the single label the application needs.
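To tie the two denial shapes together, here is a small audit-log triage script. It is an added example for this article, not code from the article or from the Nginx or SELinux projects: it parses audit records of the form shown above, picks out the name_bind (listen) and name_connect (reverse proxy) denials on tcp/udp sockets, pairs each AVC record with its SYSCALL record by the audit serial, and prints the semanage command the procedure above would use. The sample log lines are constructed to match the format shown above; the syscall number, exit code and the second (name_connect) denial are assumptions for illustration.

```python
"""Pick SELinux port denials out of an audit log and suggest the fix.

Added example for this article (not code from the article or from the
Nginx/SELinux projects). The sample records below are constructed to
match the audit.log format shown above; the syscall number, exit code
and the second (name_connect) denial are assumptions for illustration.
"""
import re
from typing import Dict, List

# Constructed sample: an AVC record, its paired SYSCALL record (same
# msg=audit(timestamp:serial) key), and a reverse-proxy style denial.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1452146884.454:2430): avc:  denied  { name_bind } for  pid=1268 comm="nginx" src=8888 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1452146884.454:2430): arch=c000003e syscall=49 success=no exit=-13 a0=b a1=1b5cc60 a2=10 a3=7ffdaf0be83c items=0 ppid=1 pid=1268 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nginx" exe="/usr/sbin/nginx" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1452146901.120:2431): avc:  denied  { name_connect } for  pid=1268 comm="nginx" dest=8889 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
"""

AUDIT_ID_RE = re.compile(r"msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\)")
PERMS_RE = re.compile(r"\{\s*([^}]*?)\s*\}")       # { name_bind }
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')        # key=value or key="quoted"


def parse_record(line: str) -> Dict[str, str]:
    """Flatten one audit record into a dict of its fields."""
    rec: Dict[str, str] = {}
    m = AUDIT_ID_RE.search(line)
    if m:
        rec["ts"], rec["serial"] = m.group("ts"), m.group("serial")
    m = PERMS_RE.search(line)
    if m:
        rec["perms"] = " ".join(m.group(1).split())
    # Drop the msg=audit(...) token so it is not parsed as a key=value pair.
    for key, val in KV_RE.findall(AUDIT_ID_RE.sub("", line)):
        rec.setdefault(key, val.strip('"'))
    return rec


def find_port_denials(log_text: str) -> List[Dict[str, str]]:
    """Return AVC records that deny binding or connecting to a port.

    Each result carries the port, protocol, the SELinux type the port is
    currently labelled with, and (when the paired SYSCALL record exists)
    the executable and errno, so the denial can be tied to a process.
    """
    records = [parse_record(ln) for ln in log_text.splitlines() if ln.strip()]
    syscalls = {r["serial"]: r for r in records
                if r.get("type") == "SYSCALL" and "serial" in r}
    denials = []
    for rec in records:
        if rec.get("type") != "AVC" or rec.get("tclass") not in ("tcp_socket", "udp_socket"):
            continue
        perms = rec.get("perms", "")
        if "name_bind" in perms:          # service tried to listen on src=<port>
            rec["port"] = rec.get("src", "")
        elif "name_connect" in perms:     # service tried to connect to dest=<port>
            rec["port"] = rec.get("dest", "")
        else:
            continue
        rec["proto"] = rec["tclass"].split("_")[0]
        # tcontext is user:role:type:level; the type is the port's label.
        rec["port_type"] = rec.get("tcontext", "::port_t:").split(":")[2]
        sc = syscalls.get(rec.get("serial"))
        if sc:
            rec["exe"] = sc.get("exe", "")
            rec["exit"] = sc.get("exit", "")
        denials.append(rec)
    return denials


def remediation(denial: Dict[str, str], target_type: str = "http_port_t") -> str:
    """Suggest the semanage step the article describes.

    port_t is the generic type of an unlabelled port, so it can simply be
    added to target_type (-a). Any other type means the port already
    belongs to another service; the article's advice is to pick a
    different port rather than relabel it.
    """
    port, proto = denial["port"], denial["proto"]
    if denial["port_type"] == "port_t":
        return f"semanage port -a -t {target_type} -p {proto} {port}"
    return (f"{proto}/{port} is already labelled {denial['port_type']}; "
            f"use another port (or relabel with: semanage port -m -t {target_type} -p {proto} {port})")


if __name__ == "__main__":
    for d in find_port_denials(SAMPLE_AUDIT_LOG):
        print(f"{d['comm']} ({d['scontext']}) denied {d['perms']} on "
              f"{d['proto']}/{d['port']} labelled {d['port_type']}")
        print("  fix:", remediation(d))
```

Run it against a real file with `find_port_denials(open("/var/log/audit/audit.log").read())`; on a live system the same records can also be pulled with `ausearch -m AVC -c nginx`. The check on port_t is the scripted form of the `semanage port -l | grep <port>` step above: only an unlabelled port is safe to add with -a.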
Other notes
Note that this restriction applies only when Nginx is started as a service: the init system launches it in the confined httpd_t domain, which is the domain the http_port_t rules apply to. If you run /usr/sbin/nginx directly from a root shell, the process inherits the shell's unconfined_t domain and SELinux does not restrict which ports it listens on, so the problem will not reproduce that way.
Permissions issues for Nginx listener ports and reverse proxy ports