Permissions issues for Nginx listener ports and reverse proxy ports

Source: Internet
Author: User
Tags: nginx, reverse proxy

SELinux applies its mandatory access control to network ports as well as to the file system: a process started as a service runs in a confined domain and may bind only ports whose label that domain is allowed to bind. For convenience this page calls these the managed ports; for Nginx, which runs in the httpd_t domain, they are the ports labeled http_port_t.

Nginx Listening Ports

To see which ports Nginx is currently allowed to listen on, list the ports labeled http_port_t:

# semanage port -l | grep '^http_port_t'
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000

Eight TCP ports are listed, and 80 is one of them. Because Nginx listens on port 80 by default, it starts normally:

# service nginx start

We can then experiment to see whether Nginx can listen on another port, such as 8888. Add a new file /etc/nginx/conf.d/test.conf:

# /etc/nginx/conf.d/test.conf
server {
    listen       8888;
    server_name  localhost;
}

You can also edit /etc/nginx/conf.d/default.conf directly instead of adding a new file.

When done, let Nginx reload the configuration:

# nginx -s reload

Although the command succeeds, port 8888 is not actually listening:

# netstat -tlnp | grep 8888

The netstat command produces no output, so port 8888 is not in the LISTEN state. Next, look at the audit log:

# vi /var/log/audit/audit.log

The following two records are at the end of the file:

type=AVC msg=audit(1452146884.454:2430): avc:  denied  { name_bind } for  pid=1268 comm="nginx" src=8888 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1452146884.454:2430): arch=c000003e syscall=49 success=no exit=-13 a0=b a1=1b5cc60 a2=10 a3=7ffdaf0be83c items=0 ppid=1 pid=1268 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nginx" exe="/usr/sbin/nginx" subj=system_u:system_r:httpd_t:s0 key=(null)

The AVC record is the one that matters: the nginx process, running in the httpd_t domain (scontext), was denied the name_bind permission on a tcp_socket whose label (tcontext) is port_t, the generic type for ports not assigned to any service. The SYSCALL record sharing the same audit ID (2430) confirms that the failing call was bind(2) (syscall 49 on x86_64) made by /usr/sbin/nginx, and the process was running as root (uid=0), which shows that SELinux, not Unix permissions, refused the bind. If Nginx really must listen on port 8888, label the port http_port_t. First check whether 8888 already carries a type:

# semanage port -l | grep 8888

If that prints a line, port 8888 already belongs to another type. Either choose a different port or change the existing assignment with semanage port -m instead of -a; adding a second type to a port that is already defined fails with "already defined".

To label TCP port 8888 as an HTTP port:

# semanage port -a -t http_port_t -p tcp 8888

As a good habit, list the managed ports again and confirm that the new port appears (locally added ports are printed first):

# semanage port -l | grep '^http_port_t'
http_port_t                    tcp      8888, 80, 81, 443, 488, 8008, 8009, 8443, 9000

Finally, let Nginx reload the configuration:

# nginx -s reload

Port 8888 should now be in the LISTEN state:

# netstat -tlnp | grep 8888
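The check-then-label steps above are easy to get wrong by hand (forgetting to check first, or using -a on a port that already has a type). The script below is an added example, not code from the original page: it parses semanage port -l output to find which type owns a TCP port, including ports inside ranges such as 10001-10010, decides whether to do nothing, add, or modify, and only touches the live policy when semanage is actually installed. The semanage output embedded in it is constructed to mirror a RHEL/CentOS 7 default policy plus one extra line; the function names are the example's own.

```bash
#!/bin/bash
# Added example: decide how to label a TCP port for Nginx under SELinux.
# SAMPLE_SEMANAGE_OUTPUT is constructed test data in the format of
# `semanage port -l`; the live command is only run by allow_nginx_port.

SAMPLE_SEMANAGE_OUTPUT='http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
pki_ca_port_t                  tcp      829, 9180, 9701, 9443-9447
tomcat_port_t                  tcp      8081, 8005'

# port_type_for PORT [PROTO] [OUTPUT]
# Print the SELinux port type that owns PORT/PROTO, or nothing if the port
# is unlabeled. Handles single ports ("8080,") and ranges ("9443-9447").
port_type_for() {
  local port="$1" proto="${2:-tcp}" output="${3:-$SAMPLE_SEMANAGE_OUTPUT}"
  printf '%s\n' "$output" | awk -v port="$port" -v proto="$proto" '
    BEGIN { p = port + 0 }
    $2 == proto {
      for (i = 3; i <= NF; i++) {
        tok = $i
        gsub(/,/, "", tok)
        if (tok ~ /^[0-9]+-[0-9]+$/) {
          split(tok, r, "-")
          if (p >= r[1] + 0 && p <= r[2] + 0) { print $1; exit }
        } else if (tok + 0 == p) {
          print $1; exit
        }
      }
    }'
}

# semanage_action PORT [PROTO] [OUTPUT]
# "none"   -> already http_port_t, nothing to do
# "add"    -> unlabeled, use `semanage port -a`
# "modify" -> owned by another type, use `semanage port -m`
#             (a second -a would fail with "already defined")
semanage_action() {
  local current
  current="$(port_type_for "$@")"
  case "$current" in
    http_port_t) echo none ;;
    "")          echo add ;;
    *)           echo modify ;;
  esac
}

# allow_nginx_port PORT: apply the decision on a real host.
# Needs root and the policycoreutils-python package that provides semanage.
allow_nginx_port() {
  local port="$1" action live
  if ! command -v semanage >/dev/null 2>&1; then
    echo "semanage not installed; nothing changed" >&2
    return 1
  fi
  live="$(semanage port -l)"
  action="$(semanage_action "$port" tcp "$live")"
  case "$action" in
    none)   echo "tcp/$port is already http_port_t" ;;
    add)    semanage port -a -t http_port_t -p tcp "$port" ;;
    modify) semanage port -m -t http_port_t -p tcp "$port" ;;
  esac
  # Re-list so the change is visible, as the page recommends.
  semanage port -l | grep '^http_port_t'
}

# Usage on a real host:  ./nginx_port.sh 8888
if [ -n "${1:-}" ]; then
  allow_nginx_port "$1"
fi
```

With the constructed data, semanage_action 8888 prints add, semanage_action 8080 prints modify (8080 is http_cache_port_t) and semanage_action 443 prints none; run without an argument the script only defines the functions, so it can be sourced and the decision logic checked without root.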

Nginx Reverse Proxy Ports

If Nginx reverse-proxies to an application (proxy_pass), the upstream port must also be a managed port, because the same httpd_t domain is now the one connecting out rather than binding. A denial on that side appears in audit.log as { name_connect } with a dest= field instead of { name_bind } with src=. If labeling the upstream port http_port_t is not enough on your policy version, inspect the httpd_can_network_connect and httpd_can_network_relay booleans with getsebool -a | grep httpd_can_network; note that turning on httpd_can_network_connect lets httpd_t connect to any port, which is far broader than labeling the one port you need.
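Both the listening case above and the reverse-proxy case leave the same kind of trail in /var/log/audit/audit.log, and the useful fields (permission, port, source domain, target type) are buried in long records. The script below is an added example, not code from the original page: it reduces each AVC denial to one line and suggests a next step. The first two log lines are a cleaned copy of the page's own records; the third, a name_connect denial against an upstream on 8080, is constructed for the example, as are the function names.

```bash
#!/bin/bash
# Added example: triage SELinux AVC denials for nginx from audit.log records.
# SAMPLE_AUDIT_LOG is constructed test data; feed real lines via
#   avc_summary "$(ausearch -m avc -c nginx --raw)"

SAMPLE_AUDIT_LOG='type=AVC msg=audit(1452146884.454:2430): avc:  denied  { name_bind } for  pid=1268 comm="nginx" src=8888 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1452146884.454:2430): arch=c000003e syscall=49 success=no exit=-13 a0=b a1=1b5cc60 a2=10 a3=7ffdaf0be83c items=0 ppid=1 pid=1268 comm="nginx" exe="/usr/sbin/nginx" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1452147000.101:2431): avc:  denied  { name_connect } for  pid=1268 comm="nginx" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket'

# avc_summary [LOG]
# One line per AVC denial: <permission> <port> <source domain> <target type>.
# SYSCALL and other record types are skipped; src= (bind) and dest= (connect)
# are both accepted as the port field.
avc_summary() {
  local log="${1:-$SAMPLE_AUDIT_LOG}"
  printf '%s\n' "$log" | awk '
    $1 == "type=AVC" && /denied/ {
      perm = port = sdom = ttype = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "{") perm = $(i + 1)
        else if ($i ~ /^(src|dest)=/) { split($i, kv, "="); port = kv[2] }
        else if ($i ~ /^scontext=/)   { split($i, c, ":"); sdom = c[3] }
        else if ($i ~ /^tcontext=/)   { split($i, c, ":"); ttype = c[3] }
      }
      print perm, port, sdom, ttype
    }'
}

# avc_hint PERMISSION PORT
# Suggest the narrowest next step for the two permissions this page covers.
avc_hint() {
  case "$1" in
    name_bind)    echo "semanage port -a -t http_port_t -p tcp $2" ;;
    name_connect) echo "getsebool httpd_can_network_connect httpd_can_network_relay (or label tcp/$2 http_port_t)" ;;
    *)            echo "ausearch -m avc -c nginx" ;;
  esac
}

# avc_triage [LOG]: summary line followed by the hint, for each denial.
avc_triage() {
  avc_summary "$@" | while read -r perm port sdom ttype; do
    echo "$sdom denied $perm on tcp/$port ($ttype)"
    echo "  -> $(avc_hint "$perm" "$port")"
  done
}

# Usage on a real host:  ./avc_triage.sh /var/log/audit/audit.log
if [ -n "${1:-}" ]; then
  avc_triage "$(cat "$1")"
fi
```

On the constructed input, avc_summary prints "name_bind 8888 httpd_t port_t" and "name_connect 8080 httpd_t http_cache_port_t": the first is the page's listening problem, the second is what the reverse-proxy side looks like when the upstream port is not a managed port.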

Other Notes

The restriction appears only when Nginx is started as a service because of the SELinux domain transition: init/systemd executes /usr/sbin/nginx, which is labeled httpd_exec_t, and the resulting process runs confined in httpd_t, where the port rules apply. Running nginx directly from a root login shell leaves it in the unconfined_t domain of your session, where those rules do not apply. Compare the two with ps -eZ | grep nginx. Starting it by hand therefore hides the problem rather than fixing it; test the configuration under the service manager, since that is how it will run in production.

