nginx reverse proxy for docker swarm - 502 bad gateway


I am running a docker swarm on "swarm.example.com". On the server, there's a container running that can be accessed on "swarm.example.com:3000".

On server "example.com" I'm running an nginx reverse proxy with the following rules:

server {
    listen 80;
    server_name app.example.com;

    location / {
        proxy_pass http://swarm.example.com:3000;
    }
}

When I try to access app.example.com I'm getting a 502 Bad Gateway error. Am I missing something?

All servers are running CentOS 7.6.

Thanks!







nginx centos reverse-proxy selinux














edited May 18 at 8:23 by Gerald Schneider
asked May 17 at 19:34 by Branislav B.












  • Anything in the nginx error log?
    – Gerald Schneider, May 17 at 19:51

  • Also check the selinux audit.log, selinux might cause problems.
    – Gerald Schneider, May 17 at 19:53

  • Is your proxy also in a container? If they are both in containers, are they connected to the same network? If the proxy is not in a container and on the same network, then have you 'published' the port 3000? Please consider giving us more details about your containers/networks.
    – Zoredache, May 17 at 21:38

  • @Zoredache no, the proxy is on a different physical server
    – Branislav B., May 17 at 22:23

  • Don't disable SELinux, fix the problem instead.
    – Michael Hampton, May 18 at 1:46

















1 Answer














Trying to access the backend via the reverse proxy results in a 502 Bad Gateway error:



$ wget -S --spider http://nginxtest.example.com/
Spider mode enabled. Check if remote file exists.
--2019-05-18 10:12:11-- http://nginxtest.example.com/
Resolving nginxtest.example.com (nginxtest.example.com)... 192.168.15.20
Connecting to nginxtest.example.com (nginxtest.example.com)|192.168.15.20|:80... connected.
HTTP request sent, awaiting response...
HTTP/1.1 502 Bad Gateway
Server: nginx/1.12.2
Date: Sat, 18 May 2019 08:12:11 GMT
Content-Type: text/html
Content-Length: 3693
Connection: keep-alive
ETag: "5a9e5ebd-e6d"
Remote file does not exist -- broken link!!!


This is most probably because selinux by default doesn't allow outgoing connections for webservers, because that's usually something they don't do.



You will find entries like this in /var/log/nginx/error.log:




2019/05/18 10:12:11 [crit] 1041#0: *5 connect() to 192.168.15.52:3000 failed (13: Permission denied) while connecting to upstream, client: 146.140.37.47, server: _, request: "HEAD / HTTP/1.1", upstream: "http://192.168.15.52:3000/", host: "nginxtest.example.com"




Additionally, you will find entries like this in /var/log/audit/audit.log:




type=AVC msg=audit(1558167131.910:463): avc: denied name_connect for pid=1041 comm="nginx" dest=3000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ntop_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1558167131.910:463): arch=c000003e syscall=42 success=no exit=-13 a0=8 a1=562671c4eef0 a2=10 a3=7ffcfbc72530 items=0 ppid=1006 pid=1041 auid=4294967295 uid=996 gid=994 euid=996 suid=996 fsuid=996 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="nginx" exe="/usr/sbin/nginx" subj=system_u:system_r:httpd_t:s0 key=(null)




Run the following command to allow nginx to connect to other hosts:



setsebool -P httpd_can_network_connect true


(The parameter -P makes the setting persistent. Otherwise it would be reset after the next reboot.)



And now the proxy works:



$ wget -S --spider http://nginxtest.example.com/
Spider mode enabled. Check if remote file exists.
--2019-05-18 10:15:14-- http://nginxtest.example.com/
Resolving nginxtest.example.com (nginxtest.example.com)... 192.168.15.20
Connecting to nginxtest.example.com (nginxtest.example.com)|192.168.15.20|:80... connected.
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Sat, 18 May 2019 08:15:15 GMT
Content-Type: text/html
Content-Length: 40
Connection: keep-alive
Last-Modified: Sat, 18 May 2019 08:08:16 GMT
ETag: "5cdfbd70-28"
Accept-Ranges: bytes
Length: 40 [text/html]
Remote file exists and could contain further links,
but recursion is disabled -- not retrieving.


If you want to know more, there is a very detailed article about nginx and selinux on the nginx website.






answered May 18 at 8:23 by Gerald Schneider
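To see which upstream ports SELinux is actually refusing before changing the boolean, the audit records can be summarised per port. The script below is an added example, not part of the answer above; the function names are hypothetical, the first sample record is the one quoted in the answer, and the remaining records are constructed.

```shell
#!/bin/sh
# Added example: summarise SELinux denials of outbound connections by nginx.

# Sample audit records. The first line is the AVC record quoted in the
# answer; the other three are constructed for this example.
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1558167131.910:463): avc: denied name_connect for pid=1041 comm="nginx" dest=3000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ntop_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1558167140.120:470): avc: denied name_connect for pid=1041 comm="nginx" dest=3000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ntop_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1558167150.300:481): avc: denied name_connect for pid=1042 comm="nginx" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1558167160.450:490): avc: denied name_connect for pid=2210 comm="php-fpm" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
EOF
}

# Print "dest_port target_type count" for every AVC record in which a process
# named nginx, running in the httpd_t domain, was denied name_connect on a
# TCP socket. Reads the files given as arguments, or stdin when there are none.
# Matches the record as quoted on the page and also the usual on-disk form
# with braces around the permission name.
nginx_connect_denials() {
    awk '
    # Return the value of key=value in the current record, quotes removed.
    function field(key,    i, kv) {
        for (i = 1; i <= NF; i++) {
            if (index($i, key "=") == 1) {
                kv = substr($i, length(key) + 2)
                gsub(/"/, "", kv)
                return kv
            }
        }
        return ""
    }
    /^type=AVC / && / denied / && / name_connect / {
        if (field("comm") != "nginx") next
        if (field("tclass") != "tcp_socket") next
        split(field("scontext"), s, ":")
        if (s[3] != "httpd_t") next
        split(field("tcontext"), t, ":")
        seen[field("dest") " " t[3]]++
    }
    END { for (k in seen) print k, seen[k] }
    ' "$@" | sort -n
}

# Human-readable report, ending with the command used in the answer.
report() {
    denials=$(nginx_connect_denials "$@")
    [ -n "$denials" ] || { echo "no nginx name_connect denials found"; return 1; }
    echo "$denials" | while read -r port type count; do
        echo "nginx denied connect to tcp/$port ($type), $count time(s)"
    done
    echo "fix used in the answer: setsebool -P httpd_can_network_connect true"
}

# Stand-alone run on the embedded sample records.
sample_audit_log | report
```

On a live host, pass /var/log/audit/audit.log to report instead of the sample. httpd_can_network_connect applies to the whole httpd_t domain and to every TCP port, so the list of ports that were really denied is worth reviewing before enabling it.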


























