nginx + SELinux = me mad

I changed my preferred blogging language to English, as this might be of interest to a wider audience.

Some background information.

I have a multi-tenant Rails application which relies on setting the correct subdomains to identify the correct tenant. To get this working properly on my local development machine, I am using nginx as a proxy with a wildcard .local domain match that proxies all my requests to the Rails development server on port 3000. The config looks like this:

upstream myapp {
  # Rails development server (Passenger standalone)
  server localhost:3000;
}

server {
  listen       80;
  server_name  *.myapp.local;
  client_max_body_size 2048M;
  root /srv/www/myapp;
  proxy_set_header  X-Real-IP  $remote_addr;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header Host $host;
  proxy_redirect off;
  location / {
    # Serve static files straight from the root if they exist
    if (-f $request_filename) {
      break;
    }
    # Everything else is proxied to the Rails app
    if (!-f $request_filename) {
      proxy_pass http://myapp;
    }
  }
}

I have put all the stuff from the app's public directory in a separate webserver-accessible directory located under /srv/www/myapp and changed directory and file permissions accordingly so that everything is owned by the user running the webserver (nginx in my case). Everything fine so far… (and yes, I have a script to keep directories in sync).

After setting everything up I restarted nginx and started the Rails app server (I am using Passenger standalone). I expected to see my app showing up in the browser but the only thing I saw was the nginx 502 Bad Gateway error page.

I was a little bit surprised and checked the nginx error log, which was flooded with errors like this:

2013/07/20 06:53:20 [crit] 31515#0: *42 stat() "/srv/www/myapp/" failed (13: Permission denied), client:, server: *.myapp.local, request: "GET / HTTP/1.1", host: "myapp.adams.local"

Hmm, seems to be a permission issue. I double checked the permissions of all the directories (owner nginx, executable bit set etc…) but everything was fine. Even changing the permissions to mode 0777 did not help. That was really strange behavior.

I fiddled with permissions and configuration settings for about half an hour but nothing seemed to help. I consider myself an advanced Linux user with about 15 years of experience administering various Linux/UNIX systems, so I got a little bit frustrated not solving this simple issue…

Ten minutes, a lot of thinking about the environment and operating system (Fedora 19 Schrödinger's Cat) and searching other system logs later, I came up with a small evil guy I call “SELinux”. Grepping through /var/log/messages showed up the following:

Jul 20 06:57:38 elsa setroubleshoot: SELinux is preventing /usr/sbin/nginx from getattr access on the directory /srv/www/myapp. For complete SELinux messages. run sealert -l a2c49735-da53-4779-bdb0-10abdb3afea1

I cried out loudly…

So, what to do to fix this issue? That was quite simple after some googling and reading about the SELinux chcon utility. I used the command

chcon -Rt httpd_sys_content_t /srv/www/myapp/

to change the security context of the directory recursively so nginx will be allowed to serve it.

Cool… I reloaded my browser and… still the 502 Bad Gateway, damn!! Investigating the logs revealed the next SELinux problem:

Jul 20 07:01:14 elsa setroubleshoot: SELinux is preventing /usr/sbin/nginx from name_connect access on the tcp_socket . For complete SELinux messages. run sealert -l d5fe2ebb-0d8d-4025-b37d-dbbf4cb67da2

Ughhh… SELinux again!

The last problem was quite easy to solve as the command sealert -l d5fe2ebb-0d8d-4025-b37d-dbbf4cb67da2 provided all necessary information to allow network access. So running the command

setsebool -P httpd_can_network_connect 1

solved the issue finally. I reloaded my browser and the 502 error was gone, my app was showing up as expected… Yay!


I have learned a lot about SELinux and I am still not sure if I like it or not. In the beginning the errors were really hard to track, but thanks to the good logging you will find most of the required information in the logs, which will aid greatly in solving your issues.
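
The log-driven troubleshooting described above, as an added example that is not part of the original post: a shell script that pulls the denied process, permission, object class, target and sealert ID out of setroubleshoot lines and maps them to the two fixes used here. The function names and the `|`-separated output are assumptions; the sample input is constructed from the two log lines quoted in the post plus one unrelated line.

```shell
#!/usr/bin/env bash
# Added example: triage setroubleshoot denials found in /var/log/messages.

# Constructed sample input: the two denials quoted in the post + one unrelated line.
sample_log() {
cat <<'EOF'
Jul 20 06:57:38 elsa setroubleshoot: SELinux is preventing /usr/sbin/nginx from getattr access on the directory /srv/www/myapp. For complete SELinux messages. run sealert -l a2c49735-da53-4779-bdb0-10abdb3afea1
Jul 20 07:01:14 elsa setroubleshoot: SELinux is preventing /usr/sbin/nginx from name_connect access on the tcp_socket . For complete SELinux messages. run sealert -l d5fe2ebb-0d8d-4025-b37d-dbbf4cb67da2
Jul 20 07:01:15 elsa systemd: Started something unrelated.
EOF
}

# parse_denials: syslog lines on stdin -> one row per denial:
#   process|permission|class|target|sealert-id   (target may be empty)
parse_denials() {
  sed -nE 's/^.*setroubleshoot: SELinux is preventing (.+) from (.+) access on the ([^ ]+) (.*)\. For complete SELinux messages.*sealert -l ([0-9a-f-]+).*$/\1|\2|\3|\4|\5/p'
}

# suggest_fix: map each parsed row to the remedy used in the post.
# It only prints hints; nothing is changed on the system.
# Note: chcon labels do not survive a filesystem relabel; semanage fcontext
# followed by restorecon records the label in the local policy instead.
suggest_fix() {
  local proc perm class target id
  while IFS='|' read -r proc perm class target id; do
    case "$class:$perm" in
      directory:*|file:*)
        echo "$id label: chcon -Rt httpd_sys_content_t $target" ;;
      tcp_socket:name_connect)
        echo "$id boolean: setsebool -P httpd_can_network_connect 1" ;;
      *)
        echo "$id unknown: sealert -l $id" ;;
    esac
  done
}

# Stand-alone run over the constructed sample.
sample_log | parse_denials | suggest_fix
```

On a real system, feed it the log instead of the sample: `parse_denials < /var/log/messages | sort -u | suggest_fix`.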

2 Comments to “nginx + SELinux = me mad”

  1. Free Piano

    Free links Thanks for the great article indeed…

  2. […]     Reference URL for resolving the error: […]
