NGINX – (13: Permission denied) while connecting to upstream node.js server

While experimenting with a simple node.js server on CentOS 7 and the nginx upstream directive, I ran into some issues. I was able to access the node.js server running on port 8080, but when trying to access it via nginx I was getting the error message (13: Permission denied) while connecting to upstream, and a 502 Bad Gateway error in the browser.

2016/01/10 14:34:55 [crit] 16705#0: *2 connect() to [::1]:8080 failed (13: Permission denied) while connecting to upstream, client: 172.31.123.123, server: www.mynode.local, request: "GET / HTTP/1.0", upstream: "http://[::1]:8080/", host: "www.mynode.local"

It turned out to be an SELinux issue. I checked for errors in the SELinux logs:
cat /var/log/audit/audit.log | grep nginx | grep denied
where I found a few clues:
type=AVC msg=audit(1452436495.252:181): avc: denied { name_connect } for pid=16705 comm="nginx" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket

And found that running the following commands fixed my issue:
cat /var/log/audit/audit.log | grep nginx | grep denied | audit2allow -M mynginx
semodule -i mynginx.pp

After that everything was working as expected.
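
The pipeline above turns every denial that matches "nginx" into an allow rule, so it helps to see which rules those are before loading the module. The following is an added example, not part of the original post: a shell function that summarises AVC denials as the rules a generated module would grant. The first sample line is the denial quoted above; the second and third are constructed for illustration.

```shell
# Added example (not from the original post): list the allow rules that a
# module built from matching AVC denials would grant, for review before loading.

# Constructed sample input: line 1 is the denial quoted in the post, line 2
# repeats it with a constructed timestamp, line 3 is a constructed, unrelated
# denial that "grep nginx | grep denied" would also match.
SAMPLE_AUDIT='type=AVC msg=audit(1452436495.252:181): avc: denied { name_connect } for pid=16705 comm="nginx" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1452436501.004:187): avc: denied { name_connect } for pid=16705 comm="nginx" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1452436510.731:192): avc: denied { read open } for pid=16705 comm="nginx" name="notes.txt" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# Reads audit.log lines on stdin; prints one "allow" rule per distinct
# (source type, target type, class, permissions) with process name and count.
avc_to_rules() {
  awk '
    /avc:[ ]+denied/ {
      perms = ""; src = ""; tgt = ""; cls = ""; comm = "?"
      # Denied permissions are the words between "{" and "}".
      if (match($0, /[{][^}]*[}]/)) {
        perms = substr($0, RSTART + 1, RLENGTH - 2)
        gsub(/^ +| +$/, "", perms)
      }
      for (i = 1; i <= NF; i++) {
        # A context is user:role:type:level; field 3 is the type.
        if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
        if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
        if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        if ($i ~ /^comm=/)     { comm = substr($i, 6); gsub(/"/, "", comm) }
      }
      if (src == "" || tgt == "" || cls == "" || perms == "") next
      if (perms ~ / /) perms = "{ " perms " }"   # several permissions need braces
      rule = "allow " src " " tgt ":" cls " " perms ";"
      count[rule "  # comm=" comm]++
    }
    END { for (r in count) print r " x" count[r] }
  ' | sort
}

# Run against the sample; on a real host, feed it the same lines the post
# pipes into audit2allow.
printf '%s\n' "$SAMPLE_AUDIT" | avc_to_rules
```

On the sample, the constructed third line yields a file-read rule next to the name_connect rule for port 8080. audit2allow -M also writes its own rule list to mynginx.te next to mynginx.pp, which can be read the same way before running semodule -i.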

NGINX – upstream directive

Scenario:

We have a server running on a non-standard port, e.g. 8080, and we want to proxy it via nginx on port 80.

Solution:

Use the nginx upstream directive. A basic example looks like this:

upstream mynode {
    server localhost:8080;
}

server {
    server_name www.mynode.local mynode;

    location / {
        proxy_pass http://mynode;
    }
}

 

RHEL/CentOS – How to install NGINX

Pre-requisites:

make sure EPEL is enabled – see here.

Once that is done just issue:

yum install nginx

and when installed, enable the service so it starts with the OS:

[root]# chkconfig nginx
Note: Forwarding request to 'systemctl is-enabled nginx.service'.
disabled
[root]# chkconfig nginx on
Note: Forwarding request to 'systemctl enable nginx.service'.
Created symlink from /etc/systemd/system/multi-user.target.wants/nginx.service to /usr/lib/systemd/system/nginx.service.
[root]# chkconfig nginx
Note: Forwarding request to 'systemctl is-enabled nginx.service'.
enabled

Let’s Encrypt and NGINX

After a long wait, Let’s Encrypt is finally in a Beta stage.

After I received an email from them, here is the installation bit of the email:

Quick Start

To use Let’s Encrypt’s official client to obtain your real certificates, you will need to provide the production API URL on the command line:

https://acme-v01.api.letsencrypt.org/directory

When running the Python client (installation directions [1]), be sure to specify the --server argument with the production URL:

git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto --agree-dev-preview --server \
https://acme-v01.api.letsencrypt.org/directory auth

If you are using a different ACME client, be sure to configure it to use the production URL in order to get valid certificates. Many clients will default to the staging URL.

Full text is available here: https://community.letsencrypt.org/t/beta-program-announcements/1631

And that is pretty much it. But let’s have a closer look at what I did. As instructed, I ran this command:
[screenshot: Lets1]

[screenshot: Lets2]

Perhaps an oversight on my behalf but I could not see anything saying that the web server must be stopped:
[screenshot: Lets3]

so I stopped the service and tried again:

[screenshot: Lets4]

Quick look to check if the certificates are where they are supposed to be:

[screenshot: Lets5]

The last thing remaining is to update the Nginx config to point to the newly generated certs:

ssl_certificate   /etc/letsencrypt/live/it.awroblew.biz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/it.awroblew.biz/privkey.pem;

then reload nginx:

service nginx reload

and job done.

However, I noticed that with the default config the certs were only 2048 bits. I prefer 4096, so some tiny manual config was required: under /etc/letsencrypt/ create a file called cli.ini

and type this in:

rsa-key-size = 4096

then, stop nginx and run:

[screenshot: Lets1]

since I have already generated my certs I got this:

[screenshot: Lets6]

hit replace, start nginx and voila job done:

[screenshot: cert_show]

So for me it is goodbye StartSSL and hello Let’s Encrypt!

For reference here is a link to Let’s Encrypt documentation website – https://letsencrypt.readthedocs.org/en/latest/using.html