
Friday, April 25, 2025

Fixing “Permission Denied” Errors in Nginx Reverse Proxy Setups with SELinux

Running Nginx as a reverse proxy on a system with SELinux enabled can sometimes lead to frustrating errors like:

[crit] connect() to 172.16.5.32:32400 failed (13: Permission denied) while connecting to upstream, client: 172.16.0.1, server: rplex.adminz.in, request: "GET /web/index.html HTTP/2.0", upstream: "http://172.16.5.32:32400/web/index.html", host: "rplex.adminz.in:8443"

If you’re seeing this, SELinux is likely blocking Nginx from making outbound network connections to your upstream servers. Here’s how you can diagnose and fix the issue.

Understanding the Problem

When SELinux is in enforcing mode, it restricts what processes can do—even if you’re running as root. By default, Nginx (and other web servers running under the httpd_t SELinux context) cannot make arbitrary outbound network connections. This is a security feature, but it can block legitimate reverse proxy setups.

Typical log entries look like this:

[crit] connect() to <backend-ip>:<port> failed (13: Permission denied) while connecting to upstream, ...

Diagnosing SELinux Denials

To confirm SELinux is the culprit:

  1. Check your Nginx error logs for “(13: Permission denied)” messages.
  2. Inspect the SELinux audit logs:
    sudo grep nginx /var/log/audit/audit.log | grep denied

If you see denials related to name_connect on a TCP socket, SELinux is blocking the connection.

The Solution: Allow Nginx Network Connections

SELinux controls network permissions for web servers using Boolean flags. The most relevant for Nginx reverse proxies is httpd_can_network_connect.

What does httpd_can_network_connect do?

Enabling this Boolean allows Nginx (and other httpd processes) to make outgoing network connections to any port.

This is required for Nginx to proxy requests to other backend servers, especially if they’re not on standard HTTP/HTTPS ports.

How to Enable It

Make the change persistent with:

setsebool -P httpd_can_network_connect true

The -P flag makes the change survive reboots.

After running this command, restart Nginx:

systemctl restart nginx

This should resolve the “permission denied” errors when connecting to upstream servers.
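As an added example (not from the original post), the diagnosis and fix above as a POSIX shell script: it scans audit-log lines for name_connect denials raised against httpd_t processes, lists the ports involved, and prints the setsebool command. The audit lines embedded in it are constructed samples; it also points out httpd_can_network_relay, a narrower boolean that covers only the standard web and proxy-cache ports, when that is enough.

```shell
#!/bin/sh
# Constructed sample of /var/log/audit/audit.log lines (not a real capture):
# two name_connect denials from nginx (httpd_t) plus an unrelated file denial.
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1745568000.123:456): avc:  denied  { name_connect } for  pid=1234 comm="nginx" dest=32400 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1745568001.456:457): avc:  denied  { name_connect } for  pid=1234 comm="nginx" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1745568002.789:458): avc:  denied  { read } for  pid=1234 comm="nginx" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1745568002.789:458): arch=c000003e syscall=2 success=no exit=-13 comm="nginx" exe="/usr/sbin/nginx"'

# Read audit lines on stdin; print "dest_port target_port_type" for every
# name_connect denial raised against an httpd_t process (nginx runs as httpd_t).
httpd_name_connect_denials() {
    grep -F 'avc:  denied  { name_connect }' |
    grep 'scontext=[^ ]*:httpd_t:' |
    sed -n 's/.*dest=\([0-9]*\) .*tcontext=[^ ]*:\([a-z_]*_port_t\):.*/\1 \2/p'
}

# Count such denials in a log passed as a string; a non-zero count means the
# "(13: Permission denied)" in the nginx error log is an SELinux denial.
count_httpd_name_connect_denials() {
    printf '%s\n' "$1" | httpd_name_connect_denials | wc -l | tr -d ' '
}

# Print the fix from the post. httpd_can_network_connect opens every port; when
# all denied ports are http_port_t/http_cache_port_t the narrower
# httpd_can_network_relay boolean is sufficient, so report that one instead.
suggest_remediation() {
    if printf '%s\n' "$1" | httpd_name_connect_denials |
       grep -qvE ' http(_cache)?_port_t$'; then
        echo 'setsebool -P httpd_can_network_connect true'
    else
        echo 'setsebool -P httpd_can_network_relay true'
    fi
}

# Run against the sample, or a real file: ./check.sh /var/log/audit/audit.log
main() {
    if [ -n "$1" ]; then log=$(cat "$1"); else log=$SAMPLE_AUDIT_LOG; fi
    n=$(count_httpd_name_connect_denials "$log")
    echo "httpd_t name_connect denials: $n"
    if [ "$n" -eq 0 ]; then
        echo 'no SELinux name_connect denials; look elsewhere (firewall, upstream down)'
        return 0
    fi
    printf '%s\n' "$log" | httpd_name_connect_denials | sed 's/^/  denied: port /'
    echo "fix: $(suggest_remediation "$log")"
}
main "$@"
```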

Tuesday, November 26, 2024

Harvester Setup and Configuration

Harvester is an open-source hyperconverged infrastructure (HCI) software that provides a powerful and easy-to-use platform for deploying and managing virtual machines (VMs). Built on Kubernetes, it simplifies the process of setting up and maintaining a virtualized environment. 

The following steps will guide you through setting up Harvester.

Download the Harvester ISO from the website.

Make a bootable USB from the ISO with either of the following tools:

  • https://etcher.balena.io/
  • https://rufus.ie/en/

Once the machine has booted from the USB, the Harvester installer page appears. Follow these steps to complete the installation:

  1. Cluster Creation:
    • Select "Create a new Harvester Cluster"
  2. Disk Selection:
    • Use the right arrow key to navigate and choose a disk for Harvester's system.
    • Select a separate disk dedicated to storing virtual machine data.
  3. Host Configuration:
    • Enter a hostname for your Harvester node.
  4. Network Setup:
    • Use the right arrow key to select your network interface card (NIC).
    • Choose between DHCP or static IP configuration.
      • If using Static, provide the necessary network details (IP address, subnet mask, gateway).
    • Configure DNS server addresses.
  5. VIP Configuration:
    • Use the right arrow key to navigate, then choose between DHCP or static IP for the Virtual IP (VIP) address.
      • If using Static, enter the desired VIP.
  6. Cluster Token:
    • Set a cluster token. This is crucial for adding more nodes to your cluster later.
  7. Password and SSH:
    • Set a strong password for accessing the node (default SSH user is 'rancher').
  8. NTP Servers:
    • Configure NTP servers (defaults to 0.suse.pool.ntp.org) to ensure time synchronization across all nodes. Use commas to separate multiple server addresses.
  9. Optional Configurations:
    • HTTP Proxy: If needed, provide the proxy URL.
    • SSH Keys: Import SSH keys by providing their HTTP URL (e.g., GitHub public keys).
    • Harvester Configuration: If you have a specific configuration file, enter its HTTP URL.
  10. Review and Install:
    • Review all the settings you've configured.
    • Confirm to start the installation process. This might take a few minutes.
  11. Access Harvester:
    • After the node restarts, the Harvester console will show the management URL and node status.
    • Access the web interface using the provided URL (defaults to https://your-virtual-ip).
    • Use F12 to switch to the shell if needed, and type exit to return to the console.

The latest steps can be found at https://github.com/harvester/harvester

Saturday, May 18, 2024

Enabling the MsSQL Extension in cPanel/WHM: A Manual Installation Guide

While cPanel/WHM offers a wide range of PHP extensions out of the box, the MsSQL extension for connecting to Microsoft SQL Server databases requires a bit of manual effort. In this guide, we'll walk you through the step-by-step process of installing and configuring the MsSQL extension on your cPanel server.

Prerequisites:

  • Root Access: You'll need root privileges on your server to perform these steps.
  • Source Code: Instead of using RPM packages (which can lead to dependency issues), we'll compile the necessary components from source code.

Installing Required Modules

  1. unixODBC:

    • Download: Get the source code from the official unixODBC website.
    • Extract: tar -xvf unixODBC-X.X.X.tar.gz (replace X.X.X with the version you downloaded).
    • Configure and Install:
      cd unixODBC-X.X.X
      ./configure --prefix=/usr/local --enable-gui=no
      make
      make install

  2. FreeTDS:

    • Download: Download FreeTDS version 0.82 (or a compatible older version) from ftp://ftp.freetds.org/pub/freetds/old/0.82/freetds-0.82.tar.gz.
    • Extract: tar -xvf freetds-0.82.tar.gz
    • Configure and Install (the unixODBC option is spelled in lowercase; configure silently ignores an unrecognised option):
      cd freetds-0.82
      ./configure --with-tdsver=8.0 --with-unixodbc=/usr/local
      make
      make install
    • Edit freetds.conf: Find the freetds.conf file (usually in /usr/local/etc or /etc) and add the following, replacing the placeholders:
      [MSHOSTNAME]
      host = your_sql_server_hostname_or_IP
      port = 1433
      tds version = 8.0


Compiling mssql.so

  1. Navigate to PHP Extension Directory:

    cd /home/cpeasyapache/src/php-X.X.X/ext/mssql

    (Replace X.X.X with your PHP version.)

  2. Prepare and Build:

    phpize
    ./configure
    make
    make install

Activating the Extension

  1. Locate php.ini: Find your PHP configuration file (php.ini). Its location can vary depending on your setup.
  2. Add Extension: Open php.ini in a text editor and add the following line:
    extension="mssql.so"
    
  3. Restart Apache:
    service httpd restart

Verifying Installation

To confirm that the extension is loaded, you have two options:

  • Check Modules: Run php -m | grep mssql. If the installation was successful, you'll see "mssql" in the output.
  • Create a phpinfo Page: Create a PHP file with the following content:
    <?php phpinfo(); ?>
    Open this file in your browser and search for "mssql." You should see detailed information about the MsSQL extension.
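As an added example (not from the guide), a POSIX shell script that checks the two things most often wrong after this procedure: it parses freetds.conf and validates the [MSHOSTNAME] block (host, numeric port, tds version), and runs the php -m check from the verification step. The freetds.conf content embedded in it is a constructed sample, and the default path /usr/local/etc/freetds.conf assumes the --prefix=/usr/local used above.

```shell
#!/bin/sh
# Constructed freetds.conf content mirroring the [MSHOSTNAME] block from the guide
# (the host is a documentation address, not a real server).
SAMPLE_FREETDS_CONF='[global]
        tds version = 4.2

[MSHOSTNAME]
        host = 192.0.2.10
        port = 1433
        tds version = 8.0'

# Read an ini-style freetds.conf on stdin; print the key=value pairs of one [section].
freetds_section() {
    awk -v want="$1" '
        /^[ \t]*\[/ { gsub(/[][ \t]/, ""); insec = ($0 == want); next }
        insec && /=/ { split($0, kv, "="); gsub(/^[ \t]+|[ \t]+$/, "", kv[1]);
                       gsub(/^[ \t]+|[ \t]+$/, "", kv[2]); print kv[1] "=" kv[2] }'
}

# Validate the section PHP's mssql functions will connect through: host, a numeric
# port and a TDS protocol version must all be present. Prints each problem; returns 1 on any.
check_freetds_section() {
    conf=$1; section=$2; rc=0
    kv=$(printf '%s\n' "$conf" | freetds_section "$section")
    [ -n "$kv" ] || { echo "missing [$section] section"; return 1; }
    echo "$kv" | grep -q '^host=.' || { echo "[$section] has no host"; rc=1; }
    port=$(echo "$kv" | sed -n 's/^port=//p')
    case $port in
        ''|*[!0-9]*) echo "[$section] port is not numeric: '$port'"; rc=1 ;;
    esac
    echo "$kv" | grep -q '^tds version=[0-9]' || { echo "[$section] has no tds version"; rc=1; }
    return $rc
}

# The "Check Modules" step from the guide; needs php on PATH. Note that ext/mssql
# exists only for PHP 5: PHP 7 and later use pdo_dblib or sqlsrv instead.
php_mssql_loaded() {
    command -v php >/dev/null 2>&1 && php -m 2>/dev/null | grep -qx mssql
}

main() {
    conf=$(cat "${1:-/usr/local/etc/freetds.conf}" 2>/dev/null) ||
        { echo 'no freetds.conf found; checking the constructed sample'; conf=$SAMPLE_FREETDS_CONF; }
    check_freetds_section "$conf" MSHOSTNAME && echo '[MSHOSTNAME] in freetds.conf looks complete'
    if php_mssql_loaded; then echo 'php: mssql extension loaded'
    else echo 'php: mssql extension not loaded (or php not on PATH)'; fi
}
main "$@"
```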

Troubleshooting Tip:

If you encounter an error during the FreeTDS configuration related to unixODBC, try using an older version of FreeTDS (like 0.82), as newer versions might have compatibility issues.

By carefully following these steps, you can manually install and enable the MsSQL extension in your cPanel/WHM environment, allowing your PHP applications to seamlessly interact with Microsoft SQL Server databases.