Sep 13 2015

Apache Reverse Proxy 503 Permission Denied

Published by at 9:49 am under Apache,Linux

Apache configured as a reverse proxy forwards requests to a web backend. But your browser throws an enigmatic 503 error: “Service temporarily unavailable”.

503 Service Temporarily Unavailable on Apache

The first thing I do is looking at the http logs in /var/log/httpd/ssl_error_log, where I am getting some permission issue:
(13)Permission denied: proxy: HTTP: attempt to connect to (*) failed

You may also get this error in the logs:
AH01114: HTTP: failed to make connection to backend

If SELinux i enabled on your system, it is most likely the root cause of your problem. SELinux denies Apache from initiating connections to the outside. You can check temporarily by turning off SELinux in /etc/selinux/config. A reboot is required.

If confirmed, turn it back on to keep a higher security level, and add this rule exception:

$ sudo setsebool -P httpd_can_network_connect 1

This variable allows HTTPD processes and modules to connect to the network. There are other boolean variables adding restrictions to HTTPD. To get a list of them, run getsebool -a | grep httpd.
You will find some interesting variables in that list such as:
– httpd_can_network_connect_db (default off)
– httpd_enable_ftp_server (default off)
– httpd_enable_cgi (default on)

The -P switch makes the change persistant across reboots. You may need to restart Apache:

$ sudo systemctl restart httpd

This error is known and documented on the Apache website.

No responses yet

Trackback URI | Comments RSS

Leave a Reply