Nginx

This page is compiled from my experiences of researching the bare minimum to make stuff work. Since SELinux is made to be secure, this approach might create security vulnerabilities if you don’t know what you are doing. Resources Introduction to SELinux (GitHub blog) Locate the problem In this example. My nginx installation is unable to access a file called test.txt. This is the journal log: Sep 22 20:01:32 hermes.iix.se audit[23928]: AVC avc: denied { read } for pid=23928 comm="nginx" name="test.txt" dev="vda1" ino=271350 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0 The first thing we do is to asking audit whats up. this is usually done by piping the audit log to audit2why. If you don’t have audit, the logs should be in the /var/log/messages instead. ...

server { listen *:80; server_name _; return 301 https://$host$request_uri; }

server { listen *:443; server_name iix.se; ssl on; ssl_certificate /etc/letsencrypt/live/iix.se/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/iix.se/privkey.pem; ssl_session_cache builtin:1000 shared:SSL:10m; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; ssl_prefer_server_ciphers on; location / { proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_pass http://127.0.0.1; proxy_read_timeout 90; } }

Spam in error.log: 2017/05/07 16:51:50 [error] 30504#0: *7089 connect() failed (111: Connection refused) while connecting to upstream, client: 169.54.244.93, server: iix.se, request: "GET / HTTP/1.1", upstream: "http://[::1]:8001/", host: "phoenix.iix.se" In your nginx configuration, replace hostnames with ip-addresses