July 9, 2017

Configure mod_proxy on RHEL 7 for JBoss EAP 7

In my previous blog post I described how to install JBoss EAP 7 from RPM on RHEL 7.

Here I will describe how to configure Apache mod_proxy as a non-load-balancing proxy.

First install Apache 2.4 and mod_ssl.

# yum install httpd mod_ssl -y

Then configure mod_proxy as a non-load-balancing proxy by adding the proxy directives at the end of the existing virtual host in ssl.conf.

vi /etc/httpd/conf.d/ssl.conf
    ...

    # A non-load-balancing proxy
    # https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.0/html-single/configuration_guide/#configure_mod_proxy_apache_http_server
    ProxyPreserveHost On
    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/

</VirtualHost>

The final step is to fix SELinux. When you restart Apache and try the proxy, you will get an error in the SSL error log.

cat /etc/httpd/logs/ssl_error_log 
[Thu Jul 06 08:20:09.211374 2017] [proxy:error] [pid 11338] (13)Permission denied: AH00957: HTTP: attempt to connect to 127.0.0.1:8080 (localhost) failed
[Thu Jul 06 08:20:09.211423 2017] [proxy:error] [pid 11338] AH00959: ap_proxy_connect_backend disabling worker for (localhost) for 60s
[Thu Jul 06 08:20:09.211432 2017] [proxy_http:error] [pid 11338] [client 192.168.122.1:60964] AH01114: HTTP: failed to make connection to backend: localhost

The denial is also recorded in the audit log.

less /var/log/audit/audit.log
...
type=AVC msg=audit(1499321632.860:445): avc:  denied  { name_connect } for  pid=11300 comm="httpd" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
...

To fix this, enable the httpd_can_network_connect SELinux boolean.

setsebool httpd_can_network_connect 1

If this works, make the setting permanent with -P.

setsebool -P httpd_can_network_connect 1
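
Before enabling the boolean, it helps to see exactly which outbound connections SELinux refused. The script below is an added example, not part of the original post: it summarises name_connect denials for httpd_t by destination port and port type. The function names are hypothetical, and the sample records are constructed from the AVC line shown above.

```shell
#!/bin/sh
# Summarise AVC denials where httpd_t was refused an outbound TCP connect.
# Reads audit records on stdin; prints "count port target_type" per pair.
httpd_connect_denials() {
    awk '
    /type=AVC/ && /denied/ && /name_connect/ {
        port = ""; stype = ""; ttype = ""; class = ""
        # AVC records are whitespace-separated key=value fields.
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            key = substr($i, 1, n - 1); val = substr($i, n + 1)
            if (key == "dest") port = val
            else if (key == "tclass") class = val
            # Contexts are user:role:type:level; the type is field 3.
            else if (key == "scontext") { split(val, c, ":"); stype = c[3] }
            else if (key == "tcontext") { split(val, c, ":"); ttype = c[3] }
        }
        if (stype == "httpd_t" && class == "tcp_socket" && port != "")
            seen[port " " ttype]++
    }
    END { for (k in seen) print seen[k], k }
    ' | sort -k2,2n
}

# Constructed sample: the denial from this post, a repeat of it with a
# different timestamp, and two unrelated records that must be ignored.
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1499321632.860:445): avc:  denied  { name_connect } for  pid=11300 comm="httpd" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1499321640.112:451): avc:  denied  { name_connect } for  pid=11300 comm="httpd" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1499321700.001:460): avc:  denied  { read } for  pid=900 comm="sshd" name="example" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1499321632.860:445): arch=c000003e syscall=42 success=no exit=-13 comm="httpd"
EOF
}

sample_audit_log | httpd_connect_denials
```

On a live host, run it as root with /var/log/audit/audit.log on stdin. httpd_can_network_connect allows httpd_t to connect to any TCP port, so the summary shows how much of that access the proxy actually needs.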
