Troubleshooting Apache Proxy Connection Issues to Localhost Port (Permission Denied Error)



When setting up Apache 2.2.15 on CentOS 6 to proxy requests to a servlet engine running on localhost:8983, the configuration fails with permission denied errors, despite working perfectly when accessing the port directly.

Key error messages in the Apache debug logs show:

[debug] proxy_util.c(2444): proxy: HTTP: fam 10 socket created to connect to localhost
[debug] proxy_util.c(2455): (13)Permission denied: proxy: HTTP: attempt to connect to [::1]:8983 (localhost) failed
[debug] proxy_util.c(2444): proxy: HTTP: fam 2 socket created to connect to localhost
[error] (13)Permission denied: proxy: HTTP: attempt to connect to 127.0.0.1:8983 (localhost) failed

The "fam 10" refers to AF_INET6 (IPv6) and "fam 2" refers to AF_INET (IPv4) socket families. The errors indicate SELinux is blocking Apache from making outbound connections.

First check if SELinux is enforcing:

# getenforce
Enforcing
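
To confirm that SELinux, rather than something else, produced the (13)Permission denied errors, check the audit log for AVC denials recorded against the httpd domain. The script below is an added example, not part of the original page; the helper name httpd_connect_denials and the sample records in SAMPLE_AUDIT are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page). httpd_connect_denials is a
# hypothetical helper name; SAMPLE_AUDIT holds constructed audit records.

# Reads audit log text on stdin and prints one line per destination port
# that SELinux denied httpd_t a TCP connect to: "<port> <count> <port type>".
httpd_connect_denials() {
    awk '
    /type=AVC/ && /denied/ && /name_connect/ && /scontext=[^ ]*:httpd_t:/ {
        port = ""; ttype = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^dest=/) port = substr($i, 6)
            if ($i ~ /^tcontext=/) {
                split(substr($i, 10), ctx, ":")   # user:role:type:level
                ttype = ctx[3]
            }
        }
        if (port != "") { count[port]++; label[port] = ttype }
    }
    END { for (p in count) print p, count[p], label[p] }
    ' | sort -n
}

# Constructed sample: two httpd connect denials to 8983, one unrelated file
# denial, and one connect denial from another domain that must be ignored.
SAMPLE_AUDIT='type=AVC msg=audit(1400000000.101:510): avc:  denied  { name_connect } for  pid=2101 comm="httpd" dest=8983 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1400000000.102:511): avc:  denied  { name_connect } for  pid=2101 comm="httpd" dest=8983 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1400000003.417:512): avc:  denied  { read } for  pid=2230 comm="httpd" name="index.html" dev=dm-0 ino=131 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1400000007.250:513): avc:  denied  { name_connect } for  pid=2302 comm="vsftpd" dest=8983 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket'

printf '%s\n' "$SAMPLE_AUDIT" | httpd_connect_denials   # prints: 8983 2 port_t
# On a live host (as root): httpd_connect_denials < /var/log/audit/audit.log
```

A row for port 8983 means SELinux denied the proxy connection; no rows while the Apache error persists points to a different cause.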

Method 1: Temporarily disable SELinux enforcement by switching to permissive mode (not recommended for production)

# setenforce 0

Method 2: Proper SELinux configuration (recommended)

# semanage port -a -t http_port_t -p tcp 8983
# setsebool -P httpd_can_network_connect 1

If SELinux isn't the issue, try binding to specific IP versions:

ProxyPass / http://127.0.0.1:8983/
ProxyPassReverse / http://127.0.0.1:8983/

Or disable IPv6 attempts completely:

HostnameLookups off
EnableMMAP off
EnableSendfile off

After making changes:

# service httpd restart
# curl -I http://localhost/

Check network connectivity from Apache's perspective:

# sudo -u apache curl http://localhost:8983
# sudo -u apache telnet localhost 8983

The key error messages in your Apache logs reveal the core issue:

[error] (13)Permission denied: proxy: HTTP: attempt to connect to 127.0.0.1:8983 (localhost) failed
[debug] proxy_util.c(2444): proxy: HTTP: fam 10 socket created to connect to localhost
[debug] proxy_util.c(2455): (13)Permission denied: proxy: HTTP: attempt to connect to [::1]:8983 (localhost) failed

On CentOS 6, SELinux is likely blocking Apache from making outbound connections. Let's verify and fix:

# Check SELinux status
sestatus

# Check current boolean settings
getsebool -a | grep httpd

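# Allow httpd to make outbound network connections
# (-P writes the boolean to the policy store, so it persists across reboots)
setsebool -P httpd_can_network_connect 1

# Alternative permanent solution (if above doesn't work)
# Note: this makes the whole httpd_t domain permissive, so SELinux logs
# but no longer blocks anything Apache does
semanage permissive -a httpd_t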

Even though it's localhost, the CentOS firewall might interfere:

# Check iptables rules
iptables -L -n -v

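# Add exception for port 8983 (if needed)
# Note: as written, this rule accepts connections to 8983 from any source,
# not only from the local proxy
iptables -I INPUT -p tcp --dport 8983 -j ACCEPT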
service iptables save

Your current config can be improved with these additions:

<VirtualHost *:80>
    ServerName yourdomain.com
    
    ProxyRequests Off
    ProxyPreserveHost On
    
    <Proxy *>
        # Apache 2.2 access control syntax
        Order deny,allow
        Allow from all
        # For Apache 2.4+ replace Order/Allow with:
        # Require all granted
    </Proxy>
    
    ProxyPass / http://localhost:8983/ timeout=300 retry=0
    ProxyPassReverse / http://localhost:8983/
    
    # Additional error handling
    ProxyErrorOverride On
    ErrorLog /var/log/httpd/proxy_error.log
    LogLevel debug
</VirtualHost>

Verify Apache can reach the backend service:

# As root user
curl -v http://localhost:8983/

# As Apache user
sudo -u apache curl -v http://localhost:8983/

If SELinux modifications aren't preferred, consider these options:

# Option 1: Use 127.0.0.1 instead of localhost
ProxyPass / http://127.0.0.1:8983/

# Option 2: Configure NameVirtualHost
NameVirtualHost *:80

# Option 3: Use mod_proxy_html for content rewriting
ProxyHTMLURLMap http://localhost:8983 /