I am trying to set up an Apache proxy to load balance and offload SSL. To this end I have multiple IPs on the same interface. Unfortunately it seems selinux prevents httpd from binding to the secondary IP addresses.
For example, I have the following IPs on ens192
10.222.79.78 (primary)
10.222.79.79
When I start httpd with selinux in permissive mode, it binds to both IPs on ports 80 and 443 -- just as commanded in the config files.
$ ss -nat|grep LISTEN
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 5 127.0.0.1:631 0.0.0.0:*
LISTEN 0 100 127.0.0.1:25 0.0.0.0:*
LISTEN 0 511 10.222.79.79:443 0.0.0.0:*
LISTEN 0 511 10.222.79.78:443 0.0.0.0:*
LISTEN 0 128 0.0.0.0:41499 0.0.0.0:*
LISTEN 0 128 0.0.0.0:111 0.0.0.0:*
LISTEN 0 511 10.222.79.79:80 0.0.0.0:*
LISTEN 0 511 10.222.79.78:80 0.0.0.0:*
If I switch selinux to "enforcing" (sudo setenforce 1) and restart httpd, the daemon does not bind to the secondary IP.
$ ss -nat|grep LISTEN
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 5 127.0.0.1:631 0.0.0.0:*
LISTEN 0 100 127.0.0.1:25 0.0.0.0:*
LISTEN 0 511 10.222.79.78:443 0.0.0.0:*
LISTEN 0 128 0.0.0.0:41499 0.0.0.0:*
LISTEN 0 128 0.0.0.0:111 0.0.0.0:*
LISTEN 0 511 10.222.79.78:80 0.0.0.0:*
I can usually figure out how to get selinux working but have no idea how to fix this other than leave selinux in permissive mode. Nor can I find any guidance using DuckDuckGo. Can this be fixed?
I am using Apache 2.4.37 on Oracle Linux 8.
Well, crap. False alarm. It was not the networking but the context on a file Apache has to read on startup. I changed the context:
chcon system_u:object_r:httpd_sys_content_t:s0 /var/www/proxy.d/ -R
and httpd starts up as expected.
Thanks to Michael Hampton for encouraging me to take another look at the audit log.
