I spun up an OWASP Juice Shop Docker container on a particular server (172.16.100.8) listening on port 3000.
I have an NGINX reverse proxy on 172.16.100.26 with the following configuration, but it results in a 502 error.
upstream juice_shop {
    zone http_backend 64k;
    server 172.16.100.8:3000;
}
server {
    listen 80;
    root /usr/share/nginx/html;
    access_log /var/log/nginx/access.log combined;
    location / {
        proxy_pass http://juice_shop/;
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
}
The interesting thing is that when I access 172.16.100.8:3000 directly, it serves the website successfully.
I also tried setting up NGINX on 172.16.100.8 itself, with the upstream group pointing to localhost, and this one works just fine.
upstream juice_shop {
    zone http_backend 64k;
    server localhost:3000;
}
server {
    listen 80;
    root /usr/share/nginx/html;
    access_log /var/log/nginx/access.log combined;
    location / {
        proxy_pass http://juice_shop;
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
}
So it appears the problem only occurs when I proxy_pass to another server, and does not manifest if the container is spun up on the same instance where NGINX is installed.
Appreciate the assistance.
CodePudding user response:
Thanks a lot for the guidance. It helped!
I fixed the issue by temporarily disabling SELinux. My NGINX is running on top of CentOS 7.
Just to share the error logs in this thread:
[root@nginx1 ~]# tail -f /var/log/nginx/error.log
...
2022/06/28 13:43:52 [crit] 4316#4316: *127 connect() to 172.16.100.8:3000 failed (13: Permission denied) while connecting to upstream, client: 2.2.2.2, server: , request: "GET /favicon.ico HTTP/1.1", upstream: "http://172.16.100.8:3000/favicon.ico", host: "172.16.100.26", referrer: "http://172.16.100.26/"
[root@nginx1 ~]# sudo cat /var/log/audit/audit.log | grep nginx | grep denied | tail -3
type=AVC msg=audit(1656436366.765:4672009): avc: denied { name_connect } for pid=4316 comm="nginx" dest=3000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ntop_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1656438232.386:4672026): avc: denied { name_connect } for pid=4316 comm="nginx" dest=3000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ntop_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1656438232.453:4672027): avc: denied { name_connect } for pid=4316 comm="nginx" dest=3000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ntop_port_t:s0 tclass=tcp_socket permissive=0
[root@nginx1 ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 31
After temporarily changing the SELinux mode with sudo setenforce 0, all's good now!
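As an added example (not part of the thread), here is the narrower defender's handling of the same denial: a small POSIX shell script that parses constructed copies of the AVC lines above and prints the SELinux commands that let nginx (httpd_t) reach the upstream port while leaving enforcing mode on. The sample audit lines and the port 8080 case are constructed; semanage, setsebool, http_port_t and the httpd_can_network_connect boolean are the standard CentOS 7 targeted-policy tools.

```shell
#!/bin/sh
# Constructed audit.log excerpt mirroring the thread: two nginx name_connect
# denials to port 3000 (duplicates) plus one unrelated denial that must be ignored.
SAMPLE_AUDIT='type=AVC msg=audit(1656436366.765:4672009): avc: denied { name_connect } for pid=4316 comm="nginx" dest=3000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ntop_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1656438232.386:4672026): avc: denied { name_connect } for pid=4316 comm="nginx" dest=3000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ntop_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1656438300.000:4672030): avc: denied { read } for pid=2222 comm="sshd" name="keys" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0'

# Print one "PORT TARGET_TYPE" line per distinct port that nginx running as
# httpd_t was denied name_connect to. Argument 1: audit log text.
nginx_connect_denials() {
    printf '%s\n' "$1" | awk '
        /comm="nginx"/ && /name_connect/ && /scontext=[^ ]*:httpd_t:/ {
            port = ""; ttype = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^dest=/) port = substr($i, 6)
                if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); ttype = c[3] }
            }
            if (port != "" && !seen[port]++) print port, ttype
        }'
}

# Print the narrowest fix first: label the backend port http_port_t, which
# httpd_t may connect to with no boolean. A port already defined in the policy
# (3000 is ntop_port_t) needs "semanage port -m"; an unreserved port needs "-a".
# The boolean is the broader fallback (any port), still with SELinux enforcing.
selinux_fix_for() {
    port=$1; ttype=$2
    if [ "$ttype" = "unreserved_port_t" ]; then op=-a; else op=-m; fi
    printf 'semanage port %s -t http_port_t -p tcp %s\n' "$op" "$port"
    printf '# broader alternative, still enforcing:\n'
    printf 'setsebool -P httpd_can_network_connect on\n'
}

# Stand-alone run: report each denial and the commands to run on the proxy host.
nginx_connect_denials "$SAMPLE_AUDIT" | while read -r port ttype; do
    echo "nginx denied name_connect to tcp/$port (labelled $ttype); fix with:"
    selinux_fix_for "$port" "$ttype"
done
```

On a live host, feed it `grep AVC /var/log/audit/audit.log` instead of the constructed sample; `permissive=0` in each line confirms the denial was actually enforced.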