Httpd returning 503 Service Unavailable with mod_proxy for Tomcat 8

85
votes

I'm trying to integrate Tomcat with Apache. My aim is to redirect all the requests with http://localhost/myapp to http://localhost:8080

I followed this guide: http://tomcat.apache.org/tomcat-8.0-doc/proxy-howto.html

My httpd.conf looks like this:

Include conf.modules.d/*.conf
LoadModule proxy_module  modules/mod_proxy.so

ProxyPass         /myapp  http://localhost:8080 retry=0 timeout=5
ProxyPassReverse  /myapp  http://localhost:8080

My server.xml in apache-tomcat looks like this:

<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" proxyPort="80" />

Now when I try the url http://localhost/myapp, it gives 503 Service Unavailable error.

Both Tomcat and Apache are up and running. The URL http://localhost:8080 works fine.

Can there be an issue with file permissions?

For tomcat the user and group are root/root and for httpd, the user and group are apache/apache

Am I missing something or am I doing it wrong?

Httpd version is 2.4.6 and Tomcat's version is 8.0

The httpd error logs:

[proxy:error] [pid 19905] (13)Permission denied: AH00957: HTTP: attempt to connect to 127.0.0.1:8080 (localhost) failed

[proxy:error] [pid 19905] AH00959: ap_proxy_connect_backend disabling worker for (localhost) for 0s

[proxy_http:error] [pid 19905] [client ::1:51615] AH01114: HTTP: failed to make connection to backend: localhost

Solved!

The answer is here: http://sysadminsjourney.com/content/2010/02/01/apache-modproxy-error-13permission-denied-error-rhel/

4
apachetomcat
Thanks for the hint. I found this sysadminsjourney.com/content/2010/02/01/… which solved the issueuser2354302
Better you remove retry and timeout option and checkKNOWARTH
FWIW, I was getting the 503 error but with a timeout. Turned out that for my ProxyPass* lines I couldn't use my actual servername and instead needed to use either localhost or my IP address, e.g. ProxyPass / http://localhost/ worked but ProxyPass / http://example.com/ didn't.inanutshellus
Resolved: stackoverflow.com/a/58111190/1635700Tejas Tank

4 Answers

138
votes

(Answered by the OP in a question edit. Converted to a community wiki answer. See Question with no answers, but issue solved in the comments (or extended in chat) )

The OP wrote:

The answer is here: http://sysadminsjourney.com/content/2010/02/01/apache-modproxy-error-13permission-denied-error-rhel/

Which is a link to a blog that explains:

SELinux on RHEL/CentOS by default ships so that httpd processes cannot initiate outbound connections, which is just what mod_proxy attempts to do.

If this is the problem, it can be solved by running:

 /usr/sbin/setsebool -P httpd_can_network_connect 1

And for a more definitive source of information, see https://wiki.apache.org/httpd/13PermissionDenied

6
votes

this worked for me:

ProxyRequests     Off
ProxyPreserveHost On
RewriteEngine On

<Proxy http://localhost:8123>
Order deny,allow
Allow from all
</Proxy>

ProxyPass         /node  http://localhost:8123  
ProxyPassReverse  /node  http://localhost:8123
6
votes

Resolve issue Immediate, It's related to internal security

We, SnippetBucket.com working for enterprise linux RedHat, found httpd server don't allow proxy to run, neither localhost or 127.0.0.1, nor any other external domain.

As investigate in server log found

[error] (13)Permission denied: proxy: AJP: attempt to connect to
   10.x.x.x:8069 (virtualhost.virtualdomain.com) failed

Audit log found similar port issue

type=AVC msg=audit(1265039669.305:14): avc:  denied  { name_connect } for  pid=4343 comm="httpd" dest=8069 
scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

Due to internal default security of linux, this cause, now to fix (temporary)

 /usr/sbin/setsebool httpd_can_network_connect 1

Resolve Permanent Issue

/usr/sbin/setsebool -P httpd_can_network_connect 1
-2
votes

On CentOS Linux release 7.5.1804, we were able to make this work by editing /etc/selinux/config and changing the setting of SELINUX like so:

SELINUX=disabled