nginx-port-Permission-denied

nginx: Permission denied on upstream ports, while port 9000 works

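Under the new architecture, the web service needs a reverse proxy that forwards different requests to different services, each listening on its own port.

The nginx.conf configuration is as follows: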

        listen       80 default_server;
        listen       [::]:80 default_server;
        server_name  _;
        root         /usr/share/nginx/html;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
        }
        include rs.conf;
        include d.conf;
        error_page 404 /404.html;

rs.conf and d.conf:

location /deliver {
    proxy_set_header Host $host;
    proxy_pass  http://127.0.0.1:9002;
}

location /click {
    proxy_set_header Host $host;
    proxy_pass  http://127.0.0.1:9000;
}

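First, make sure that each of the two proxy_pass targets can be reached directly.

When the corresponding paths are requested through the server that nginx listens on, only the click path is reachable. After many experiments, the deliver service cannot be reached whether it uses port 9001 or 9002, and nginx logs the following error: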

*41 connect() to 127.0.0.1:9002 failed (13: Permission denied) while connecting to upstream, client: 1.2.3.4 ,
server: _, request: "GET /deliver HTTP/1.1", upstream: "http://127.0.0.1:9002/deliver", host: "35.0.0.86"

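If the click service is stopped and the deliver service is started bound to port 9000, the deliver service becomes reachable.

So the problem is related to the port the service is started on: nginx is not able to listen on and proxy to that port.

The underlying cause is the SELinux configuration of the image (and its kernel) installed on Google Cloud.

The semanage command is used to query and modify the default security contexts of directories in SELinux. The SELinux policy and rule management commands are: seinfo, sesearch, getsebool, setsebool and semanage.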

semanage port -l | grep http_port_t
http_port_t tcp 80, 81, 443, 488, 8008, 8009, 8443, 9000

As you can see from the output above, with SELinux in enforcing mode http is only allowed to bind to the listed ports. The solution is to add the ports you want to bind on to the list:

semanage port -a -t http_port_t -p tcp 9002

After adding 9002 to SELinux's HTTP ports, requests to location /deliver through the server that nginx listens on finally work.
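The check above can be automated. The following script is an added example, not part of the original post: it compares the proxy_pass ports in an nginx config with the http_port_t list and prints the semanage command for each port that is missing. The function names are hypothetical, the sample inputs are constructed from the snippets on this page, and it assumes proxy_pass targets are written as a literal host:port.

```shell
#!/bin/sh
# Added example: find nginx proxy_pass ports that SELinux does not label http_port_t.
# Sample inputs are constructed from the snippets on this page so it runs offline;
# on a real host feed `semanage port -l` and your own conf files instead.
SAMPLE_PORTS='http_port_t tcp 80, 81, 443, 488, 8008, 8009, 8443, 9000'
SAMPLE_CONF='location /deliver {
    proxy_set_header Host $host;
    proxy_pass  http://127.0.0.1:9002;
}
location /click {
    proxy_set_header Host $host;
    proxy_pass  http://127.0.0.1:9000 ;
}'

# stdin: `semanage port -l` output; stdout: tcp ports/ranges of http_port_t.
# Exact match on field 1 skips look-alikes such as pegasus_http_port_t.
allowed_ports() {
    awk '$1 == "http_port_t" && $2 == "tcp" {
        for (i = 3; i <= NF; i++) { gsub(",", "", $i); print $i }
    }'
}

# stdin: nginx config; stdout: ports of proxy_pass targets written as host:port.
upstream_ports() {
    sed -n 's|^[[:space:]]*proxy_pass[[:space:]]*[a-z]*://[^/:;]*:\([0-9][0-9]*\).*|\1|p' | sort -un
}

# port_allowed PORT "LIST": succeed if PORT equals an entry or falls in a LOW-HIGH range.
port_allowed() {
    for entry in $2; do
        case $entry in
            *-*) if [ "$1" -ge "${entry%-*}" ] && [ "$1" -le "${entry#*-}" ]; then return 0; fi ;;
            *)   if [ "$1" -eq "$entry" ]; then return 0; fi ;;
        esac
    done
    return 1
}

# missing_ports CONF_TEXT SEMANAGE_TEXT: print upstream ports not labelled http_port_t.
missing_ports() {
    allowed=$(printf '%s\n' "$2" | allowed_ports)
    for port in $(printf '%s\n' "$1" | upstream_ports); do
        port_allowed "$port" "$allowed" || echo "$port"
    done
}

for p in $(missing_ports "$SAMPLE_CONF" "$SAMPLE_PORTS"); do
    echo "upstream port $p lacks http_port_t: semanage port -a -t http_port_t -p tcp $p"
done
```

Labelling only the ports that are actually proxied keeps the policy tighter than enabling the httpd_can_network_connect boolean, which lets the web server connect to any port.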

tag: "nginx port Permission denied  other port ok"

9000 service code:

package main

import (
    "fmt"
    "log"
    "net/http"
)

func main() {

    //http.HandleFunc("/deliver", myHandler)
    http.HandleFunc("/click", clickHandler)

    log.Fatal(http.ListenAndServe("127.0.0.1:9000", nil))
}

func myHandler(w http.ResponseWriter, r *http.Request) {
    fmt.Fprintln(w, "deliver service")
}

func clickHandler(w http.ResponseWriter, r *http.Request) {
    fmt.Fprintln(w, "hello this is click ")
}
Original article: https://www.cnblogs.com/lavin/p/nginx-port-Permission-denied.html