Enforce SELinux for a reverse proxy

SELinux is set to Enforcing by default in most Linux distributions like Fedora. If you are deploying a production server, don’t disable SELinux.

$ getenforce
Enforcing

Run semanage port -l (as root) to see the default ports that Apache or nginx can access. If you reverse proxy to one of these ports, then you don’t need to futz around with the security policy.

$ sudo semanage port -l | grep http_port
http_port_t    tcp    80, 81, 443, 488, 8008, 8009, 8443, 9000

You also need to set an SELinux boolean that allows Apache or nginx to reverse proxy.

# Allow Apache/nginx to reverse proxy (runtime only, lost at reboot)
$ sudo setsebool httpd_can_network_relay 1
# Allow Apache/nginx to reverse proxy permanently, even after reboot
$ sudo setsebool -P httpd_can_network_relay 1

The main point is that you shouldn’t blindly trust audit2allow -a to dictate your security policy. Read the SELinux manual.
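
The port check above, written as a small script. This is an added example, not part of the original post. The function names and the sample listing are constructed for illustration. It matches the port type exactly, because a plain grep for http_port can also match look-alike types such as http_cache_port_t, and it understands port ranges.

```bash
#!/bin/sh
# Added example (not from the original post): classify a backend port from
# `semanage port -l` output supplied on stdin.

# Constructed sample output, not captured from a real host.
SAMPLE_PORTS='SELinux Port Type              Proto    Port Number

http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t            tcp      5988'

# types_for_port PORT: print each port type that labels PORT/tcp.
# Handles comma-separated lists and "low-high" ranges.
types_for_port() {
    awk -v port="$1" '
        $2 == "tcp" {
            for (i = 3; i <= NF; i++) {
                entry = $i
                sub(/,$/, "", entry)
                n = split(entry, r, "-")
                lo = r[1] + 0
                hi = (n == 2) ? r[2] + 0 : lo
                if (port + 0 >= lo && port + 0 <= hi) { print $1; break }
            }
        }'
}

# check_backend PORT: "ok" if PORT/tcp is http_port_t, "other:<types>" if it
# carries a different label, "none" if no listed type covers it.
check_backend() {
    types=$(types_for_port "$1")
    if printf '%s\n' "$types" | grep -qx 'http_port_t'; then
        echo "ok"
    elif [ -n "$types" ]; then
        echo "other:$(printf '%s' "$types" | tr '\n' ',')"
    else
        echo "none"
    fi
}

# Demo on the sample; on a real host: sudo semanage port -l | check_backend 9000
for p in 9000 8080 10005 3000; do
    printf '%s/tcp: %s\n' "$p" "$(printf '%s\n' "$SAMPLE_PORTS" | check_backend "$p")"
done
```

A result of "other" or "none" marks the case where the policy needs a deliberate decision about the backend port, rather than whatever audit2allow -a proposes.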