Resolving nginx "13: Permission Denied" Error on RHEL8 with SELinux

Takahiro Iwasa

Introduction

When configuring nginx to route traffic to a non-standard port such as 1080 on an EC2 RHEL8 instance, you may encounter the error 13: Permission denied. This issue often arises due to SELinux restrictions. In this guide, we’ll walk through identifying and resolving this error.

Issue Overview

After modifying the nginx.conf file to include proxy settings, the following error appeared when starting nginx:

systemd[1]: Starting The nginx HTTP and reverse proxy server...
nginx[1626]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx[1626]: nginx: [emerg] bind() to 0.0.0.0:1080 failed (13: Permission denied)
nginx[1626]: nginx: configuration file /etc/nginx/nginx.conf test failed
systemd[1]: nginx.service: Control process exited, code=exited status=1
systemd[1]: nginx.service: Failed with result 'exit-code'.
systemd[1]: Failed to start The nginx HTTP and reverse proxy server.

This error typically occurs when SELinux blocks nginx from binding to non-standard ports.

Configuration Changes in nginx.conf

Here is the relevant modification to the nginx.conf file:

--- nginx.conf.old      2021-08-27 23:04:42.527667800 +0900
+++ nginx.conf  2021-08-28 01:20:38.088408400 +0900
@@ -45,6 +45,12 @@
         include /etc/nginx/default.d/*.conf;

         location / {
+            proxy_set_header Host                   $host;
+            proxy_set_header X-Real-IP              $remote_addr;
+            proxy_set_header X-Forwarded-Host       $host;
+            proxy_set_header X-Forwarded-Server     $host;
+            proxy_set_header X-Forwarded-For        $proxy_add_x_forwarded_for;
+            proxy_pass http://xxx.xxx.xxx.xxx:1080;
         }

         error_page 404 /404.html;
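
Review bot: no listen directive for port 1080 appears in this hunk, although the startup log reports a failed bind() to 0.0.0.0:1080; the added proxy_pass line in location / only makes nginx connect out to that port. Include the server block's listen change in the diff, or state that it lives elsewhere in the file, so the change shown matches the error being resolved. Separately, X-Forwarded-For is set from $proxy_add_x_forwarded_for, which appends to whatever value the client sent, so the backend should only trust the last entry.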

Solution

To resolve the issue, you need to allow nginx to use the custom port 1080 by updating SELinux policies. Use the following command:

sudo semanage port -a -t http_port_t -p tcp 1080
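
An added example, not from the original post: a shell helper that reads `semanage port -l` output and decides whether the port needs `semanage port -a`, `-m`, or no change, since `-a` is rejected when the exact port is already defined under another type. The function name semanage_action and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the column layout printed by `semanage port -l`.
SAMPLE_LISTING='SELinux Port Type              Proto    Port Number

http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
unreserved_port_t              tcp      61001-65535, 1024-32767'

# semanage_action TYPE PROTO PORT   (hypothetical helper; listing on stdin)
# Prints the option to pass to `semanage port`:
#   none  TYPE already covers PORT, nothing to change
#   -m    PORT has its own single-port entry under another type (modify it)
#   -a    no single-port entry exists (add one)
semanage_action() {
    awk -v want="$1" -v proto="$2" -v port="$3" '
        NR > 1 && $2 == proto {
            type = $1
            list = $0
            sub(/^[^ ]+ +[^ ]+ +/, "", list)        # drop type and proto columns
            n = split(list, items, /, */)
            for (i = 1; i <= n; i++) {
                lo = hi = items[i] + 0
                if (split(items[i], r, "-") == 2) { lo = r[1] + 0; hi = r[2] + 0 }
                if (port + 0 < lo || port + 0 > hi) continue
                if (type == want) covered = 1
                else if (lo == hi) exact_other = 1
            }
        }
        END { print (covered ? "none" : (exact_other ? "-m" : "-a")) }'
}

# Demo on the constructed listing. On a real host, pipe `sudo semanage port -l`
# into the function, then run:
#   sudo semanage port <action> -t http_port_t -p tcp <port>
for p in 1080 8080 8443; do
    action=$(printf '%s\n' "$SAMPLE_LISTING" | semanage_action http_port_t tcp "$p")
    printf 'tcp/%s -> %s\n' "$p" "$action"
done
```

After applying the change, `sudo semanage port -l | grep http_port_t` should list the port.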

Troubleshooting Missing semanage Command

If you encounter the error sudo: semanage: command not found, install the required package with these commands:

sudo dnf provides /usr/sbin/semanage
sudo dnf install policycoreutils-python-utils

Once the installation is complete, retry the semanage command.

Conclusion

The “13: Permission denied” error in nginx is a common challenge when working with SELinux. By properly configuring SELinux policies, you can safely allow nginx to bind to non-standard ports without compromising system security. If you do not otherwise rely on SELinux, you can consider whether disabling it is appropriate for your use case, but in most scenarios adjusting the SELinux policy is the better approach.

Happy Coding! 🚀

Takahiro Iwasa

Software Developer at KAKEHASHI Inc.
Involved in the requirements definition, design, and development of cloud-native applications using AWS. Now, building a new prescription data collection platform at KAKEHASHI Inc. Japan AWS Top Engineers 2020-2023.