Why might SELinux issue a Permission Denied error when accessing an upstream Node.js server's default routes, but not static files like image files? [duplicate]

I'm trying to run multiple Nodejs applications on Nginx server running on CentOS 7. I noticed that when I run a Nodejs app on some ports I get an 502 Bad Gateway error in the browser so I checked the error logs:

[notice] 12806#0: signal process started
[crit] 12807#0: *13 connect() to 127.0.0.1:7777 failed (13: Permission denied) while connecting to upstream, client: **.**.99.58, server: myapp.com, request: "GET / HTTP/1.1", upstream: "http://127.0.0.1:7777/", host: "myapp.com"
[crit] 12807#0: *13 connect() to [::1]:7777 failed (13: Permission denied) while connecting to upstream, client: **.**.99.58, server: myapp.com, request: "GET / HTTP/1.1", upstream: "http://[::1]:7777/", host: "myapp.com"

when I change the app to listen to 8008 for example everything is working fine. I checked permissions and if the process is running as root and everything seems ok. I played with the timeouts as well but no result. Can anyone help?


By default SELinux only allows the web server to make outbound connections to a limited set of ports.

# semanage port --list
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000

To fix the problem, you simply need to add your own desired port number to the list.

# semanage port --add --type http_port_t --proto tcp 7777

Then you will see the port number added into the list, and your connections should then work.

# semanage port --list
http_port_t                    tcp      7777, 80, 81, 443, 488, 8008, 8009, 8443, 9000