Varnish "FetchError no backend connection" error

I had a similar issue when trying to test Varnish locally with different backends. Using 127.0.0.1:8080 worked fine but changing the port to 8081 gave me a 503, even though that backend worked perfectly for me outside Varnish.

The problem was caused by SELinux not allowing the connection. I found that out by tailing the audit log and provoking the 503 from Varnish:

$ sudo tail -f /var/log/audit/audit.log
type=AVC msg=audit(1539253067.438:1379): avc: denied { name_connect } for pid=10154 comm="varnishd" dest=8081 scontext=system_u:system_r:varnishd_t:s0 tcontext=system_u:object_r:transproxy_port_t:s0 tclass=tcp_socket

To see ports allowed by SELinux from Varnish you can use this command:

$ sudo semanage port -l | grep http_cache_port_t
http_cache_port_t tcp 8080, 8118, 8123, 10001-10010

To fix the issue you can either use another port, e.g. 8118, or ask SELinux to allow connections to 8081 from Varnish.

The command to add the port is below; the -a flag adds the port:

semanage port -a -t http_cache_port_t -p tcp 8081

If you get a message telling you that the port is already defined then you need to modify rather than add the port:

ValueError: Port tcp/8081 already defined

The command swaps the -a flag for -m ('modify'):

semanage port -m -t http_cache_port_t -p tcp 8081
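
An added example, not part of the original answer: a shell script that extracts varnishd name_connect denials from audit log lines and prints the semanage command with -a or -m, depending on whether the port already has its own tcp entry in `semanage port -l` output. The function names and sample data are assumptions made for illustration, as is the rule that "already defined" occurs exactly when the port is listed on its own.

```shell
#!/bin/sh
# Added example, not from the original answer. Sample data is constructed, except
# the first audit line and the http_cache_port_t row, which come from the page.
sample_audit() {
cat <<'EOF'
type=AVC msg=audit(1539253067.438:1379): avc: denied { name_connect } for pid=10154 comm="varnishd" dest=8081 scontext=system_u:system_r:varnishd_t:s0 tcontext=system_u:object_r:transproxy_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1539253070.101:1380): avc: denied { name_connect } for pid=10154 comm="varnishd" dest=8081 scontext=system_u:system_r:varnishd_t:s0 tcontext=system_u:object_r:transproxy_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1539253075.220:1381): avc: denied { name_connect } for pid=10154 comm="varnishd" dest=8090 scontext=system_u:system_r:varnishd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1539253080.007:1382): avc: denied { name_connect } for pid=2211 comm="httpd" dest=8443 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
EOF
}
sample_listing() {
cat <<'EOF'
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
transproxy_port_t              tcp      8081
EOF
}

# Read audit.log lines on stdin; print "port current_type" once per port
# that varnishd was denied a name_connect to.
varnish_denied_ports() {
    awk '/avc:/ && /denied/ && /name_connect/ && /comm="varnishd"/ {
        port = ""; ptype = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^dest=/) port = substr($i, 6)
            if ($i ~ /^tcontext=/) { split($i, c, ":"); ptype = c[3] }
        }
        if (port != "" && !seen[port]++) print port, ptype
    }'
}

# Read `semanage port -l` output on stdin; succeed if tcp port $1 has its own entry.
# Assumption: semanage reports "already defined" only in that case.
port_is_listed() {
    awk -v p="$1" '$2 == "tcp" {
        for (i = 3; i <= NF; i++) { v = $i; sub(/,$/, "", v); if (v == p) found = 1 }
    } END { exit !found }'
}

# Read the listing on stdin; print the command for port $1 (-m if listed, else -a).
suggest_fix() {
    if port_is_listed "$1"; then flag=-m; else flag=-a; fi
    echo "semanage port $flag -t http_cache_port_t -p tcp $1"
}

sample_audit | varnish_denied_ports | while read -r port ptype; do
    echo "varnishd denied on tcp/$port (currently $ptype)"
    sample_listing | suggest_fix "$port"
done
```

On a real host, feed `varnish_denied_ports` from /var/log/audit/audit.log and `suggest_fix` from `semanage port -l`, then review the printed command before running it.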