📖 ~1 min read
Table of contents
Symptom & Impact
Nginx returns 502 with `permission denied` connecting to upstream.
Environment & Reproduction
SELinux blocks nginx from connecting to non-default ports.
Root Cause Analysis
Boolean `httpd_can_network_connect` is off.
Quick Triage
Tail `/var/log/audit/audit.log` and grep `nginx`.
Step-by-Step Diagnosis
Confirm with `sealert -a /var/log/audit/audit.log`.
Solution – Primary Fix
Enable boolean: `setsebool -P httpd_can_network_connect 1`.
Still having issues? Our IT Solutions & Services team can diagnose and resolve this for you. Get in touch for a free consultation.
Solution – Alternative Approaches
If upstream uses a custom port, label it appropriately.
Verification & Acceptance Criteria
Reverse proxy returns 200 from upstream.
Rollback Plan
Disable the boolean again if a tighter policy is preferred.
Prevention & Hardening
Use module-specific contexts rather than broad booleans.
Related Errors & Cross-Refs
Linked to httpd context for ports and reverse proxies.
Related tutorial: View the step-by-step tutorial for centos-stream-9.
View all centos-stream-9 tutorials on the Tutorials Hub →
Browse all common problems & solutions on the Tutorials Hub.
References & Further Reading
SELinux httpd boolean reference.
Need Expert Help?
If you cannot resolve this yourself, our team offers hands-on Server Management, Managed IT Services, and flexible Support Plans. Contact us today — we respond within one business day.
