
Haproxy health check permission denied

Tags: linux, haproxy

I am unable to add a backend server because the health check fails with the log message:

Health check for server mule/muleapp failed, reason: Layer4 connection problem, info: "General socket error (Permission denied)", check duration: 0ms, status: 0/2 DOWN.

I am, however, able to telnet into the same IP and host, and adding other backends works. I do not see what the permission issue is. My configuration is very simplistic:

backend mule
    balance     roundrobin
    server      muleapp x.x.x.x:64006 check

(substitute x with any number). I am running in HTTP mode. It should be noted that connecting to a local TCPMon port also does not work, but then there are no health check log statements.

ThomasRS asked Oct 17 '14 08:10


2 Answers

The problem is SELinux only allowing the web server to make outbound connections to a limited set of ports.

Fixed by doing:

semanage port --add --type http_port_t --proto tcp 8001

after installing semanage with

yum install policycoreutils-python

Reference: https://serverfault.com/questions/654599/weird-interaction-with-systemctl-with-haproxy-on-centos-7

Paulo Makdisse answered Oct 16 '22 20:10


In SELinux you can easily allow haproxy to connect to all remote backend ports:

getsebool haproxy_connect_any   # by default 0
setsebool -P haproxy_connect_any 1

This works immediately, without a haproxy restart.

kubanczyk answered Oct 16 '22 20:10
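
An added example, not part of either answer: to label only the ports HAProxy was actually refused, rather than opening every port with haproxy_connect_any, the script below pulls the denied destination ports out of SELinux AVC records and prints the per-port semanage command from the first answer for each. The audit records are constructed sample data, and the function names denied_ports and label_commands are hypothetical.

```shell
#!/bin/sh
# Added example: list the backend ports SELinux refused to HAProxy, then print
# one per-port labelling command instead of enabling haproxy_connect_any.
# Nothing is changed on the host; the commands are only printed for review.

# Constructed sample of audit.log AVC records (not taken from the page).
SAMPLE_AVC='type=AVC msg=audit(1413533400.101:801): avc:  denied  { name_connect } for  pid=2101 comm="haproxy" dest=64006 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1413533402.104:802): avc:  denied  { name_connect } for  pid=2101 comm="haproxy" dest=64006 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1413533405.220:803): avc:  denied  { name_connect } for  pid=3050 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1413533409.310:804): avc:  denied  { name_bind } for  pid=2101 comm="haproxy" src=8404 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1413533411.007:805): avc:  denied  { name_connect } for  pid=2101 comm="haproxy" dest=8001 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket'

# Read AVC records on stdin and print each distinct port that haproxy was
# denied an outbound connect (name_connect) to, in numeric order.
# Other processes and other permissions (e.g. name_bind) are ignored.
denied_ports() {
    grep 'denied' |
    grep '{ name_connect }' |
    grep 'comm="haproxy"' |
    sed -n 's/.* dest=\([0-9][0-9]*\) .*/\1/p' |
    sort -n -u
}

# Turn a list of ports on stdin into the labelling command used in the
# first answer, one command per port.
label_commands() {
    while read -r port; do
        echo "semanage port --add --type http_port_t --proto tcp $port"
    done
}

# Stand-alone run against the constructed sample. On a live host, feed the
# output of `ausearch -m avc -c haproxy` into denied_ports instead.
printf '%s\n' "$SAMPLE_AVC" | denied_ports | label_commands
```

Review the printed ports against the backends in haproxy.cfg before running any of the commands, so that only intended backend ports get labelled.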