Today I learned: Fedora and HAProxy SELinux

I encountered a problem with HAProxy and SELinux: it seemed like the server wasn’t found and I was getting 503 responses. On inspecting the SELinux logs I realized that certain changes must be made when working in an SELinux environment. I had no issues on other systems, only on Red Hat family OSes.

setsebool -P haproxy_connect_any 1

  • haproxy_connect_any is the name of the SELinux boolean variable.
  • -P specifies that the change should be persistent across reboots.
  • 1 is the value being set, which enables the permission or behavior associated with the haproxy_connect_any boolean.

This configuration was necessary for me when using Certbot with HAProxy on Fedora. I was able to use them separately, and yet I couldn’t have the Certbot server defined in HAProxy on a different port (e.g. port 380) for a more complex configuration.

This is necessary because HAProxy requires more permissions than the default policy grants: out of the box the haproxy_t domain may only bind and connect to ports carrying specific labels, and the haproxy_connect_any boolean extends that to any port (port_type). The rules the boolean switches on can be listed with sesearch:

sesearch -A | grep haproxy_connect_any
allow haproxy_t packet_type:packet recv; [ haproxy_connect_any ]:True
allow haproxy_t packet_type:packet send; [ haproxy_connect_any ]:True
allow haproxy_t port_type:tcp_socket name_bind; [ haproxy_connect_any ]:True
allow haproxy_t port_type:tcp_socket name_connect; [ haproxy_connect_any ]:True
allow haproxy_t port_type:tcp_socket { recv_msg send_msg }; [ haproxy_connect_any ]:True
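As an added example (not code from the original post), here is a small POSIX shell triage script for the situation described above: it pulls the denied destination ports for haproxy_t out of AVC records, checks that the sesearch output really ties the any-port name_connect rule to haproxy_connect_any, and prints the two remediation choices. The AVC record and sesearch lines embedded in it are constructed samples; the targeted alternative (labelling just the backend port with semanage port) assumes that haproxy_t is already allowed to connect to http_port_t under your policy, which a comment in the script shows how to confirm.

```shell
#!/bin/sh
# Added example, not from the original post: a triage helper for the
# "503 behind SELinux" situation. It finds which ports haproxy_t was denied
# name_connect to in AVC records, checks that the sesearch output shows the
# name_connect-to-any-port rule gated on haproxy_connect_any, and prints the
# two remediation options. All sample inputs below are constructed.

# Constructed AVC record in the shape audit.log uses for a denied TCP connect.
# The pid, timestamp and serial are illustrative placeholders.
SAMPLE_AVC='type=AVC msg=audit(1700000000.123:456): avc:  denied  { name_connect } for  pid=1234 comm="haproxy" dest=380 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0'

# Constructed sesearch output, modelled on the lines shown in the post.
SAMPLE_SESEARCH='allow haproxy_t port_type:tcp_socket name_bind; [ haproxy_connect_any ]:True
allow haproxy_t port_type:tcp_socket name_connect; [ haproxy_connect_any ]:True'

# avc_denied_ports: read AVC records on stdin and print, one per line, each
# destination port that the haproxy_t domain was denied name_connect to.
avc_denied_ports() {
  grep 'avc:  denied  { name_connect }' |
    grep 'scontext=[^ ]*:haproxy_t:' |
    sed -n 's/.*dest=\([0-9][0-9]*\).*/\1/p'
}

# rule_is_conditional: succeed (exit 0) when the sesearch output on stdin
# contains the any-port name_connect rule tied to the haproxy_connect_any
# boolean, i.e. the boolean is what makes an arbitrary backend port reachable.
rule_is_conditional() {
  grep -qF 'allow haproxy_t port_type:tcp_socket name_connect; [ haproxy_connect_any ]:True'
}

# remediation: print the two ways to let haproxy_t reach the given port.
# Option B (labelling just that port) is the least-privilege choice; it
# assumes haproxy_t may already connect to http_port_t in your policy, which
# you can confirm with:
#   sesearch -A -s haproxy_t -t http_port_t -c tcp_socket -p name_connect
remediation() {
  port=$1
  printf '%s\n' \
    "Port $port denied for haproxy_t. Choose one:" \
    "  A (broad):    setsebool -P haproxy_connect_any 1" \
    "  B (targeted): semanage port -a -t http_port_t -p tcp $port"
}

# Run the parsers over the constructed samples.
printf '%s\n' "$SAMPLE_AVC" | avc_denied_ports | while read -r p; do
  remediation "$p"
done
if printf '%s\n' "$SAMPLE_SESEARCH" | rule_is_conditional; then
  echo "sesearch: any-port name_connect is gated on haproxy_connect_any"
fi

# On a real Fedora host, the same checks against live data. Both steps are
# skipped when the tools (or root, for reading the audit log) are missing, so
# the script still runs elsewhere.
if command -v ausearch >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
  ausearch -m AVC -c haproxy --raw 2>/dev/null | avc_denied_ports | sort -u
fi
if command -v getsebool >/dev/null 2>&1; then
  getsebool haproxy_connect_any
fi
```

Option A is what the post uses and is the simplest; it lets HAProxy bind and connect to every TCP port. When the backend sits on one known port, labelling that port instead keeps the reach of the haproxy_t domain narrow, which matters for a network-exposed process like HAProxy.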
