You have successfully installed the Apache 2.2 proxy plugin on your WebLogic Server, but you cannot connect to the WLS servers via the proxy. Errors similar to the following are seen in the proxy log file:
Tue Mar 6 20:19:43 2012 <1959713310867732> INFO: New NON-SSL URL
Tue Mar 6 20:19:43 2012 <1959713310867732> Connect returns -1, and error no set to 13, msg 'Permission denied'
Tue Mar 6 20:19:43 2012 <1959713310867732> Error connecting to host 123.123.123.123:7010
Tue Mar 6 20:19:43 2012 <1959713310867732> *******Exception type [CONNECTION_REFUSED] (Error connecting to host 123.123.123.123:7020 errno = 13) raised at line 1723 of ../nsapi/URL.cpp

Cause

Error 13 (Permission denied) is a low-level OS error. The proxy needs to open outbound TCP connections to the WLS servers, but Apache was unable to establish them. There are two possible root causes:
  1. There is a firewall between the WLS servers and the proxy host which is filtering connections to the WLS servers. You can test this by running a simple telnet command on the Apache box to any WLS server:
    telnet 123.123.123.123 7010
    Replace 123.123.123.123 and 7010 with the actual IP address and port of your WLS Admin Server.

    OR
  2. The SELinux (Security-Enhanced Linux) configuration on your Apache proxy Linux host is blocking outbound connections originating from the httpd (Apache) service. You can check this by examining /var/log/audit/audit.log. If SELinux is blocking outbound connections, you will see errors similar to:
    /var/log/audit/audit.log:

    type=AVC msg=audit(1331086783.546:37579): avc: denied { name_connect } for pid=19597 comm="httpd" dest=7010 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

    Notice the httpd service, the 7010 destination port (i.e., the WLS port) and the tcp_socket class.
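
To pick these denials out of a busy audit log, the following added example (not part of the original article) counts httpd `name_connect` denials on `tcp_socket` per destination port. The function name `httpd_denied_ports` and every sample record except the first, which is the one shown above, are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials where httpd was refused an
# outbound TCP connect, grouped by destination port.

# httpd_denied_ports [FILE...]   (reads stdin when no file is given)
# Prints "<port> <denial count>" per line, sorted by port number.
httpd_denied_ports() {
    awk '
        /type=AVC / && / denied / && /name_connect/ &&
        /comm="httpd"/ && /tclass=tcp_socket/ {
            # The destination port is carried in the dest=<port> field.
            for (i = 1; i <= NF; i++)
                if ($i ~ /^dest=[0-9]+$/)
                    count[substr($i, 6)]++
        }
        END { for (port in count) print port, count[port] }
    ' "$@" | sort -n
}

# Constructed sample input. Only the first record comes from the article;
# the rest are made up to exercise the filter.
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1331086783.546:37579): avc: denied { name_connect } for pid=19597 comm="httpd" dest=7010 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1331086784.112:37580): avc: denied { name_connect } for pid=19597 comm="httpd" dest=7020 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1331086790.003:37581): avc: denied { name_connect } for pid=19601 comm="httpd" dest=7010 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1331086795.220:37582): avc: denied { getattr } for pid=19601 comm="httpd" path="/srv/app/index.html" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=SYSCALL msg=audit(1331086795.220:37582): arch=c000003e syscall=42 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
EOF
}

# Stand-alone demonstration on the sample records.
sample_audit_log | httpd_denied_ports
```

On the proxy host, run `httpd_denied_ports /var/log/audit/audit.log` as root; the ports listed should correspond to the WLS ports the plugin is configured to reach.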

Solution

  1. If the telnet test above fails, check the firewall rules and allow traffic to the required WLS port.
  2. If you see SELinux errors as described above, run this on your proxy box as root:
    /usr/sbin/setsebool -P httpd_can_network_connect 1

    This sets the httpd_can_network_connect boolean, which grants httpd permission to establish outbound connections. The -P option makes the change permanent, so it persists across reboots.