Product installation
Summary
This section provides instructions for an on-premises deployment of Unscrambl Qbo.
Qbo can be installed on x86 physical or virtual machines running:
RHEL07/CentOS 7.6 or later.
RHEL08/CentOS 8.0 or later.
Prerequisites
Before installing Qbo, set up an internal database and install external dependencies.
Install and configure the internal database
Qbo uses a relational database to store configuration and runtime data.
It supports MariaDB.
Install MariaDB
A standard setup uses MariaDB and Qbo on the same machine. You can install them on separate machines; however, this option requires extra configuration.
Check the MariaDB Foundation’s website for the current latest stable version.
Note
mariadb-server and MariaDB-server are different packages. Qbo requires the latest MariaDB-server packages from mariadb repo, which requires internet access to download the package.
Use your OS package manager (for example, yum
or dnf
for RedHat) to install the latest stable version of
MariaDB, then configure it using the MariaDB Repository Configuration Tool .
Example installation
To install MariaDB 10.5 on RedHat 7 x86_64:
$ sudo bash
$ cat > /etc/yum.repos.d/MariaDB.repo <<EOF
[mariadb]
name=MariaDB
baseurl=http://yum.mariadb.org/10.5/rhel7-amd64
enabled=1
gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
gpgcheck=1
module_hotfixes=1
EOF
$ yum remove mariadb mariadb-server mysql-common
$ yum install -y MariaDB-server MariaDB-client
To install MariaDB-server on RedHat 8 x86_64:
$ sudo bash
$ cat > /etc/yum.repos.d/MariaDB.repo <<EOF
[mariadb]
name=MariaDB
baseurl=http://yum.mariadb.org/10.5/rhel8-amd64
enabled=1
gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
gpgcheck=1
module_hotfixes=1
EOF
$ yum remove mariadb mariadb-server mysql-common
$ yum install -y MariaDB-server MariaDB-client
Configure MariaDB
MariaDB is executed as a service on RedHat and its behavior is controlled by a configuration file. This is usually
located in /etc/my.cnf.d/server.cnf
or /etc/mysql/my.cnf
).
Comment out or remove this line in the mysqld
section of the configuration file:
bind-address = 127.0.0.1
This will ensure that other hosts in the cluster can interact with the MariaDB server.
Restart the operating system service to activate the configuration changes.
$ sudo service mariadb restart
Ensure that the MariaDB server is automatically started at boot time by configuring init, systemd, cron, or any other mechanism that you have in place for automating service startup.
Secure MariaDB
Once you’ve installed MariaDB, we recommend that you secure it.
Run the secure installation script:
$ sudo mysql_secure_installation
Configure MariaDB connections
Check that the server is using its default port (3306):
$ netstat -lptn | grep 3306
This will give output:
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 11430/mysqld
If MariaDB and Qbo will be on different hosts, or will use a different port number, perform additional configuration outlined in Using a non-default MariaDB configuration.
Populate MariaDB time zone tables
The MariaDB system database includes several tables to store time zone information. Its installation procedure creates the time zone tables, but does not load them.
To load them manually, run the command below as root
. You’ll need MariaDB’s root
password.
$ mysql_tzinfo_to_sql /usr/share/zoneinfo | mysql -u root -p mysql
The warnings shown below are common and can be ignored.
This will give output:
Warning: Unable to load `/usr/share/zoneinfo/leap-seconds.list` as time zone. Skipping it.
If time zone information changes, applications that use the old rules become out of date. Reload the time zone rules using the command above.
Refer to MariaDB documentation for more information.
Create MariaDB user for Qbo connection
Qbo needs a username and password to use when connecting to the MariaDB database server. By default, both the
username and password are set to chai
.
To create a MariaDB user called chai
with the password chai
, start MariaDB’s interactive shell using
MariaDB’s root
user:
$ mysql -u root -p
Enter the command below, replacing <username>
and <password>
with a username and password:
MariaDB [(none)]> CREATE USER '<username>'@'%' IDENTIFIED BY '<password>';
For example, in the default setup, both use chai
, so the command will look like:
MariaDB [(none)]> CREATE USER 'chai'@'%' IDENTIFIED BY 'chai';
Give the user account privileges to create the Qbo databases:
MariaDB [(none)]> GRANT ALL PRIVILEGES ON `chai_%` . * TO 'chai'@'%'; MariaDB [(none)]> FLUSH PRIVILEGES;
Close the MariaDB interactive shell by pressing CTRL-D (the Control
and the D
key, together) or entering the
exit
command.
Check that you can log in to MariaDB using the username and password you just configured:
$ mysql -u chai -p
If the new user has been properly configured, you will once again be greeted by the MariaDB interactive shell:
$ mysql -u chai -p
Enter password:
You will see:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 39
...
MariaDB [(none)]>
Use a non-default MariaDB configuration
Edit the Qbo configuration file if:
MariaDB is on a different host to Qbo.
MariaDB is listening on a port other than
3306
.You set up a non-default username or password; anything other than the default
chai
andchai
.
Edit chai/etc/chai.json
using a regular text editor.
Encrypt password
If you’re using a non-default password for the Qbo database server user, first encrypt the new password so it is not stored in clear text in the configuration file. Qbo includes an encryption tool that you can use. Enter:
$ UNSCRAMBL_HOME/bin/password_encryptor -p <new_password>
Update username and password
Find the userName
and userPassword
entries under databaseConfiguration
in the configuration file. The
configuration file is nested. Modify these entries with the encrypted password and the user name you set earlier.
If you use different settings than those you set up in the MariaDB configuration, update MariaDB with the new username and password.
Update host and port
If the MariaDB server isn’t using the same server as Qbo, or it is using a port other than the default 3306, add or
modify the address
entry under databaseConfiguration
in the Qbo configuration file. The address is a tuple
with the following format: hostname:port
. For example, foo.example.com:3306
.
External dependencies
The external software dependencies required by Qbo are specific to the operating system version and the architecture on which it will run.
The installer uses the dependency_checker
utility before installing Qbo to ensure that all the dependencies are
in place. This utility inspects the environment for RedHat provided software (referred to as OS-provided software in
the rest of this documentation).
It also checks for specific Python packages and Node.js npm packages required by Qbo, which are provided as a
virtualenv
environment (for Python) and a node modules directory (for Node.js), pre-packaged and configured to
match the needs of Qbo.
Install operating system software packages using the regular mechanism employed to download and install them,
usually yum
on RedHat.
The output from dependency_checker will be similar to:
$ $UNSCRAMBL_HOME/bin/dependency_checker -l
This will give output:
List of OS package dependencies:
mariadb: 5.5 (not installed)
mariadb-libs: 5.5 (installed)
mariadb-server: 5.5 (installed)
List of Python package dependencies (available in the Qbo virtualenv):
In this example, one external dependency (mariadb
) is not currently installed. Assuming the host is running
RedHat Linux, the person running the installation needs to use yum
to install mariadb
.
Install OpenResty
Qbo is dependent on nginx
, which is released with the OpenResty
platform. Install OpenResty
before
installing Qbo. See https://openresty.org/en/linux-packages.html.
Installing OS packages on a server without internet connection
Often, the server (or cluster) where Qbo is to be installed does not have direct internet connection. You’ll need the operating system installation CD/DVD or an .iso image with the OS installation.
If your installation is RedHat-based, use one of the following alternatives:
if a DVD is available, follow the DVD-based yum repository directions outlined by RedHat to create a locally available yum repository.
if an .iso file is available, follow the .iso file directions to create a locally available yum repository.
When installing external operating system-managed dependencies, as long as the major and minor version numbers match, the dependency is considered satisfied.
SSL certificate
An SSL certificate provides an assurance that the current interaction is between a client and a properly identified server. It also provides the key that the browser and web server will use to encrypt the connection.
When an SSL certificate is installed on a web server, a browser will use the encrypted HTTPS protocol when interacting with the server. It will also display the padlock icon that indicates a secure connection in the address bar. Qbo web service uses an SSL certificate to authenticate and encrypt all interactions between a web client and server. This ensures that no sensitive information flows over between a client and server in clear text form.
Purchase an SSL certificate from a vendor or download one for free from an organization such as Let’s Encrypt.
Commercial SSL certificates are typically verified and accepted by mainstream web browsers such as Google Chrome and Mozilla Firefox.
SSL certificates can also be provided by any entity hosting a Public Key Infrastructure (PKI). These certificates work just like commercial certificates, but they aren’t produced by recognized CAs. Because of this, most browsers will produce a warning or rejection when visiting the web server. If the web server will only be accessed by employees, you can add the certificate to the browser’s list of accepted certificates.
You can use Qbo with either type of certificate, but we strongly recommend that you use a certificate from an officially recognized commercial or non-profit CA.
Install Qbo
If you’ll be making Qbo available to users via HTTPS-secured web access, before installing Qbo:
Configure a DNS entry that will provide a user-friendly URL.
Purchase a commercial SSL certificate for that URL.
It might be helpful to become familiar with the infrastructure used to provide HTTPS access to Qbo by reading the steps outlined in the Configure web proxy section before attempting the installation steps.
Follow the steps below carefully.
Extract the tarball
Install Qbo using the same username that you’ll use to manage it post-installation. We recommend you use the default
username of chai
.
The Qbo installation tarball includes:
The Qbo software platform itself, comprising all the necessary components to run Qbo-supported solutions.
The pre-configured Python
virtualenv
environment, comprising all Python dependencies required by Qbo solutions to run.The pre-configured npm node modules directory, comprising all Node.js dependencies required by Qbo solutions to run.
The external open source software required by Qbo; for example, Node.js, Oracle JVM.
To extract the tarball, run the following command:
$ tar xvfz cloudVm-<version>-<os>.tar.gz
Where:
<version> is the product version, and
<os> is the specific operating system you’re installing it on.
For example, if installing on RedHat 7:
$ tar xvfz cloudVm-7.1.2-rhel07.tar.gz
Extract the software:
$ mkdir -p /opt/unscrambl/cloudVm/rhel07
$ tar xzvf cloudVm-<version>-rhel07.tar.gz -C /opt/unscrambl/cloudVm/rhel07
/opt/unscrambl/cloudVm/rhel07
is the recommended path; however, you can substitute a different path.
If you’re using a different operating system, like RedHat 8, substitute the abbreviation in the tarball and path. For example:
$ tar xvfz cloudVm-<version>-rhel08.tar.gz
Run the installer
Run the installer. For example, if you extracted the tarball to a directory called $UNSCRAMBL_HOME:
Note: Assuming Qbo is installed at location /opt/unscrambl/chai/rhel07
.
$ cd /opt/unscrambl/chai/rhel07/chai/bin
$ ./installer
installer
is an interactive program that will guide you through specific installation and configuration choices.
Unscrambl chAI is a commercial product, subjected to End-User License Agreement terms. A paper-based or digital
copy of these terms must have been signed and agreed by someone authorized to do so in your organization,
prior to carrying out this configuration. A non-customer specific copy of these terms is included for your
reference in this installation package (unscrambl/license/eula.pdf).
Do you confirm that you are authorized to proceed with the configuration based on the terms specified in your
organization's own license agreement with Unscrambl Inc. (y/n)?
Enter the directory that will host the Qbo instance. This is the location in the file system where Qbo will host its services, logs, and the data used by Qbo data management services.
Select a network interface to use for external TCP/IP traffic. Choose the interface that provides connectivity to other hosts in the cluster (if any) and external services that Qbo will need to interface with.
Please select the network interface to use for external TCP/IP traffic (default: 'eth0'):
[0] lo: 127.0.0.1
[1] eth0 10.0.0.123
[2] tun0: 10.8.0.45
Select the number corresponding to the interface you want (default: 1 for interface 'eth0'): 1
The 'eth0' network interface will be used for all external TCP/IP traffic.
Enter the port that Qbo should use for HTTP-based backend services, or leave blank to choose the default port, 8081.
Please enter the HTTP port for the REST server to be used by Unscrambl chAI (if left empty, the HTTP port will
be 8081):
If you will keep Qbo behind an nginx or Apache web proxy, enter y
to allow Qbo insight’s backend services to
bind only to localhost. This is the recommended configuration, as it is more secure.
If you want to enable remote, unencrypted HTTP connections, enter n
to allow Qbo insight’s backend services to
bind to non-local addresses. This is not recommended, as information is transmitted in the clear and is vulnerable
to listeners.
Leave blank to choose the default localhost-only binding.
When using HTTP, do you want to bind only to localhost ([y]es: only a local connection to the REST server will be
possible. This configuration is meant to be used behind a web proxy such as nginx or Apache httpd; / [n]o: remote
HTTP will be possible. This configuration is insecure and STRONGLY discouraged as all interactions between chAI's
client and its backend, including authentication, will go in the clear over network connections) (if left empty,
only a local connection to the REST server will be possible) (y/n)?
Warning
Qbo has access to, handles, and transports potentially sensitive information. It occasionally needs to transfer potentially sensitive information between the web-based interface and the backend. To keep this data safe, we strongly recommend using encryption through the use of HTTPS.
Qbo uses data like:
Authentication information: In certain configurations, Qbo requires a user account. It can be configured to authenticate using external services, such as OpenID and OAuth providers. These authentication connections can include user credentials. Qbo does not store user passwords in the clear.
Metadata and personal information about users and corporate data: Qbo carries out analytics with data that is often private and sensitive, including information from conversations and corporate data sources.
While in certain configurations Qbo may be hosted in an internal network, never facing non-corporate users, it does integrate with other segments of an enterprise computing environment.
We recommend that you take every possible precaution to protect the integrity and confidentiality of the data consumed and produced by this platform.
There are two possible configurations to choose from:
HTTP, available network-wide (STRONGLY DISCOURAGED): this is the simplest form of installing Qbo. However, it is insecure, and potentially sensitive information is transmitted in the clear, flowing from the user’s browser to the server without any encryption. This could include passwords and credentials used for authenticating via external services.
HTTP, available only in the
localhost
interface, proxied by an HTTPS web proxy (STRONGLY RECOMMENDED): HTTPS web proxy servers are designed and hardened to offer remote data connections. This configuration is more secure and minimizes the chances of a sensitive data breach. Interactions between the browser-based user interface and the web proxy in front of Qbo’s backend is HTTPS encrypted. The web proxy runs asroot
and employs a regular local HTTP connection to the Qbo backend. To install and configure a web proxy to act as an HTTPS endpoint, see Configure web proxy.
If everything is correctly configured, a success status message will be printed out:
the Unscrambl chAI environment has been configured successfully...
Configuring web proxy
Web proxy prerequisites
Before installing and configuring the web proxy, set up a DNS CNAME entry to point to Qbo and obtain an SSL certificate for the web proxy.
Qbo consists of a set of backend services, accessible via a web-based user interface and optionally via third-party messaging platforms.
Communication between the web-based user interface and the backend employs REST APIs over HTTP or HTTP via an HTTPS proxy. If you plan to use Qbo with a messaging-based channel, you need to set up a web proxy.
Unscrambl strongly recommends that you use HTTP via an HTTPS proxy, to ensure encryption of any sensitive information transmitted over the network.
This option requires installing Qbo with HTTP support, where the backend is bound only to the local lo
network interface, allowing HTTP access only within the host where the Qbo web server runs.
You can use an Apache or nginx web proxy to provide HTTPS access to Qbo. Both are packaged and available in Linux distributions:
Configure a DNS CNAME Entry to point to Qbo (Optional)
Ideally, the URL used to access Qbo will be in the form https://Unscrambl.example.com/chai
, where:
Unscrambl
designates this locator as an Unscrambl product installation atexample.com
(your internet domain).chai
indicates the name of the product.
Usually, the friendlier Unscrambl
name will map to an internal server hosting the Qbo installation, whose name
will follow an (often less friendly) internal IT convention; for example, chai-cluster003-node001.acme.com
. We
recommend that you configure a DNS alias before installing Qbo.
DNS server record update procedures vary. We recommend that you contact a local IT specialist to carry out the actual DNS registration.
For example, an organization using TinyDNS might add the following entry to its configuration:
Cunscrambl.acme.com:chai-cluster003-node001.acme.com:120
and invoke the tinydns-data
utility to activate
this entry.
Obtain an SSL certificate
SSL certificates come in different forms. You can obtain a certificate for a single host name, for multiple host names, or as a wildcard, accepting any name under a particular domain. All of these ought to work with Qbo. However, a single-host certificate is sufficient and this option is often the most economical as well.
Procedures to obtain a certificate vary both for commercial as well as for self-signed internal certificates. Consult a local IT specialist to understand which alternative best suits your environment.
The rest of this document assumes that you have a commercial certificate available as you configure the web proxy.
A set of files related to the certificate must be available. The example below assumes
that the certificates are kept in a directory called unscrambl.acme.com
:
unscrambl.acme.com/fullchain.pem
: The actual certificate plus any intermediate certificates. See the documentation for the Apache httpd SSLCertificateFile configuration key and the nginx ssl_certificate configuration key.unscrambl.acme.com/privkey.pem
: The certificate private key for the server. See the documentation for the Apache httpd SSLCertificateKeyFile configuration key and the nginx ssl_certificate_key configuration key.
Once you have the certificate and can locate these files, install and configure Apache httpd
or
nginx
.
In the following sections, we assume that you are installing on a RedHat 7 (or CentOS 7) server, where the Qbo web backend will eventually run.
Since the installation and configuration require you to update system-owned resources, you’ll need either sudo
or
root
access to complete the next stage.
Configure Apache httpd
Download and install required OS packages:
$ yum install -y httpd mod_ssl
Enable the httpd
service to ensure that it is started on boot:
$ systemctl enable httpd
Enable proxying by adding a new virtual host entry in httpd
’s main
configuration file, /etc/httpd/conf/httpd.conf
:
<VirtualHost *:443>
# Unscrambl chAI will be accessible at https://unscrambl.example.com/chai
ServerName unscrambl.example.com
# Unscrambl chAI must be configured with HTTP access restricted to localhost binding to port 8081
# Note that the IPv6 address being used, [::1], is the IP address corresponding to the loopback
# interface. Unscrambl chAI's server instance will use the IPv6 protocol stack by default
ProxyPass /chai http://[::1]:8081/chai
ProxyPassReverse /chai http://[::1]:8081/chai
# Unscrambl chAI's web interface requires a WebSocket endpoint called 'directLine' to be exposed
RewriteEngine on
RewriteCond %{HTTP:Upgrade} websocket
# The port used for the 'directLine' WebSocket endpoint (8081 in this example) must match the port
# specified for the 'chai' endpoint above
RewriteRule ^/(.*)$ ws://[::1]:8081/$1 [P]
ProxyPass /directLine http://[::1]:8081/directLine
ProxyPassReverse /directLine http://[::1]:8081/directLine
ProxyPreserveHost on
ProxyRequests off
Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"
SSLCertificateFile /etc/httpd/stash/unscrambl.example.com/fullchain.pem
SSLCertificateKeyFile /etc/httpd/stash/unscrambl.example.com/privkey.pem
SSLEngine on
SSLProtocol TLSv1.2
SSLProxyEngine on
<Location "/directLine">
ProxyPass "ws://[::1]:8081/directLine"
</Location>
</VirtualHost>
Note that in the configuration above, we chose to install the certificate-related files under /etc/httpd/stash
.
This is not essential, but does make it simpler for you to apply the correct SE Linux context to these files:
$ restorecon -vr /etc/httpd/stash
Next, start or restart httpd
:
$ systemctl start httpd
If the configuration is correct, you can start Qbo, open a browser and point it to https://unscrambl.example.com/chai
.
To start Qbo, see Managing Qbo Services.
Configure nginx
Download and install the required OS packages:
$ yum install -y nginx
Enable the nginx
service to ensure that it is started on boot:
$ systemctl enable nginx
Enable proxying by adding a new server entry to the
nginx
main configuration file, /etc/nginx/nginx.conf
:
http {
...
server {
listen 443;
server_name unscrambl.example.com;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
ssl on;
ssl_certificate /etc/nginx/stash/unscrambl.acme.com/fullchain.pem;
ssl_certificate_key /etc/nginx/stash/unscrambl.acme.com/privkey.pem;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.2;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
# Unscrambl chAI will be accessible at https://unscrambl.example.com/chai
location /chai {
# Unscrambl chAI must be configured with HTTP access restricted to localhost binding to port 8081
# Note that the IPv6 address being used, [::1], is the IP address corresponding to the loopback
# interface. Unscrambl chAI's server instance will use the IPv6 protocol stack by default
proxy_pass http://[::1]:8081/chai;
proxy_redirect off;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto "https";
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Real-IP $remote_addr;
}
# Unscrambl chAI's web interface requires a WebSocket endpoint called 'directLine' to be exposed
location /directLine {
# The port used for the 'directLine' WebSocket endpoint (8081 in this example) must match the port
# specified for the 'chai' endpoint above
proxy_pass http://[::1]:8081/directLine;
proxy_read_timeout 86400;
proxy_redirect off;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto "https";
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Real-IP $remote_addr;
}
}
}
Note that in the configuration above, we chose to install the certificate-related files under /etc/nginx/stash
.
This is not essential, but does make it simpler for you to apply the correct SE Linux context to these files:
$ restorecon -vr /etc/nginx/stash
Start or restart nginx
:
$ systemctl start nginx
If the configuration is correct, you can start Qbo, open a browser and point it to https://unscrambl.example.com/chai
.
To start Qbo, see Managing Qbo Services.
Test and troubleshoot the web proxy installation
To use the web interface, enter the access URL in the browser window.
Typical problems that occur in a new installation, where either RHEL or CentOS is being used:
Firewall configuration
If the server running the proxy has firewalld
installed, HTTPS access is typically blocked by default. While we
provide some helpful directions below, we strongly recommend that you read the firewalld
documentation so that
you fully understand the impact of these actions.
To check on the current status of firewalld
:
$ firewall-cmd --list-all
This should give output:
public (active)
target: default
icmp-block-inversion: no
interfaces: enp0s3
sources:
services: dhcpv6-client https ssh
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:
If https
does not appear in the list of services
(as it does above),
add it, either temporarily:
$ firewall-cmd --zone=public --add-service=https $ firewall-cmd --reload
Or permanently:
$ firewall-cmd --zone=public --permanent --add-service=https
Rerun the status command to check that HTTPS access to the server is now enabled:
$ firewall-cmd --list-all
SE Linux access control
The SE Linux configuration SELinux is a set of kernel modifications and tools that have been added to RedHat and CentOS, providing support for access control security policies. It may affect the web proxy.
If the SELinux access control is not properly configured for the web proxy, there will be two symptoms:
An access from the browser is rejected, often with a “bad gateway” error message.
- The SELinux log file (
ll /var/log/audit/audit.log
) will include a rejection of an operation attempted by the web proxy.
- The SELinux log file (
Note that you’ll need root
access to view the logs or reconfiguring SELinux policies. The example below is
from an nginx
proxy, but httpd
will look similar:
$ grep nginx /var/log/audit/audit.log
This will give output:
type=AVC msg=audit(1490570804.119:555): avc: denied { name_connect } for pid=5725 comm="nginx"
dest=8080
scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0
tclass=tcp_socket
Modifying SELinux configuration will have a direct impact on the security of a host as well as on the overall network where that host is located. Unscrambl strongly recommends that the person changing SELinux policies be someone familiar with its configuration. It’s important that your organization understand the potential repercussions of following the procedures below.
Understand this audit entry by running the following command, which also offers possible fixes:
$ ausearch -c nginx | audit2allow -m nginx
module nginx 1.0;
require {
type httpd_t;
type http_cache_port_t;
class tcp_socket name_connect;
}
#============= httpd_t ==============
#!!!! This avc can be allowed using one of the these booleans:
# httpd_can_network_connect, httpd_can_network_relay
allow httpd_t http_cache_port_t:tcp_socket name_connect;
Check the current state of these boolean settings - at this point, probably off
:
$ getsebool -a | grep httpd
To allow network connections from the web proxy to the actual server so it can act as a relay:
$ setsebool -P httpd_can_network_relay on
Alternatively, add a new SELinux non-base policy:
$ cd /tmp
$ ausearch -c nginx | audit2allow -M nginx</soan>
$ semodule -i nginx.pp
$ rm nginx.pp
The following sections detail the process of starting/stopping the product, performing one-time setup, and configuring other aspects of the product, including the data source and the data model.