External Nginx doesn't integrate seamlessly on SELinux (CentOS) hosts
### Summary
[Self-Managed]
When setting up an external Nginx on an SELinux system, it is necessary to change the security context of the Workhorse socket in order to allow the external Nginx to access that socket.
This action has to be repeated after every execution of `gitlab-ctl reconfigure`.
### Steps to reproduce
- Spin up a GitLab instance on an SELinux (or CentOS) host
- Disable the embedded Nginx
- Install and configure an external Nginx (following our docs: [Using a non-bundled web server](https://docs.gitlab.com/omnibus/settings/nginx.html#using-a-non-bundled-web-server))
- Restart the external Nginx; reconfigure GitLab
- Observe a `502: Bad gateway` error when accessing the GitLab UI

As per https://stackoverflow.com/a/50052893, this can be fixed by applying `chcon -t httpd_var_run_t /var/opt/gitlab/gitlab-workhorse/sockets/socket` (each time after executing `gitlab-ctl reconfigure`).

That approach was recently confirmed during a customer emergency call (internal link to [ZD ticket](https://gitlab.zendesk.com/agent/tickets/231863)).
### Example Project
### What is the current *bug* behavior?
The Workhorse socket file is inaccessible to the non-bundled Nginx.
### What is the expected *correct* behavior?
The need to run additional commands after each `gitlab-ctl reconfigure` causes manual overhead and is prone to errors.
A GitLab instance should be able to handle even such "edge-configurations" automatically.
### Relevant logs and/or screenshots
In the Nginx logs, the following message can be seen (while seeing a 500 error when accessing the GitLab UI):
```
<TIMESTAMP> [crit]
15777#15777: *1333 connect() to unix:/var/opt/gitlab/gitlab-workhorse/sockets/socket failed (13:
Permission denied) while connecting to upstream, client: <IP-ADDRESS>,
server: <SERVER-NAME>, request: $uest: "GET //sito/wp-includes/wlwmanifest.xml HTTP/1.1",
upstream: "http://unix:/var/opt/gitlab/gitlab-workhorse/sockets/socket://sito/wp-includes/wlwmanifest.xml",
host: "<HOST-NAME"
```
Workhorse doesn't show or report any errors, as the external Nginx never reaches its socket due to the SELinux restrictions.
### Output of checks
#### Results of GitLab environment info
```
GitLab version: 14.1.3-ee
Ruby: 2.7.2pl37
Gem: 3.1.4
Bundler: 2.1.4
Rake: 13.0.3
Redis: 6.0.14
Git: 2.32.0
Sidekiq: 5.2.9
```
#### Results of GitLab application Check
### Possible fixes
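
The workaround described in this issue, written as a wrapper so the relabel step cannot be forgotten. This is an added example, not part of the original issue or of GitLab's tooling; the function names are hypothetical, and it assumes GNU `stat` (for `%C`) plus the socket path and SELinux type quoted above.

```bash
#!/usr/bin/env bash
# Added example (not GitLab code). Function names are hypothetical.
SOCKET=/var/opt/gitlab/gitlab-workhorse/sockets/socket  # path from the issue
WANT_TYPE=httpd_var_run_t                               # type from the issue

# Extract the type field from an SELinux context string (user:role:type:level).
context_type() {
  printf '%s\n' "$1" | cut -d: -f3
}

# Succeed if an Nginx error-log line is the socket denial shown in the issue.
is_socket_denial() {
  case $1 in
    *"connect() to unix:$SOCKET failed (13: Permission denied)"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Relabel the socket only when its current type differs from WANT_TYPE.
relabel_if_needed() {
  local path=$1 ctx current
  ctx=$(stat -c %C "$path") || return 1   # GNU stat: %C = SELinux context
  current=$(context_type "$ctx")
  if [ "$current" = "$WANT_TYPE" ]; then
    echo "ok: $path is already $WANT_TYPE"
  else
    echo "relabel: $path $current -> $WANT_TYPE"
    chcon -t "$WANT_TYPE" "$path"
  fi
}

# Use in place of a bare `gitlab-ctl reconfigure` so the step is never skipped.
reconfigure_and_relabel() {
  gitlab-ctl reconfigure && relabel_if_needed "$SOCKET"
}

# Only touch the system when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then
  reconfigure_and_relabel
fi
```

Run as root with `--apply`; without arguments the script only defines the functions, so `is_socket_denial` can be reused to filter the Nginx error log for this specific failure.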