new changes

YakPanel-server/install.sh

@@ -246,31 +246,19 @@ npm run build
 echo ""
 echo "[5/6] Configuring systemd..."
 REDIS_AFTER="redis.target"
-if [ "$PKG" = apt ]; then
-  REDIS_AFTER="redis-server.service"
-fi
-
-cat > "/etc/systemd/system/${SYSTEMD_UNIT}.service" << EOF
-[Unit]
-Description=YakPanel Backend
-After=network.target $REDIS_AFTER
-
-[Service]
-Type=simple
-User=root
-WorkingDirectory=$INSTALL_PATH/backend
-Environment="PATH=$INSTALL_PATH/backend/venv/bin:\$PATH"
-ExecStart=$INSTALL_PATH/backend/venv/bin/uvicorn app.main:app --host 127.0.0.1 --port $BACKEND_PORT
-Restart=always
-
-[Install]
-WantedBy=multi-user.target
-EOF
-
-systemctl daemon-reload
-systemctl enable "$SYSTEMD_UNIT"
-systemctl restart "$SYSTEMD_UNIT" || systemctl start "$SYSTEMD_UNIT"
+REDIS_WANTS=""
+case "$PKG" in
+  apt)
+    REDIS_AFTER="redis-server.service"
+    REDIS_WANTS="Wants=redis-server.service"
+    ;;
+  dnf|yum)
+    REDIS_AFTER="redis.service"
+    REDIS_WANTS="Wants=redis.service"
+    ;;
+esac
 
+# Redis must be up before Uvicorn; starting it after the panel caused 502 (nginx OK, API down).
 case "$PKG" in
   apt)
     systemctl enable redis-server 2>/dev/null || true
@@ -282,6 +270,45 @@ case "$PKG" in
     ;;
 esac
 
+cat > "/etc/systemd/system/${SYSTEMD_UNIT}.service" << EOF
+[Unit]
+Description=YakPanel Backend
+After=network.target $REDIS_AFTER
+$REDIS_WANTS
+
+[Service]
+Type=simple
+User=root
+WorkingDirectory=$INSTALL_PATH/backend
+Environment="PATH=$INSTALL_PATH/backend/venv/bin:\$PATH"
+ExecStart=$INSTALL_PATH/backend/venv/bin/uvicorn app.main:app --host 127.0.0.1 --port $BACKEND_PORT
+Restart=always
+RestartSec=3
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+systemctl daemon-reload
+systemctl enable "$SYSTEMD_UNIT"
+systemctl restart "$SYSTEMD_UNIT" || systemctl start "$SYSTEMD_UNIT"
+
+backend_ok=0
+for _ in {1..40}; do
+  if curl -sfS --max-time 2 "http://127.0.0.1:${BACKEND_PORT}/api/health" >/dev/null 2>&1; then
+    backend_ok=1
+    break
+  fi
+  sleep 0.5
+done
+if [ "$backend_ok" -ne 1 ]; then
+  echo ""
+  echo "WARNING: Backend did not respond on http://127.0.0.1:${BACKEND_PORT}/api/health (login will show 502 via Nginx)."
+  echo "Check: systemctl status $SYSTEMD_UNIT --no-pager"
+  echo "Logs:  journalctl -u $SYSTEMD_UNIT -n 80 --no-pager"
+  echo "If SELinux is Enforcing: setsebool -P httpd_can_network_connect 1"
+fi
+
 write_nginx_site() {
   local target="$1"
   cat > "$target" << NGINXEOF
@@ -300,6 +327,9 @@ server {
         proxy_set_header X-Real-IP \$remote_addr;
         proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
         proxy_set_header X-Forwarded-Proto \$scheme;
+        proxy_connect_timeout 60s;
+        proxy_send_timeout 60s;
+        proxy_read_timeout 60s;
     }
 }
 NGINXEOF
@@ -319,6 +349,13 @@ systemctl start nginx 2>/dev/null || true
 nginx -t
 systemctl reload nginx 2>/dev/null || systemctl restart nginx
 
+# Nginx -> upstream (e.g. 127.0.0.1:$BACKEND_PORT) is blocked by default on EL + SELinux => 502.
+if command -v getenforce >/dev/null 2>&1 && [ "$(getenforce 2>/dev/null)" = "Enforcing" ]; then
+  if command -v setsebool >/dev/null 2>&1; then
+    setsebool -P httpd_can_network_connect 1 2>/dev/null || true
+  fi
+fi
+
 if systemctl is-active --quiet firewalld 2>/dev/null; then
   firewall-cmd --permanent --add-port="${PANEL_PORT}/tcp" >/dev/null 2>&1 || true
   firewall-cmd --reload >/dev/null 2>&1 || true
@@ -337,5 +374,6 @@ echo "  Access: http://YOUR_SERVER_IP:$PANEL_PORT"
 echo "  Login:  admin / admin"
 echo ""
 echo "  Change your password after first login."
-echo "  SELinux: if Nginx returns 403, see README (labels or temporary permissive)."
+echo "  UI works but login shows 502? Backend down or SELinux: systemctl status $SYSTEMD_UNIT; journalctl -u $SYSTEMD_UNIT -n 50"
+echo "  SELinux: installer calls setsebool httpd_can_network_connect if Enforcing; see README for 403 on static files."
 echo "=========================================="