HCSHAW
asked on
Why does my Squid Proxy deny requests for a URL that uses port 81
I am getting error TCP_MISS/503 when accessing a website that requires a specific port. Here is the Squid error:
1364333317.352 104 127.0.0.1 TCP_MISS/503 1545 GET http://www.escpa.org:81/crossdomain.xml - DIRECT/- text/html
Port 81 is opened up. I can resolve the IP address for www.escpa.org, so it does not appear to be a DNS issue UNLESS the port number is screwing up the DNS lookup. I suspect this because the "-DIRECT/ " does not have an IP address following it. It appears that if a successful DNS look-up occurs, the IP address is inserted in the message.
But if that is not the case, why can it resolve to the www.escpa.org and retrieve the information, but when port :81 is used to pick up additional files to download, it fails?
The Web page returns a CONNECTION FAILED with a (13) permission denied error.
I have searched high and low for the answer, and all I get is references to permission issues in Squid. Is it a setup issue? Is there an ACL that has to be added beyond the one that added it as a Safe_list port entry?
Any comments would be greatly appreciated. I have reached the end of my expertise :)
ASKER
How do I run the tcpdump command. I tried running it but can't seem to get the syntax right.
Outside of our network, the site works fine. I am not sure how to bypass Squid within the network. Suggestions on this?
ASKER
tcpdump - I found a great site that gave examples of the command. However, I never saw traffic on port 81, just 80.
Will the change I made survive a reboot? I went to squid as a precaution and did an apply and save config. I did not restart squid.
Can you post what command you used?
Another way to do it, a bit easier if you are authorized to, is to install Wireshark.
It will run tcpdump for you and if you know the filter commands you can filter tcpdump.
If you don't you can capture everything and then use Wireshark display filters to control what you see.
ASKER
Never mind. I found the answer to how I get it to stay set after a reboot: it's the "-P" in the command.
http://docs.fedoraproject.org/en-US/Fedora/13/html/Managing_Confined_Services/sect-Managing_Confined_Services-Squid_Caching_Proxy-Configuration_Examples.html
---------------------
the -P option changes the setting to persist across reboots.
---------------------
I now have this working and feel confident it will keep working. The setting simply says let Squid make the decision on what ports to use, and since I now have an ACL to allow port 81, all is working.
Thanks to all the contributors for giving suggestions and guidance.
ASKER
Thanks for helping to explain the SElinux piece of the puzzle.
"503" is a return code from the remote server I believe, which should mean that Squid made an HTTP GET request to the server named www.escpa.org on port 81 and it returned the HTTP code 503.
The 1545 after the 503 is the number of bytes returned by the HTTP request.
Can you run tcpdump on the Squid server to see what it is attempting to do?
Can you go to http://www.escpa.org:81/crossdomain.xml successfully if you bypass Squid?
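The log line quoted in the question and the reading of it offered above (503 and the 1545-byte count) both turn on how Squid's native access.log format is laid out, so here is an added example, not from this thread and not Squid's own code, that parses such lines and sorts each failed request into "Squid refused it by ACL", "Squid could not connect to the origin" or "the origin answered with an error". The key field is the hierarchy/peer column: "DIRECT/-" means no origin connection was ever established, so the 503 and its byte count are Squid's own error page rather than anything from the remote server, and the errno on that page ("(13) Permission denied" in the question) is the thing to chase. The Safe_ports set below assumes a stock squid.conf ACL plus the port 81 entry the asker added; the three extra log lines (example.invalid, 192.0.2.10) are constructed for contrast.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample: the first line is the one quoted in the question; the
# other three are made-up lines (example.invalid / 192.0.2.10) for contrast.
SAMPLE_LOG = """\
1364333317.352 104 127.0.0.1 TCP_MISS/503 1545 GET http://www.escpa.org:81/crossdomain.xml - DIRECT/- text/html
1364333320.118 212 127.0.0.1 TCP_MISS/200 982 GET http://www.example.invalid/index.html - DIRECT/192.0.2.10 text/html
1364333321.500 0 127.0.0.1 TCP_DENIED/403 3421 GET http://www.example.invalid:25/x - NONE/- text/html
1364333322.009 530 127.0.0.1 TCP_MISS/503 1603 GET http://www.example.invalid:81/y - DIRECT/192.0.2.10 text/html
"""

# Assumption: the stock Safe_ports ACL of a default squid.conf
# (80 21 443 70 210 1025-65535 280 488 591 777) plus the port 81 entry the
# asker added. Anything else is rejected by "http_access deny !Safe_ports".
SAFE_PORTS = {80, 21, 443, 70, 210, 280, 488, 591, 777, 81} | set(range(1025, 65536))


@dataclass
class Entry:
    timestamp: float
    duration_ms: int
    client: str
    result: str           # Squid result code, e.g. TCP_MISS, TCP_DENIED
    status: int           # HTTP status Squid sent to the client
    size: int             # bytes sent to the client, Squid's own error pages included
    method: str
    url: str
    port: int             # origin port taken from the URL
    hierarchy: str        # DIRECT, NONE, ...
    peer: Optional[str]   # origin/peer Squid connected to; None when logged as "-"


# Native format: time elapsed client code/status bytes method URL ident hier/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<dur>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)\s*$"
)


def parse_line(line: str) -> Entry:
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"not a native-format access.log line: {line!r}")
    parts = urlsplit(m["url"])
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return Entry(
        timestamp=float(m["ts"]), duration_ms=int(m["dur"]), client=m["client"],
        result=m["result"], status=int(m["status"]), size=int(m["size"]),
        method=m["method"], url=m["url"], port=port, hierarchy=m["hier"],
        peer=None if m["peer"] == "-" else m["peer"],
    )


def classify(e: Entry) -> str:
    """Sort a request into who produced the failure, if any."""
    if e.result == "TCP_DENIED":
        return "acl_denied"        # http_access refused it; nothing went upstream
    if e.status >= 500 and e.peer is None:
        return "connect_failed"    # Squid's own error page; origin never reached
    if e.status >= 500:
        return "upstream_error"    # a real origin/peer answered with the error
    return "ok"


def explain(e: Entry) -> str:
    cat = classify(e)
    if cat == "acl_denied":
        why = "port not in Safe_ports" if e.port not in SAFE_PORTS else "http_access rule"
        return f"Squid refused the request itself ({why}); nothing was sent to the origin"
    if cat == "connect_failed":
        return (f"{e.size} bytes is Squid's own error page; peer logged as '-', so no "
                "origin connection was made: read the errno on the page the client got")
    if cat == "upstream_error":
        return f"origin {e.peer} answered with HTTP {e.status}"
    return f"served via {e.hierarchy}/{e.peer}"


def triage(log_text: str):
    """Return (port, category, explanation) for every non-blank log line."""
    entries = (parse_line(l) for l in log_text.splitlines() if l.strip())
    return [(e.port, classify(e), explain(e)) for e in entries]


if __name__ == "__main__":
    for port, category, text in triage(SAMPLE_LOG):
        print(f"port {port:<5} {category:<15} {text}")
```

Run against the question's line this reports "connect_failed": port 81 is in Safe_ports, so the ACL is not what is blocking, and the request was forwarded and failed at connect() time with EACCES. That matches the SELinux resolution the asker reached: the Fedora page linked above uses a persistent `setsebool -P` change to let Squid connect to non-standard ports, and a request denied by the Safe_ports ACL would instead have shown up as TCP_DENIED/403, as in the constructed third line.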