perfSONAR User Q&A and Other Discussion

["Uhl, George D. (GSFC-423.0)[ARTS]" <>]

It looks like I'm getting a wccp interception that's redirecting me to a
web proxy.  This is an unannounced new free service offered to my
perfSONAR host!  The domain of the URL I'm trying to reach is not in the
whitelist.  I've requested to include eos.nasa.gov in the whitelist.  I'm
betting that my problem will go away after that.

Thanks,
-George

 curl -X GET --dump-header -
"http://archive.eos.nasa.gov:8086/perfSONAR_PS/services/tracerouteCollector
"
HTTP/1.0 403 Forbidden
Server: squid/2.6.STABLE21
Date: Wed, 30 Apr 2014 14:08:30 GMT
Content-Type: text/html
Content-Length: 1206
Expires: Wed, 30 Apr 2014 14:08:30 GMT
X-Squid-Error: ERR_ACCESS_DENIED 0
X-Cache: MISS from eoslpwr01.slopen.ecs.nasa.gov
X-Cache-Lookup: NONE from eoslpwr01.slopen.ecs.nasa.gov:3128
Via: 1.0 eoslpwr01.slopen.ecs.nasa.gov:3128 (squid/2.6.STABLE21)
Proxy-Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd";>
<HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html;
charset=iso-8859-1">
<TITLE>ERROR: The requested URL could not be retrieved</TITLE>
<STYLE 
type="text/css"><!--BODY{background-color:#ffffff;font-family:verdana,sans-
serif}PRE{font-family:sans-serif}--></STYLE>
</HEAD><BODY>
<H1>ERROR</H1>
<H2>The requested URL could not be retrieved</H2>
<HR noshade size="1px">
<P>
While trying to retrieve the URL:
<A 
HREF="http://archive.eos.nasa.gov:8086/perfSONAR_PS/services/tracerouteColl
ector">http://archive.eos.nasa.gov:8086/perfSONAR_PS/services/tracerouteCol
lector</A>
<P>
The following error was encountered:
<UL>
<LI>
<STRONG>
Access Denied.
</STRONG>
<P>
Access control configuration prevents your request from
being allowed at this time.  Please contact your service provider if
you feel this is incorrect.
</UL>
<P>Your cache administrator is <A
HREF="mailto:"></A>.


<BR clear="all">
<HR noshade size="1px">
<ADDRESS>
Generated Wed, 30 Apr 2014 14:08:30 GMT by eoslpwr01.slopen.ecs.nasa.gov
(squid/2.6.STABLE21)
</ADDRESS>
</BODY></HTML>
[root@esdis-ps
 ~]# 




On 4/30/14 9:30 AM, "Andrew Lake" 
<>
 wrote:

>Hi George,
>
>You can forcibly generate some traffic to 8086 by running something like
>the following:
>
>curl -X GET --dump-header -
>"http://archive.eos.nasa.gov:8086/perfSONAR_PS/services/tracerouteCollecto
>r"
>
>That's a GET instead of a post but it'd be interesting to see what it
>does. If it reaches the collector you will see something like the
>following:
>
>HTTP/1.1 200 success
>Date: Wed, 30 Apr 2014 13:07:00 GMT
>Server: libwww-perl-daemon/5.827
>User-Agent: perfSONAR-PS/3.2
>Content-Length: 825
>Content-Type: text/xml
>
><SOAP-ENV:Envelope
>xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/";
>                   xmlns:xsd="http://www.w3.org/2001/XMLSchema";
>                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
>                  
>xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/";>
>  <SOAP-ENV:Header/>
>  <SOAP-ENV:Body>
><nmwg:message xmlns:nmwg="http://ggf.org/ns/nmwg/base/2.0/";
>id="message.1967190" type="ErrorResponse"><nmwg:metadata
>id="metadata.16742872"><nmwg:eventType>error.common.transport</nmwg:eventT
>ype></nmwg:metadata><nmwg:data metadataIdRef="metadata.16742872"
>id="data.9803672"><nmwgr:datum
>xmlns:nmwgr="http://ggf.org/ns/nmwg/result/2.0/";>Received message with an
>invalid HTTP request, are you using a web
>browser?</nmwgr:datum></nmwg:data></nmwg:message>  </SOAP-ENV:Body>
></SOAP-ENV:Envelope>
>
>
>On Apr 29, 2014, at 5:06 PM, "Uhl, George D. (GSFC-423.0)[ARTS]"
><>
> wrote:
>
>> Mark,
>> 
>> Thanks for following up.  I was running tcpdump on the traceroute source
>> host so I used tcpdump to look for it attempting to communicate to the
>> remote archive server on port 8086.  I'm not seeing anything related to
>> http or traceroute in audit.log.
>> 
>> Thanks again,
>> -George
>> 
>> On 4/29/14 4:53 PM, "Mark Tinberg" 
>> <>
>>  wrote:
>> 
>>> 
>>> On Apr 29, 2014, at 2:48 PM, Uhl, George D. (GSFC-423.0)[ARTS]
>>> <>
>>>  wrote:
>>> 
>>>> Could this have something to do with selinux being enabled on the
>>>>host?
>>>> I
>>>> did a tcpdump on this host and never saw any traffic sent to the MA
>>>> server
>>>> on port 8086.
>>> 
>>> tcpdump would see the traffic before any packet filtering or selinux
>>> policy could affect it so if you aren¹t seeing it inbound then it¹s not
>>> getting to the machine at all and you can conclude the problem is not
>>>on
>>> the local machine.
>>> 
>>>> BTW, I'm prohibited from disabling selinux on this particular host.
>>> 
>>> As a point of reference, SELinux logs to the audit subsystem and if
>>> auditd is running those logs should end up in /var/log/audit/audit.log
>>> which should be root-only readable.  There are a lot of things which
>>>are
>>> audited by default, look for AVC messages, they should tell you all the
>>> information about what was denied, if anything.  For example, here is
>>> what happens when apache tries to access a users home directory when
>>> httpd_enable_homedirs has not been enabled by setsebool.
>>> 
>>> # grep AVC /var/log/audit/audit.log
>>> type=AVC msg=audit(1398804336.495:232531): avc:  denied  { search } for
>>> pid=9160 comm="httpd" name=³test" dev=dm-0 ino=663252
>>> scontext=unconfined_u:system_r:httpd_t:s0
>>> tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
>>> type=AVC msg=audit(1398804336.498:232532): avc:  denied  { getattr }
>>>for
>>> pid=9160 comm="httpd" path="/home/test" dev=dm-0 ino=663252
>>> scontext=unconfined_u:system_r:httpd_t:s0
>>> tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
>>> 
>>> 
>>> ‹ 
>>> Mark Tinberg, System Administrator
>>> Division of Information Technology - Network Services
>>> University of Wisconsin - Madison
>>> 
>>> 
>> 
>