perfSONAR User Q&A and Other Discussion

["Uhl, George D. (GSFC-423.0)[ARTS]" <>]

My project network provider is running a webproxy and is using WCCP for
interception but only for ports 80 and 443 outbound.  The service I was
using sent to my archive server on port 8086.  It turns out I had a ENV
variable, http_proxy, set in the .bash_profile configuration file in my
home directory that pointed to the webproxy server on port 3218.  This was
forcing the redirect of the traffic I was sending to port 8086 over to the
proxy.  I soon as I commented it out and restarted the traceroute_master
daemon the traceroute results were sent to the MA.

What's weird is that the other perfSONAR traffic that use URLs for sending
OWAMP (port 8569) and BWCTL (port 8570) were not being redirected.

Thanks,
George



On 4/30/14 1:11 PM, "Uhl, George D. (GSFC-423.0)[ARTS]"
<>
 wrote:

>It looks like I'm getting a wccp interception that's redirecting me to a
>web proxy.  This is an unannounced new free service offered to my
>perfSONAR host!  The domain of the URL I'm trying to reach is not in the
>whitelist.  I've requested to include eos.nasa.gov in the whitelist.  I'm
>betting that my problem will go away after that.
>
>Thanks,
>-George
>
> curl -X GET --dump-header -
>"http://archive.eos.nasa.gov:8086/perfSONAR_PS/services/tracerouteCollecto
>r
>"
>HTTP/1.0 403 Forbidden
>Server: squid/2.6.STABLE21
>Date: Wed, 30 Apr 2014 14:08:30 GMT
>Content-Type: text/html
>Content-Length: 1206
>Expires: Wed, 30 Apr 2014 14:08:30 GMT
>X-Squid-Error: ERR_ACCESS_DENIED 0
>X-Cache: MISS from eoslpwr01.slopen.ecs.nasa.gov
>X-Cache-Lookup: NONE from eoslpwr01.slopen.ecs.nasa.gov:3128
>Via: 1.0 eoslpwr01.slopen.ecs.nasa.gov:3128 (squid/2.6.STABLE21)
>Proxy-Connection: close
>
><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
>"http://www.w3.org/TR/html4/loose.dtd";>
><HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html;
>charset=iso-8859-1">
><TITLE>ERROR: The requested URL could not be retrieved</TITLE>
><STYLE 
>type="text/css"><!--BODY{background-color:#ffffff;font-family:verdana,sans
>-
>serif}PRE{font-family:sans-serif}--></STYLE>
></HEAD><BODY>
><H1>ERROR</H1>
><H2>The requested URL could not be retrieved</H2>
><HR noshade size="1px">
><P>
>While trying to retrieve the URL:
><A 
>HREF="http://archive.eos.nasa.gov:8086/perfSONAR_PS/services/tracerouteCol
>l
>ector">http://archive.eos.nasa.gov:8086/perfSONAR_PS/services/tracerouteCo
>l
>lector</A>
><P>
>The following error was encountered:
><UL>
><LI>
><STRONG>
>Access Denied.
></STRONG>
><P>
>Access control configuration prevents your request from
>being allowed at this time.  Please contact your service provider if
>you feel this is incorrect.
></UL>
><P>Your cache administrator is <A
>HREF="mailto:"></A>.
>
>
><BR clear="all">
><HR noshade size="1px">
><ADDRESS>
>Generated Wed, 30 Apr 2014 14:08:30 GMT by eoslpwr01.slopen.ecs.nasa.gov
>(squid/2.6.STABLE21)
></ADDRESS>
></BODY></HTML>
>[root@esdis-ps
> ~]#
>
>
>
>
>On 4/30/14 9:30 AM, "Andrew Lake" 
><>
> wrote:
>
>>Hi George,
>>
>>You can forcibly generate some traffic to 8086 by running something like
>>the following:
>>
>>curl -X GET --dump-header -
>>"http://archive.eos.nasa.gov:8086/perfSONAR_PS/services/tracerouteCollect
>>o
>>r"
>>
>>That's a GET instead of a post but it'd be interesting to see what it
>>does. If it reaches the collector you will see something like the
>>following:
>>
>>HTTP/1.1 200 success
>>Date: Wed, 30 Apr 2014 13:07:00 GMT
>>Server: libwww-perl-daemon/5.827
>>User-Agent: perfSONAR-PS/3.2
>>Content-Length: 825
>>Content-Type: text/xml
>>
>><SOAP-ENV:Envelope
>>xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/";
>>                   xmlns:xsd="http://www.w3.org/2001/XMLSchema";
>>                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
>>                 
>>xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/";>
>>  <SOAP-ENV:Header/>
>>  <SOAP-ENV:Body>
>><nmwg:message xmlns:nmwg="http://ggf.org/ns/nmwg/base/2.0/";
>>id="message.1967190" type="ErrorResponse"><nmwg:metadata
>>id="metadata.16742872"><nmwg:eventType>error.common.transport</nmwg:event
>>T
>>ype></nmwg:metadata><nmwg:data metadataIdRef="metadata.16742872"
>>id="data.9803672"><nmwgr:datum
>>xmlns:nmwgr="http://ggf.org/ns/nmwg/result/2.0/";>Received message with an
>>invalid HTTP request, are you using a web
>>browser?</nmwgr:datum></nmwg:data></nmwg:message>  </SOAP-ENV:Body>
>></SOAP-ENV:Envelope>
>>
>>
>>On Apr 29, 2014, at 5:06 PM, "Uhl, George D. (GSFC-423.0)[ARTS]"
>><>
>> wrote:
>>
>>> Mark,
>>> 
>>> Thanks for following up.  I was running tcpdump on the traceroute
>>>source
>>> host so I used tcpdump to look for it attempting to communicate to the
>>> remote archive server on port 8086.  I'm not seeing anything related to
>>> http or traceroute in audit.log.
>>> 
>>> Thanks again,
>>> -George
>>> 
>>> On 4/29/14 4:53 PM, "Mark Tinberg" 
>>> <>
>>>  wrote:
>>> 
>>>> 
>>>> On Apr 29, 2014, at 2:48 PM, Uhl, George D. (GSFC-423.0)[ARTS]
>>>> <>
>>>>  wrote:
>>>> 
>>>>> Could this have something to do with selinux being enabled on the
>>>>>host?
>>>>> I
>>>>> did a tcpdump on this host and never saw any traffic sent to the MA
>>>>> server
>>>>> on port 8086.
>>>> 
>>>> tcpdump would see the traffic before any packet filtering or selinux
>>>> policy could affect it so if you aren¹t seeing it inbound then it¹s
>>>>not
>>>> getting to the machine at all and you can conclude the problem is not
>>>>on
>>>> the local machine.
>>>> 
>>>>> BTW, I'm prohibited from disabling selinux on this particular host.
>>>> 
>>>> As a point of reference, SELinux logs to the audit subsystem and if
>>>> auditd is running those logs should end up in /var/log/audit/audit.log
>>>> which should be root-only readable.  There are a lot of things which
>>>>are
>>>> audited by default, look for AVC messages, they should tell you all
>>>>the
>>>> information about what was denied, if anything.  For example, here is
>>>> what happens when apache tries to access a users home directory when
>>>> httpd_enable_homedirs has not been enabled by setsebool.
>>>> 
>>>> # grep AVC /var/log/audit/audit.log
>>>> type=AVC msg=audit(1398804336.495:232531): avc:  denied  { search }
>>>>for
>>>> pid=9160 comm="httpd" name=³test" dev=dm-0 ino=663252
>>>> scontext=unconfined_u:system_r:httpd_t:s0
>>>> tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
>>>> type=AVC msg=audit(1398804336.498:232532): avc:  denied  { getattr }
>>>>for
>>>> pid=9160 comm="httpd" path="/home/test" dev=dm-0 ino=663252
>>>> scontext=unconfined_u:system_r:httpd_t:s0
>>>> tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
>>>> 
>>>> 
>>>> ‹ 
>>>> Mark Tinberg, System Administrator
>>>> Division of Information Technology - Network Services
>>>> University of Wisconsin - Madison
>>>> 
>>>> 
>>> 
>>
>