LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices

Reply
 
Search this Thread
Old 03-29-2007, 07:49 AM   #1
timdog28
LQ Newbie
 
Registered: Feb 2007
Posts: 11

Rep: Reputation: 0
Z39.50 protocol


I am trying to access library of congress (US) to retrieve book records for a local database. The LOC site is z3950.loc.gov on port 7090. We have set an ACL in Squid for attempt at enabling, but it's not working. See attached reduced Squid configuraton file (comments removed). We have a client which can access numerous libraries around the world with this tool. However, we are behind a Squid firewall which is disallowing pass through. We have demonstrated access if we are outside the firewall. Any idea how to 'tunnel' through the firewall with this application? Thanks.



# http: Ubuntu/Squid proxy server definitions
#
# WELCOME TO SQUID 2
# ------------------
#
http_port 3128
http_port 80
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache_mem 64 MB
maximum_object_size 50 MB
maximum_object_size_in_memory 32 KB
cache_dir ufs /var/spool/squid 8000 32 256

#Default:
# hosts_file /etc/hosts
#
hosts_file /etc/hosts
request_body_max_size 10 MB

#
# The refresh_pattern lines are checked in the order listed here.
# The first entry which matches is used. If none of the entries
# match the default will be used.
#
# Note, you must uncomment all the default lines if you want
# to change one. The default setting is only active if none is
# used.
#
#Suggested default:
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern ^.deb: 262800 100% 525600
refresh_pattern . 0 20% 4320

#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl SSL_ports port 873
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443 563
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl Safe_ports port 631
acl Safe_ports port 873
acl Safe_ports port 901
acl Safe_ports port 7090
acl Safe_ports port 9099
acl purge method PURGE
acl CONNECT method CONNECT
acl BenAndJosephIPs src 192.168.0.1 192.168.0.25 192.168.0.54 62.24.103.4-62.24.103.8 192.168.0.8
# acl KEMUStaff src 192.168.0.1 192.168.0.100 192.168.0.103 192.168.0.11 192.168.0.125 192.168.0.127 192.168.0.13 192.168.0.14 192.168.0.140 192.168.0.153 192.168.0.154 192.168.0.16 192.168.0.17 192.168.0.18 192.168.0.19 192.168.0.205 192.168.0.215 192.168.0.217 192.168.0.22 192.168.0.221 192.168.0.222 192.168.0.223 192.168.0.25 192.168.0.26 192.168.0.29 192.168.0.3 192.168.0.31 192.168.0.5 192.168.0.51 192.168.0.58 192.168.0.69 192.168.0.7 192.168.0.8 192.168.0.93 192.168.0.208 192.168.0.239
#acl d2 src 192.168.0.104 192.168.0.109 192.168.0.170 192.168.0.22 192.168.0.229 192.168.0.237 192.168.0.24
# KEMUs lab Access Client Lists (acl) defined by IP
# acl complab2 src 192.168.0.33-192.168.0.50
# acl complab4 src 192.168.0.231 192.168.0.239 192.168.0.240 192.168.0.68
# acl cybercafe src 192.168.0.241-192.168.0.251
# Specifying certain acls based on dates and times (combine this with other acls to specify
# when those acls can access the Internet - especially useful for labs)
# acl generaltime time S M T W H F A 00:00-24:00
# acl complab1mactime time M T 08:30-13:00
# acl complab2time time W 14:45-18:30
# acl complab4time time MTWHF 14:00-17:00
# acl cybercafetime time S M T W H F A 07:00-19:00
acl snmpkemu snmp_community kemu
acl computerlabA src 192.168.0.12 192.168.0.13 192.168.0.20
# acl TEMPORARYACCESS src 192.168.0.101 192.168.0.102-192.168.0.110 192.168.0.111-192.168.0.125 192.168.0.128-192.168.0.224 192.168.0.137
# 192.168.0.142 192.168.0.143 192.168.0.144 192.168.0.147 192.168.0.148 192.168.0.149 192.168.0.150 192.168.0.151 192.168.0.154 192.168.0.155 # 192.168.0.160 192.168.0.160 192.168.0.161 192.168.0.163 192.168.0.170 192.168.0.172 192.168.0.177 192.168.0.178 192.168.0.179 192.168.0.181 # 192.168.0.182 192.168.0.183 192.168.0.184 192.168.0.185 192.168.0.197 192.168.0.201 192.168.0.202 192.168.0.203 192.168.0.206 192.168.0.207 # 192.168.0.208 192.168.0.209 192.168.0.210 192.168.0.211 192.168.0.212 192.168.0.213 192.168.0.214 192.168.0.215 192.168.0.218 192.168.0.219 # 192.168.0.226 192.168.0.231 192.168.0.232 192.168.0.233 192.168.0.234 192.168.0.239 192.168.0.240 192.168.0.241 192.168.0.247 192.168.0.251 # 192.168.0.252 192.168.0.31-192.168.0.50 192.168.0.46 192.168.0.55 192.168.0.56 192.168.0.57 192.168.0.62 192.168.0.63 192.168.0.65
# 192.168.0.68-192.168.0.82 192.168.0.85 192.168.0.87 192.168.0.88 192.168.0.94 192.168.0.95 192.168.0.96 192.168.0.97 192.168.0.98
# 192.168.0.99 192.168.0.90
#acl StudentsDHCP src 192.168.0.80-192.168.0.254/255.255.255.0
acl safe_port port 3128
acl safe_port port 80
acl STUDENTS src 192.168.1.1-192.168.1.254/255.255.255.0
acl EVERYONE src 192.168.0.1-192.168.0.254/255.255.255.0

acl FTP port 20
acl FTPout port 21
acl FTPport proto ftp
acl SMTPout port 25
acl POP3in port 110
acl snmp snmp_community public
#acl WorldClient myport 1000
#acl worldclient port 1000

no_cache deny QUERY

#Default:
# http_access deny all
#
#Recommended minimum configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access allow manager
# Only allow purge requests from localhost
http_access allow purge localhost
http_access deny purge
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access allow SSL_ports !SSL_ports
#
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed
#acl our_networks src 192.168.0.0/24 192.168.2.0/24
#http_access allow our_networks
http_access allow localhost

# And finally deny all other access to this proxy
#http_access allow WorldClient
http_access allow BenAndJosephIPs
#http_access allow d2
#http_access deny complab1mac complab1mactime
#http_access allow complab2 complab2time
#http_access allow complab4time
#http_access allow cybercafe cybercafetime
http_access allow KEMUServers
#http_access allow worldclient
#http_access allow KEMUStaff
#http_access deny TEMPORARYACCESS
#http_access allow TEMPORARYACCESS
#http_access allow StudentsDHCP
#http_access allow TEMPORARYACCESS
http_access allow EVERYONE
http_access allow FTP
http_access allow FTPout
http_access allow FTPport
http_access allow SMTPout
http_access allow POP3in
http_access allow snmp
http_access deny all

#Recommended minimum configuration:
#
# Insert your own rules here.
#
#
# and finally allow by default
http_reply_access allow all

#Default:
# icp_access deny all
#
#Allow ICP queries from everyone
icp_access allow all

cache_mgr bkariuki@kemu.ac.ke

# TAG: snmp_port
# Squid can now serve statistics and status information via SNMP.
# By default it listens to port 3401 on the machine. If you don't
# wish to use SNMP, set this to "0".
#
# Note: on Debian/Linux, the default is zero - you need to
# set it to 3401 to enable it.
#
#Default:
snmp_port 3401

# TAG: snmp_access
# Allowing or denying access to the SNMP port.
#
# All access to the agent is denied by default.
# usage:
#
# snmp_access allow|deny [!]aclname ...
#
#Example:
snmp_access allow snmpkemu localhost
snmp_access deny all
#
#Default:
# coredump_dir none
#
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
 
Old 04-01-2007, 10:41 PM   #2
runnerfrog
Member
 
Registered: Jul 2006
Location: Paraná, Argentina
Distribution: Frugalware 0.6 (Terminus) - Kubuntu 7.04 (Feisty Fawn Herd 5)
Posts: 217

Rep: Reputation: 31
Nope. Squid is an http proxy, not a z39.50 proxy. I don't even believe that tunneling non-http flow over an http proxy can be highly recommended here. Many apps can abuse the CONNECT method to get out of the local network instead of supporting SOCKS or other methods for non-HTTP apps; sometimes they give up trying and remove all access rules and antiabuse rules and just go for an "allow all" rule. I don't know if that will happen in this case if you try using squid; fortunately there are better options.
You might be in need of an z39.50 proxy like yaz proxy to reduce load on your server, improve your clients performances through caching and the re-use of already open sessions, protect the back-end by sanitising client requests, and balancing load over multiple back-end servers.
Personally I'll never try that with an http proxy; just to be neat.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Where to turn SSHv1 protocol and SSHv2 protocol on and off Minnie Nguyen Linux - Enterprise 3 07-05-2006 02:12 PM
MEDLINE via z39.50 kosa Linux - Networking 0 01-30-2005 12:58 PM
Unsupported protocol 'Compression Control Protocol' (0x80fd) received RKris Linux - Software 0 08-21-2002 08:24 AM
protocol Eddie9 Linux - General 1 06-06-2002 01:55 AM
Which protocol is better SkYzOpReNiCk Linux - Security 1 11-06-2001 12:51 PM


All times are GMT -5. The time now is 02:37 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration