Support LQ: Use code LQ3 and save $3 on Domain Registration
Go Back > Forums > Linux Forums > Linux - Server
User Name
Linux - Server This forum is for the discussion of Linux Software used in a server related context.


  Search this Thread
Old 03-29-2007, 07:49 AM   #1
LQ Newbie
Registered: Feb 2007
Posts: 11

Rep: Reputation: 0
Z39.50 protocol

I am trying to access library of congress (US) to retrieve book records for a local database. The LOC site is on port 7090. We have set an ACL in Squid for attempt at enabling, but it's not working. See attached reduced Squid configuraton file (comments removed). We have a client which can access numerous libraries around the world with this tool. However, we are behind a Squid firewall which is disallowing pass through. We have demonstrated access if we are outside the firewall. Any idea how to 'tunnel' through the firewall with this application? Thanks.

# http: Ubuntu/Squid proxy server definitions
# ------------------
http_port 3128
http_port 80
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache_mem 64 MB
maximum_object_size 50 MB
maximum_object_size_in_memory 32 KB
cache_dir ufs /var/spool/squid 8000 32 256

# hosts_file /etc/hosts
hosts_file /etc/hosts
request_body_max_size 10 MB

# The refresh_pattern lines are checked in the order listed here.
# The first entry which matches is used. If none of the entries
# match the default will be used.
# Note, you must uncomment all the default lines if you want
# to change one. The default setting is only active if none is
# used.
#Suggested default:
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern ^.deb: 262800 100% 525600
refresh_pattern . 0 20% 4320

#Recommended minimum configuration:
acl all src
acl manager proto cache_object
acl localhost src
acl to_localhost dst
acl SSL_ports port 443 563
acl SSL_ports port 873
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443 563
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl Safe_ports port 631
acl Safe_ports port 873
acl Safe_ports port 901
acl Safe_ports port 7090
acl Safe_ports port 9099
acl purge method PURGE
acl BenAndJosephIPs src
# acl KEMUStaff src
#acl d2 src
# KEMUs lab Access Client Lists (acl) defined by IP
# acl complab2 src
# acl complab4 src
# acl cybercafe src
# Specifying certain acls based on dates and times (combine this with other acls to specify
# when those acls can access the Internet - especially useful for labs)
# acl generaltime time S M T W H F A 00:00-24:00
# acl complab1mactime time M T 08:30-13:00
# acl complab2time time W 14:45-18:30
# acl complab4time time MTWHF 14:00-17:00
# acl cybercafetime time S M T W H F A 07:00-19:00
acl snmpkemu snmp_community kemu
acl computerlabA src
# # # # # #
#acl StudentsDHCP src
acl safe_port port 3128
acl safe_port port 80
acl STUDENTS src
acl EVERYONE src

acl FTP port 20
acl FTPout port 21
acl FTPport proto ftp
acl SMTPout port 25
acl POP3in port 110
acl snmp snmp_community public
#acl WorldClient myport 1000
#acl worldclient port 1000

no_cache deny QUERY

# http_access deny all
#Recommended minimum configuration:
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access allow manager
# Only allow purge requests from localhost
http_access allow purge localhost
http_access deny purge
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access allow SSL_ports !SSL_ports
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed
#acl our_networks src
#http_access allow our_networks
http_access allow localhost

# And finally deny all other access to this proxy
#http_access allow WorldClient
http_access allow BenAndJosephIPs
#http_access allow d2
#http_access deny complab1mac complab1mactime
#http_access allow complab2 complab2time
#http_access allow complab4time
#http_access allow cybercafe cybercafetime
http_access allow KEMUServers
#http_access allow worldclient
#http_access allow KEMUStaff
#http_access deny TEMPORARYACCESS
#http_access allow TEMPORARYACCESS
#http_access allow StudentsDHCP
#http_access allow TEMPORARYACCESS
http_access allow EVERYONE
http_access allow FTP
http_access allow FTPout
http_access allow FTPport
http_access allow SMTPout
http_access allow POP3in
http_access allow snmp
http_access deny all

#Recommended minimum configuration:
# Insert your own rules here.
# and finally allow by default
http_reply_access allow all

# icp_access deny all
#Allow ICP queries from everyone
icp_access allow all


# TAG: snmp_port
# Squid can now serve statistics and status information via SNMP.
# By default it listens to port 3401 on the machine. If you don't
# wish to use SNMP, set this to "0".
# Note: on Debian/Linux, the default is zero - you need to
# set it to 3401 to enable it.
snmp_port 3401

# TAG: snmp_access
# Allowing or denying access to the SNMP port.
# All access to the agent is denied by default.
# usage:
# snmp_access allow|deny [!]aclname ...
snmp_access allow snmpkemu localhost
snmp_access deny all
# coredump_dir none
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
Old 04-01-2007, 10:41 PM   #2
Registered: Jul 2006
Location: Paraná, Argentina
Distribution: Frugalware 0.6 (Terminus) - Kubuntu 7.04 (Feisty Fawn Herd 5)
Posts: 217

Rep: Reputation: 31
Nope. Squid is an http proxy, not a z39.50 proxy. I don't even believe that tunneling non-http flow over an http proxy can be highly recommended here. Many apps can abuse the CONNECT method to get out of the local network instead of supporting SOCKS or other methods for non-HTTP apps; sometimes they give up trying and remove all access rules and antiabuse rules and just go for an "allow all" rule. I don't know if that will happen in this case if you try using squid; fortunately there are better options.
You might be in need of an z39.50 proxy like yaz proxy to reduce load on your server, improve your clients performances through caching and the re-use of already open sessions, protect the back-end by sanitising client requests, and balancing load over multiple back-end servers.
Personally I'll never try that with an http proxy; just to be neat.


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
Where to turn SSHv1 protocol and SSHv2 protocol on and off Minnie Nguyen Linux - Enterprise 3 07-05-2006 02:12 PM
MEDLINE via z39.50 kosa Linux - Networking 0 01-30-2005 12:58 PM
Unsupported protocol 'Compression Control Protocol' (0x80fd) received RKris Linux - Software 0 08-21-2002 08:24 AM
protocol Eddie9 Linux - General 1 06-06-2002 01:55 AM
Which protocol is better SkYzOpReNiCk Linux - Security 1 11-06-2001 12:51 PM

All times are GMT -5. The time now is 06:34 PM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration