Koozali.org: home of the SME Server

Obsolete Releases => SME Server 8.x => Topic started by: dwalton on March 30, 2015, 04:48:05 PM

Title: Office Depot and Staples
Post by: dwalton on March 30, 2015, 04:48:05 PM
I was hoping I could get some help.

Our business relies on checking prices against Office Depot, Staples and Quill. Since about 2 weeks ago we are not able to access any of those websites from inside our SME Server. If I bypass the SME and connect directly to my Verizon modem I am able to access those sites. We have not made any changes to our server and I have tried the following.

1. Existing SME Server 7.5.1 (yes I know it's now the most current)
2. A back up of the existing server
3. Clear OS 6.0

All of these giving the same results.

Any help or suggestions are appreciated.


Title: Re: Office Depot and Staples
Post by: dwalton on March 30, 2015, 04:55:51 PM
Sorry I meant to post the error

Request Timeout
The server timed out while waiting for the browser's request.

Reference #2.aea40517.1427724393.0
Title: Re: Office Depot and Staples
Post by: Stefano on March 30, 2015, 04:56:40 PM
you should:

- give us many more details (server only? server and gateway? http proxy server enabled?)
- upgrade asap to SME 8 or, better, SME 9
- remember that you are our eyes, so please take some time to describe how your system should work and to check log files (server-manager, you have a panel to do so)
Title: Re: Office Depot and Staples
Post by: dwalton on March 30, 2015, 05:31:45 PM
Server Mode   servergateway

Proxy Settings

Status    Enabled
Port to filter    8080
Proxy access method    pam
Block Port 3128    
Title: Re: Office Depot and Staples
Post by: Stefano on March 30, 2015, 09:25:23 PM
take a look at squid's log
Title: Re: Office Depot and Staples
Post by: janet on March 30, 2015, 09:55:25 PM
dwalton

What are the specific URLs that you say you cannot access anymore ?
If you tell us what they are, then we can try accessing them from behind sme server.

Although you say you made no changes, are you downloading squid rules from time to time? Maybe an update there is now causing the sites to be listed & blocked.

Please show us the exact error in squid log when (time) you try to access one of those blocked sites.

Have you tried disabling the proxy filtering on port 8080 & allow proxy access via standard port 3128 ?
Doing this will prove whether the basic sme server setup is the problem, or not !
Title: Re: Office Depot and Staples
Post by: dwalton on March 30, 2015, 10:47:09 PM
The sites are officedepot.com, and staples.com

If I bypass the SME server and connect directly to the providers router I am able to access both sites without issues.

I have not updated anything on this server for at least a year.

Mon Mar 30 15:36:09 2015  15665 127.0.0.1 TCP_MISS/200 3828 CONNECT 10.0.1.1:443 dwalton DIRECT/10.0.1.1 -
Mon Mar 30 15:36:18 2015  29217 127.0.0.1 TCP_MISS/200 75097 CONNECT 10.0.1.1:443 dwalton DIRECT/10.0.1.1 -
Mon Mar 30 15:36:27 2015  21249 127.0.0.1 TCP_MISS/408 482 GET http://www.staples.com/ dwalton DIRECT/172.233.15.41 text/html
Mon Mar 30 15:36:45 2015    118 127.0.0.1 TCP_MISS/200 854 POST http://clients1.google.com/ocsp marketing DIRECT/63.96.4.58 application/ocsp-response
Mon Mar 30 15:36:46 2015     78 127.0.0.1 TCP_MISS/200 854 POST http://clients1.google.com/ocsp marketing DIRECT/63.96.4.55 application/ocsp-response
Mon Mar 30 15:36:46 2015   1007 127.0.0.1 TCP_DENIED/407 1742 POST http://t001.aa.avast.com/receive - NONE/- text/html
Mon Mar 30 15:36:46 2015  20015 127.0.0.1 TCP_MISS/408 482 GET http://www.staples.com/ dwalton DIRECT/172.233.15.41 text/html
Mon Mar 30 15:36:54 2015  18651 127.0.0.1 TCP_MISS/200 396 POST http://su.ff.avast.com/R/A1IKIGJmZGRlODYzOTRiNzQ5MmRiMDRmNjY1YjEzNmRiOGNiEgQAMQcUGKwBIgH-KgQIAxAAKgkIBBCQ_-6QxikyDAgEEJD_7pDGKRiACjjWj4BI dwalton DIRECT/77.234.42.62 application/octet-stream
Mon Mar 30 15:36:58 2015      0 127.0.0.1 TCP_DENIED/407 2093 POST http://su.ff.avast.com/R/A1oKIGFiMzEyNTdkZTczMDRkMjU4MjdlNGNmNDQ2ODA0YjJjEgQAJAMVGJABIgH_OKeRiFBCILXW8pur-CZkCXbkwSo17UD0fSA2OWlOuKqF6lllJ21OSICClAg= - NONE/- text/html

Quote
Have you tried disabling the proxy filtering on port 8080 & allow proxy access via standard port 3128 ?
Doing this will prove whether the basic sme server setup is the problem, or not !

Yes I tried that and same issue.

Title: Re: Office Depot and Staples
Post by: janet on March 31, 2015, 01:05:07 AM
dwalton

Quote
Have you tried disabling the proxy filtering on port 8080 & allow proxy access via standard port 3128 ?
Doing this will prove whether the basic sme server setup is the problem, or not !

Yes I tried that and same issue.

Did you do a post upgrade & a reboot on the server to allow that setting change to take effect ?
ie refer to the Dansguardian wiki article re how to reset to default behaviour using port 3128

http://wiki.contribs.org/Dansguardian#Configuring_your_system_to_force_Dansguardian_usage_.26_prevent_bypassing

config setprop squid TransparentPort 3128
config setprop squid Transparent yes
config delprop dansguardian portblocking
signal-event post-upgrade; signal-event reboot
Title: Re: Office Depot and Staples
Post by: TerryF on March 31, 2015, 01:21:24 AM
While this is no solution, it may not be unexpected that a system that is using a now dead release and "I have not updated anything on this server for at least a year." is having issues; the only realistic solution may end up being to upgrade and restore from backup.
Title: Re: Office Depot and Staples
Post by: dwalton on March 31, 2015, 02:36:35 AM
Terry
You are correct. This is why I ran Clear OS most current version to see if it was the SME or Clear or both.

Keep in mind I can access any other site!
Title: Re: Office Depot and Staples
Post by: janet on March 31, 2015, 03:28:13 AM
dwalton

Quote
You are correct. This is why I ran Clear OS most current version to see if it was the SME or Clear or both.
Keep in mind I can access any other site!

There have been many posts over the years re DNS not resolving correctly to certain specific websites, but are OK for all others.
There are many possible reasons including ISP's DNS servers not updating/resolving correctly etc or even the root servers that sme server accesses.
I would also ask, do you have a specific DNS server setup in your sme server, look in server manager panel to see, if you are unsure ?
We need to isolate whether it is an sme or an external issue.
To narrow down the suspects, please answer my earlier questions.
ie
Did you do a post upgrade & a reboot on the server to allow that setting change to take effect ?
ie refer to the Dansguardian wiki article re how to reset to default behaviour using port 3128

http://wiki.contribs.org/Dansguardian#Configuring_your_system_to_force_Dansguardian_usage_.26_prevent_bypassing

config setprop squid TransparentPort 3128
config setprop squid Transparent yes
config delprop dansguardian portblocking
signal-event post-upgrade; signal-event reboot

To say it again, you really should upgrade ASAP to sme8, as there may be issues using the old & insecure sme 7.5.1
You can upgrade using a CD/DVD, make sure to do a full backup first.
Title: Re: Office Depot and Staples
Post by: TerryF on March 31, 2015, 04:29:59 AM
dwalton
Quote
There have been many posts over the years re DNS not resolving correctly to certain specific websites, but are OK for all others.
There are many possible reasons including ISP's DNS servers not updating/resolving correctly etc or even the root servers that sme server accesses.
I would also ask, do you have a specific DNS server setup in your sme server, look in server manager panel to see, if you are unsure ?
We need to isolate whether it is an sme or an external issue.

+1 Janet

I am not smart enough to think of anything else, but the ref to avast in the logs elicits a bit of curiosity..
Title: Re: Office Depot and Staples
Post by: janet on March 31, 2015, 05:39:59 AM
dwalton

Quote
TerryF wrote:
.....the ref to avast in the logs elicits a bit of curiosity..

Yes I agree.
dwalton, what does avast mean to you, are you using that antivirus system or some external AV proxy ???

Title: Re: Office Depot and Staples
Post by: Stefano on March 31, 2015, 10:10:37 AM
My guess is that avast (installed on the lan side clients) is trying to update, so IMHO it's not involved in the issue
Title: Re: Office Depot and Staples
Post by: TerryF on March 31, 2015, 10:23:57 AM
Quote
My guess is that avast (installed on the lan side clients) is trying to update, so IMHO it's not involved in the issue

Then that would also indicate that avast's website is also not reachable, so far from just two sites; does the server have access at all to the internet? Easy to check from the console.
Title: Re: Office Depot and Staples
Post by: Stefano on March 31, 2015, 10:45:16 AM
I read "denied" so it's not unreachable, just denied (proxied)
Title: Re: Office Depot and Staples
Post by: dwalton on March 31, 2015, 08:27:34 PM
Quote
dwalton

Did you do a post upgrade & a reboot on the server to allow that setting change to take effect ?
ie refer to the Dansguardian wiki article re how to reset to default behaviour using port 3128

http://wiki.contribs.org/Dansguardian#Configuring_your_system_to_force_Dansguardian_usage_.26_prevent_bypassing

config setprop squid TransparentPort 3128
config setprop squid Transparent yes
config delprop dansguardian portblocking
signal-event post-upgrade; signal-event reboot

Ok I ran the commands in putty. I have set my proxy to 3128. Still same issue.

Notice Office Depot and Staples giving a 408 error

Tue Mar 31 13:14:01 2015  33837 10.0.1.10 TCP_MISS/200 690024 CONNECT 10.0.1.1:443 dwalton DIRECT/10.0.1.1 -
Tue Mar 31 13:14:14 2015  20120 10.0.1.10 TCP_MISS/408 482 GET http://www.staples.com/ dwalton DIRECT/172.226.50.223 text/html
Tue Mar 31 13:14:50 2015  23628 10.0.1.10 TCP_MISS/200 460715 CONNECT 10.0.1.1:443 dwalton DIRECT/10.0.1.1 -
Tue Mar 31 13:14:53 2015  60591 10.0.1.10 TCP_MISS/200 4755 CONNECT tiles.services.mozilla.com:443 dwalton DIRECT/54.69.103.231 -
Tue Mar 31 13:15:15 2015  20058 10.0.1.10 TCP_MISS/408 482 GET http://www.officedepot.com/ dwalton DIRECT/172.233.33.19 text/html

I have not upgraded to SME 8.0 because I am using dungog-tmda and there is no support after 7.5.1. On that note, I have since tried running Clear OS 6.0 and am having the exact same issue.

However I can ping both websites and I do get a reply from both
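
The access log lines posted in this thread can be summarised mechanically to separate proxy-local denials (407, `NONE/-`) from upstream timeouts (408, `DIRECT/<address>`) and to list which upstream addresses the proxy actually connected to. This is an added example, not part of the thread; the field layout is inferred from the posted lines and the function names are hypothetical.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Lines copied from the log excerpts posted in this thread.
SAMPLE_LOG = """\
Tue Mar 31 13:14:01 2015  33837 10.0.1.10 TCP_MISS/200 690024 CONNECT 10.0.1.1:443 dwalton DIRECT/10.0.1.1 -
Tue Mar 31 13:14:14 2015  20120 10.0.1.10 TCP_MISS/408 482 GET http://www.staples.com/ dwalton DIRECT/172.226.50.223 text/html
Tue Mar 31 13:14:53 2015  60591 10.0.1.10 TCP_MISS/200 4755 CONNECT tiles.services.mozilla.com:443 dwalton DIRECT/54.69.103.231 -
Tue Mar 31 13:15:15 2015  20058 10.0.1.10 TCP_MISS/408 482 GET http://www.officedepot.com/ dwalton DIRECT/172.233.33.19 text/html
Mon Mar 30 15:36:27 2015  21249 127.0.0.1 TCP_MISS/408 482 GET http://www.staples.com/ dwalton DIRECT/172.233.15.41 text/html
Mon Mar 30 15:36:46 2015   1007 127.0.0.1 TCP_DENIED/407 1742 POST http://t001.aa.avast.com/receive - NONE/- text/html
"""

# Field layout inferred from the posted lines (an assumption): timestamp, elapsed ms,
# client, result/status, bytes, method, URL, user, hierarchy/peer, content type.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4})\s+"
    r"(?P<elapsed_ms>\d+) (?P<client>\S+) "
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3}) (?P<bytes>\d+) "
    r"(?P<method>\S+) (?P<url>\S+) (?P<user>\S+) "
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+) (?P<mime>\S+)$"
)

def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["elapsed_ms"] = int(rec["elapsed_ms"])
    # CONNECT entries log host:port, other methods log a full URL.
    if rec["method"] == "CONNECT":
        rec["host"] = rec["url"].rsplit(":", 1)[0]
    else:
        rec["host"] = urlsplit(rec["url"]).hostname or rec["url"]
    return rec

def summarize_failures(log_text, statuses=(407, 408)):
    """Group entries with the given HTTP statuses by (host, status)."""
    summary = defaultdict(
        lambda: {"count": 0, "peers": set(), "max_elapsed_ms": 0, "origin": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] not in statuses:
            continue
        entry = summary[(rec["host"], rec["status"])]
        entry["count"] += 1
        entry["max_elapsed_ms"] = max(entry["max_elapsed_ms"], rec["elapsed_ms"])
        # NONE/- means the proxy answered without contacting any upstream server.
        entry["origin"] = "proxy" if rec["hier"] == "NONE" else "upstream"
        if rec["peer"] != "-":
            entry["peers"].add(rec["peer"])
    return dict(summary)

if __name__ == "__main__":
    for (host, status), e in sorted(summarize_failures(SAMPLE_LOG).items()):
        print(host, status, e["origin"], e["count"], sorted(e["peers"]), e["max_elapsed_ms"])
```

The upstream addresses listed for a failing host are the ones to compare against what another resolver returns for the same name.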

Title: Re: Office Depot and Staples
Post by: dwalton on March 31, 2015, 08:30:33 PM
Quote
dwalton

Yes I agree.
dwalton, what does avast mean to you, are you using that antivirus system or some external AV proxy ???

Yes I am using AVG avast. I set the avast.com to the allowed list and this cleared up on the logs.
Title: Re: Office Depot and Staples
Post by: dwalton on March 31, 2015, 08:45:41 PM
Thank you to everyone who is trying to resolve my issue.

1. Let me re-iterate. I can set it to transparent proxy and still cannot access those 2 websites from either SME or Clear OS
2. I can access anything else out there. HP, Canon, Dell, Google, Espn, CNN etc...
3. If I bypass the SME or the Clear OS servers and plug in directly to the router provided by my ISP I have no problem reaching the 2 sites (Thinking I was blacklisted, but I am not)

4. Does anyone else have a problem accessing those 2 sites behind the proxy?



Title: Re: Office Depot and Staples
Post by: janet on March 31, 2015, 09:51:57 PM
dwalton

I can access both those sites using Firefox OK, from behind a sme 8.1 server using ADSL2+ in Australia.
I can access them OK from another location via mobile.

Your tests are suggestive that sme server is not involved in this problem
ie another completely different OS has the same issue, so it is likely an external issue or a configuration issue.
You also said you made no changes to your sme server when the problem occurred, so something external happened.

Have you googled 408 errors? The answers are suggestive the problem is timing issues with the website, but timing issues could happen anywhere in the route.

Also you did not answer one of my earlier questions
ie
"I would also ask, do you have a specific DNS server setup in your sme server, look in server manager panel to see, if you are unsure ?"
Look in server manager, configuration, Domains, Modify Corporate DNS settings.
There should be (in most situations) no DNS servers shown there, as sme server is capable of resolving requests itself.
If there are DNS server(s) shown, then maybe those are having problems with resolving staples & depot sites in question.

In either case, as you say you have success when connecting directly to your ISP via the router, then you could try setting the same ISP's DNS servers here, & see what happens then.
Check your router or ISP site for details of their DNS servers.

As I said earlier, & which has been reported many times here over the years, DNS servers can have problems even with just one specific website, for a variety of reasons ie stale info etc.

What is your location & who is your ISP, perhaps others who use the same ISP or are in your location can test those problematic sites.

You could also try setting up a sme8.1 server & leave all settings at defaults except the basic settings you need to make to attach to your network.
Title: Re: Office Depot and Staples
Post by: Stefano on March 31, 2015, 09:52:46 PM
you can re-iterate as many times you want, but:
- you are using an old and unsupported version
- you have the same issue using a brand new distro
- you just keep asking for how to solve the issue

anyway, HTTP Error 408 means Request timeout.. my guess is that if there's a proxy in the middle, something is wrong on remote side..
and that is demonstrated by the fact that changing squid version things don't change, but removing/bypassing proxy, everything works again.

Title: Re: Office Depot and Staples
Post by: janet on March 31, 2015, 10:11:46 PM
dwalton

Quote
Yes I am using AVG avast. I set the avast.com to the allowed list and this cleared up on the logs.

Exactly which "allowed list" are you referring to.
Title: Re: Office Depot and Staples
Post by: janet on March 31, 2015, 10:17:43 PM
dwalton

Quote
I have not upgraded to SME 8.0 because I am using dungog-tmda and there is no support after 7.5.1.

You have an insecure server with known vulnerabilities !
Why are you concerned about spam when your server is at risk of easily being hacked ?
You should upgrade immediately to at least sme8.1 or better still make the switch to sme9.
You do not need tmda & it is not supported anymore, better implementations of spam filtering techniques exist in sme8 & 9, so rely on those.
If you really want, enable greylisting & you probably will not receive a single piece of spam.
Title: Re: Office Depot and Staples
Post by: Stefano on March 31, 2015, 10:22:59 PM
if you upgrade to SME 8/9, you have the always_direct directive in squid and you'd solve your problem with a custom fragment

it's up to you..

moreover, since 7.5.1 is unsupported, your question is OT in this forum
Title: Re: Office Depot and Staples
Post by: dwalton on March 31, 2015, 11:16:54 PM
Quote
dwalton

I can access both those sites using Firefox OK, from behind a sme 8.1 server using ADSL2+ in Australia.
I can access them OK from another location via mobile.

Your tests are suggestive that sme server is not involved in this problem
ie another completely different OS has the same issue, so it is likely an external issue or a configuration issue.
You also said you made no changes to your sme server when the problem occurred, so something external happened.

Have you googled 408 errors? The answers are suggestive the problem is timing issues with the website, but timing issues could happen anywhere in the route.

Also you did not answer one of my earlier questions
ie
"I would also ask, do you have a specific DNS server setup in your sme server, look in server manager panel to see, if you are unsure ?"
Look in server manager, configuration, Domains, Modify Corporate DNS settings.
There should be (in most situations) no DNS servers shown there, as sme server is capable of resolving requests itself.
If there are DNS server(s) shown, then maybe those are having problems with resolving staples & depot sites in question.

In either case, as you say you have success when connecting directly to your ISP via the router, then you could try setting the same ISP's DNS servers here, & see what happens then.
Check your router or ISP site for details of their DNS servers.

As I said earlier, & which has been reported many times here over the years, DNS servers can have problems even with just one specific website, for a variety of reasons ie stale info etc.

What is your location & who is your ISP, perhaps others who use the same ISP or are in your location can test those problematic sites.

You could also try setting up a sme8.1 server & leave all settings at defaults except the basic settings you need to make to attach to your network.

I have nothing in my DNS set up. It is blank
I am using Verizon Fios and I am located in Dallas TX.
I have no problem installing the newest freshest version but I am not sure that will solve this issue.
Title: Re: Office Depot and Staples
Post by: Stefano on March 31, 2015, 11:41:55 PM
not out of the box, but, I repeat, you can customize it "in the SME way" and solve it
Title: Re: Office Depot and Staples
Post by: janet on April 01, 2015, 12:38:41 AM
dwalton
Quote
I have nothing in my DNS set up. It is blank

OK fine, so that means you do not have a specific DNS server configured in sme server setups, that might have been causing a problem.

Then I suggest as an experiment, that you enter your ISPs DNS server address, the same one that is used by your router in standalone mode,
then check access to those sites.

Edit:
A quick Google search found numerous issues using Verizon FiOS DNS server eg causing slow response times.
Sounds similar to your issues, so maybe you need to specify Google's DNS servers or some other Public DNS service eg google is
8.8.8.8
see one search result example here, but please search for yourself as there are plenty of other problems users are reporting
eg search on Verizon FIOS DNS servers
https://www.getharvest.com/help/i-use-verizon-fios-and-am-having-trouble-connecting-to-harvest
Title: Re: Office Depot and Staples
Post by: dwalton on April 01, 2015, 04:48:25 AM
Quote
dwalton
OK fine, so that means you do not have a specific DNS server configured in sme server setups, that might have been causing a problem.

Then I suggest as an experiment, that you enter your ISPs DNS server address, the same one that is used by your router in standalone mode,
then check access to those sites.

Edit:
A quick Google search found numerous issues using Verizon FiOS DNS server eg causing slow response times.
Sounds similar to your issues, so maybe you need to specify Google's DNS servers or some other Public DNS service eg google is
8.8.8.8
see one search result example here, but please search for yourself as there are plenty of other problems users are reporting
eg search on Verizon FIOS DNS servers
https://www.getharvest.com/help/i-use-verizon-fios-and-am-having-trouble-connecting-to-harvest


Janet,

I want to thank you and everyone here. You have been very diligent in helping me with this issue. I followed your suggestions and behold you nailed it.

I changed the DNS as you suggested, first trying Google's public DNS 8.8.8.8 and 8.8.4.4, and I was able to get to staples.com. Wow I was thrilled. I then tried office depot but still had the dreaded "request timeout". So I tried a different public primary and secondary DNS and so far so good.

Of course I will test across the network tomorrow during work hours... I am not sure how I will address this with my ISP provider. They will claim it's not their issue, because I can get to it just fine if I remove the sme server.

I can't thank you enough for your help and not giving up on my issue.

Respectfully
DLW