On Mon, 23 Nov 2009, Ken Irwin wrote:
> Hi Joe,
> That's really helpful, thanks.
> Actually finding out what the error message is nice:
> HTTP Error : 500 Can't connect to www.npr.org:80 (connect: Permission denied)
> I've tried this with a few websites and always get the same error, which
> tells me that the problem is on my server side. Any idea what I can
> change so I don't get a permission-denied rejection? I'm not even sure
> what system I should be looking at.
I'm not even sure what could be causing the permission denied.
Normally, I get that response when the port's not open, or there's a
firewall, and I can't think of a time when it'd work from the command
line, but not from a CGI.
(well, okay, one, but it's a really odd case, that wouldn't happen for
most people -- if you edit the web pages from a different machine than
actually serves the pages, they might have the IP of the server blocked
from being able to go outbound as a security privilege. Most security
folks wouldn't even think about this, but I used to work with a former
Wittenberg IT person when I worked on Fark, and Mike came up with some
*very* interesting solutions to things, and one of 'em was adding special
IP pools so our ISP's customers were served special messages by being
routed through an invisible proxy that'd serve alternate pages, such as
informing them that they were late in paying their bills)
They could also be screwing with DNS, but I can think of a reason anyone
would do it, and again it'd be per-machine, not per-user.
Anyway, try running this from both command line and via a CGI, and see if
their output matches:
print "Content-type: text/plain\n\n";
print `uname -a`,"\n\n", `ifconfig -a`;
If you have to connecct using one name to make modifications, but a
different name for the webserver, that could be a sign, as well.
> I tried Vishwam's suggestion of granting 777 permissions to both the
> file and the directory and I get the same response.
Um ... you should _never_ need 777. (occassionally 1777, but I can't
think of a time when 0777 is a good idea.)
777 = executable, readable and writable by _everyone_.
755 = only writable to you.
(1777 has the 'sticky' bit set, which allows the /tmp directory to be
written to, but you can't go deleting other people's files like you could
if it were 0777).
> Is there some Apache setting someplace that says "hey, don't you go making web calls while I'm in charge"?
> (This is a Fedora server running Apache, btw).
It might be possible under suExec, but I'm not that familiar with it, as I
used CGIwrap when I dealt with locking down multi-user systems. (and to
the best of my knowledge, it's not possible with CGIwrap).
And if all of this fails, you might want to consider asking on either:
(just ask on one; odds are, you'll ask on one, and they'll decide that
it's more appropriate on the other one.)