On Mon, 23 Nov 2009, Ken Irwin wrote:

Hi Joe,

That's really helpful, thanks.
Actually finding out what the error message is nice:

HTTP Error : 500 Can't connect to www.npr.org:80 (connect: Permission denied)

I've tried this with a few websites and always get the same error, which tells me that the problem is on my server side. Any idea what I can change so I don't get a permission-denied rejection? I'm not even sure what system I should be looking at.

I'm not even sure what could be causing the permission denied.
Normally, I get that response when the port's not open, or there's a firewall, and I can't think of a time when it'd work from the command line, but not from a CGI.

(well, okay, one, but it's a really odd case, that wouldn't happen for most people -- if you edit the web pages from a different machine than actually serves the pages, they might have the IP of the server blocked from being able to go outbound as a security privilege. Most security folks wouldn't even think about this, but I used to work with a former Wittenberg IT person when I worked on Fark, and Mike came up with some *very* interesting solutions to things, and one of 'em was adding special IP pools so our ISP's customers were served special messages by being routed through an invisible proxy that'd serve alternate pages, such as informing them that they were late in paying their bills)

They could also be screwing with DNS, but I can think of a reason anyone would do it, and again it'd be per-machine, not per-user.

Anyway, try running this from both command line and via a CGI, and see if their output matches:

        #!/bin/perl --
        print "Content-type: text/plain\n\n";
        print `uname -a`,"\n\n", `ifconfig -a`;

If you have to connecct using one name to make modifications, but a different name for the webserver, that could be a sign, as well.

I tried Vishwam's suggestion of granting 777 permissions to both the file and the directory and I get the same response.

Um ... you should _never_ need 777. (occassionally 1777, but I can't think of a time when 0777 is a good idea.)

777 = executable, readable and writable by _everyone_.
755 = only writable to you.

(1777 has the 'sticky' bit set, which allows the /tmp directory to be written to, but you can't go deleting other people's files like you could if it were 0777).

Is there some Apache setting someplace that says "hey, don't you go making web calls 
while I'm in charge"?
(This is a Fedora server running Apache, btw).

It might be possible under suExec, but I'm not that familiar with it, as I used CGIwrap when I dealt with locking down multi-user systems. (and to the best of my knowledge, it's not possible with CGIwrap).


And if all of this fails, you might want to consider asking on either:


(just ask on one; odds are, you'll ask on one, and they'll decide that it's more appropriate on the other one.)


Reply via email to