Re: ftp via parent not possible ?

From: Martin Ibert <mib@dont-contact.us>
Date: Thu, 26 Nov 1998 17:07:33 +0100

Michael P. Wagner wrote:
>
> Hi,
>
> I can't get squid 2 to resolve ftp-requests via a parent cache.
> ICP messages are sent and answered correctly (aka log).
>
> Does a parent cache only work for http ?

Yes and no. What you want to do (and what should actually work
quite well) is that the inner Squid does not translate the HTTP
request for an ftp:// URL to FTP itself, but forwards it (as an
HTTP request) to the outer Squid, which then converts it into an
FTP request (i. e., talks the FTP protocol to an external FTP
server) and sends the result back as an HTTP result to the
inner Squid, who passes the result on to the original client.

It is very important to notice that although an ftp:// URL is
concerned, the client speaks HTTP to the inner Squid, who then speaks
HTTP to the outer Squid, who then speaks FTP to the FTP server.

So if you can get your inner Squid to forward all requests to
the outer Squid, it should work for ftp:// URLs as well as for
http:// URLs.

> The setup is as follows:
> [browser] - [inner firewall with squid]-demilitarized zone-[outer
> firewall with squid]-internet
> which is not too unusual I think.

I don't know how usual it is, but I would recommend such a setup.
If your "firewalls" are really screening routers, then putting
such a complex piece of software as Squid onto them is not such
a clever idea. Even less so if the same complex piece of software
runs on both screening routers. Just imagine someone found
a way to compromise systems running Squid (buffer overflow in the
code - anything goes). I really don't want to insult the people
who develop this wonderful software, but it happens to just about
anyone sooner or later. If I can compromise both your screening
routers by attacking the Squids running on them, I can alter the
screening rules and get all data on your internal network for free.

[This is of course off-topic in this list. Take it offline if you
wish to discuss it.]

-- 
-----------------------------------------------------------------
Dipl.-Inform. Martin Ibert - phone: +49-30-245-56582, fax: -56577
BB-DATA Systemhaus GmbH, Brunnenstraße 111, 13355 Berlin, Germany
------------------ http://www.asdis.de/ -- mailto:mib@asdis.de --
Received on Thu Nov 26 1998 - 09:19:03 MST
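
The condition the reply above depends on, that the inner Squid forwards every request (ftp:// as well as http://) to the outer one, can be checked against the inner squid.conf. This is an added example, not part of the original post or of Squid. `cache_peer` and `never_direct` are Squid directives; the host name, ports and both sample configurations are constructed, and the check is deliberately simplified.

```python
# Added example: audit an inner squid.conf for "forward everything to a parent".
# Host name, ports and both sample configs below are constructed.

INNER_WEAK = """\
# a parent is declared, but nothing stops the inner Squid from going direct
cache_peer outer.dmz.example parent 3128 3130
"""

INNER_FIXED = """\
cache_peer outer.dmz.example parent 3128 3130 default
acl all src 0.0.0.0/0.0.0.0
never_direct allow all
"""

def directives(conf):
    """Yield the token list of each non-blank, non-comment squid.conf line."""
    for line in conf.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line.split()

def audit(conf):
    """Return a list of findings; an empty list means the check passed."""
    parents, never_direct, findings = [], [], []
    for tok in directives(conf):
        # cache_peer <host> <type> <http-port> <icp-port> [options]
        if tok[0] == "cache_peer" and len(tok) >= 5 and tok[2] == "parent":
            parents.append(tok[1])
        elif tok[0] == "never_direct":
            never_direct.append(tok[1:])
    if not parents:
        findings.append("no cache_peer of type parent")
    # Access lists are first-match. Simplification: only the unconditional
    # form is accepted, and "all" is assumed to be the match-everything ACL.
    if not never_direct or never_direct[0] != ["allow", "all"]:
        findings.append("first never_direct rule is not 'allow all'")
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", INNER_WEAK), ("fixed", INNER_FIXED)):
        print(name, audit(conf) or "ok")
```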
