Re: [squid-users] Squid 2.5-STABLE3 and FTP response codes

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Sun, 16 Nov 2003 18:55:44 +0100 (CET)

On Sun, 16 Nov 2003, David F. Severski wrote:

> When going to an FTP site that does not accept anonymous FTP connections
> (ftp://nac-client.na-corp.com/), my commercial (HTTP/1.1) proxies respond
> with '401 Authentication Required' after the initial anonymous login fails.
> Squid, however, responds with 403 Forbidden.

Yes.

> The 401 is the desired response as Netscape and Mozilla helpfully pop up
> a prompt for the user credentials for the FTP site in response to a 401.
> Receiving the 403 back stops this from occurring and results in an error
> message to the end user.

There are several technical difficulties in doing this at the protocol
level. The most apparent is that the user will not be able to reach the
anonymous-FTP section of the FTP server after logging in without first
quitting his browser.

> Is there a way to cause Squid to generate the desired 401 code in
> response to an initial anonymous FTP login failing? Having users rewrite
> the URL to the familiar ftp://user:pass@site/ syntax is not a very
> palatable option.

With some coding this is fully possible. Thinking here... changing the
code to challenge for authentication on failed login is not hard, but it
needs to be investigated if this can be done in a manner not breaking
anonymous access.

> not reveal any hits for this particular behavior. For that matter, I am
> unable to easily locate an RFC spec for just how FTP-over-HTTP is
> supposed to work, so perhaps this is a nebulous area all-together.

FTP-over-HTTP is specified by cross-reading two RFCs:

a) The URL specification on the meaning of ftp:// URLs (where ftp://host/
is clearly defined as anonymous FTP only)

b) The HTTP RFCs on how the proxy is allowed to act towards the client. The
protocol used by the client when requesting ftp:// URLs via a proxy is HTTP,
not FTP. The proxy then acts sort of like a virtual web server to the
client, providing access to the ftp:// objects named by the client.

Unfortunately this leaves a great deal of the fine details unspecified,
such as whether it is allowed to use HTTP authentication if the credentials
provided in the URL are not sufficient etc. For convenience most proxies
do this in one way or another, but the only standard method is
ftp://user:password@host/

Regards
Henrik
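An added example, not Squid's code and not written by either poster, sketching the proxy-side decision discussed above: an ftp:// URL without userinfo is treated as anonymous FTP (RFC 1738), a failed FTP login is mapped either to the 403 the thread reports for Squid 2.5 or to a 401 with a WWW-Authenticate challenge so the browser prompts, and the password in a ftp://user:password@host/ URL is masked before the URL reaches an access log. The function names, the rule that only an anonymous login failure gets challenged (so URLs that already carry credentials are not re-prompted), the realm string and the placeholder e-mail address are this example's own assumptions.

```python
"""Proxy-side handling of FTP login failures for ftp:// URLs (added example).

Not Squid code. Helper names, the challenge rule and the realm format are
assumptions made for this example.
"""
from typing import Dict, Tuple
from urllib.parse import unquote, urlsplit, urlunsplit

# RFC 1738 anonymous-FTP convention: user "anonymous", password = e-mail address.
ANON_USER = "anonymous"
ANON_PASS = "user@example.invalid"  # constructed placeholder, not a real address


def ftp_credentials(url: str) -> Tuple[str, str, str, bool]:
    """Return (host, user, password, is_anonymous) for an ftp:// URL.

    ftp://host/ with no userinfo means anonymous FTP; ftp://user:pass@host/
    carries explicit credentials (percent-decoded here).
    """
    parts = urlsplit(url)
    if parts.scheme != "ftp":
        raise ValueError("not an ftp:// URL: %r" % url)
    host = parts.hostname or ""
    if parts.username is None:
        return host, ANON_USER, ANON_PASS, True
    return host, unquote(parts.username), unquote(parts.password or ""), False


def http_response_for_login_failure(url: str, ftp_reply: int,
                                    challenge: bool) -> Tuple[int, Dict[str, str]]:
    """Map a failed FTP login (5xx reply, e.g. 530) to the proxy's HTTP answer.

    challenge=False reproduces the "403 Forbidden" behaviour described for
    Squid 2.5. challenge=True sends "401" plus a WWW-Authenticate header for
    an anonymous login failure, which makes browsers prompt for credentials.
    Because the proxy acts as a virtual web server for ftp:// objects, the
    challenge is 401/WWW-Authenticate (origin-style), not 407/Proxy-Authenticate.
    Assumption: a login that already used explicit credentials still gets 403,
    so plain anonymous URLs are the only ones that trigger a prompt.
    """
    if not 500 <= ftp_reply <= 599:
        raise ValueError("FTP reply %d is not a permanent failure" % ftp_reply)
    host, _user, _password, anonymous = ftp_credentials(url)
    headers = {"Content-Type": "text/html"}
    if challenge and anonymous:
        headers["WWW-Authenticate"] = 'Basic realm="FTP %s"' % host
        return 401, headers
    return 403, headers


def redact_url(url: str) -> str:
    """Mask the password part of ftp://user:password@host/ before logging.

    Credentials embedded in the URL otherwise end up verbatim in access logs.
    """
    parts = urlsplit(url)
    if parts.password is None:
        return url
    netloc = "%s:***@%s" % (parts.username, parts.hostname)
    if parts.port is not None:
        netloc += ":%d" % parts.port
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample: anonymous login refused with FTP reply 530.
    for mode in (False, True):
        status, hdrs = http_response_for_login_failure("ftp://host.example/", 530, mode)
        print("challenge=%s -> %d %s" % (mode, status, hdrs.get("WWW-Authenticate", "")))
    print(redact_url("ftp://bob:s3cr%40t@host.example/pub/"))
```

The interesting caveat Henrik raises shows up in the `anonymous` check: once a browser has answered a 401 from the proxy, it keeps sending that Authorization header to the same virtual server, so a later ftp://host/ request that should be anonymous arrives with the user's credentials instead; the proxy has to decide whether to honour or ignore them, which is exactly the part the RFCs leave unspecified.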
Received on Sun Nov 16 2003 - 10:55:56 MST