Re: [squid-users] Squid and a native FTP-proxy parent?

From: Michael Gale <michael.gale@dont-contact.us>
Date: Tue, 6 Jul 2004 15:45:34 -0600

Hello,

Squid supports HFTP, which is FTP tunneled over HTTP, so no, it is not native FTP. If you want to use an AV scanner, I
suggest the following method.

In squid disable FTP support:
(from my squid conf)
##### Protocol restrictions
acl goodhttp proto HTTP
acl goodftp proto FTP
acl goodhttps proto CONNECT
http_access deny !goodhttp httpstand_ports
http_access deny !goodftp ftpstand_ports <---- Comment out this line to disable FTP
http_access deny !goodhttps SSL_ports

This will make it so only HTTP is available through Squid. Then on the Squid box set up and run frox
(http://frox.sourceforge.net/). With frox you can configure it to pass files off to a virus scanner. You can run it
transparently and use iptables to redirect user FTP connect requests to it, or the user can set up the FTP proxy settings
in the client.

Michael.

On Tue, 6 Jul 2004 23:21:12 +0200
Pierre Spielmann <mlists@pierre-spielmann.de> wrote:

> Hello everyone,
>
> I am configuring a squid in the following environment:
>
> Browser --> SQUID --> AV-filter proxy HTTP/FTP --> application level Firewall
>
> I know that SQUID is not an FTP proxy, but it intercepts/interprets FTP
> over HTTP which is used in this environment.
>
> My problem is that the AV-filter is not doing FTP over HTTP but native
> FTP proxying.
>
> I use the parent directive for the HTTP but I cannot find any
> information on how to get Squid to use native FTP with the AV-filter.
>
> As far as I understood, Squid will only speak FTP over HTTP but never
> native FTP with any parent or sibling proxy. Squid will only speak
> native FTP when it is contacting the final FTP server.
> Am I missing something? Am I right?
>
> This means that the only way to realize the communication would be to
> create an always_direct rule for the ftp and NAT it to the FTP-proxy.
> But this will only work if the FTP-proxy can act as transparent
> proxy....
>
> Does someone have a better idea or a hint how to realize this setup?
>
> Thanks in advance
> Pierre

-- 
Michael Gale
Network Administrator
Utilitran Corporation
Received on Tue Jul 06 2004 - 15:43:42 MDT
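
The setup described in the reply only forces FTP downloads through the scanning proxy if Squid itself refuses ftp:// requests. The following check is an added example, not part of the original message or of Squid: it walks the http_access rules of a squid.conf in order and reports what happens to FTP-protocol requests. The function name ftp_verdict, the ACL names ftp_req and localnet, and both sample configs are constructed for illustration; only proto ACLs and the built-in "all" are evaluated, any other ACL type is treated as unknown.

```python
def ftp_verdict(conf_text, proto="FTP"):
    """Return (verdict, rule) for requests of `proto`: 'deny', 'allow' or 'depends'."""
    proto_acls = {}   # ACL name -> set of protocols it matches
    rules = []        # (action, terms, cleaned config line), in file order
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        f = line.split()
        if len(f) >= 4 and f[0] == "acl" and f[2] == "proto":
            proto_acls.setdefault(f[1], set()).update(p.upper() for p in f[3:])
        elif len(f) >= 3 and f[0] == "http_access" and f[1] in ("allow", "deny"):
            rules.append((f[1], f[2:], line))
    last_action = None
    for action, terms, line in rules:
        last_action = action
        state = True                      # True = certain match, None = unknown
        for term in terms:                # all ACLs on one line are ANDed
            negated, name = term.startswith("!"), term.lstrip("!")
            if name in proto_acls:
                hit = (proto in proto_acls[name]) != negated
            elif name == "all":
                hit = not negated
            else:
                hit = None                # src/port/etc: undecidable from proto alone
            if hit is False:
                state = False
                break
            if hit is None:
                state = None
        if state is True:
            return action, line           # first certain match decides
        if state is None and action == "allow":
            return "depends", line        # FTP can pass when the other ACLs match
        # a conditional deny can only make things stricter: keep looking
    if last_action is None:
        return "deny", None               # no http_access lines: Squid denies
    # No rule matched: Squid applies the opposite of the last rule's action.
    return ("allow" if last_action == "deny" else "deny"), None

# Constructed sample: FTP is refused before any allow rule is reached.
HARDENED = """acl localnet src 192.168.0.0/16
acl ftp_req proto FTP
http_access deny ftp_req
http_access allow localnet
http_access deny all
"""
# Constructed sample: same rules, but the allow comes first, so FTP still passes.
BYPASSABLE = """acl localnet src 192.168.0.0/16
acl ftp_req proto FTP
http_access allow localnet
http_access deny ftp_req
http_access deny all
"""
```

A 'depends' or 'allow' result means clients pointed at Squid can still fetch ftp:// URLs without passing the virus scanner.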
