[squid-users] Problems with Squid and non-anonymous FTP

From: Michael W. Lucas <mwlucas@dont-contact.us>
Date: Mon, 21 Aug 2006 14:11:03 -0400

Hi folks,

I'm having some interesting issues with Squid and non-anonymous FTP.
In an effort to resolve them I've started a second Squid instance with
a stripped-down configuration, just in case any of the fancy stuff we
have is blocking it.

We cannot access non-anonymous FTP sites. Config, logs, and error
messages follow.

Any help or suggestions would be most appreciated.

Thanks,
==ml

Here's the config:

--
cache_access_log /var/log/testsquid/access.log
cache_log /var/log/testsquid/cache.log
cache_store_log /var/log/testsquid/store.log
coredump_dir /var/cache/squid
pid_filename /var/log/testsquid/squid.pid
#stuff from the default
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
#auth_param basic children 5
#auth_param basic realm Squid proxy-caching web server
#auth_param basic credentialsttl 2 hours
#auth_param basic casesensitive off
refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern .		0	20%	4320
acl all src 0.0.0.0/0.0.0.0
#our local network
acl our_networks src 10.0.0.0/8 127.0.0.0/8
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443 563	# https, snews
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
#test clients
http_access allow our_networks 
#acl FTP proto FTP
#always_direct allow FTP
http_access deny all
http_reply_access allow all
icp_access allow all
coredump_dir /usr/local/squid/var/cache

This should look really, really familiar to anyone who has looked at
the default config.

When we browse to an anonymous FTP site, things work fine. Trouble
appears when we access a non-anonymous FTP site. For example, I use a
URL of the form:

ftp://mwlwork@bwb.blackhelicopters.org

(This is a test account I've set up outside our corporate network.)

When I enter this URL in IE, I get the message:

ERROR: Cache Access Denied
While trying to retrieve the URL: ftp://mwlwork@bwb.blackhelicopters.org
The following error was encountered
Cache Access Denied
Sorry, you are not currently allowed to request:
ftp://mwlwork@bwb.blackhelicopters.org/
from this cache until you have authenticated yourself.

In Firefox, I get an error that looks more useful:

An FTP authentication failure occured while trying to retrieve the URL: ftp://mwlwork@bwb.blackhelicopters.org
Squid sent the following FTP command:
PASS <yourpass>
and then received this reply:
Login incorrect

The cache log includes:

2006/08/21 13:32:55| Rebuilding storage in /var/log/testsquid/cache (CLEAN)
2006/08/21 13:32:55| Using Least Load store dir selection
2006/08/21 13:32:55| Set Current Directory to /usr/local/squid/var/cache
2006/08/21 13:32:55| Loaded Icons.
2006/08/21 13:32:55| Accepting HTTP connections at 0.0.0.0, port 3128, FD 16.
2006/08/21 13:32:55| Accepting ICP messages at 0.0.0.0, port 3130, FD 17.
2006/08/21 13:32:55| Accepting SNMP messages on port 3401, FD 18.
2006/08/21 13:32:55| WCCP Disabled.
2006/08/21 13:32:55| Ready to serve requests.
2006/08/21 13:32:55| Done reading /var/log/testsquid/cache swaplog (1157 entries)
2006/08/21 13:32:55| Finished rebuilding storage from disk.
2006/08/21 13:32:55|      1157 Entries scanned
2006/08/21 13:32:55|         0 Invalid entries.
2006/08/21 13:32:55|         0 With invalid flags.
2006/08/21 13:32:55|      1157 Objects loaded.
2006/08/21 13:32:55|         0 Objects expired.
2006/08/21 13:32:55|         0 Objects cancelled.
2006/08/21 13:32:55|         0 Duplicate URLs purged.
2006/08/21 13:32:55|         0 Swapfile clashes avoided.
2006/08/21 13:32:55|   Took 0.3 seconds (4243.9 objects/sec).
2006/08/21 13:32:55| Beginning Validation Procedure
2006/08/21 13:32:55|   Completed Validation Procedure
2006/08/21 13:32:55|   Validated 1157 Entries
2006/08/21 13:32:55|   store_swap_size = 9424k
2006/08/21 13:32:56| storeLateRelease: released 0 objects
2006/08/21 13:35:10| Reconfiguring Squid Cache (version 2.5.STABLE13)...
2006/08/21 13:35:10| FD 16 Closing HTTP connection
2006/08/21 13:35:10| FD 17 Closing ICP connection
2006/08/21 13:35:10| FD 18 Closing SNMP socket
2006/08/21 13:35:10| Cache dir '/var/log/testsquid/cache' size remains unchanged at 4096000 KB
2006/08/21 13:35:10| helperOpenServers: Starting 5 'dnsserver' processes
2006/08/21 13:35:12| Accepting HTTP connections at 0.0.0.0, port 3128, FD 7.
2006/08/21 13:35:12| Accepting ICP messages at 0.0.0.0, port 3130, FD 15.
2006/08/21 13:35:12| Accepting SNMP messages on port 3401, FD 16.
2006/08/21 13:35:12| WCCP Disabled.
2006/08/21 13:35:12| Loaded Icons.
2006/08/21 13:35:12| eventCleanup
2006/08/21 13:35:12| Ready to serve requests.

access.log includes these entries for this request (plus a sample to
show that we are talking to the Net):

1156181666.709    106 10.184.184.193 TCP_REFRESH_HIT/200 358 GET http://i.a.cnn.net/cnn/.element/img/1.5/main/sect.gray.gradient_334.gif - DIRECT/64.236.42.21 image/gif
1156181666.722    108 10.184.184.193 TCP_REFRESH_HIT/200 337 GET http://i.a.cnn.net/cnn/.element/img/1.1/misc/cl/cl_bar.gif - DIRECT/64.236.42.22 image/gif
1156181666.726    110 10.184.184.193 TCP_REFRESH_HIT/200 326 GET http://i.a.cnn.net/cnn/.element/img/1.5/main/cnn_vert.dash.gif - DIRECT/64.236.42.30 image/gif
1156181666.729     44 10.184.184.193 TCP_REFRESH_HIT/200 1039 GET http://i.a.cnn.net/cnn/.element/img/1.3/main/tv/time_tab.gif - DIRECT/64.236.42.38 image/gif
1156181666.836    106 10.184.184.193 TCP_REFRESH_HIT/200 1407 GET http://www.cnn.com/favicon.ico - DIRECT/64.236.16.20 image/x-icon
1156181666.877     41 10.184.184.193 TCP_HIT/200 1407 GET http://www.cnn.com/favicon.ico - NONE/- image/x-icon
1156181672.956    244 10.184.184.193 TCP_MISS/401 1706 GET ftp://mwlwork@bwb.blackhelicopters.org/ - DIRECT/198.22.63.43 text/html
1156181675.284    962 10.184.184.193 TCP_MISS/401 1455 GET ftp://mwlwork@bwb.blackhelicopters.org/ - DIRECT/198.22.63.43 text/html
1156181690.780     25 10.184.184.193 TCP_MISS/401 1706 GET ftp://mwlwork@bwb.blackhelicopters.org/ - DIRECT/198.22.63.43 text/html
1156181718.106    118 10.184.184.193 TCP_MISS/401 1706 GET ftp://mwlwork@bwb.blackhelicopters.org/ - DIRECT/198.22.63.43 text/html

-- 
Michael W. Lucas    mwlucas@FreeBSD.org, mwlucas@BlackHelicopters.org
    http://www.BlackHelicopters.org/~mwlucas/
    Latest book: PGP & GPG -- http://www.pgpandgpg.com
"The cloak of anonymity protects me from the nuisance of caring." -Non Sequitur
Received on Mon Aug 21 2006 - 12:11:07 MDT
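The access.log lines quoted above show the FTP username recorded as part of the URL, and a URL of the form ftp://user:pass@host would be recorded the same way, password included. As an added example (not from the post or from Squid), this Python parses Squid 2.5 native-format access.log lines, lists requests whose URL carried userinfo, counts 401 responses per destination host, and masks an embedded password before the line is forwarded elsewhere; the sample log lines are constructed, with made-up client/peer addresses and hostnames.

```python
from collections import Counter
from urllib.parse import urlsplit, urlunsplit

# Constructed sample in Squid 2.5 native access.log layout (same field order
# as the post's lines; client/peer addresses and hostnames are made up).
SAMPLE_LOG = """\
1156181666.709    106 10.0.0.5 TCP_REFRESH_HIT/200 358 GET http://www.example.com/a.gif - DIRECT/192.0.2.10 image/gif
1156181672.956    244 10.0.0.5 TCP_MISS/401 1706 GET ftp://mwlwork@ftp.example.org/ - DIRECT/198.51.100.7 text/html
1156181675.284    962 10.0.0.5 TCP_MISS/401 1455 GET ftp://mwlwork@ftp.example.org/ - DIRECT/198.51.100.7 text/html
1156181690.780     25 10.0.0.5 TCP_MISS/200 9000 GET ftp://mwlwork:s3cret@ftp.example.org/pub/ - DIRECT/198.51.100.7 text/html
1156181700.000     30 10.0.0.5 TCP_MISS/200 512 GET ftp://ftp.example.org/ - DIRECT/198.51.100.7 text/html
"""

def parse_line(line):
    # Fields: time elapsed client action/code bytes method URL ident hierarchy/peer type
    f = line.split()
    if len(f) < 10:
        raise ValueError("not a native-format access.log line: %r" % line)
    action, _, status = f[3].partition("/")
    return {"time": float(f[0]), "client": f[2], "action": action,
            "status": int(status), "method": f[5], "url": f[6],
            "host": urlsplit(f[6]).hostname}

def records(log_text):
    return [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]

def find_credential_urls(log_text):
    # URLs that carried userinfo (ftp://user[:pass]@host): logged in cleartext.
    hits = []
    for rec in records(log_text):
        u = urlsplit(rec["url"])
        if u.username is not None:
            hits.append({"client": rec["client"], "host": u.hostname,
                         "username": u.username, "status": rec["status"],
                         "has_password": u.password is not None})
    return hits

def auth_failures_by_host(log_text):
    # 401s per destination host; repeated prompts for one ftp:// host cluster here.
    return Counter(r["host"] for r in records(log_text) if r["status"] == 401)

def redact_userinfo(url):
    # Mask an embedded password before shipping the line; keep the username.
    u = urlsplit(url)
    if u.password is None:
        return url
    hostport = u.netloc.rsplit("@", 1)[1]   # keep host:port exactly as logged
    return urlunsplit((u.scheme, "%s:***@%s" % (u.username, hostport),
                       u.path, u.query, u.fragment))
```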