Re: [squid-users] FTP Access thru Squid 2.7

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 29 Apr 2010 04:26:38 +1200

Milan wrote:
> Good Morning, could you take a look at my config and advise?
>
> On Tue, Apr 27, 2010 at 19:49, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
>> On Tue, 27 Apr 2010 10:44:12 -0400, Milan <compguy030471_at_gmail.com> wrote:
>>> I have a Squid 2.7 build on Windows 2003 and I am trying to allow ftp
>>> access thru the proxy.
>>>
>>> I have added the lines below as suggested:
>>>
>>> acl ftp proto FTP
>>> http_access allow ftp
>>>
>>>
>>> No avail. I can access if I type ftp://username:password@url-path
>>>
>>> Is there any way to configure to access by ftp://ftp.destination.com?
>> The default config allows web browsers to open FTP URLs.
>>
>> The config you tried is only needed if you would otherwise be blocking
>> access.
>> It should work provided that you place it in the right part of squid.conf.
>>
>> Order is important.
>>
>> Amos
>>

You have fallen into the same trap some others did.

Note: Squid reads from the top down and does whatever action the first
matching line states:

  http_access allow manager localhost
... okay.

  http_access allow HEAD
  http_access allow ftp

... HEAD requests and FTP protocol URLs allowed without any mention of
limits on source client or destination server.
  For HEAD requests this is particularly nasty since the whole spam
email via fake HTTP can be trivially transmitted that way.

  http_access allow WindowsUpdate
... free Windows updates for the world. nice.

  http_access allow bypass_auth
  http_access allow bypass_auth-external
  http_access allow Approved_Domains
  http_access allow goto_meeting
  http_access allow Java
  http_access allow Approved_IP
  http_access allow InetAllow

... I could say similar things about several of the other allow lines.
But I think you get the picture.

  http_access deny manager
  http_access deny !Safe_ports
  http_access deny CONNECT !SSL_ports
  http_access deny !our_networks

... these deny lines are the basic security settings for Squid.

What use do you think they are when the next thing done is "deny all"?

They need to be at or very near the top of the list to serve their intended
use for FAST efficient cropping away of unwanted requests.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.1
Received on Wed Apr 28 2010 - 16:26:47 MDT
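
The first-match behaviour described in the message above, as an added example (not part of the original message and not Squid code): a small Python model of http_access evaluation run over the posted rule order and a reordered one. The ACL definitions (LAN range, port lists) and the two sample requests are constructed assumptions; only the ACL names and rule lines come from the thread.

```python
import ipaddress
# Constructed assumptions: ACL definitions and the sample requests below are not from the thread.
OUR_NETWORKS = ipaddress.ip_network("192.168.0.0/16")
SAFE_PORTS, SSL_PORTS = {21, 80, 443}, {443}
ACLS = {
    "all": lambda r: True,
    "HEAD": lambda r: r["method"] == "HEAD",
    "CONNECT": lambda r: r["method"] == "CONNECT",
    "ftp": lambda r: r["proto"] == "FTP",
    "Safe_ports": lambda r: r["port"] in SAFE_PORTS,
    "SSL_ports": lambda r: r["port"] in SSL_PORTS,
    "our_networks": lambda r: ipaddress.ip_address(r["src"]) in OUR_NETWORKS,
}
# Rule order as criticised in the message (subset of the lines quoted there).
AS_POSTED = """
http_access allow HEAD
http_access allow ftp
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny !our_networks
http_access deny all
"""
# Same lines with the basic deny checks moved to the top.
REORDERED = """
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny !our_networks
http_access allow HEAD
http_access allow ftp
http_access deny all
"""

def matches(acl, req):
    # Test one ACL name against a request; a leading '!' negates it.
    return ACLS[acl.lstrip("!")](req) != acl.startswith("!")

def evaluate(rules, req):
    """Return (action, line) for the first line whose ACLs all match."""
    for line in rules.strip().splitlines():
        _, action, *acls = line.split()
        if all(matches(a, req) for a in acls):
            return action, line
    raise ValueError("no rule matched")  # unreachable: both lists end in 'deny all'

OUTSIDE_HEAD = {"src": "203.0.113.7", "method": "HEAD", "proto": "HTTP", "port": 80}
INSIDE_FTP = {"src": "192.168.1.10", "method": "GET", "proto": "FTP", "port": 21}
if __name__ == "__main__":
    for name, rules in (("as posted", AS_POSTED), ("reordered", REORDERED)):
        print(name, evaluate(rules, OUTSIDE_HEAD), evaluate(rules, INSIDE_FTP))
```

With the posted order the outside client's HEAD request is allowed by the first line and never reaches the deny checks; with the deny lines first it is rejected while the inside FTP request is still allowed.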
