Re: [squid-users] Squid and FTP

From: Colin Coe <colin.coe_at_gmail.com>
Date: Thu, 5 Apr 2012 15:25:01 +0800

On Wed, Apr 4, 2012 at 7:40 PM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> On 4/04/2012 6:01 p.m., Eliezer Croitoru wrote:
>>
>> On 04/04/2012 08:12, Colin Coe wrote:
>>>
>>> Hi all
>>>
>>> I'm trying to get our squid proxy server to allow clients to do
>>> outbound FTP.  The problem is that our corporate proxy uses tcp/8200
>>> for http/https traffic and port 221 for FTP traffic.
>>>
>>> Tailing the squid logs I see that squid is attempting to send all FTP
>>> requests direct instead of going through the corporate proxy.
>>>
>>> Any ideas how I'd configure squid to use the corp proxy for FTP
>>> instead of going direct?
>>>
>>> Thanks
>>>
>>> CC
>>>
>> if you have a parent proxy you should use the never_direct acl.
>>
>>
>>
>> acl ftp_ports port 21
>
>
> Make that "20 21" (note the space between)
>
>
> Amos

Hi all

I've made changes based on these suggestions but it still doesn't
work. My squid.conf looks like:

---
cache_peer 172.22.0.7 parent 8200 0 default no-query no-netdb-exchange proxy-only no-digest no-delay name=other
cache_peer 172.22.0.7 parent 221 0 default no-query no-netdb-exchange proxy-only no-digest no-delay name=ftp
cache_dir ufs /var/cache/squid 4900 16 256
http_port 3128
hierarchy_stoplist cgi-bin ?
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 10.0.0.0/8     # RFC 1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC 1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC 1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
acl ftp_ports port 21 20
acl SSL_ports port 443 21 20
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
cache_peer_access ftp allow ftp_ports
cache_peer_access ftp deny all
never_direct allow ftp_ports
cache_peer_access other deny ftp_ports
acl Prod dst 172.22.106.0/23
acl Prod dst 172.22.176.0/23
acl Dev dst 172.22.102.0/23
acl BOM dstdomain .bom.gov.au
cache deny BOM
always_direct allow Dev
always_direct allow Prod
never_direct allow all
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow localnet
http_access deny all
---
On the proxy server, when I do a 'tcpdump host client and port 3128' I
get nothing more than
---
15:22:19.515518 IP 172.22.106.23.48052 > 172.22.106.10.3128: Flags
[S], seq 2995762959, win 5840, options [mss 1460,sackOK,TS val
1681190449 ecr 0,nop,wscale 7], length 0
15:22:19.515567 IP 172.22.106.10.3128 > 172.22.106.23.48052: Flags
[S.], seq 1966725410, ack 2995762960, win 14480, options [mss
1460,sackOK,TS val 699366121 ecr 1681190449], length 0
15:22:19.515740 IP 172.22.106.23.48052 > 172.22.106.10.3128: Flags
[.], ack 1, win 5840, options [nop,nop,TS val 1681190449 ecr
699366121], length 0
15:23:49.606087 IP 172.22.106.23.48052 > 172.22.106.10.3128: Flags
[F.], seq 1, ack 1, win 5840, options [nop,nop,TS val 1681280540 ecr
699366121], length 0
15:23:49.606163 IP 172.22.106.10.3128 > 172.22.106.23.48052: Flags
[.], ack 2, win 14480, options [nop,nop,TS val 699456212 ecr
1681280540], length 0
15:23:49.606337 IP 172.22.106.10.3128 > 172.22.106.23.48052: Flags
[F.], seq 1, ack 2, win 14480, options [nop,nop,TS val 699456212 ecr
1681280540], length 0
15:23:49.606465 IP 172.22.106.23.48052 > 172.22.106.10.3128: Flags
[.], ack 2, win 5840, options [nop,nop,TS val 1681280540 ecr
699456212], length 0
---
Nothing goes into the access.log file from this connection either.
Any ideas?
CC
-- 
RHCE#805007969328369
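The capture pasted above shows a three-way handshake, ninety seconds of silence, and a client-initiated close; every record reports "length 0", so no request bytes ever reached port 3128, which is consistent with the empty access.log (Squid logs a transaction only after it has read a request). The script below is an added example, not part of the original post or of Squid: it unwraps mail-client-wrapped tcpdump text, groups packets per client connection to the proxy port, counts payload bytes in each direction, and reports which side closed first, so the "client never spoke" case can be told apart from "request sent, proxy never answered". The sample input is the capture from the message above; the flow keys, counter names and diagnosis strings are this example's own conventions.

```python
"""Summarise TCP conversations to a proxy port from tcpdump text output.

Added example (not from the mailing-list post). Reads wrapped tcpdump
lines, rebuilds one record per packet, and reports per-connection payload
bytes so a handshake-only flow is obvious.
"""
import re

# One unwrapped tcpdump record: timestamp, src.port > dst.port, flags, length.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\].*?length (?P<len>\d+)$"
)

# Sample input: the capture quoted in the message above (mail-wrapped).
CAPTURE = """\
15:22:19.515518 IP 172.22.106.23.48052 > 172.22.106.10.3128: Flags
[S], seq 2995762959, win 5840, options [mss 1460,sackOK,TS val
1681190449 ecr 0,nop,wscale 7], length 0
15:22:19.515567 IP 172.22.106.10.3128 > 172.22.106.23.48052: Flags
[S.], seq 1966725410, ack 2995762960, win 14480, options [mss
1460,sackOK,TS val 699366121 ecr 1681190449], length 0
15:22:19.515740 IP 172.22.106.23.48052 > 172.22.106.10.3128: Flags
[.], ack 1, win 5840, options [nop,nop,TS val 1681190449 ecr
699366121], length 0
15:23:49.606087 IP 172.22.106.23.48052 > 172.22.106.10.3128: Flags
[F.], seq 1, ack 1, win 5840, options [nop,nop,TS val 1681280540 ecr
699366121], length 0
15:23:49.606163 IP 172.22.106.10.3128 > 172.22.106.23.48052: Flags
[.], ack 2, win 14480, options [nop,nop,TS val 699456212 ecr
1681280540], length 0
15:23:49.606337 IP 172.22.106.10.3128 > 172.22.106.23.48052: Flags
[F.], seq 1, ack 2, win 14480, options [nop,nop,TS val 699456212 ecr
1681280540], length 0
15:23:49.606465 IP 172.22.106.23.48052 > 172.22.106.10.3128: Flags
[.], ack 2, win 5840, options [nop,nop,TS val 1681280540 ecr
699456212], length 0
"""


def unwrap(text):
    """Join lines a mail client wrapped; a tcpdump record ends at 'length N'."""
    records, buf = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        buf.append(line)
        if re.search(r"length \d+$", line):
            records.append(" ".join(buf))
            buf = []
    return records


def parse_ts(ts):
    """'HH:MM:SS.ffffff' -> seconds since midnight as a float."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def summarise(text, proxy_port=3128):
    """Return {'client_ip:port': counters} for every flow touching proxy_port."""
    flows = {}
    for rec in unwrap(text):
        m = LINE_RE.match(rec)
        if not m:
            continue  # not a TCP line in the expected shape; skip it
        sport, dport = int(m["sport"]), int(m["dport"])
        flags, length, ts = m["flags"], int(m["len"]), parse_ts(m["ts"])
        if dport == proxy_port:
            key, direction = f"{m['src']}:{sport}", "to_proxy"
        elif sport == proxy_port:
            key, direction = f"{m['dst']}:{dport}", "from_proxy"
        else:
            continue
        f = flows.setdefault(key, {"packets": 0, "to_proxy": 0, "from_proxy": 0,
                                   "syn": False, "first_fin": None,
                                   "start": ts, "end": ts})
        f["packets"] += 1
        f[direction] += length        # payload bytes, not header bytes
        f["end"] = ts
        if "S" in flags and direction == "to_proxy":
            f["syn"] = True
        if "F" in flags and f["first_fin"] is None:
            f["first_fin"] = "client" if direction == "to_proxy" else "proxy"
    return flows


def diagnose(flow):
    """Short verdict for one flow, based only on payload byte counts."""
    if flow["syn"] and flow["to_proxy"] == 0 and flow["from_proxy"] == 0:
        return "handshake only: client sent no request bytes, proxy had nothing to log"
    if flow["to_proxy"] > 0 and flow["from_proxy"] == 0:
        return "request sent but no reply bytes from proxy"
    return "data exchanged in both directions"


if __name__ == "__main__":
    for key, f in summarise(CAPTURE).items():
        print(f"{key}: {f['packets']} packets, {f['to_proxy']}B to proxy, "
              f"{f['from_proxy']}B from proxy, closed first by {f['first_fin']}, "
              f"{f['end'] - f['start']:.1f}s -> {diagnose(f)}")
```

Run it against a fresh `tcpdump -n host client and port 3128` capture (the `-n` keeps addresses numeric, which the regex expects); a flow that shows non-zero bytes to the proxy but still leaves no access.log line is the case worth chasing in Squid itself, whereas a handshake-only flow points at the client.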
Received on Thu Apr 05 2012 - 07:25:10 MDT

This archive was generated by hypermail 2.2.0 : Thu Apr 05 2012 - 12:00:02 MDT