Fwd: [squid-users] Squid and FTP

From: Colin Coe <colin.coe_at_gmail.com>
Date: Thu, 5 Apr 2012 17:14:18 +0800

Oops, and sent to list.

On Thu, Apr 5, 2012 at 4:26 PM, Eliezer Croitoru <eliezer_at_ngtech.co.il> wrote:
> On 05/04/2012 10:25, Colin Coe wrote:
>>
>> On Wed, Apr 4, 2012 at 7:40 PM, Amos Jeffries<squid3_at_treenet.co.nz>
>>  wrote:
>>>
>>> On 4/04/2012 6:01 p.m., Eliezer Croitoru wrote:
>>>>
>>>>
>>>> On 04/04/2012 08:12, Colin Coe wrote:
>>>>>
>>>>>
>>>>> Hi all
>>>>>
>>>>> I'm trying to get our squid proxy server to allow clients to do
>>>>> outbound FTP.  The problem is that our corporate proxy uses tcp/8200
>>>>> for http/https traffic and port 221 for FTP traffic.
>>>>>
>>>>> Tailing the squid logs I see that squid is attempting to send all FTP
>>>>> requests direct instead of going through the corporate proxy.
>>>>>
>>>>> Any ideas how I'd configure squid to use the corp proxy for FTP
>>>>> instead of going direct?
>>>>>
>>>>> Thanks
>>>>>
>>>>> CC
>>>>>
>>>> if you have parent proxy you should use the never_direct acl.
>>>>
>>>>
>>>>
>>>> acl ftp_ports port 21
>>>
>>>
>>>
>>> Make that "20 21" (note the space between)
>>>
>>>
>>> Amos
>>
>>
>> Hi all
>>
>> I've made changes based on these suggestions but it still doesn't
>> work.  My squid.conf looks like:
>> ---
>> cache_peer 172.22.0.7 parent 8200 0 default no-query no-netdb-exchange proxy-only no-digest no-delay name=other
>> cache_peer 172.22.0.7 parent 221 0 default no-query no-netdb-exchange proxy-only no-digest no-delay name=ftp
>>
>> cache_dir ufs /var/cache/squid 4900 16 256
>>
>> http_port 3128
>>
>> hierarchy_stoplist cgi-bin ?
>>
>> refresh_pattern ^ftp:           1440    20%     10080
>> refresh_pattern ^gopher:        1440    0%      1440
>> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
>> refresh_pattern .               0       20%     4320
>>
>> acl manager proto cache_object
>> acl localhost src 127.0.0.1/32 ::1
>> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
>>
>> acl localnet src 10.0.0.0/8     # RFC 1918 possible internal network
>> acl localnet src 172.16.0.0/12  # RFC 1918 possible internal network
>> acl localnet src 192.168.0.0/16 # RFC 1918 possible internal network
>> acl localnet src fc00::/7       # RFC 4193 local private network range
>> acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
>>
>> acl ftp_ports port 21 20
>>
>> acl SSL_ports port 443 21 20
>> acl Safe_ports port 80          # http
>> acl Safe_ports port 21          # ftp
>> acl Safe_ports port 443         # https
>> acl Safe_ports port 70          # gopher
>> acl Safe_ports port 210         # wais
>> acl Safe_ports port 1025-65535  # unregistered ports
>> acl Safe_ports port 280         # http-mgmt
>> acl Safe_ports port 488         # gss-http
>> acl Safe_ports port 591         # filemaker
>> acl Safe_ports port 777         # multiling http
>> acl CONNECT method CONNECT
>>
>> cache_peer_access ftp allow ftp_ports
>> cache_peer_access ftp deny all
>> never_direct allow ftp_ports
>> cache_peer_access other deny ftp_ports
>>
>> acl Prod dst 172.22.106.0/23
>> acl Prod dst 172.22.176.0/23
>> acl Dev dst 172.22.102.0/23
>>
>> acl BOM dstdomain .bom.gov.au
>> cache deny BOM
>>
>> always_direct allow Dev
>> always_direct allow Prod
>> never_direct allow all
>>
>> http_access allow manager localhost
>> http_access deny manager
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> http_access allow localhost
>> http_access allow localnet
>> http_access deny all
>> ---
>>
>> On the proxy server, when I do a 'tcpdump host client and port 3128' I
>> get nothing more than
>> ---
>> 15:22:19.515518 IP 172.22.106.23.48052 > 172.22.106.10.3128: Flags [S], seq 2995762959, win 5840, options [mss 1460,sackOK,TS val 1681190449 ecr 0,nop,wscale 7], length 0
>> 15:22:19.515567 IP 172.22.106.10.3128 > 172.22.106.23.48052: Flags [S.], seq 1966725410, ack 2995762960, win 14480, options [mss 1460,sackOK,TS val 699366121 ecr 1681190449], length 0
>> 15:22:19.515740 IP 172.22.106.23.48052 > 172.22.106.10.3128: Flags [.], ack 1, win 5840, options [nop,nop,TS val 1681190449 ecr 699366121], length 0
>> 15:23:49.606087 IP 172.22.106.23.48052 > 172.22.106.10.3128: Flags [F.], seq 1, ack 1, win 5840, options [nop,nop,TS val 1681280540 ecr 699366121], length 0
>> 15:23:49.606163 IP 172.22.106.10.3128 > 172.22.106.23.48052: Flags [.], ack 2, win 14480, options [nop,nop,TS val 699456212 ecr 1681280540], length 0
>> 15:23:49.606337 IP 172.22.106.10.3128 > 172.22.106.23.48052: Flags [F.], seq 1, ack 2, win 14480, options [nop,nop,TS val 699456212 ecr 1681280540], length 0
>> 15:23:49.606465 IP 172.22.106.23.48052 > 172.22.106.10.3128: Flags [.], ack 2, win 5840, options [nop,nop,TS val 1681280540 ecr 699456212], length 0
>> ---
>>
>> Nothing goes into the access.log file from this connection either.
>>
> So what is your problem now?
> That nothing goes into the access log?
> Let's go two steps back.
> I didn't make sure, but you do have:
>
>
> acl Prod dst 172.22.106.0/23
> acl Prod dst 172.22.176.0/23
> acl Dev dst 172.22.102.0/23
>
> always_direct allow Dev
> always_direct allow Prod
>
> And if you don't get anything in the access log it probably means that the
> clients are not connecting to the server.
> How are you directing the FTP clients to the Squid proxy server?
> You do know that Squid is not intercepting the FTP protocol by itself?
> There was some kind of FTP interception tool, as far as I remember.
>
> So, just a sec: state your goals again and what you have done so far.
>
> Regards,
> Eliezer
>>
>> Any ideas?
>>
>> CC
>>
>
>
> --
> Eliezer Croitoru
> https://www1.ngtech.co.il
> IT consulting for Nonprofit organizations
> eliezer <at> ngtech.co.il

Apologies for being unclear.

I have two separate but similar environments, prod and dev.  Both have
squid proxies, both use the same upstream corporate proxy.  I've done
the config so I can just get it working on one and then copy/paste the
config to the other squid server.

The clients are a mix of Windows (XP, 7, server 2008R2) and Linux
(RHEL 4/5/6).  Most clients just need access to external web sites
(http/https), but some also need access to some external FTP sites.

The corporate proxy (bluecost) web proxies on 8200 and FTP proxies on 221.

The goal: client web and FTP requests get correctly serviced.

The web proxying is working fine, it's just the FTP proxying that is
not working.

I know the clients are connecting to the squid server from the tcpdump
posted in my previous email.

Hope that's a bit clearer

CC

--
RHCE#805007969328369
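The capture Colin posted is itself the diagnostic: the client completes the TCP handshake with Squid on 3128, then sends zero payload bytes for about 90 seconds and closes the connection first. Squid never receives a request line, so there is nothing to write to access.log, and the never_direct / cache_peer rules are never consulted. The script below is an added example, not code from the post or from the Squid project. It parses tcpdump's one-line TCP summary format (the posted lines are embedded with the mailer's line wrapping undone), counts payload bytes per direction, and classifies the flow. It assumes the capture holds a single flow and that the proxy port is 3128, as in the post; the statement that a native FTP client waits for the server's 220 greeting before sending anything is standard FTP behaviour (the server speaks first), which is why a raw FTP client pointed at an HTTP proxy port looks exactly like this.

```python
"""Classify a tcpdump TCP summary of a client talking to Squid's http_port.

Added example (not from the original post). Assumes one flow per capture and
that tcpdump's 'length N' is the TCP payload length, which it is for TCP lines.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# The tcpdump lines from the post, re-joined onto one line each (the mailer
# had wrapped them); the content is otherwise as posted.
CAPTURE = """\
15:22:19.515518 IP 172.22.106.23.48052 > 172.22.106.10.3128: Flags [S], seq 2995762959, win 5840, options [mss 1460,sackOK,TS val 1681190449 ecr 0,nop,wscale 7], length 0
15:22:19.515567 IP 172.22.106.10.3128 > 172.22.106.23.48052: Flags [S.], seq 1966725410, ack 2995762960, win 14480, options [mss 1460,sackOK,TS val 699366121 ecr 1681190449], length 0
15:22:19.515740 IP 172.22.106.23.48052 > 172.22.106.10.3128: Flags [.], ack 1, win 5840, options [nop,nop,TS val 1681190449 ecr 699366121], length 0
15:23:49.606087 IP 172.22.106.23.48052 > 172.22.106.10.3128: Flags [F.], seq 1, ack 1, win 5840, options [nop,nop,TS val 1681280540 ecr 699366121], length 0
15:23:49.606163 IP 172.22.106.10.3128 > 172.22.106.23.48052: Flags [.], ack 2, win 14480, options [nop,nop,TS val 699456212 ecr 1681280540], length 0
15:23:49.606337 IP 172.22.106.10.3128 > 172.22.106.23.48052: Flags [F.], seq 1, ack 2, win 14480, options [nop,nop,TS val 699456212 ecr 1681280540], length 0
15:23:49.606465 IP 172.22.106.23.48052 > 172.22.106.10.3128: Flags [.], ack 2, win 5840, options [nop,nop,TS val 1681280540 ecr 699456212], length 0
"""

PROXY_PORT = 3128  # http_port from the posted squid.conf

# tcpdump -n TCP summary line: time, src.port > dst.port, flags, ..., length N
_LINE = re.compile(
    r"^(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d\.\d+) IP "
    r"(?P<src>[\d.]+?)\.(?P<sport>\d+)\s*>\s*(?P<dst>[\d.]+?)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\],.*\blength (?P<len>\d+)$"
)


@dataclass
class Packet:
    t: float        # seconds since midnight
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # e.g. "S", "S.", ".", "F.", "P."
    length: int     # TCP payload bytes


def parse_tcpdump(text: str) -> List[Packet]:
    """Parse tcpdump summary lines; raise on anything that is not a TCP line."""
    pkts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised tcpdump line: {line!r}")
        t = int(m["h"]) * 3600 + int(m["m"]) * 60 + float(m["s"])
        pkts.append(Packet(t, m["src"], int(m["sport"]), m["dst"],
                           int(m["dport"]), m["flags"], int(m["len"])))
    return pkts


def summarize_flow(pkts: List[Packet], proxy_port: int = PROXY_PORT) -> dict:
    """Handshake state, payload bytes per direction, who closed, and idle gap."""
    to_proxy = [p for p in pkts if p.dport == proxy_port]
    from_proxy = [p for p in pkts if p.sport == proxy_port]
    syn = next((p for p in to_proxy if p.flags == "S"), None)
    synack = next((p for p in from_proxy if p.flags == "S."), None)
    handshake = (syn is not None and synack is not None
                 and any(p.flags == "." and p.t >= synack.t for p in to_proxy))
    fins = sorted((p for p in pkts if "F" in p.flags), key=lambda p: p.t)
    first_fin: Optional[Packet] = fins[0] if fins else None
    closed_by = idle = None
    if first_fin is not None:
        closed_by = "client" if first_fin.dport == proxy_port else "proxy"
        earlier = [p.t for p in pkts if p.t < first_fin.t]
        idle = first_fin.t - max(earlier) if earlier else 0.0  # silence before FIN
    return {
        "handshake_complete": handshake,
        "client_payload_bytes": sum(p.length for p in to_proxy),
        "proxy_payload_bytes": sum(p.length for p in from_proxy),
        "closed_by": closed_by,
        "idle_seconds": idle,
    }


def diagnose(summary: dict) -> str:
    """Map the flow summary to one of three verdicts."""
    if not summary["handshake_complete"]:
        return "NO_CONNECTION"
    if summary["client_payload_bytes"] == 0:
        return "NO_REQUEST_SENT"
    return "REQUEST_SENT"


EXPLANATION = {
    "NO_CONNECTION": "The client never completed a TCP handshake with Squid: "
                     "check its proxy setting and any firewall in between.",
    "NO_REQUEST_SENT": "TCP connected but the client sent zero payload bytes "
                       "before closing. Squid is an HTTP proxy and only relays "
                       "ftp:// URLs that arrive inside an HTTP request (for "
                       "example 'GET ftp://host/ HTTP/1.1'); a native FTP client "
                       "pointed at the http_port waits for a 220 greeting that "
                       "never comes. No request line, so no access.log entry, and "
                       "never_direct / cache_peer_access are never evaluated.",
    "REQUEST_SENT": "A request reached Squid: check access.log to see whether "
                    "it went DIRECT or to which parent.",
}


if __name__ == "__main__":
    summary = summarize_flow(parse_tcpdump(CAPTURE))
    verdict = diagnose(summary)
    print(summary)
    print(verdict, "-", EXPLANATION[verdict])
```

Run it against a capture saved from `tcpdump -n host <client> and port 3128` (the `-n` keeps the `addr.port` form the parser expects). For the posted capture the verdict is NO_REQUEST_SENT with a 90-second idle gap, which is the shape of a client-side timeout rather than anything Squid decided; the Squid-side routing rules only become relevant once a client that speaks HTTP (a browser, wget or curl with `ftp_proxy`/`-x` set to the Squid port) actually sends an ftp:// request.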
Received on Thu Apr 05 2012 - 09:14:29 MDT

This archive was generated by hypermail 2.2.0 : Thu Apr 05 2012 - 12:00:02 MDT