Re: [squid-users] Send FileZilla FTP traffic through ICAP server

On 04/25/2013 10:41 AM, Dave Burkholder wrote:

>>> If you must use FileZilla,

> The FTP client software, FileZilla / Cyberduck / etc, isn't the
> issue. The issue is sending traffic to an ICAP server.

Not exactly. If you use an FTP client that uses HTTP requests with
ftp:// URLs (instead of CONNECT tunnels) when talking to an HTTP proxy,
then you can use stock Squid to filter FTP traffic using ICAP. FileZilla
is not such an FTP client, but there are other FTP clients that do what
you need (e.g., popular web browsers).

Please note that I am not saying that FileZilla is doing something wrong
or that you should use other FTP clients. I am just trying to explain
how things work so that you can make informed decisions.

>>> Our FTP gateway project adds that functionality to Squid.

> You said it's not yet ready for production use. Does the May 2013 ETA
> mean ETA of beta-quality code or ETA of production-ready code?

The quality of the code at the end of May depends, in part, on whether
it will be tested in production by that time. It may be production ready
in customer environments because customers tend to test first, but that
may not happen for many reasons outside our control.

Just like with any other complex feature, it is unlikely to be
production-ready in all environments until more folks start using it and
somebody fixes the bugs they report. YMMV. And please note that a wiki
estimate is not a guarantee of some sort.

HTH,

Alex.

> -----Original Message-----
> From: Alex Rousskov [mailto:rousskov_at_measurement-factory.com]
> Sent: Thursday, April 25, 2013 10:17 AM
> To: squid-users_at_squid-cache.org
> Subject: Re: [squid-users] Send FileZilla FTP traffic through ICAP server
>
>
> On 04/25/2013 08:08 AM, Alex Rousskov wrote:
>
>> Dave, it looks like FileZilla did not receive FTP server Hello from
>> Squid. I suggest that you take packet captures before and after Squid,
>> to see whether Squid itself has received FTP server Hello from the FTP
>> server. If Squid connected to the FTP server but received nothing,
>> then the problem is on the FTP server side. Otherwise, the problem may
>> be with Squid.
>
>
> I forgot to mention that even if you succeed with making CONNECT work, it will not help you with ICAP inspections because Squid will only send CONNECT request to your ICAP server and not the FTP traffic that happens inside the HTTP CONNECT tunnel.
>
> If you must use FileZilla, and FileZilla does not support sending HTTP requests with ftp://urls to HTTP proxies (instead of using CONNECT tunnels with raw FTP inside), then you must use an FTP proxy that supports ICAP, not an HTTP proxy.
>
> Our FTP gateway project adds that functionality to Squid. It is not ready for production use, but simple FTP transactions are supported and code is available: http://wiki.squid-cache.org/Features/FtpGateway
>
>
> HTH,
>
> Alex.
>
Received on Thu Apr 25 2013 - 17:19:37 MDT