[squid-users] squid ftp-proxy

Alex Rousskov rousskov at measurement-factory.com
Mon Apr 11 04:35:52 UTC 2016

On 04/08/2016 10:37 PM, Amos Jeffries wrote:
> On 5/04/2016 9:08 p.m., Axel.Eberhardt at t-systems.com wrote:
>> I am trying to enable the native FTP proxying.
>> The documentation I have found is:
>> http://wiki.squid-cache.org/Features/FtpRelay
>> But there is no example for this. Also in the Mail Archives I was not able to find a hint.
>> I have configured the ftp proxy with parameter:
>> 	ftp_port 21

> AFAIK that port is intended either for use as above when the Squid IP
> address or hostname is given to the client FTP tool as the FTP server
> IP/host.

IIRC, the Squid address is given as the FTP proxy address. Some popular
FTP clients support that kind of proxying even though the original FTP
does not have such a concept. How this is done from the FTP commands'
point of view is mentioned further below.

> Or when intercepting port 21 traffic - with the 'intercept' option on
> the port config line.


> It is still a new / experimental and rarely used feature so YMMV.

Agreed, provided that "rarely" means "by few Squid admins" here. AFAIK,
the v3.5 implementation is used on some busy production servers. There
are many corner cases it does not handle well yet, but it is "working OK"
in those environments. YMMV.

>> Version:
>> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>> squid -v
>> Squid Cache: Version 3.5.15
>> Service Name: squid
>> configure options:  '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--verbose' '--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=$(localstatedir)/log/squid' '--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-auth-basic=DB,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,getpwnam,fake' '--enable-auth-ntlm=smb_lm,fake' '--enable-auth-digest=file,LDAP,eDirectory' '--enable-auth-negotiate=kerberos,wrapper' '--enable-external-acl-helpers=wbinfo_group,kerberos_ldap_group,LDAP_group,delayer,file_userip,SQL_session,unix_group,session,time_quota' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-icap-client' '--enable-ident-lookups' '--enable-linux-netfilter' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-storeio=aufs,diskd,ufs,rock' '--enable-wccpv2' '--enable-esi' '--enable-ssl-crtd' '--enable-icmp' '--with-aio' '--with-default-user=squid' '--with-filedescriptors=16384' '--with-dl' '--with-openssl' '--with-pthreads' '--with-included-ltdl' '--disable-arch-native' '--enable-ecap' '--without-nettle' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches   -m64 -mtune=generic' 'LDFLAGS=-Wl,-z,relro ' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches   -m64 -mtu=generic -fPIC' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig' --enable-ltdl-convenience
>> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>> Now my problem.
>> I am able to connect via ftp client to the squid.
>> Also the login will be correct:
>> 	example:  anonymous@ftp.informatik.rwth-aachen.de

Correct from client, Squid, or FTP origin server point of view?

>> But after a command which uses a data channel the connection fails:
>> 	421 Service not available, remote server has closed connection
>> I tried a tcpdump but I cannot find a failure.
>> The only difference between a native ftp session and a connection over the squid is a missing TCP ACK after the last ftp data package.

Does Squid know where to connect? If you are not intercepting, then
(IIRC) the FTP origin server address comes from your FTP login, which
should use two "@" characters. If you are not intimate with FTP in
general or FTP proxying specifically, then it might be easier to first
get this to work with a client that supports a concept of FTP proxy so
that you can compare apples to apples.

If nothing works, consider attaching full TCP captures of user-Squid
_and_ Squid-origin connections.


