[squid-users] FTP proxy chain with native ftp

Alex Rousskov rousskov at measurement-factory.com
Tue Dec 12 17:13:52 UTC 2017


On 12/12/2017 09:56 AM, Amos Jeffries wrote:
> On 13/12/17 04:51, Sticher, Jascha wrote:
>> Is there a way (yet) to tell my first squid instance
>> to use another squid as a forward proxy with native FTP?


> The FTP traffic arriving at Squid's ftp_port is converted from a stream
> of FTP messages to a stream of HTTP messages for handling.

> AFAIK those resulting HTTP messages can be routed through a cache_peer
> same as any other HTTP traffic. 

I hope such routing is not possible today, but I do not know for sure.
AFAIK, no peer would be able to convert those wrapper HTTP messages back
into FTP. I hope the wrapper messages are always routed to FTP Client
code inside Squid using pinned Squid-FTP-server connections or something
like that.


> BUT at very least the peer needs to also
> have the same "native FTP" implementation to successfully convert them
> from HTTP back to FTP native messages on the outgoing server connections
> at the other side of the cache hierarchy.

* The "native FTP" Server implementation inside Squid does not convert
HTTP wrapper messages into FTP native messages. It converts FTP commands
into HTTP wrapper messages.

* The native FTP Client implementation inside Squid does the opposite
conversion, but it partners with the FTP Server implementation inside
Squid, not the HTTP Server implementation inside Squid.

* If wrapper HTTP messages reach a Squid peer, they will be handled by
the HTTP Server implementation inside peer Squid.

Thus, one cannot use another Squid to unwrap HTTP wrapper messages sent
by the child Squid, even if the routing code allows for those wrapper
messages to escape a Squid instance. The pieces required for everything
to work together are missing.


> Do allow the front-end Squid to
> re-FTP the traffic to the appropriate server then intercept it
> independently into the backend with its own ftp_port accepting the
> "native FTP" coming out of the frontend.

Good idea! Interception should work indeed. The "child" Squid will not
know what is going on, but both Squids will receive and send native FTP
traffic.


Cheers,

Alex.

