[squid-users] Proxy hierarchy and FTP access

Sticher, Jascha jascha.sticher at tds.fujitsu.com
Wed Feb 28 10:06:51 UTC 2018


Hi,

> I'm setting up a new infrastructure for my web proxy and I'm having a
> problem with FTP access to the internet; I'm running Squid 3.5 on Debian 9
> machines by the way.
>
> I used to have a single Squid machine talking freely to the internet from
> inside the LAN, with clients connecting on port 3128 for HTTP requests and 21
> for FTP using FileZilla with "FTP proxy" options enabled.
> The relevant part of my Squid configuration is the following, and everything
> worked like a charm:
>
> ftp_port 21
> acl FTP proto FTP
> acl ftp_sites dstdomain "/etc/squid/ftp_sites"
> http_access allow FTP ftp_sites
>
> Then for security purposes I've set up a second Squid machine, in our DMZ,
> to act as a cache parent for the LAN machine, but now FTP only works through
> a browser; I've tried enabling the ftp_port directive on the parent machine,
> disabling it in the LAN one and a bunch of other stuff but nothing seems to
> be working.

This is exactly my setup right there and I came with the same question to this mailing list.

Sadly, there is no support for an explicit FTP-forwarding proxy at the moment and no development to implement this as far as I know.

> For reference, the parent grants access to the child proxy thanks to this
> setting:
> acl child_proxy src 10.9.10.X/32
> http_access allow child_proxy

This is for HTTP packets only. When using FTP via the browser you are actually using FTP over HTTP, which uses the 3128 port on your client-side proxy.

When using an FTP client with an FTP proxy you are connecting via native FTP, which does not use the cache_peer settings I'm guessing you use to access the parent proxy (as those only support HTTP messages).

See http://squid-web-proxy-cache.1019090.n4.nabble.com/FTP-proxy-chain-with-native-ftp-td4684366.html for the suggested workarounds from my thread.


Kind regards,

Jascha



-----Original Message-----
> From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On
> Behalf Of Grey
> Sent: Wednesday, 28 February 2018 09:31
> To: squid-users at lists.squid-cache.org
> Subject: [squid-users] Proxy hierarchy and FTP access
>
> Hi guys,
>
>
> At this point, I'd like to know if what I'm trying to do is possible at all,
> because I'm starting to think there's something major I've totally
> overlooked.
> Thanks a lot to anyone willing to help :)
>
>
>