[squid-users] FTP inspection configuration

Amos Jeffries squid3 at treenet.co.nz
Wed Jan 16 03:33:55 UTC 2019


On 16/01/19 3:10 pm, eugene.elyashev wrote:
> Hello,
> I'm trying to configure squid 3.5.6 as an FTP proxy for native FTP uploads
> to be inspected by an ICAP service.

Please try an upgrade, there have been a lot of fixes in the 3+ years
since that release. Current production/stable release is v4.5.

For the FTP issues 3.5.28 would be enough of an upgrade. But ...

Since you are also using SSL-Bump you should be tracking the latest
Squid releases and upgrading frequently. TLS is a highly volatile
environment - almost every Squid release since v3.2 has had additions to
cope with that.


> 
> Currently FileZilla fails to connect via proxy and also telnet on port 21
> fails.
> 
> What is missing in the config and how to configure FileZilla connection?
> 

Your ICAP service is only processing PUT and POST transactions. IIRC, at
least some of the FTP native messaging occurs as GET.

...
> 
> http_port 3128 ssl-bump
> cert=/usr/local/squid-3.5.6/ssl_cert/squid356_https.pem
> key=/usr/local/squid-3.5.6/ssl_cert/squid356_https.pem
> always_direct allow all

The above is not necessary in v3.2+, it was only useful as a hack
workaround for a bug in a single v3.1.x point release.


> ssl_bump server-first all

This bumping mode is deprecated due to lack of ability to cope with
modern TLS extensions and behaviour (i.e. TLS SNI). Use the v3.5+ actions
instead:
 <https://wiki.squid-cache.org/Features/SslPeekAndSplice>


> sslproxy_flags DONT_VERIFY_PEER

Please do not do this, ever. It only prevents *you* from seeing problems
(e.g. to debug them), they still exist and affect the traffic.
Remove the above line and then actually fix any problems that are then
visible.


> ftp_port 21
> 
> coredump_dir /usr/local/squid-3.5.6/var/cache/squid
> 
> refresh_pattern ^ftp:		1440	20%	10080
> refresh_pattern ^gopher:	1440	0%	1440
> refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
> refresh_pattern .		0	20%	4320
> 
> 
> acl vontu_reqmod_http_upload method POST PUT
> icap_service vontu_reqmod reqmod_precache 0 icap://<icap_server:1344>/reqmod
> adaptation_service_set class_vontu_reqmod vontu_reqmod
> adaptation_access class_vontu_reqmod allow vontu_reqmod_http_upload
> 

The ACL above restricting the ICAP service to only seeing PUT and POST
requests is probably the cause of your problem.

Another possibility is one of the ICAP bugs which have been fixed in
later v3.5 releases.


Amos
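As an added example (not part of Amos's reply or of the Squid project), a small Python checker that flags the weak settings discussed in this thread in a squid.conf: TLS peer verification disabled, the deprecated server-first bump mode, the unneeded always_direct hack, and an adaptation_access rule whose method ACL excludes GET while ftp_port is enabled. The sample configuration is constructed from the quoted config, with the certificate paths and ICAP host replaced by placeholders.

```python
# Constructed sample input: the squid.conf lines quoted in the thread, with the
# certificate paths and the ICAP host replaced by placeholders.
SAMPLE_CONF = """\
http_port 3128 ssl-bump cert=/path/to/squid.pem key=/path/to/squid.pem
always_direct allow all
ssl_bump server-first all
sslproxy_flags DONT_VERIFY_PEER
ftp_port 21
acl vontu_reqmod_http_upload method POST PUT
icap_service vontu_reqmod reqmod_precache 0 icap://icap.example.invalid:1344/reqmod
adaptation_service_set class_vontu_reqmod vontu_reqmod
adaptation_access class_vontu_reqmod allow vontu_reqmod_http_upload
"""

def parse_directives(text):
    """Return a list of (directive, [args]) pairs, skipping blanks and comments."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            out.append((parts[0], parts[1:]))
    return out

def lint_squid_conf(text):
    """Return a sorted list of finding codes for the settings discussed in the thread."""
    directives = parse_directives(text)
    findings = set()
    method_acls = {}          # acl name -> set of request methods it matches
    has_ftp_port = False
    for name, args in directives:
        if name == "sslproxy_flags" and "DONT_VERIFY_PEER" in args:
            findings.add("tls-verification-disabled")
        elif name == "ssl_bump" and args and args[0] == "server-first":
            findings.add("ssl-bump-server-first-deprecated")
        elif name == "always_direct" and args[:2] == ["allow", "all"]:
            findings.add("always-direct-allow-all-unneeded")
        elif name == "ftp_port":
            has_ftp_port = True
        elif name == "acl" and len(args) >= 3 and args[1] == "method":
            method_acls.setdefault(args[0], set()).update(m.upper() for m in args[2:])
    # Second pass so ACL order does not matter: an "allow" rule whose method ACLs
    # omit GET never hands the GET-based native FTP messages to the ICAP service.
    for name, args in directives:
        if name == "adaptation_access" and len(args) >= 3 and args[1] == "allow":
            method_sets = [method_acls[a] for a in args[2:] if a in method_acls]
            if has_ftp_port and any("GET" not in s for s in method_sets):
                findings.add("icap-skips-ftp-get")
    return sorted(findings)
```

Run `lint_squid_conf(SAMPLE_CONF)` to list the finding codes for the quoted configuration; an empty list means none of the four patterns was found.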

