[squid-users] Proxy hierarchy and FTP access

Sticher, Jascha jascha.sticher at tds.fujitsu.com
Wed Feb 28 12:32:32 UTC 2018


Hi,

> I'm sorry Jascha but the suggestions you got in your thread went kind of over
> my head, can I ask you if and how you "do allow the front-end Squid to
> re-FTP the traffic to the appropriate server then intercept it independently
> into the backend with its own ftp_port accepting the "native FTP" coming out
> of the frontend"?

Please see https://wiki.squid-cache.org/SquidFaq/InterceptionProxy for an overview of the interception proxy concept.

Basically, you need to route the FTP traffic from your client-side proxy to the DMZ proxy. I'm not sure how well this will work with FTP, because of its dual-connection nature.
According to the squid FAQ it is not supported, but there are several FTP-helpers which could make this work. I haven't tried that solution either,
because we can't change our design that way without breaking production traffic. Googling

> If that's a "technically possible only" suggestion, I guess my only
> alternative is to let my FileZilla client connect directly to my DMZ Squid
> machine and do the ACL stuff there, right?

We are currently using the "frox" FTP proxy on our client-side proxy server. This software does support an FTP-Upstream proxy, but has not been maintained for a few years now.
It is not available in the official Debian repositories (since Wheezy, IIRC). If you don't want to use this, you need to allow your users access to the DMZ proxy.

On the other hand, FileZilla does support an HTTP proxy (you need to allow CONNECT for the FTP target ports though).


Kind regards,

Jascha
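
Added example, not part of the original post: a squid.conf sketch of the "allow CONNECT for the FTP target ports" option mentioned above, showing the broad rule beside a scoped one. The ACL names, addresses and port range are constructed placeholders, and the rules assume they are placed ahead of the stock `http_access deny CONNECT !SSL_ports` line.

```conf
# Constructed example values: replace with your own networks and servers.
acl ftp_clients src 192.0.2.0/24         # hosts allowed to tunnel FTP (placeholder)
acl ftp_servers dst 198.51.100.10        # approved FTP server address (placeholder)
acl ftp_ctrl    port 21                  # FTP control channel
acl ftp_pasv    port 1025-65535          # passive-mode data ports picked by the server
acl CONNECT     method CONNECT           # only needed if your config does not define it

# Too broad: any client may open a tunnel to any host on port 21 or
# any high port, which covers far more than FTP.
# http_access allow CONNECT ftp_ctrl
# http_access allow CONNECT ftp_pasv

# Scoped: CONNECT to FTP ports only from known clients to known servers.
# "dst" is used instead of "dstdomain" because the client opens passive
# data connections to the IP address returned by the server.
http_access allow CONNECT ftp_clients ftp_servers ftp_ctrl
http_access allow CONNECT ftp_clients ftp_servers ftp_pasv

# Stock rules stay in place after the exceptions above.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
```

If the FTP server can be configured with a fixed passive port range, narrow `ftp_pasv` to that range.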

