[squid-users] FTP proxy
Alex Rousskov
rousskov at measurement-factory.com
Sun Dec 6 19:41:31 UTC 2020
On 12/6/20 10:26 AM, Andrea Venturoli wrote:
> I see this feature was introduced in 3.5 as an experimental one; at 4.13
> is it still so or is it considered stable and dependable?
AFAIK, FTP proxy is successfully used in some production environments,
but I bet that most Squid deployments do not use this feature. YMMV.
> Is there a way to restrict the port range of the additional connections
> (e.g. to 40000-50000)?
I do not know what connections you are talking about (there are at least
four connections when it comes to a typical proxied FTP transaction).
* If you are talking about source ports used by from-Squid TCP
connections, then those are usually handled by your OS ephemeral ports
setting (e.g., sysctl net.ipv4.ip_local_port_range).
* If you are talking about blocking FTP PORT/EPRT commands based on the
ports requested by FTP clients, then, in theory, one should be able to
block such requests using http_access ACLs targeting
fake/internal/wrapping HTTP requests that represent the corresponding
raw FTP command. However, I have not tested whether that works in
practice, and I suspect that Squid does _not_ supply enough details for
the http_access ACLs to work in this use case.
Please note that, AFAICT, Squid code talking to FTP servers does not
support PORT/EPRT commands, so Squid converts each received FTP
PORT/EPRT command into a PASV command (wrapped in an HTTP request for
Squid traversal). In that wrapping HTTP request, the FTP-Command header
field value will be set to PASV, not PORT or EPRT.
HTH,
Alex.