[squid-users] server-side FTP support
Alex Rousskov
rousskov at measurement-factory.com
Fri Jul 25 21:25:53 UTC 2025
On 2025-07-25 08:43, Matus UHLAR - fantomas wrote:
> I see that squid has FTP support for some time:
>
> # TAG: ftp_port ...
> But I can't see any options related to PASV and PORT session setup.
>
> From what I saw in sources (with my limited knowledge of C++) it seems
> that squid tries to pass
Squid FTP server (i.e. the functionality behind ftp_port) tries to
support both passive and active data transfers. FTP client decides what
mode to use by sending either FTP PORT or FTP PASV command.
> Can I configure/limit these ports somehow?
>
> e.g. disabling PORT/EPRT and limiting PASV to ports e.g. 32736-32767
I hope that the answer to your question is "yes", but I have not checked
any details or tested the current implementation; IIRC,
* You can deny PORT/EPRT commands using http_access rules. See
squid.conf.documented paragraph that is quoted at the end of this email.
In cache.log, you can see HTTP-like messages (that your http_access
rules will need to match) using debug_options set to "ALL,2" or "ALL,1 9,2".
Look for "FTP Client REQUEST" phrases.
* You can control PASV port range using your OS settings for ephemeral
port ranges (e.g., net.ipv4.ip_local_port_range and friends on Linux).
HTH,
Alex.
> Native FTP commands accepted at ftp_port are internally converted or
> wrapped into HTTP-like messages. The same happens to Native FTP
> responses received from FTP origin servers. Those HTTP-like messages
> are shoveled through regular access control and adaptation layers
> between the FTP client and the FTP origin server. This allows Squid to
> examine, adapt, block, and log FTP exchanges. Squid reuses most HTTP
> mechanisms when shoveling wrapped FTP messages. For example,
> http_access and adaptation_access directives are used.
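As an added illustration of the approach sketched in the reply above (this is example configuration written for this page, not something posted in the thread or taken from Squid's own documentation), the squid.conf fragment below denies the active-mode commands so that clients fall back to passive transfers. It assumes that Squid's FTP relay exposes each wrapped FTP command to access control with the command name as the HTTP-like request method, so that the standard `method` ACL can match it; the listening port 2121 and the ACL name are placeholders.

```conf
# Added example for this page (not from the thread or from Squid's docs).
# Assumption: each native FTP command accepted at ftp_port is wrapped into an
# HTTP-like request whose method is the FTP command name, so "method" matches it.

ftp_port 2121

# Active-mode data setup is requested with PORT (IPv4) or EPRT (IPv4/IPv6).
# Denying both forces clients to use PASV/EPSV, where Squid opens the data port.
acl ftpActiveMode method PORT EPRT

# Deny rules must come before any broader allow rule; http_access is
# evaluated top to bottom and the first match wins.
http_access deny ftpActiveMode

# While verifying the rules, raise FTP (section 9) debugging so that
# cache.log shows the wrapped "FTP Client REQUEST" messages to match against.
debug_options ALL,1 9,2
```

The passive-mode port range is not set in squid.conf: as the reply notes, Squid takes the data port from the OS ephemeral range, for example `net.ipv4.ip_local_port_range = 32736 32767` in a sysctl drop-in on Linux. That setting is host-wide, so it also narrows the source ports used by every other outbound connection on the box (including Squid's own connections to origin servers); 32 ports can be exhausted quickly under load, so check `ss -tan` for TIME_WAIT pressure after making the change. Confirm the deny rule in access.log rather than assuming it, and drop `debug_options` back to its default once the rules are verified, since level 2 logging is verbose.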