Hi folks,
I'm having some interesting issues with Squid and non-anonymous FTP.
In an effort to resolve them I've started a second Squid instance with
a stripped-down configuration, just in case any of the fancy stuff we
have is blocking it.
We cannot access non-anonymous FTP sites. Config, logs, and error
messages follow.
Any help or suggestions would be most appreciated.
Thanks,
==ml
Here's the config:
--
cache_access_log /var/log/testsquid/access.log
cache_log /var/log/testsquid/cache.log
cache_store_log /var/log/testsquid/store.log
coredump_dir /var/cache/squid
pid_filename /var/log/testsquid/squid.pid

#stuff from the default
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
#auth_param basic children 5
#auth_param basic realm Squid proxy-caching web server
#auth_param basic credentialsttl 2 hours
#auth_param basic casesensitive off
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
#our local network
acl our_networks src 10.0.0.0/8 127.0.0.0/8
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
#test clients
http_access allow our_networks
#acl FTP proto FTP
#always_direct allow FTP
http_access deny all
http_reply_access allow all
icp_access allow all
coredump_dir /usr/local/squid/var/cache

This should look really, really familiar to anyone who has looked at
the default config.

When we browse to an anonymous FTP site, things work fine. Trouble
appears when we access a non-anonymous FTP site. If I use a URL of the
form:

ftp://mwlwork@bwb.blackhelicopters.org

(This is a test account I've set up outside our corporate network.)
When I enter this URL in IE, I get the message:

ERROR: Cache Access Denied
While trying to retrieve the URL: ftp://mwlwork@bwb.blackhelicopters.org
The following error was encountered
Cache Access Denied
Sorry, you are not currently allowed to request:
ftp://mwlwork@bwb.blackhelicopters.org/
from this cache until you have authenticated yourself.

In Firefox, I get an error that looks more useful:

An FTP authentication failure occured while trying to retrieve the URL:
ftp://mwlwork@bwb.blackhelicopters.org
Squid sent the following FTP command:
PASS <yourpass>
and then received this reply:
Login incorrect

The cache log includes:

2006/08/21 13:32:55| Rebuilding storage in /var/log/testsquid/cache (CLEAN)
2006/08/21 13:32:55| Using Least Load store dir selection
2006/08/21 13:32:55| Set Current Directory to /usr/local/squid/var/cache
2006/08/21 13:32:55| Loaded Icons.
2006/08/21 13:32:55| Accepting HTTP connections at 0.0.0.0, port 3128, FD 16.
2006/08/21 13:32:55| Accepting ICP messages at 0.0.0.0, port 3130, FD 17.
2006/08/21 13:32:55| Accepting SNMP messages on port 3401, FD 18.
2006/08/21 13:32:55| WCCP Disabled.
2006/08/21 13:32:55| Ready to serve requests.
2006/08/21 13:32:55| Done reading /var/log/testsquid/cache swaplog (1157 entries)
2006/08/21 13:32:55| Finished rebuilding storage from disk.
2006/08/21 13:32:55| 1157 Entries scanned
2006/08/21 13:32:55| 0 Invalid entries.
2006/08/21 13:32:55| 0 With invalid flags.
2006/08/21 13:32:55| 1157 Objects loaded.
2006/08/21 13:32:55| 0 Objects expired.
2006/08/21 13:32:55| 0 Objects cancelled.
2006/08/21 13:32:55| 0 Duplicate URLs purged.
2006/08/21 13:32:55| 0 Swapfile clashes avoided.
2006/08/21 13:32:55| Took 0.3 seconds (4243.9 objects/sec).
2006/08/21 13:32:55| Beginning Validation Procedure
2006/08/21 13:32:55| Completed Validation Procedure
2006/08/21 13:32:55| Validated 1157 Entries
2006/08/21 13:32:55| store_swap_size = 9424k
2006/08/21 13:32:56| storeLateRelease: released 0 objects
2006/08/21 13:35:10| Reconfiguring Squid Cache (version 2.5.STABLE13)...
2006/08/21 13:35:10| FD 16 Closing HTTP connection
2006/08/21 13:35:10| FD 17 Closing ICP connection
2006/08/21 13:35:10| FD 18 Closing SNMP socket
2006/08/21 13:35:10| Cache dir '/var/log/testsquid/cache' size remains unchanged at 4096000 KB
2006/08/21 13:35:10| helperOpenServers: Starting 5 'dnsserver' processes
2006/08/21 13:35:12| Accepting HTTP connections at 0.0.0.0, port 3128, FD 7.
2006/08/21 13:35:12| Accepting ICP messages at 0.0.0.0, port 3130, FD 15.
2006/08/21 13:35:12| Accepting SNMP messages on port 3401, FD 16.
2006/08/21 13:35:12| WCCP Disabled.
2006/08/21 13:35:12| Loaded Icons.
2006/08/21 13:35:12| eventCleanup
2006/08/21 13:35:12| Ready to serve requests.
access.log includes these entries for this request (plus a sample to
show that we are talking to the Net):

1156181666.709 106 10.184.184.193 TCP_REFRESH_HIT/200 358 GET http://i.a.cnn.net/cnn/.element/img/1.5/main/sect.gray.gradient_334.gif - DIRECT/64.236.42.21 image/gif
1156181666.722 108 10.184.184.193 TCP_REFRESH_HIT/200 337 GET http://i.a.cnn.net/cnn/.element/img/1.1/misc/cl/cl_bar.gif - DIRECT/64.236.42.22 image/gif
1156181666.726 110 10.184.184.193 TCP_REFRESH_HIT/200 326 GET http://i.a.cnn.net/cnn/.element/img/1.5/main/cnn_vert.dash.gif - DIRECT/64.236.42.30 image/gif
1156181666.729 44 10.184.184.193 TCP_REFRESH_HIT/200 1039 GET http://i.a.cnn.net/cnn/.element/img/1.3/main/tv/time_tab.gif - DIRECT/64.236.42.38 image/gif
1156181666.836 106 10.184.184.193 TCP_REFRESH_HIT/200 1407 GET http://www.cnn.com/favicon.ico - DIRECT/64.236.16.20 image/x-icon
1156181666.877 41 10.184.184.193 TCP_HIT/200 1407 GET http://www.cnn.com/favicon.ico - NONE/- image/x-icon
1156181672.956 244 10.184.184.193 TCP_MISS/401 1706 GET ftp://mwlwork@bwb.blackhelicopters.org/ - DIRECT/198.22.63.43 text/html
1156181675.284 962 10.184.184.193 TCP_MISS/401 1455 GET ftp://mwlwork@bwb.blackhelicopters.org/ - DIRECT/198.22.63.43 text/html
1156181690.780 25 10.184.184.193 TCP_MISS/401 1706 GET ftp://mwlwork@bwb.blackhelicopters.org/ - DIRECT/198.22.63.43 text/html
1156181718.106 118 10.184.184.193 TCP_MISS/401 1706 GET ftp://mwlwork@bwb.blackhelicopters.org/ - DIRECT/198.22.63.43 text/html

--
Michael W. Lucas mwlucas@FreeBSD.org, mwlucas@BlackHelicopters.org
http://www.BlackHelicopters.org/~mwlucas/
Latest book: PGP & GPG -- http://www.pgpandgpg.com
"The cloak of anonymity protects me from the nuisance of caring."
-Non Sequitur

Received on Mon Aug 21 2006 - 12:11:07 MDT
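
Added example, not part of the original post: a small Python reader for the access.log excerpt above that counts requests per scheme and status and groups the ftp:// requests answered with 401. It assumes Squid's native log layout (time, elapsed, client, result/status, bytes, method, URL, ident, hierarchy/peer, type); the function names are hypothetical and the sample lines are copied from the post.

```python
from collections import Counter
from urllib.parse import urlsplit

# Four lines copied from the access.log excerpt in the post.
SAMPLE = """\
1156181666.836 106 10.184.184.193 TCP_REFRESH_HIT/200 1407 GET http://www.cnn.com/favicon.ico - DIRECT/64.236.16.20 image/x-icon
1156181666.877 41 10.184.184.193 TCP_HIT/200 1407 GET http://www.cnn.com/favicon.ico - NONE/- image/x-icon
1156181672.956 244 10.184.184.193 TCP_MISS/401 1706 GET ftp://mwlwork@bwb.blackhelicopters.org/ - DIRECT/198.22.63.43 text/html
1156181675.284 962 10.184.184.193 TCP_MISS/401 1455 GET ftp://mwlwork@bwb.blackhelicopters.org/ - DIRECT/198.22.63.43 text/html
"""

def parse_line(line):
    """Return a dict for one native-format line, or None if it does not parse."""
    parts = line.split()
    if len(parts) < 10:
        return None
    result, _, status = parts[3].partition("/")
    _, _, peer = parts[8].partition("/")
    if not status.isdigit():
        return None
    try:
        url = urlsplit(parts[6])
    except ValueError:
        return None
    return {
        "client": parts[2], "result": result, "status": int(status),
        "url": parts[6], "scheme": url.scheme, "peer": peer,
        "user": url.username,
        # True would mean a password was typed into the URL and logged as-is.
        "password_in_url": url.password is not None,
    }

def records(text):
    return [r for r in map(parse_line, text.splitlines()) if r]

def summarise(text):
    """Count requests per (scheme, HTTP status)."""
    return Counter((r["scheme"], r["status"]) for r in records(text))

def ftp_auth_failures(text):
    """Group ftp:// requests answered with 401 by (client, URL, peer)."""
    groups = {}
    for r in records(text):
        if r["scheme"] == "ftp" and r["status"] == 401:
            g = groups.setdefault((r["client"], r["url"], r["peer"]),
                {"count": 0, "user": r["user"], "password_in_url": r["password_in_url"]})
            g["count"] += 1
    return groups

if __name__ == "__main__":
    print(dict(summarise(SAMPLE)))
    print(ftp_auth_failures(SAMPLE))
```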