Re: [squid-users] TCP_MISS/000 FTP

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 04 Mar 2010 00:16:23 +1300

Dawie Pretorius wrote:
> Hello
>
> Getting this error "1267609425.628 270 172.16.8.105 TCP_MISS/000 0 GET ftp://XX.XX.XX.XX/ - DIRECT/XX.XX.XX.XX - and a black page on my web browser on when accessing this ftp site.
>
> When using no proxy FTP site ask for authentication?
>

Squid older than 3.1 were somewhat restricted in their use of auth with
FTP. They would not pass back the headers to trigger HTTP auth properly
and required the user/pass to be in the URL.

Your config shows signs of being in an older Squid, so the fix will be
either using 3.1 or adding the credentials to the FTP URLs.

> Here is my squid.conf:
>
> http_port 0.0.0.0:51313
> cache_peer ZATBIMPROXY02 sibling 3128 0 default login=PASS
> persistent_connection_after_error on
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY

Drop that QUERY stuff to improve your dynamic objects caching. A large
portion seem to be cacheable now.

> cache_mem 50 MB
> maximum_object_size 20 MB
> access_log /var/log/squid/access.log squid
> cache_log /var/log/squid/cache.log
> cache_store_log /var/log/squid/store.log

Not useful for much beyond debugging:
   cache_store_log none

> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440

Missing right here:
   refresh_pattern -i (/cgi-bin/|\?) 0 0% 0

> refresh_pattern . 0 20% 4320
> half_closed_clients off
> acl manager proto cache_object
> acl localnet src XX.XX.XX.XX/12
> acl localhost src 127.0.0.1/255.255.255.255

acl localhost src 127.0.0.1

> acl to_localhost dst 127.0.0.0/8

acl to_localhost dst 127.0.0.0/8 0.0.0.0/32

<snip>
> http_access deny CONNECT !SSL_ports
> acl cape_town src XX.XX.XX.XX/255.255.254.0

acl cape_town src XX.XX.XX.XX/23

> http_access allow cape_town
> acl our_networks src XX.XX.XX.XX/255.255.254.0 XX.XX.XX.XX/255.255.254.0 XX.XX.XX.XX/255.255.255.0

acl our_networks src XX.XX.XX.XX/23 XX.XX.XX.XX/23 XX.XX.XX.XX/24

> http_access allow our_networks
> http_access allow localhost
> http_reply_access allow all
> icp_access allow all
> cache_mgr hbops_at_healthbridge.co.za
> visible_hostname ZATBIMPROXY01
> deny_info ERR_ACCESS_DENIED blacklist
> deny_info ERR_ACCESS_DENIED denyfiletypes

ACCESS_DENIED is the default page sent on "http_access deny". There is
no need to specify it explicitly like that.

>
> This FTP does ask for authentication and you cannot login anonymously. Is this something that I have in my squid.conf or does not have in my squid.conf?

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE7 or 3.0.STABLE24
   Current Beta Squid 3.1.0.17
Received on Wed Mar 03 2010 - 11:16:31 MST

This archive was generated by hypermail 2.2.0 : Thu Mar 04 2010 - 12:00:06 MST