On Wed, Apr 4, 2012 at 7:40 PM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> On 4/04/2012 6:01 p.m., Eliezer Croitoru wrote:
>>
>> On 04/04/2012 08:12, Colin Coe wrote:
>>>
>>> Hi all
>>>
>>> I'm trying to get our squid proxy server to allow clients to do
>>> outbound FTP. The problem is that our corporate proxy uses tcp/8200
>>> for http/https traffic and port 221 for FTP traffic.
>>>
>>> Tailing the squid logs I see that squid is attempting to send all FTP
>>> requests direct instead of going through the corporate proxy.
>>>
>>> Any ideas how I'd configure squid to use the corp proxy for FTP
>>> instead of going direct?
>>>
>>> Thanks
>>>
>>> CC
>>>
>> if you have parent proxy you should use the never_direct acl.
>>
>>
>>
>> acl ftp_ports port 21
>
>
> Make that "20 21" (note the space between)
>
>
> Amos
Hi all
I've made changes based on these suggestions but it still doesn't
work. My squid.conf looks like:
--- cache_peer 172.22.0.7 parent 8200 0 default no-query no-netdb-exchange proxy-only no-digest no-delay name=other cache_peer 172.22.0.7 parent 221 0 default no-query no-netdb-exchange proxy-only no-digest no-delay name=ftp cache_dir ufs /var/cache/squid 4900 16 256 http_port 3128 hierarchy_stoplist cgi-bin ? refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern . 0 20% 4320 acl manager proto cache_object acl localhost src 127.0.0.1/32 ::1 acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1 acl localnet src 10.0.0.0/8 # RFC 1918 possible internal network acl localnet src 172.16.0.0/12 # RFC 1918 possible internal network acl localnet src 192.168.0.0/16 # RFC 1918 possible internal network acl localnet src fc00::/7 # RFC 4193 local private network range acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines acl ftp_ports port 21 20 acl SSL_ports port 443 21 20 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT cache_peer_access ftp allow ftp_ports cache_peer_access ftp deny all never_direct allow ftp_ports cache_peer_access other deny ftp_ports acl Prod dst 172.22.106.0/23 acl Prod dst 172.22.176.0/23 acl Dev dst 172.22.102.0/23 acl BOM dstdomain .bom.gov.au cache deny BOM always_direct allow Dev always_direct allow Prod never_direct allow all http_access allow manager localhost http_access deny manager http_access deny !Safe_ports http_access deny CONNECT !SSL_ports http_access allow localhost http_access allow localnet http_access deny all --- On the proxy server, when I do a 'tcpdump host client and port 3128' I get nothing more than --- 15:22:19.515518 IP 172.22.106.23.48052 > 172.22.106.10.3128: Flags [S], seq 2995762959, win 5840, options [mss 1460,sackOK,TS val 1681190449 ecr 0,nop,wscale 7], length 0 15:22:19.515567 IP 172.22.106.10.3128 > 172.22.106.23.48052: Flags [S.], seq 1966725410, ack 2995762960, win 14480, options [mss 1460,sackOK,TS val 699366121 ecr 1681190449], length 0 15:22:19.515740 IP 172.22.106.23.48052 > 172.22.106.10.3128: Flags [.], ack 1, win 5840, options [nop,nop,TS val 1681190449 ecr 699366121], length 0 15:23:49.606087 IP 172.22.106.23.48052 > 172.22.106.10.3128: Flags [F.], seq 1, ack 1, win 5840, options [nop,nop,TS val 1681280540 ecr 699366121], length 0 15:23:49.606163 IP 172.22.106.10.3128 > 172.22.106.23.48052: Flags [.], ack 2, win 14480, options [nop,nop,TS val 699456212 ecr 1681280540], length 0 15:23:49.606337 IP 172.22.106.10.3128 > 172.22.106.23.48052: Flags [F.], seq 1, ack 2, win 14480, options [nop,nop,TS val 699456212 ecr 1681280540], length 0 15:23:49.606465 IP 172.22.106.23.48052 > 172.22.106.10.3128: Flags [.], ack 2, win 5840, options [nop,nop,TS val 1681280540 ecr 699456212], length 0 --- Nothing goes into the access.log file from this connection either. Any ideas? CC -- RHCE#805007969328369Received on Thu Apr 05 2012 - 07:25:10 MDT
This archive was generated by hypermail 2.2.0 : Thu Apr 05 2012 - 12:00:02 MDT