On 05/04/2012 12:14, Colin Coe wrote:
> Oops, and send to list.
>
> On Thu, Apr 5, 2012 at 4:26 PM, Eliezer Croitoru<eliezer_at_ngtech.co.il> wrote:
>> On 05/04/2012 10:25, Colin Coe wrote:
>>>
>>> On Wed, Apr 4, 2012 at 7:40 PM, Amos Jeffries<squid3_at_treenet.co.nz>
>>> wrote:
>>>>
>>>> On 4/04/2012 6:01 p.m., Eliezer Croitoru wrote:
>>>>>
>>>>>
>>>>> On 04/04/2012 08:12, Colin Coe wrote:
>>>>>>
>>>>>>
>>>>>> Hi all
>>>>>>
>>>>>> I'm trying to get our squid proxy server to allow clients to do
>>>>>> outbound FTP. The problem is that our corporate proxy uses tcp/8200
>>>>>> for http/https traffic and port 221 for FTP traffic.
>>>>>>
>>>>>> Tailing the squid logs I see that squid is attempting to send all FTP
>>>>>> requests direct instead of going through the corporate proxy.
>>>>>>
>>>>>> Any ideas how I'd configure squid to use the corp proxy for FTP
>>>>>> instead of going direct?
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>> CC
>>>>>>
>>>>> if you have parent proxy you should use the never_direct acl.
>>>>>
>>>>>
>>>>>
>>>>> acl ftp_ports port 21
>>>>
>>>>
>>>>
>>>> Make that "20 21" (note the space between)
>>>>
>>>>
>>>> Amos
>>>
>>>
>>> Hi all
>>>
>>> I've made changes based on these suggestions but it still doesn't
>>> work. My squid.conf looks like:
>>> ---
>>> cache_peer 172.22.0.7 parent 8200 0 default no-query no-netdb-exchange
>>> proxy-only no-digest no-delay name=other
>>> cache_peer 172.22.0.7 parent 221 0 default no-query no-netdb-exchange
>>> proxy-only no-digest no-delay name=ftp
>>>
>>> cache_dir ufs /var/cache/squid 4900 16 256
>>>
>>> http_port 3128
>>>
>>> hierarchy_stoplist cgi-bin ?
>>>
>>> refresh_pattern ^ftp: 1440 20% 10080
>>> refresh_pattern ^gopher: 1440 0% 1440
>>> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
>>> refresh_pattern . 0 20% 4320
>>>
>>> acl manager proto cache_object
>>> acl localhost src 127.0.0.1/32 ::1
>>> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
>>>
>>> acl localnet src 10.0.0.0/8 # RFC 1918 possible internal network
>>> acl localnet src 172.16.0.0/12 # RFC 1918 possible internal network
>>> acl localnet src 192.168.0.0/16 # RFC 1918 possible internal network
>>> acl localnet src fc00::/7 # RFC 4193 local private network range
>>> acl localnet src fe80::/10 # RFC 4291 link-local (directly
>>> plugged) machines
>>>
>>> acl ftp_ports port 21 20
>>>
>>> acl SSL_ports port 443 21 20
>>> acl Safe_ports port 80 # http
>>> acl Safe_ports port 21 # ftp
>>> acl Safe_ports port 443 # https
>>> acl Safe_ports port 70 # gopher
>>> acl Safe_ports port 210 # wais
>>> acl Safe_ports port 1025-65535 # unregistered ports
>>> acl Safe_ports port 280 # http-mgmt
>>> acl Safe_ports port 488 # gss-http
>>> acl Safe_ports port 591 # filemaker
>>> acl Safe_ports port 777 # multiling http
>>> acl CONNECT method CONNECT
>>>
>>> cache_peer_access ftp allow ftp_ports
>>> cache_peer_access ftp deny all
>>> never_direct allow ftp_ports
>>> cache_peer_access other deny ftp_ports
>>>
>>> acl Prod dst 172.22.106.0/23
>>> acl Prod dst 172.22.176.0/23
>>> acl Dev dst 172.22.102.0/23
>>>
>>> acl BOM dstdomain .bom.gov.au
>>> cache deny BOM
>>>
>>> always_direct allow Dev
>>> always_direct allow Prod
>>> never_direct allow all
>>>
>>> http_access allow manager localhost
>>> http_access deny manager
>>> http_access deny !Safe_ports
>>> http_access deny CONNECT !SSL_ports
>>> http_access allow localhost
>>> http_access allow localnet
>>> http_access deny all
>>> ---
>>>
>>> On the proxy server, when I do a 'tcpdump host client and port 3128' I
>>> get nothing more than
>>> ---
>>> 15:22:19.515518 IP 172.22.106.23.48052> 172.22.106.10.3128: Flags
>>> [S], seq 2995762959, win 5840, options [mss 1460,sackOK,TS val
>>> 1681190449 ecr 0,nop,wscale 7], length 0
>>> 15:22:19.515567 IP 172.22.106.10.3128> 172.22.106.23.48052: Flags
>>> [S.], seq 1966725410, ack 2995762960, win 14480, options [mss
>>> 1460,sackOK,TS val 699366121 ecr 1681190449], length 0
>>> 15:22:19.515740 IP 172.22.106.23.48052> 172.22.106.10.3128: Flags
>>> [.], ack 1, win 5840, options [nop,nop,TS val 1681190449 ecr
>>> 699366121], length 0
>>> 15:23:49.606087 IP 172.22.106.23.48052> 172.22.106.10.3128: Flags
>>> [F.], seq 1, ack 1, win 5840, options [nop,nop,TS val 1681280540 ecr
>>> 699366121], length 0
>>> 15:23:49.606163 IP 172.22.106.10.3128> 172.22.106.23.48052: Flags
>>> [.], ack 2, win 14480, options [nop,nop,TS val 699456212 ecr
>>> 1681280540], length 0
>>> 15:23:49.606337 IP 172.22.106.10.3128> 172.22.106.23.48052: Flags
>>> [F.], seq 1, ack 2, win 14480, options [nop,nop,TS val 699456212 ecr
>>> 1681280540], length 0
>>> 15:23:49.606465 IP 172.22.106.23.48052> 172.22.106.10.3128: Flags
>>> [.], ack 2, win 5840, options [nop,nop,TS val 1681280540 ecr
>>> 699456212], length 0
>>> ---
>>>
>>> Nothing goes into the access.log file from this connection either.
>>>
>> so what is your problem now?
>> that nothing goes into the access log?
>> let's go two steps back.
>> i didnt make sure but you do have:
>>
>>
>> acl Prod dst 172.22.106.0/23
>> acl Prod dst 172.22.176.0/23
>> acl Dev dst 172.22.102.0/23
>>
>> always_direct allow Dev
>> always_direct allow Prod
>>
>> and if you dont get anything in the access log it probably means that the
>> clients are not connecting to the server.
>> how you are directing the ftp clients to squid proxy server?
>> you do know that squid is not intercepting ftp protocol by itself?
>> there was some kind of ftp interception tool as far as i remember.
>>
>> so just a sec state your goals again and what you have done so far.
>>
>> Regards,
>> Eliezer
>>>
>>> Any ideas?
>>>
>>> CC
>>>
>>
>>
>> --
>> Eliezer Croitoru
>> https://www1.ngtech.co.il
>> IT consulting for Nonprofit organizations
>> eliezer<at> ngtech.co.il
>
> Apologies for being unclear.
>
> I have two separate but similar environments, prod and dev. Both have
> squid proxies, both use the same upstream corporate proxy. I've done
> the config so I can just get it working on and then copy/paste the
> config to the other squid server.
>
> The clients are a mix of Windows (XP, 7, server 2008R2) and Linux
> (RHEL 4/5/6). Most clients just need access to external web sites
> (http/https), but some also need to some external FTP sites.
>
> The corporate proxy (bluecost) web proxies on 8200 and FTP proxies on 221.
>
> The goal: client web and FTP requests get correctly serviced.
>
> The web proxying is working fine, it's just the FTP proxying that is
> not working.
>
> I know the clients are connecting to the squid server from the tcpdump
> posted in my previous email.
>
> Hope thats a bit clearer
yes indeed much clearer.
my question is: how do you know that the clients are using the proxy
server for ftp traffic?
it's a must to enforce them in a way (WPAD for example) to use the proxy
or else you are doing nothing.
the acl i have mentioned if i'm not wrong are saying that all the prod
and dev dst's will have direct access.
i dont remember what rule always wins, the always direct or the never
direct...
so this is one bump.
but as for you taking a client and connecting to an ftp server using the
squid.
is it working?
just try to get something like that:
1333622935.422 3902 192.168.10.100 TCP_MISS/200 3325 GET
ftp://ftp.freebsd.org/pub - HIER_DIRECT/204.152.184.73 text/html
if in any case you are not getting that change the parent-proxy stuff
off and try again.
then i hope you understand my logic..
Regards,
Eliezer
>
> CC
>
> --
> RHCE#805007969328369
>
>
-- Eliezer Croitoru https://www1.ngtech.co.il IT consulting for Nonprofit organizations eliezer <at> ngtech.co.ilReceived on Thu Apr 05 2012 - 10:51:08 MDT
This archive was generated by hypermail 2.2.0 : Thu Apr 05 2012 - 12:00:02 MDT