On Thu, Apr 5, 2012 at 6:50 PM, Eliezer Croitoru <eliezer_at_ngtech.co.il> wrote:
> On 05/04/2012 12:14, Colin Coe wrote:
>>
>> Oops, and send to list.
>>
>> On Thu, Apr 5, 2012 at 4:26 PM, Eliezer Croitoru<eliezer_at_ngtech.co.il>
>> wrote:
>>>
>>> On 05/04/2012 10:25, Colin Coe wrote:
>>>>
>>>> On Wed, Apr 4, 2012 at 7:40 PM, Amos Jeffries<squid3_at_treenet.co.nz>
>>>> wrote:
>>>>>
>>>>> On 4/04/2012 6:01 p.m., Eliezer Croitoru wrote:
>>>>>>
>>>>>> On 04/04/2012 08:12, Colin Coe wrote:
>>>>>>>
>>>>>>> Hi all
>>>>>>>
>>>>>>> I'm trying to get our squid proxy server to allow clients to do
>>>>>>> outbound FTP. The problem is that our corporate proxy uses tcp/8200
>>>>>>> for http/https traffic and port 221 for FTP traffic.
>>>>>>>
>>>>>>> Tailing the squid logs I see that squid is attempting to send all FTP
>>>>>>> requests direct instead of going through the corporate proxy.
>>>>>>>
>>>>>>> Any ideas how I'd configure squid to use the corp proxy for FTP
>>>>>>> instead of going direct?
>>>>>>>
>>>>>>> Thanks
>>>>>>>
>>>>>>> CC
>>>>>>>
>>>>>> If you have a parent proxy you should use the never_direct ACL.
>>>>>>
>>>>>> acl ftp_ports port 21
>>>>>
>>>>> Make that "20 21" (note the space between)
>>>>>
>>>>> Amos
>>>>
>>>> Hi all
>>>>
>>>> I've made changes based on these suggestions but it still doesn't
>>>> work. My squid.conf looks like:
>>>> ---
>>>> cache_peer 172.22.0.7 parent 8200 0 default no-query no-netdb-exchange proxy-only no-digest no-delay name=other
>>>> cache_peer 172.22.0.7 parent 221 0 default no-query no-netdb-exchange proxy-only no-digest no-delay name=ftp
>>>>
>>>> cache_dir ufs /var/cache/squid 4900 16 256
>>>>
>>>> http_port 3128
>>>>
>>>> hierarchy_stoplist cgi-bin ?
>>>>
>>>> refresh_pattern ^ftp: 1440 20% 10080
>>>> refresh_pattern ^gopher: 1440 0% 1440
>>>> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
>>>> refresh_pattern . 0 20% 4320
>>>>
>>>> acl manager proto cache_object
>>>> acl localhost src 127.0.0.1/32 ::1
>>>> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
>>>>
>>>> acl localnet src 10.0.0.0/8 # RFC 1918 possible internal network
>>>> acl localnet src 172.16.0.0/12 # RFC 1918 possible internal network
>>>> acl localnet src 192.168.0.0/16 # RFC 1918 possible internal network
>>>> acl localnet src fc00::/7 # RFC 4193 local private network range
>>>> acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
>>>>
>>>> acl ftp_ports port 21 20
>>>>
>>>> acl SSL_ports port 443 21 20
>>>> acl Safe_ports port 80 # http
>>>> acl Safe_ports port 21 # ftp
>>>> acl Safe_ports port 443 # https
>>>> acl Safe_ports port 70 # gopher
>>>> acl Safe_ports port 210 # wais
>>>> acl Safe_ports port 1025-65535 # unregistered ports
>>>> acl Safe_ports port 280 # http-mgmt
>>>> acl Safe_ports port 488 # gss-http
>>>> acl Safe_ports port 591 # filemaker
>>>> acl Safe_ports port 777 # multiling http
>>>> acl CONNECT method CONNECT
>>>>
>>>> cache_peer_access ftp allow ftp_ports
>>>> cache_peer_access ftp deny all
>>>> never_direct allow ftp_ports
>>>> cache_peer_access other deny ftp_ports
>>>>
>>>> acl Prod dst 172.22.106.0/23
>>>> acl Prod dst 172.22.176.0/23
>>>> acl Dev dst 172.22.102.0/23
>>>>
>>>> acl BOM dstdomain .bom.gov.au
>>>> cache deny BOM
>>>>
>>>> always_direct allow Dev
>>>> always_direct allow Prod
>>>> never_direct allow all
>>>>
>>>> http_access allow manager localhost
>>>> http_access deny manager
>>>> http_access deny !Safe_ports
>>>> http_access deny CONNECT !SSL_ports
>>>> http_access allow localhost
>>>> http_access allow localnet
>>>> http_access deny all
>>>> ---
>>>>
>>>> On the proxy server, when I do a 'tcpdump host client and port 3128' I
>>>> get nothing more than
>>>> ---
>>>> 15:22:19.515518 IP 172.22.106.23.48052> 172.22.106.10.3128: Flags
>>>> [S], seq 2995762959, win 5840, options [mss 1460,sackOK,TS val
>>>> 1681190449 ecr 0,nop,wscale 7], length 0
>>>> 15:22:19.515567 IP 172.22.106.10.3128> 172.22.106.23.48052: Flags
>>>> [S.], seq 1966725410, ack 2995762960, win 14480, options [mss
>>>> 1460,sackOK,TS val 699366121 ecr 1681190449], length 0
>>>> 15:22:19.515740 IP 172.22.106.23.48052> 172.22.106.10.3128: Flags
>>>> [.], ack 1, win 5840, options [nop,nop,TS val 1681190449 ecr
>>>> 699366121], length 0
>>>> 15:23:49.606087 IP 172.22.106.23.48052> 172.22.106.10.3128: Flags
>>>> [F.], seq 1, ack 1, win 5840, options [nop,nop,TS val 1681280540 ecr
>>>> 699366121], length 0
>>>> 15:23:49.606163 IP 172.22.106.10.3128> 172.22.106.23.48052: Flags
>>>> [.], ack 2, win 14480, options [nop,nop,TS val 699456212 ecr
>>>> 1681280540], length 0
>>>> 15:23:49.606337 IP 172.22.106.10.3128> 172.22.106.23.48052: Flags
>>>> [F.], seq 1, ack 2, win 14480, options [nop,nop,TS val 699456212 ecr
>>>> 1681280540], length 0
>>>> 15:23:49.606465 IP 172.22.106.23.48052> 172.22.106.10.3128: Flags
>>>> [.], ack 2, win 5840, options [nop,nop,TS val 1681280540 ecr
>>>> 699456212], length 0
>>>> ---
>>>>
>>>> Nothing goes into the access.log file from this connection either.
>>>>
>>> So what is your problem now?
>>> That nothing goes into the access log?
>>> Let's go two steps back.
>>> I didn't make sure, but you do have:
>>>
>>> acl Prod dst 172.22.106.0/23
>>> acl Prod dst 172.22.176.0/23
>>> acl Dev dst 172.22.102.0/23
>>>
>>> always_direct allow Dev
>>> always_direct allow Prod
>>>
>>> And if you don't get anything in the access log it probably means that the
>>> clients are not connecting to the server.
>>> How are you directing the FTP clients to the squid proxy server?
>>> You do know that squid is not intercepting the FTP protocol by itself?
>>> There was some kind of FTP interception tool, as far as I remember.
>>>
>>> So, just a sec, state your goals again and what you have done so far.
>>>
>>> Regards,
>>> Eliezer
>>>>
>>>> Any ideas?
>>>>
>>>> CC
>>>>
>>>
>>> --
>>> Eliezer Croitoru
>>> https://www1.ngtech.co.il
>>> IT consulting for Nonprofit organizations
>>> eliezer<at> ngtech.co.il
>>
>> Apologies for being unclear.
>>
>> I have two separate but similar environments, prod and dev. Both have
>> squid proxies, both use the same upstream corporate proxy. I've done
>> the config so I can just get it working on one and then copy/paste the
>> config to the other squid server.
>>
>> The clients are a mix of Windows (XP, 7, server 2008R2) and Linux
>> (RHEL 4/5/6). Most clients just need access to external web sites
>> (http/https), but some also need access to some external FTP sites.
>>
>> The corporate proxy (Bluecoat) web proxies on 8200 and FTP proxies on 221.
>>
>> The goal: client web and FTP requests get correctly serviced.
>>
>> The web proxying is working fine, it's just the FTP proxying that is
>> not working.
>>
>> I know the clients are connecting to the squid server from the tcpdump
>> posted in my previous email.
>>
>> Hope that's a bit clearer
>
> Yes, indeed, much clearer.
> My question is: how do you know that the clients are using the proxy server
> for FTP traffic?
> It's a must to enforce them in a way (WPAD for example) to use the proxy, or
> else you are doing nothing.
> The ACLs I have mentioned, if I'm not wrong, are saying that all the prod and
> dev dsts will have direct access.
> I don't remember which rule always wins, the always_direct or the
> never_direct...
> So this is one bump.
> But as for you taking a client and connecting to an FTP server using the
> squid: is it working?
> Just try to get something like that:
> 1333622935.422 3902 192.168.10.100 TCP_MISS/200 3325 GET ftp://ftp.freebsd.org/pub - HIER_DIRECT/204.152.184.73 text/html
>
> If in any case you are not getting that, turn the parent-proxy stuff off
> and try again.
> Then I hope you understand my logic.
>
> Regards,
> Eliezer
>
>>
>> CC
>>
>> --
>> RHCE#805007969328369
>>
>
> --
> Eliezer Croitoru
> https://www1.ngtech.co.il
> IT consulting for Nonprofit organizations
> eliezer <at> ngtech.co.il
OK, I did

export ftp_proxy=http://benpxy1p:3128
wget ftp://ftp2.bom.gov.au/anon/gen/fwo
--2012-04-05 19:43:38-- ftp://ftp2.bom.gov.au/anon/gen/fwo
Resolving benpxy1p... 172.22.106.10
Connecting to benpxy1p|172.22.106.10|:3128... connected.
Proxy request sent, awaiting response... ^C

An entry appeared in access.log only after I hit ^C.
Changing ftp_proxy to ftp://benpxy1p:3128 did not change anything.

CC
--
RHCE#805007969328369

Received on Thu Apr 05 2012 - 11:51:44 MDT
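The check Eliezer suggests above, looking at the hierarchy field of the access.log entry to see whether an ftp:// request went HIER_DIRECT or to a parent, can be automated over a whole log. The script below is an added example and is not part of the thread; it assumes Squid's native access.log layout and that the parent is logged by the address given in cache_peer (172.22.0.7 here). Only the first sample line is the one quoted in the thread; the rest are constructed.

```python
from typing import Dict, List, Optional

# Squid native access.log layout (10 whitespace-separated fields):
# time elapsed client code/status bytes method URL rfc931 hierarchy/peer type
_FIELDS = ("time", "elapsed", "client", "result", "bytes",
           "method", "url", "ident", "hierarchy", "mime")

# Constructed sample log: line 1 is the entry quoted in the thread (went
# direct); lines 2-4 are made up to cover the parent, denied and HTTP cases.
SAMPLE_LOG = [
    "1333622935.422 3902 192.168.10.100 TCP_MISS/200 3325 GET "
    "ftp://ftp.freebsd.org/pub - HIER_DIRECT/204.152.184.73 text/html",
    "1333623001.118 812 172.22.106.23 TCP_MISS/200 1842 GET "
    "ftp://ftp2.bom.gov.au/anon/gen/fwo - DEFAULT_PARENT/172.22.0.7 text/html",
    "1333623002.500 0 172.22.106.23 TCP_DENIED/403 3821 GET "
    "ftp://ftp2.bom.gov.au/anon/gen/fwo - NONE/- text/html",
    "1333623003.010 240 172.22.106.23 TCP_MISS/200 5120 GET "
    "http://www.bom.gov.au/ - DEFAULT_PARENT/172.22.0.7 text/html",
]


def parse_access_line(line: str) -> Optional[Dict[str, str]]:
    """Split one native-format line into named fields; None if malformed."""
    parts = line.split()
    if len(parts) != len(_FIELDS):
        return None
    rec = dict(zip(_FIELDS, parts))
    # "HIER_DIRECT/1.2.3.4", "DEFAULT_PARENT/172.22.0.7" or "NONE/-"
    rec["hier_code"], _, rec["peer"] = rec["hierarchy"].partition("/")
    return rec


def audit_egress(lines: List[str], scheme: str,
                 parents: List[str]) -> List[Dict[str, str]]:
    """Return scheme:// requests that were not forwarded to an allowed parent."""
    violations = []
    for line in lines:
        rec = parse_access_line(line)
        # Denied requests (hierarchy NONE) never left the proxy: not a violation.
        if rec is None or rec["hier_code"] == "NONE":
            continue
        if not rec["url"].lower().startswith(scheme + "://"):
            continue
        if rec["hier_code"] == "HIER_DIRECT" or rec["peer"] not in parents:
            violations.append(rec)
    return violations


if __name__ == "__main__":
    for rec in audit_egress(SAMPLE_LOG, "ftp", ["172.22.0.7"]):
        print(f"{rec['url']} went {rec['hier_code']} to {rec['peer']}")
```

Run against the real access.log (one line per list entry) an empty result means every FTP request left through the corporate proxy; any HIER_DIRECT entry is one that bypassed it.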