Re: [squid-users] Re: FTP through squid

From: Hugo Deprez <hugo.deprez_at_gmail.com>
Date: Tue, 8 May 2012 15:18:53 +0200

Hello,

thank you for the information.

If I specify the following parameter in my configuration file:
ftp_epsv OFF

FTP with firefox is working.

I think users will need to use Filezilla or something equivalent, so
what kind of solution do I have?

My main goal is to set up a squid in order to specify bandwidth limitation.

By the way, are delay_parameters applied to Safe_ports?
For information, I use the following ACL:
delay_access 1 allow all

Regards,

Hugo

On 7 May 2012 02:25, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> On 07.05.2012 05:49, Hugo Deprez wrote:
>>
>> I did check this parameter and I don't have it.
>
>
> http://www.squid-cache.org/Doc/config/ftp_passive/
>
> All currently supported Squid have it. Do not confuse the option being
> absent from the squid.conf file for being not supported. Listing all the
> directives takes many pages of text, which is not nice to wade through so
> most directives are now omitted from the config when at default values.
>
>
>>
>> I don't really know how squid deals with ftp traffic, as in passive
>> mode, the port is selected by the server.
>
>
> And when passed a ftp:// URL (i.e. from Firefox) Squid connects to it as
> requested by the server. Or tries to anyway. Sometimes things go wrong and
> it should fall back to trying all possible modes until one works.
>
> This is where the ftp_passive directive comes in, forcing the passive modes
> on/off. You can leave ftp_passive ON and turn ftp_epsv OFF to get the old
> IPv4-only passive mode. The default in 3.1 is to try the newer EPSV passive
> mode first. ftp_passive OFF skips straight to trying the EPRT then PORT
> modes.
>
> There is also an ftp_eprt ON/OFF directive for new EPRT active mode.
>
>
> (this all needs to be documented properly.)
>
>
>>
>> On 6 May 2012 19:10, Jose-Marcio Martins da Cruz wrote:
>>>
>>>
>>> I don't know if this is related...
>>>
>>> I had some problems like this one, using filezilla, but I don't remember
>>> which was the log message.
>>>
>>> I had, from old configuration files, the directive :
>>>
>>>   ftp_passive off
>>>
>>> and this was the reason. I just commented it out and the proxy works now
>>> as a charm.
>>>
>>> Hugo Deprez wrote:
>>>>
>>>>
>>>> Hello,
>>>>
>>>> I just installed squid3 from wheezy repository :
>>>>
>>>> ii  squid3                              3.1.19-1+b1
>>>> Full featured Web Proxy cache (HTTP proxy)
>>>> ii  squid3-common                       3.1.19-1
>>>> Full featured Web Proxy cache (HTTP proxy) - common files
>>>>
>>>> I try with FF12 still the same issue :
>>>>
>>>> ******* - - [06/May/2012:18:47:17 +0200] "GET ftp://ftp.free.fr/
>>>> HTTP/1.0" 504 4118 "-" "Mozilla/5.0 (Windows NT 5.1; rv:12.0)
>>>> Gecko/20100101 Firefox/12.0" TCP_MISS:DIRECT
>>>>
>>>> I tried with filezilla, I get the following error :
>>>>
>>>>
>>>> ***** - - [06/May/2012:18:44:56 +0200] "CONNECT ftp.free.fr:21
>>>> HTTP/1.0" 200 266 "-" "FileZilla" TCP_MISS:DIRECT
>>>> ***** - - [06/May/2012:18:44:57 +0200] "CONNECT 212.27.60.27:6846
>>>> HTTP/1.0" 403 3561 "-" "FileZilla" TCP_DENIED:NONE
>>>>
>>>> seems that the client is using passive mode, as it tries to connect to
>>>> the FTP server on port 6846.
>>>> How to deal with that?
>>>> What is the difference between firefox and filezilla from FTP's
>>>> protocol point of view ?
>
>
> Firefox is just passing an ftp:// URL to Squid and asking for squid to GET
> it and send the reply via HTTP protocol. All the FTP double-channel protocol
> bits are handled internally by Squid.
>
> Filezilla is trying to use native FTP protocol, but tunneling it as binary
> CONNECT tunnels through the proxy. Active mode FTP where Filezilla opens the
> port and server connects inbound does not work at all. But in passive mode
> where the server presents an IP:port, Filezilla can open a second data
> CONNECT channel and fetch through it. As shown by your logs.
>  ** for this to work you require SSL_ports to contain 21 and 1025-65535, the
> same as Safe_ports does normally. This wide range of ports is VERY insecure,
> which is why most networks do not permit it.
>
> Amos
Received on Tue May 08 2012 - 13:19:01 MDT
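As an added illustration of Amos's point about the SSL_ports range (this is not code from the thread or from Squid), the script below parses access.log lines in the format quoted above and reports every CONNECT tunnel whose destination port is outside a given SSL_ports list, so an administrator can see what widening that ACL to 1025-65535 would admit. The log lines are constructed for the example; client addresses are placeholders.

```python
import re

# Constructed sample in the access.log format quoted in the thread.
# Client addresses (10.0.0.x) are placeholders, not real hosts.
SAMPLE_LOG = """\
10.0.0.5 - - [06/May/2012:18:44:56 +0200] "CONNECT ftp.free.fr:21 HTTP/1.0" 200 266 "-" "FileZilla" TCP_MISS:DIRECT
10.0.0.5 - - [06/May/2012:18:44:57 +0200] "CONNECT 212.27.60.27:6846 HTTP/1.0" 403 3561 "-" "FileZilla" TCP_DENIED:NONE
10.0.0.5 - - [06/May/2012:18:47:17 +0200] "GET ftp://ftp.free.fr/ HTTP/1.0" 504 4118 "-" "Mozilla/5.0" TCP_MISS:DIRECT
10.0.0.7 - - [06/May/2012:18:50:01 +0200] "CONNECT www.example.com:443 HTTP/1.1" 200 5120 "-" "Mozilla/5.0" TCP_MISS:DIRECT
"""

# client ident user [timestamp] "METHOD URL PROTO" status bytes "referer" "user-agent" hierarchy
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+) "[^"]*" "([^"]*)" (\S+)'
)


def parse_ports(spec):
    """Expand a squid 'acl NAME port' value such as '443 563 1025-65535' into a set of ints."""
    ports = set()
    for item in spec.split():
        lo, _, hi = item.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def audit_connect(log_text, ssl_ports):
    """Return (host, port, status, user_agent) for each CONNECT whose port is not in ssl_ports.

    A 403/TCP_DENIED entry shows the current ACL blocked the tunnel; a 200 entry
    shows a tunnel to a non-standard port that the proxy actually allowed.
    """
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(3) != "CONNECT":
            continue
        host, _, port = m.group(4).rpartition(":")
        if int(port) not in ssl_ports:
            findings.append((host, int(port), int(m.group(5)), m.group(7)))
    return findings


if __name__ == "__main__":
    # Default-style SSL_ports versus the wide range the thread warns about.
    for spec in ("443 563", "443 563 21 1025-65535"):
        print(f"SSL_ports {spec!r}: off-list CONNECT tunnels ->")
        for host, port, status, ua in audit_connect(SAMPLE_LOG, parse_ports(spec)):
            print(f"  {host}:{port} status={status} ua={ua}")
```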
