
Re: Re: FTP through squid


 



On 07.05.2012 05:49, Hugo Deprez wrote:
I did check this parameter and I don't have it.

http://www.squid-cache.org/Doc/config/ftp_passive/

All currently supported Squid versions have it. Do not confuse the option being absent from the squid.conf file with it not being supported. Listing all the directives takes many pages of text, which is not nice to wade through, so most directives are now omitted from the config when at default values.


I don't really know how squid deals with ftp traffic, as in passive
mode, the port is selected by the server.

And when passed an ftp:// URL (i.e. from Firefox) Squid connects to it as requested by the server. Or tries to anyway. Sometimes things go wrong and it should fall back to trying all possible modes until one works.

This is where the ftp_passive directive comes in, forcing the passive modes on/off. You can leave ftp_passive ON and turn ftp_epsv OFF to get the old IPv4-only passive mode. The default in 3.1 is to try the newer EPSV passive mode first. ftp_passive OFF skips straight to trying the EPRT then PORT modes.

There is also an ftp_eprt ON/OFF directive for the new EPRT active mode.


(this all needs to be documented properly.)


On 6 May 2012 19:10, Jose-Marcio Martins da Cruz wrote:

I don't know if this is related...

I had some problems like this one, using filezilla, but I don't remember
which was the log message.

I had, from old configuration files, the directive :

  ftp_passive off

and this was the reason. I just commented it out and the proxy works now as
a charm.

Hugo Deprez wrote:

Hello,

I just installed squid3 from wheezy repository :

ii  squid3                              3.1.19-1+b1
Full featured Web Proxy cache (HTTP proxy)
ii  squid3-common                       3.1.19-1
Full featured Web Proxy cache (HTTP proxy) - common files

I try with FF12 still the same issue :

******* - - [06/May/2012:18:47:17 +0200] "GET ftp://ftp.free.fr/
HTTP/1.0" 504 4118 "-" "Mozilla/5.0 (Windows NT 5.1; rv:12.0)
Gecko/20100101 Firefox/12.0" TCP_MISS:DIRECT

I tried with filezilla, I get the following error :


***** - - [06/May/2012:18:44:56 +0200] "CONNECT ftp.free.fr:21
HTTP/1.0" 200 266 "-" "FileZilla" TCP_MISS:DIRECT
***** - - [06/May/2012:18:44:57 +0200] "CONNECT 212.27.60.27:6846
HTTP/1.0" 403 3561 "-" "FileZilla" TCP_DENIED:NONE

seems that the client is using passive mode, as it tries to connect to
the FTP server on port 6846.
How to deal with that ?
What is the difference between firefox and filezilla from FTP's
protocol point of view ?

Firefox is just passing an ftp:// URL to Squid and asking for squid to GET it and send the reply via HTTP protocol. All the FTP double-channel protocol bits are handled internally by Squid.

Filezilla is trying to use native FTP protocol, but tunneling it as binary CONNECT tunnels through the proxy. Active mode FTP where Filezilla opens the port and server connects inbound does not work at all. But in passive mode where the server presents an IP:port, Filezilla can open a second data CONNECT channel and fetch through it. As shown by your logs. ** For this to work you require SSL_ports to contain 21 and 1025-65535, same as Safe_ports does normally. This wide range of ports is VERY insecure, which is why most networks do not permit it.

Amos
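
The SSL_ports trade-off described in the reply above, as an added example that is not part of the original thread or of Squid itself: a small audit that reads `acl SSL_ports port ...` lines and reports how many destination ports a CONNECT tunnel may reach. The two sample configs are constructed, only the `http_access deny CONNECT !SSL_ports` rule is modelled, and the `max_span` threshold is an assumption.

```python
import re

# Constructed sample configs (not from the thread): a stock-style CONNECT
# policy, and the widened one needed for FTP-over-CONNECT passive data channels.
DEFAULT_CONF = """
acl SSL_ports port 443
acl Safe_ports port 80 21 443 1025-65535
http_access deny CONNECT !SSL_ports
"""
WIDENED_CONF = DEFAULT_CONF + "acl SSL_ports port 21 1025-65535\n"

def port_ranges(conf, acl_name):
    """Collect (low, high) port ranges from every 'acl <name> port ...' line."""
    ranges = []
    for line in conf.splitlines():
        fields = line.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) < 4 or fields[:3] != ["acl", acl_name, "port"]:
            continue
        for token in fields[3:]:
            m = re.fullmatch(r"(\d+)(?:-(\d+))?", token)
            if m:
                low = int(m.group(1))
                ranges.append((low, int(m.group(2) or low)))
    return ranges

def connect_allowed(conf, port):
    """Model only the 'http_access deny CONNECT !SSL_ports' rule."""
    return any(lo <= port <= hi for lo, hi in port_ranges(conf, "SSL_ports"))

def exposed_ports(conf):
    """Number of distinct destination ports a CONNECT tunnel may reach."""
    ports = set()
    for lo, hi in port_ranges(conf, "SSL_ports"):
        ports.update(range(lo, hi + 1))
    return len(ports)

def audit(conf, max_span=1):
    """Return SSL_ports ranges wider than max_span ports (assumed threshold)."""
    return [(lo, hi) for lo, hi in port_ranges(conf, "SSL_ports")
            if hi - lo + 1 > max_span]

if __name__ == "__main__":
    for name, conf in (("default", DEFAULT_CONF), ("widened", WIDENED_CONF)):
        print(name, "| CONNECT :6846 allowed:", connect_allowed(conf, 6846),
              "| reachable ports:", exposed_ports(conf),
              "| wide ranges:", audit(conf))
```

With the constructed default config, the passive data port 6846 from the log is refused, matching the 403 TCP_DENIED entry; the widened config permits it at the cost of opening CONNECT to every unprivileged port.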

