
Re: FTP Access thru Squid 2.7


Milan wrote:
Good Morning, could you take a look at my config and advise?

On Tue, Apr 27, 2010 at 19:49, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
On Tue, 27 Apr 2010 10:44:12 -0400, Milan <compguy030471@xxxxxxxxx> wrote:
I have a Squid 2.7 build on Windows 2003 and I am trying to allow ftp
access thru the proxy.

I have added the lines below as suggested:

acl ftp proto FTP
http_access allow ftp


No avail. I can access if I type ftp://username:password@url-path

Is there any way to configure to access by ftp://ftp.destination.com?

The default config allows web browsers to open FTP URLs.

The config you tried is only needed if you would otherwise be blocking
access.
It should work provided that you place it in the right part of squid.conf.

Order is important.

Amos


You have fallen into the same trap some others did.

Note: Squid reads from the top down and does whatever action the first matching line states:


 http_access allow manager localhost
... okay.

 http_access allow HEAD
 http_access allow ftp

... HEAD requests and FTP protocol URLs allowed without any mention of limits on source client or destination server. For HEAD requests this is particularly nasty since the whole spam email via fake HTTP can be trivially transmitted that way.


 http_access allow WindowsUpdate
... free Windows updates for the world. Nice.

 http_access allow bypass_auth
 http_access allow bypass_auth-external
 http_access allow Approved_Domains
 http_access allow goto_meeting
 http_access allow Java
 http_access allow Approved_IP
 http_access allow InetAllow

... I could say similar things about several of the other allow lines. But I think you get the picture.


 http_access deny manager
 http_access deny !Safe_ports
 http_access deny CONNECT !SSL_ports
 http_access deny !our_networks

... these deny lines are the basic security settings for Squid.

What use do you think they are when the next thing done is "deny all"?

They need to be at or very near the top of the list to serve their intended use: FAST, efficient cropping away of unwanted requests.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.1
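
The first-match behaviour described in the reply above, as an added example that is not part of the original message or of Squid: a simplified Python model that evaluates the quoted http_access order and a reordered one against two constructed requests. Each request is given as the set of ACL names it matches; that `our_networks` is a source-address ACL, that the FTP port is in `Safe_ports`, and the reordered layout itself are assumptions, and only three of the quoted allow lines are modelled.

```python
# Added example: simplified first-match model of http_access, not Squid code.
MANAGER = "http_access allow manager localhost\n"
ALLOWS = """http_access allow HEAD
http_access allow ftp
http_access allow WindowsUpdate
"""
DENIES = """http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny !our_networks
"""
LAST = "http_access deny all\n"               # the "deny all" the reply refers to
ORIGINAL = MANAGER + ALLOWS + DENIES + LAST   # order quoted in the reply
REORDERED = MANAGER + DENIES + ALLOWS + LAST  # assumed fix: denies first

def parse(conf):
    """Return [(action, [acl, ...])] for every http_access line."""
    rows = (line.split("#", 1)[0].split() for line in conf.splitlines())
    return [(r[1], r[2:]) for r in rows if len(r) >= 3 and r[0] == "http_access"]

def decide(rules, matched):
    """First line whose ACLs all match wins; ACLs on one line are ANDed."""
    for i, (action, acls) in enumerate(rules):
        if all((a[1:] not in matched) if a[0] == "!" else (a in matched) for a in acls):
            return action, i
    # No line matched: Squid applies the opposite of the last line's action.
    return ("allow" if rules[-1][0] == "deny" else "deny"), None

def redundant_denies(rules):
    """Deny lines with only denies between them and a final 'deny all'."""
    tail = []
    if rules and rules[-1] == ("deny", ["all"]):
        for action, acls in reversed(rules[:-1]):
            if action != "deny":
                break
            tail.append(" ".join(acls))
    return tail[::-1]

# Constructed requests: the set of ACL names each one matches (assumed).
OUTSIDE_FTP = {"all", "ftp", "Safe_ports"}     # FTP URL, client not in our_networks
INSIDE_FTP = OUTSIDE_FTP | {"our_networks"}    # same URL from an internal client

if __name__ == "__main__":
    for conf in (ORIGINAL, REORDERED):
        rules = parse(conf)
        print(decide(rules, OUTSIDE_FTP), decide(rules, INSIDE_FTP), redundant_denies(rules))
```

In the quoted order the outside client is allowed by `allow ftp` before any deny is consulted, and all four deny lines are reported as redundant; in the reordered list the same request stops at `deny !our_networks` while the internal client still reaches `allow ftp`.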
