Oops, and send to list.

On Thu, Apr 5, 2012 at 4:26 PM, Eliezer Croitoru <eliezer@xxxxxxxxxxxx> wrote:
> On 05/04/2012 10:25, Colin Coe wrote:
>>
>> On Wed, Apr 4, 2012 at 7:40 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
>>>
>>> On 4/04/2012 6:01 p.m., Eliezer Croitoru wrote:
>>>>
>>>> On 04/04/2012 08:12, Colin Coe wrote:
>>>>>
>>>>> Hi all
>>>>>
>>>>> I'm trying to get our squid proxy server to allow clients to do
>>>>> outbound FTP. The problem is that our corporate proxy uses tcp/8200
>>>>> for http/https traffic and port 221 for FTP traffic.
>>>>>
>>>>> Tailing the squid logs I see that squid is attempting to send all FTP
>>>>> requests direct instead of going through the corporate proxy.
>>>>>
>>>>> Any ideas how I'd configure squid to use the corp proxy for FTP
>>>>> instead of going direct?
>>>>>
>>>>> Thanks
>>>>>
>>>>> CC
>>>>>
>>>> if you have parent proxy you should use the never_direct acl.
>>>>
>>>> acl ftp_ports port 21
>>>
>>> Make that "20 21" (note the space between)
>>>
>>> Amos
>>
>> Hi all
>>
>> I've made changes based on these suggestions but it still doesn't
>> work. My squid.conf looks like:
>> ---
>> cache_peer 172.22.0.7 parent 8200 0 default no-query no-netdb-exchange proxy-only no-digest no-delay name=other
>> cache_peer 172.22.0.7 parent 221 0 default no-query no-netdb-exchange proxy-only no-digest no-delay name=ftp
>>
>> cache_dir ufs /var/cache/squid 4900 16 256
>>
>> http_port 3128
>>
>> hierarchy_stoplist cgi-bin ?
>>
>> refresh_pattern ^ftp: 1440 20% 10080
>> refresh_pattern ^gopher: 1440 0% 1440
>> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
>> refresh_pattern . 0 20% 4320
>>
>> acl manager proto cache_object
>> acl localhost src 127.0.0.1/32 ::1
>> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
>>
>> acl localnet src 10.0.0.0/8 # RFC 1918 possible internal network
>> acl localnet src 172.16.0.0/12 # RFC 1918 possible internal network
>> acl localnet src 192.168.0.0/16 # RFC 1918 possible internal network
>> acl localnet src fc00::/7 # RFC 4193 local private network range
>> acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
>>
>> acl ftp_ports port 21 20
>>
>> acl SSL_ports port 443 21 20
>> acl Safe_ports port 80 # http
>> acl Safe_ports port 21 # ftp
>> acl Safe_ports port 443 # https
>> acl Safe_ports port 70 # gopher
>> acl Safe_ports port 210 # wais
>> acl Safe_ports port 1025-65535 # unregistered ports
>> acl Safe_ports port 280 # http-mgmt
>> acl Safe_ports port 488 # gss-http
>> acl Safe_ports port 591 # filemaker
>> acl Safe_ports port 777 # multiling http
>> acl CONNECT method CONNECT
>>
>> cache_peer_access ftp allow ftp_ports
>> cache_peer_access ftp deny all
>> never_direct allow ftp_ports
>> cache_peer_access other deny ftp_ports
>>
>> acl Prod dst 172.22.106.0/23
>> acl Prod dst 172.22.176.0/23
>> acl Dev dst 172.22.102.0/23
>>
>> acl BOM dstdomain .bom.gov.au
>> cache deny BOM
>>
>> always_direct allow Dev
>> always_direct allow Prod
>> never_direct allow all
>>
>> http_access allow manager localhost
>> http_access deny manager
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> http_access allow localhost
>> http_access allow localnet
>> http_access deny all
>> ---
>>
>> On the proxy server, when I do a 'tcpdump host client and port 3128' I
>> get nothing more than
>> ---
>> 15:22:19.515518 IP 172.22.106.23.48052 > 172.22.106.10.3128: Flags [S], seq 2995762959, win 5840, options [mss 1460,sackOK,TS val 1681190449 ecr 0,nop,wscale 7], length 0
>> 15:22:19.515567 IP 172.22.106.10.3128 > 172.22.106.23.48052: Flags [S.], seq 1966725410, ack 2995762960, win 14480, options [mss 1460,sackOK,TS val 699366121 ecr 1681190449], length 0
>> 15:22:19.515740 IP 172.22.106.23.48052 > 172.22.106.10.3128: Flags [.], ack 1, win 5840, options [nop,nop,TS val 1681190449 ecr 699366121], length 0
>> 15:23:49.606087 IP 172.22.106.23.48052 > 172.22.106.10.3128: Flags [F.], seq 1, ack 1, win 5840, options [nop,nop,TS val 1681280540 ecr 699366121], length 0
>> 15:23:49.606163 IP 172.22.106.10.3128 > 172.22.106.23.48052: Flags [.], ack 2, win 14480, options [nop,nop,TS val 699456212 ecr 1681280540], length 0
>> 15:23:49.606337 IP 172.22.106.10.3128 > 172.22.106.23.48052: Flags [F.], seq 1, ack 2, win 14480, options [nop,nop,TS val 699456212 ecr 1681280540], length 0
>> 15:23:49.606465 IP 172.22.106.23.48052 > 172.22.106.10.3128: Flags [.], ack 2, win 5840, options [nop,nop,TS val 1681280540 ecr 699456212], length 0
>> ---
>>
>> Nothing goes into the access.log file from this connection either.
>>
> so what is your problem now?
> that nothing goes into the access log?
> let's go two steps back.
> i didn't make sure but you do have:
>
> acl Prod dst 172.22.106.0/23
> acl Prod dst 172.22.176.0/23
> acl Dev dst 172.22.102.0/23
>
> always_direct allow Dev
> always_direct allow Prod
>
> and if you don't get anything in the access log it probably means that the
> clients are not connecting to the server.
> how are you directing the ftp clients to the squid proxy server?
> you do know that squid is not intercepting the ftp protocol by itself?
> there was some kind of ftp interception tool as far as i remember.
>
> so just a sec, state your goals again and what you have done so far.
>
> Regards,
> Eliezer
>
>> Any ideas?
>>
>> CC
>
> --
> Eliezer Croitoru
> https://www1.ngtech.co.il
> IT consulting for Nonprofit organizations
> eliezer <at> ngtech.co.il

Apologies for being unclear.

I have two separate but similar environments, prod and dev. Both have squid proxies, both use the same upstream corporate proxy. I've done the config so I can just get it working on one and then copy/paste the config to the other squid server.

The clients are a mix of Windows (XP, 7, Server 2008R2) and Linux (RHEL 4/5/6). Most clients just need access to external web sites (http/https), but some also need access to some external FTP sites.

The corporate proxy (bluecoat) web proxies on 8200 and FTP proxies on 221.

The goal: client web and FTP requests get correctly serviced. The web proxying is working fine, it's just the FTP proxying that is not working. I know the clients are connecting to the squid server from the tcpdump posted in my previous email.

Hope that's a bit clearer

CC

--
RHCE#805007969328369
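The quickest way to confirm whether ftp:// requests are leaving Squid DIRECT or via a parent is the hierarchy field of access.log. The script below is an added example, not code from this thread or from the Squid project; it assumes Squid's native access.log format and runs over constructed sample lines that reuse the parent address 172.22.0.7 from the posted squid.conf.

```python
"""Added example: classify Squid native access.log entries by URL scheme and
hierarchy code, so ftp:// requests that bypassed the parent stand out."""
import re
from collections import Counter

# Native format: time elapsed client code/status bytes method url user hier/peer type
_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>\S+)\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+"
    r"(?P<user>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<type>\S+)$")


def parse_line(line):
    """Return a dict of fields, or None if the line is not native format."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    # CONNECT requests carry host:port, not a URL with a scheme
    d["scheme"] = d["url"].split("://", 1)[0].lower() if "://" in d["url"] else "connect"
    return d


def ftp_gone_direct(lines):
    """(url, client) for every ftp:// request whose hierarchy code is DIRECT."""
    return [(r["url"], r["client"]) for r in map(parse_line, lines)
            if r and r["scheme"] == "ftp" and r["hier"] == "DIRECT"]


def route_summary(lines):
    """Count (scheme, hierarchy code, peer) so each protocol's path is visible."""
    c = Counter()
    for r in map(parse_line, lines):
        if r:
            c[(r["scheme"], r["hier"], r["peer"])] += 1
    return c


# Constructed sample lines (not taken from the thread's logs)
SAMPLE = [
    "1333520000.123    245 172.22.106.23 TCP_MISS/200 1532 GET ftp://ftp.example.com/pub/ - DIRECT/203.0.113.5 text/plain",
    "1333520001.456    310 172.22.106.23 TCP_MISS/200 2048 GET http://www.example.com/ - FIRST_UP_PARENT/172.22.0.7 text/html",
    "1333520002.789    120 172.22.106.24 TCP_MISS/200 900 GET ftp://ftp.example.org/readme.txt - FIRST_UP_PARENT/172.22.0.7 text/plain",
    "1333520003.000    400 172.22.106.25 TCP_MISS/200 0 CONNECT secure.example.com:443 - FIRST_UP_PARENT/172.22.0.7 -",
]

if __name__ == "__main__":
    for url, client in ftp_gone_direct(SAMPLE):
        print(f"ftp request from {client} bypassed the parent: {url}")
    for key, n in sorted(route_summary(SAMPLE).items()):
        print(key, n)
```

Two caveats when reading real logs: the native format records the peer's address but not its port, so with both parents defined on 172.22.0.7 the log alone cannot tell the port-221 peer from the port-8200 one; and a connection that opens and closes with no access.log entry at all, as in the tcpdump above, means no HTTP request ever reached Squid's parser, so routing rules were never consulted.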