On Thu, Apr 5, 2012 at 6:50 PM, Eliezer Croitoru <eliezer@xxxxxxxxxxxx> wrote:
> On 05/04/2012 12:14, Colin Coe wrote:
>>
>> Oops, and send to list.
>>
>> On Thu, Apr 5, 2012 at 4:26 PM, Eliezer Croitoru <eliezer@xxxxxxxxxxxx> wrote:
>>>
>>> On 05/04/2012 10:25, Colin Coe wrote:
>>>>
>>>> On Wed, Apr 4, 2012 at 7:40 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
>>>>>
>>>>> On 4/04/2012 6:01 p.m., Eliezer Croitoru wrote:
>>>>>>
>>>>>> On 04/04/2012 08:12, Colin Coe wrote:
>>>>>>>
>>>>>>> Hi all
>>>>>>>
>>>>>>> I'm trying to get our squid proxy server to allow clients to do
>>>>>>> outbound FTP. The problem is that our corporate proxy uses tcp/8200
>>>>>>> for http/https traffic and port 221 for FTP traffic.
>>>>>>>
>>>>>>> Tailing the squid logs I see that squid is attempting to send all FTP
>>>>>>> requests direct instead of going through the corporate proxy.
>>>>>>>
>>>>>>> Any ideas how I'd configure squid to use the corp proxy for FTP
>>>>>>> instead of going direct?
>>>>>>>
>>>>>>> Thanks
>>>>>>>
>>>>>>> CC
>>>>>>>
>>>>>> If you have a parent proxy you should use the never_direct acl.
>>>>>>
>>>>>> acl ftp_ports port 21
>>>>>
>>>>> Make that "20 21" (note the space between)
>>>>>
>>>>> Amos
>>>>
>>>> Hi all
>>>>
>>>> I've made changes based on these suggestions but it still doesn't
>>>> work. My squid.conf looks like:
>>>> ---
>>>> cache_peer 172.22.0.7 parent 8200 0 default no-query no-netdb-exchange proxy-only no-digest no-delay name=other
>>>> cache_peer 172.22.0.7 parent 221 0 default no-query no-netdb-exchange proxy-only no-digest no-delay name=ftp
>>>>
>>>> cache_dir ufs /var/cache/squid 4900 16 256
>>>>
>>>> http_port 3128
>>>>
>>>> hierarchy_stoplist cgi-bin ?
>>>>
>>>> refresh_pattern ^ftp: 1440 20% 10080
>>>> refresh_pattern ^gopher: 1440 0% 1440
>>>> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
>>>> refresh_pattern . 0 20% 4320
>>>>
>>>> acl manager proto cache_object
>>>> acl localhost src 127.0.0.1/32 ::1
>>>> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
>>>>
>>>> acl localnet src 10.0.0.0/8 # RFC 1918 possible internal network
>>>> acl localnet src 172.16.0.0/12 # RFC 1918 possible internal network
>>>> acl localnet src 192.168.0.0/16 # RFC 1918 possible internal network
>>>> acl localnet src fc00::/7 # RFC 4193 local private network range
>>>> acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
>>>>
>>>> acl ftp_ports port 21 20
>>>>
>>>> acl SSL_ports port 443 21 20
>>>> acl Safe_ports port 80 # http
>>>> acl Safe_ports port 21 # ftp
>>>> acl Safe_ports port 443 # https
>>>> acl Safe_ports port 70 # gopher
>>>> acl Safe_ports port 210 # wais
>>>> acl Safe_ports port 1025-65535 # unregistered ports
>>>> acl Safe_ports port 280 # http-mgmt
>>>> acl Safe_ports port 488 # gss-http
>>>> acl Safe_ports port 591 # filemaker
>>>> acl Safe_ports port 777 # multiling http
>>>> acl CONNECT method CONNECT
>>>>
>>>> cache_peer_access ftp allow ftp_ports
>>>> cache_peer_access ftp deny all
>>>> never_direct allow ftp_ports
>>>> cache_peer_access other deny ftp_ports
>>>>
>>>> acl Prod dst 172.22.106.0/23
>>>> acl Prod dst 172.22.176.0/23
>>>> acl Dev dst 172.22.102.0/23
>>>>
>>>> acl BOM dstdomain .bom.gov.au
>>>> cache deny BOM
>>>>
>>>> always_direct allow Dev
>>>> always_direct allow Prod
>>>> never_direct allow all
>>>>
>>>> http_access allow manager localhost
>>>> http_access deny manager
>>>> http_access deny !Safe_ports
>>>> http_access deny CONNECT !SSL_ports
>>>> http_access allow localhost
>>>> http_access allow localnet
>>>> http_access deny all
>>>> ---
>>>>
>>>> On the proxy server, when I do a 'tcpdump host client and port 3128' I
>>>> get nothing more than
>>>> ---
>>>> 15:22:19.515518 IP 172.22.106.23.48052 > 172.22.106.10.3128: Flags [S], seq 2995762959, win 5840, options [mss 1460,sackOK,TS val 1681190449 ecr 0,nop,wscale 7], length 0
>>>> 15:22:19.515567 IP 172.22.106.10.3128 > 172.22.106.23.48052: Flags [S.], seq 1966725410, ack 2995762960, win 14480, options [mss 1460,sackOK,TS val 699366121 ecr 1681190449], length 0
>>>> 15:22:19.515740 IP 172.22.106.23.48052 > 172.22.106.10.3128: Flags [.], ack 1, win 5840, options [nop,nop,TS val 1681190449 ecr 699366121], length 0
>>>> 15:23:49.606087 IP 172.22.106.23.48052 > 172.22.106.10.3128: Flags [F.], seq 1, ack 1, win 5840, options [nop,nop,TS val 1681280540 ecr 699366121], length 0
>>>> 15:23:49.606163 IP 172.22.106.10.3128 > 172.22.106.23.48052: Flags [.], ack 2, win 14480, options [nop,nop,TS val 699456212 ecr 1681280540], length 0
>>>> 15:23:49.606337 IP 172.22.106.10.3128 > 172.22.106.23.48052: Flags [F.], seq 1, ack 2, win 14480, options [nop,nop,TS val 699456212 ecr 1681280540], length 0
>>>> 15:23:49.606465 IP 172.22.106.23.48052 > 172.22.106.10.3128: Flags [.], ack 2, win 5840, options [nop,nop,TS val 1681280540 ecr 699456212], length 0
>>>> ---
>>>>
>>>> Nothing goes into the access.log file from this connection either.
>>>>
>>> So what is your problem now?
>>> That nothing goes into the access log?
>>> Let's go two steps back.
>>> I didn't make sure, but you do have:
>>>
>>> acl Prod dst 172.22.106.0/23
>>> acl Prod dst 172.22.176.0/23
>>> acl Dev dst 172.22.102.0/23
>>>
>>> always_direct allow Dev
>>> always_direct allow Prod
>>>
>>> and if you don't get anything in the access log it probably means that the
>>> clients are not connecting to the server.
>>> How are you directing the ftp clients to the squid proxy server?
>>> You do know that squid is not intercepting the ftp protocol by itself?
>>> There was some kind of ftp interception tool as far as I remember.
>>>
>>> So just a sec, state your goals again and what you have done so far.
>>>
>>> Regards,
>>> Eliezer
>>>>
>>>> Any ideas?
>>>>
>>>> CC
>>>>
>>> --
>>> Eliezer Croitoru
>>> https://www1.ngtech.co.il
>>> IT consulting for Nonprofit organizations
>>> eliezer <at> ngtech.co.il
>>
>> Apologies for being unclear.
>>
>> I have two separate but similar environments, prod and dev. Both have
>> squid proxies, both use the same upstream corporate proxy. I've done
>> the config so I can just get it working on one and then copy/paste the
>> config to the other squid server.
>>
>> The clients are a mix of Windows (XP, 7, server 2008R2) and Linux
>> (RHEL 4/5/6). Most clients just need access to external web sites
>> (http/https), but some also need to access some external FTP sites.
>>
>> The corporate proxy (bluecost) web proxies on 8200 and FTP proxies on 221.
>>
>> The goal: client web and FTP requests get correctly serviced.
>>
>> The web proxying is working fine, it's just the FTP proxying that is
>> not working.
>>
>> I know the clients are connecting to the squid server from the tcpdump
>> posted in my previous email.
>>
>> Hope that's a bit clearer
>
> Yes indeed, much clearer.
> My question is: how do you know that the clients are using the proxy server
> for ftp traffic?
> It's a must to enforce them in a way (WPAD for example) to use the proxy or
> else you are doing nothing.
> The acls I have mentioned, if I'm not wrong, are saying that all the prod and
> dev dst's will have direct access.
> I don't remember what rule always wins, the always_direct or the never_direct...
> So this is one bump.
> But as for you taking a client and connecting to an ftp server using the
> squid: is it working?
> Just try to get something like that:
> 1333622935.422 3902 192.168.10.100 TCP_MISS/200 3325 GET ftp://ftp.freebsd.org/pub - HIER_DIRECT/204.152.184.73 text/html
>
> If in any case you are not getting that, change the parent-proxy stuff off
> and try again.
> Then I hope you understand my logic...
>
> Regards,
> Eliezer
>
>> CC
>>
>> --
>> RHCE#805007969328369

OK, I did

export ftp_proxy=http://benpxy1p:3128
wget ftp://ftp2.bom.gov.au/anon/gen/fwo
--2012-04-05 19:43:38-- ftp://ftp2.bom.gov.au/anon/gen/fwo
Resolving benpxy1p... 172.22.106.10
Connecting to benpxy1p|172.22.106.10|:3128... connected.
Proxy request sent, awaiting response... ^C

An entry appeared in access.log only after I hit ^C.

Changing ftp_proxy to ftp://benpxy1p:3128 did not change anything.

CC

--
RHCE#805007969328369
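Added illustration, not from the thread or from Squid's source: a small Python model of how Squid applies the always_direct, never_direct and cache_peer_access lists in the squid.conf quoted above, answering the "which rule wins" question in the thread (Squid's peer selection evaluates always_direct first, and an access list with no matching line yields the opposite of its last line). The destination IPs are constructed test addresses; no DNS resolution is performed.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed model of the forwarding rules in the squid.conf quoted above (not Squid's code).
ACL_DST = {"Prod": ["172.22.106.0/23", "172.22.176.0/23"],
           "Dev": ["172.22.102.0/23"]}
ACL_PORT = {"ftp_ports": {20, 21}}
ALWAYS_DIRECT = [("allow", "Dev"), ("allow", "Prod")]
NEVER_DIRECT = [("allow", "ftp_ports"), ("allow", "all")]
CACHE_PEER_ACCESS = {"ftp": [("allow", "ftp_ports"), ("deny", "all")],
                     "other": [("deny", "ftp_ports")]}
DEFAULT_PORT = {"http": 80, "https": 443, "ftp": 21}

def acl_matches(name, dst_ip, port):
    # 'all' always matches; 'port' ACLs test the URL port; 'dst' ACLs test the resolved IP
    if name == "all":
        return True
    if name in ACL_PORT:
        return port in ACL_PORT[name]
    ip = ipaddress.ip_address(dst_ip)
    return any(ip in ipaddress.ip_network(net) for net in ACL_DST[name])

def evaluate(rules, dst_ip, port):
    # Squid access lists: the first matching line decides; if none matches,
    # the result is the opposite of the last line's action.
    for action, acl in rules:
        if acl_matches(acl, dst_ip, port):
            return action == "allow"
    return rules[-1][0] != "allow"

def route(url, dst_ip):
    # Peer selection checks always_direct before never_direct, so an always_direct
    # match wins; a never_direct match then forces a parent, and cache_peer_access
    # decides which parents are eligible for the request.
    parts = urlsplit(url)
    port = parts.port or DEFAULT_PORT[parts.scheme]
    if evaluate(ALWAYS_DIRECT, dst_ip, port):
        return "DIRECT"
    if not evaluate(NEVER_DIRECT, dst_ip, port):
        return "DIRECT_MAYBE"  # parents preferred, direct allowed as fallback
    peers = [p for p, rules in CACHE_PEER_ACCESS.items()
             if evaluate(rules, dst_ip, port)]
    return "PEER:" + ",".join(peers) if peers else "NO_ROUTE"

if __name__ == "__main__":
    # Destination IPs are constructed (TEST-NET-3), not the real hosts' addresses.
    for url, ip in [("ftp://ftp2.bom.gov.au/anon/gen/fwo", "203.0.113.10"),
                    ("http://www.bom.gov.au/", "203.0.113.10"),
                    ("http://prodhost.example/", "172.22.106.50")]:
        print(f"{url:40s} -> {route(url, ip)}")
```

One check worth making against this model: a request that lands on the "ftp" peer is sent to 172.22.0.7:221 as an HTTP proxy request (GET ftp://... over HTTP), because cache_peer parents are HTTP proxies, so the service listening on 221 must accept that form of request.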