On 04/08/2016 10:37 PM, Amos Jeffries wrote:
> On 5/04/2016 9:08 p.m., Axel.Eberhardt@xxxxxxxxxxxxx wrote:
>> I try to enable the Native ftp proxying.
>> The documentation I have found is:
>> http://wiki.squid-cache.org/Features/FtpRelay
>>
>> But there is no example for this. Also in the Mail Archives I was not able to find a hint.
>>
>> I have configured the ftp proxy with parameter:
>> ftp_port 21

> AFAIK that port is intended either for use as above when the Squid IP
> address or hostname is given to the client FTP tool as the FTP server
> IP/host.

IIRC, the Squid address is given as the FTP proxy address. Some popular FTP clients support that kind of proxying even though the original FTP does not have such a concept. How this is done from FTP commands point of view is mentioned further below.

> Or when intercepting port 21 traffic - with the 'intercept' option on
> the port config line.

Yes.

> It is still a new / experimental and rarely used feature so YMMV.

Agreed, provided that "rarely" means "by few Squid admins" here. AFAIK, v3.5 implementation is used on some busy production servers. There are many corner cases it does not handle well yet, but it is "working OK" in those environments. YMMV.

>> Version:
>> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>> squid -v
>> Squid Cache: Version 3.5.15
>> Service Name: squid
>> configure options: '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--verbose' '--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=$(localstatedir)/log/squid' '--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-auth-basic=DB,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,getpwnam,fake' '--enable-auth-ntlm=smb_lm,fake' '--enable-auth-digest=file,LDAP,eDirectory' '--enable-auth-negotiate=kerberos,wrapper' '--enable-external-acl-helpers=wbinfo_group,kerberos_ldap_group,LDAP_group,delayer,file_userip,SQL_session,unix_group,session,time_quota' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-icap-client' '--enable-ident-lookups' '--enable-linux-netfilter' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-storeio=aufs,diskd,ufs,rock' '--enable-wccpv2' '--enable-esi' '--enable-ssl-crtd' '--enable-icmp' '--with-aio' '--with-default-user=squid' '--with-filedescriptors=16384' '--with-dl' '--with-openssl' '--with-pthreads' '--with-included-ltdl' '--disable-arch-native' '--enable-ecap' '--without-nettle' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic' 'LDFLAGS=-Wl,-z,relro ' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig' --enable-ltdl-convenience
>> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>>
>> Now my problem.
>>
>> I am able to connect via ftp client to the squid.
>> Also the login will be correct:
>> example: anonymous@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Correct from client, Squid, or FTP origin server point of view?

>> But after a command which uses a data channel the connection fails:
>> 421 Service not available, remote server has closed connection
>>
>>
>> I try a tcpdump but I cannot find a failure.
>> The only difference between a native ftp session and a connection over the squid is a missing TCP ACK after the last ftp data package.

Does Squid know where to connect? If you are not intercepting, then (IIRC) the FTP origin server address comes from your FTP login, which should use two "@" characters.

If you are not intimate with FTP in general or FTP proxying specifically, then it might be easier to first get this to work with a client that supports a concept of FTP proxy so that you can compare apples to apples.

If nothing works, consider attached full TCP captures of user-Squid _and_ Squid-origin connections.

HTH,

Alex.