Hello,

Thanks for your interest.
As requested, here is my FTP-related configuration:

acl FTP proto FTP
http_access allow FTP
always_direct allow FTP
ftp_port 21 accel defaultsite=<real_server_ftp> protocol=FTP

------- On Squid itself ------
ftp> open 127.0.0.1
Connected to 127.0.0.1 (127.0.0.1).
220 Service ready
Name (127.0.0.1:<local_user>): <ftp_user>
---> USER <ftp_user>
331 Please specify the password.
Password:
---> PASS XXXX
230 Login successful.
---> SYST
215 UNIX Type: L8
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
---> PWD
257 "/"
ftp> ls
---> PASV
227 Entering Passive Mode (127,0,0,1,158,0).
---> LIST
150 Here comes the directory listing.
[...]
226 Transfer complete

------- From anywhere (including Squid itself) ------
ftp> open <dns name of the squid machine>
Connected to <dns name of the squid machine> (54.xx.xx.xx).
220 Service ready
Name (<dns name of the squid machine>:<local_user>): <ftp_user>
---> USER <ftp_user>
331 Please specify the password.
Password:
---> PASS XXXX
230 Login successful.
---> SYST
215 UNIX Type: L8
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
---> PWD
257 "/"
ftp> cd scripts
---> CWD scripts
250 Directory successfully changed.
ftp> ls
---> PASV
227 Entering Passive Mode (172,31,xx,xx,213,249).

WAN_IP---[FW]-------localIP1-[SQUID]-localIP2------------localIP3-[FTP_Server]

I was expecting something like "227 Entering Passive Mode (54,xx,xx,xx,213,249)." with the public IP.
What I want is a response like (WAN_IP,port), but what I obtain is (localIP1,port) instead.

Squid does not respond with the FTP server address, so I presume that Squid understands enough of the FTP protocol to modify the response and put its own IP address instead of the real FTP server's.

So I'm wondering if there is a way to force Squid to respond with a fixed IP address instead of its own local address.

-----Original Message-----
From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Garri Djavadyan
Sent: Friday, 21 October 2016 07:15
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: FTP : Squid sending private IP in PASV response

On Thu, 2016-10-20 at 14:07 +0000, Gael Ancelin wrote:
> Hello,
>
> I have searched in maillist archives but have not seen so far someone
> with the same problem.
>
> My Squid's objective is to forward FTP & HTTP requests to a distant
> server.
>
> Squid is running on CentOS 7.2.
> uname -r : 3.10.0-327.28.3.el7.x86_64
> squid -v : Version 3.5.20
>
>
> I don't have the choice to use anything but Squid, and I can't use
> firewalling rules for forwarding directly ports.
>
>
> WAN_1stPublic_IP ----------------------------[FIREWALL_1] -----[FTP_SERVER]
>
> WAN_2ndPublic_IP ---[FIREWALL_2]--[SQUID]-----[VPN]-----[FTP_SERVER]
>
>
> Here's my problem:
> When I'm connecting in FTP on the 2nd Public IP, everything is ok, but
> when I want to switch to passive mode, Squid is sending its own
> private IP instead of the 2nd public IP. So the connection timed out.
>
>
> ftp> open <WAN 2ndPublic IP>
> Connected to <WAN 2ndPublic IP> (<WAN 2ndPublic IP>).
> 220 Service ready
> Name (<WAN 2ndPublic IP>:<user>): <login>
> ---> USER <login>
> 331 Please specify the password.
> Password:
> ---> PASS XXXX
> 230 Login successful.
> ---> SYST
> 215 UNIX Type: L8
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> pwd
> ---> PWD
> 257 "/"
> ftp> ls
> ---> PASV
> 227 Entering Passive Mode (<SQUID Private IP>,<port>).
> ftp: connect: Connexion terminée par expiration du délai d'attente
>
>
> Is there a way to "force" Squid to resend its public IP?
> I'm thinking of something like the "pasv_address" option in vsftpd, but
> for Squid.
>
> Gaël Ancelin

Hi,

Can you provide the configuration options related to FTP?
I can't reproduce the problem using the following method:

# diff etc/squid.conf.default etc/squid.conf
73a74,75
>
> ftp_port 21

---
$ ftp 127.0.0.1
Connected to 127.0.0.1.
220 Service ready
Name (127.0.0.1:user): anonymous@xxxxxxxxxxxxxxxx
530 Must login first
530 Must login first
SSL not available
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> passive
Passive mode on.
ftp> ls
227 Entering Passive Mode (127,0,0,1,229,181).
150 Here comes the directory listing.
drwxr-xr-x 19 ftp ftp 4096 Oct 21 05:00 altlinux
...
drwxr-xr-x 11 ftp ftp 4096 Oct 21 03:16 ubuntu-releases
226 Transfer complete
---

The example showed that Squid returned the IP address of the interface facing the client, not the IP address of my interface facing the origin.

Garri
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users