On 16/01/19 3:10 pm, eugene.elyashev wrote:
> Hello,
> I'm trying to configure squid 3.5.6 as an FTP proxy for native FTP uploads
> to be inspected by an ICAP service.

Please try an upgrade, there have been a lot of fixes in the 3+ years
since that release. Current production/stable release is v4.5.

For the FTP issues 3.5.28 would be enough of an upgrade. But ...

Since you are also using SSL-Bump you should be tracking the latest Squid
releases and upgrading frequently. TLS is a highly volatile environment -
almost every Squid release since v3.2 has had additions to cope with that.

>
> Currently FileZilla fails to connect via proxy and also telnet on port 21
> fails..
>
> What is missing in the config and how to configure FileZilla connection?
>

Your ICAP service is only processing PUT and POST transactions. IIRC, at
least some of the FTP native messaging occurs as GET.

...
>
> http_port 3128 ssl-bump
> cert=/usr/local/squid-3.5.6/ssl_cert/squid356_https.pem
> key=/usr/local/squid-3.5.6/ssl_cert/squid356_https.pem
> always_direct allow all

The above is not necessary in v3.2+, it was only useful as a hack
workaround for a bug in a single v3.1.x point release.

> ssl_bump server-first all

This bumping mode is deprecated due to lack of ability to cope with
modern TLS extensions and behaviour (ie. TLS SNI).

Use the v3.5+ actions instead
<https://wiki.squid-cache.org/Features/SslPeekAndSplice>

> sslproxy_flags DONT_VERIFY_PEER

Please do not do this, ever. It only prevents *you* from seeing problems
(eg to debug them), they still exist and affect the traffic.

Remove the above line and then actually fix any problems that are then
visible.

> ftp_port 21
>
> coredump_dir /usr/local/squid-3.5.6/var/cache/squid
>
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
>
>
> acl vontu_reqmod_http_upload method POST PUT
> icap_service vontu_reqmod reqmod_precache 0 icap://<icap_server:1344>/reqmod
> adaptation_service_set class_vontu_reqmod vontu_reqmod
> adaptation_access class_vontu_reqmod allow vontu_reqmod_http_upload
>

The ACL above restricting the ICAP service to only seeing PUT and POST
requests is probably the cause of your problem.

Another possibility is one of the ICAP bugs which have been fixed in
later v3.5 releases.

Amos
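
The settings flagged in the reply above can be checked mechanically before a config is deployed. The following is an added example, not part of the original thread and not Squid project code: a small linter that reports each of those four settings in a squid.conf. The function name `lint_squid_conf`, the finding texts and the sample config (with placeholder certificate paths) are constructed for illustration.

```python
# Constructed sample: the directives quoted in the thread, with placeholder paths.
SAMPLE_CONF = """\
http_port 3128 ssl-bump cert=/path/to/proxy.pem key=/path/to/proxy.pem
always_direct allow all
ssl_bump server-first all
sslproxy_flags DONT_VERIFY_PEER
ftp_port 21
acl vontu_reqmod_http_upload method POST PUT
adaptation_access class_vontu_reqmod allow vontu_reqmod_http_upload
"""

def lint_squid_conf(text):
    """Return sorted (line_no, finding) pairs for the settings the reply flags."""
    findings, method_acls, allow_rules, ftp_line = [], {}, [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comment lines
        name, *args = line.split()
        if name == "sslproxy_flags" and "DONT_VERIFY_PEER" in " ".join(args):
            findings.append((no, "DONT_VERIFY_PEER hides upstream TLS errors"))
        elif name == "ssl_bump" and args[:1] == ["server-first"]:
            findings.append((no, "server-first is deprecated; use peek-and-splice actions"))
        elif name == "always_direct" and args == ["allow", "all"]:
            findings.append((no, "always_direct allow all is unnecessary in v3.2+"))
        elif name == "ftp_port":
            ftp_line = no
        elif name == "acl" and len(args) >= 2 and args[1] == "method":
            # Several acl lines with the same name accumulate their values.
            method_acls.setdefault(args[0], set()).update(m.upper() for m in args[2:])
        elif name == "adaptation_access" and len(args) >= 2 and args[1] == "allow":
            allow_rules.append((no, args[2:]))
    # Second pass: with ftp_port set, an allow rule gated on a method ACL that
    # lacks GET keeps ICAP from seeing the FTP messages that, per the reply,
    # may arrive as GET.
    if ftp_line is not None:
        for no, acls in allow_rules:
            for acl in acls:
                methods = method_acls.get(acl)
                if methods and "GET" not in methods:
                    findings.append((no, "ICAP limited to %s while ftp_port is set"
                                         % ",".join(sorted(methods))))
    return sorted(findings)

if __name__ == "__main__":
    for no, msg in lint_squid_conf(SAMPLE_CONF):
        print("line %d: %s" % (no, msg))
```
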