On 12/6/20 10:26 AM, Andrea Venturoli wrote:
> I see this feature was introduced in 3.5 as an experimental one; at 4.13
> is it still so or is it considered stable and dependable?

AFAIK, FTP proxy is successfully used in some production environments, but I bet that most Squid deployments do not use this feature. YMMV.

> Is there a way to restrict the port range of the additional connections
> (e.g. to 40000-50000)?

I do not know what connections you are talking about (there are at least four connections when it comes to a typical proxied FTP transaction).

* If you are talking about source ports used by from-Squid TCP connections, then those are usually handled by your OS ephemeral ports setting (e.g., sysctl net.ipv4.ip_local_port_range).

* If you are talking about blocking FTP PORT/EPRT commands based on the ports requested by FTP clients, then, in theory, one should be able to block such requests using http_access ACLs targeting fake/internal/wrapping HTTP requests that represent the corresponding raw FTP command. However, I have not tested whether that works in practice, and I suspect that Squid does _not_ supply enough details for the http_access ACLs to work in this use case.

Please note that, AFAICT, Squid code talking to FTP servers does not support PORT/EPRT commands, so Squid converts each received FTP PORT/EPRT command into a PASV command (wrapped in an HTTP request for Squid traversal). In that wrapping HTTP request, the FTP-Command header field value will be set to PASV, not PORT or EPRT.

HTH,

Alex.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
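As an added illustration (not code from the thread or from Squid) of the second option above, deciding on a raw FTP PORT/EPRT command "based on the ports requested by FTP clients": the client's requested data port is encoded as p1*256+p2 in PORT and in plain decimal in EPRT, and the check below accepts it only within the 40000-50000 range from the question. The sample commands and the range are constructed assumptions; note that, as Alex says, Squid rewrites these commands to PASV before the wrapping HTTP request reaches http_access, so this is the decision logic, not a Squid ACL.

```python
import re
from typing import Optional, Tuple

# Constructed sample commands, as an FTP client would send them on the control channel.
SAMPLE_COMMANDS = [
    "PORT 192,168,1,10,156,64",      # 156*256 + 64 = 40000 -> in range
    "PORT 192,168,1,10,4,1",         # 4*256 + 1 = 1025    -> out of range
    "EPRT |1|192.168.1.10|45000|",   # IPv4 extended form  -> in range
    "EPRT |2|2001:db8::10|60000|",   # IPv6 extended form  -> out of range
    "PASV",                          # requests no client port at all
]

PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$", re.I)
EPRT_RE = re.compile(r"^EPRT\s+\|([12])\|([^|]+)\|(\d{1,5})\|\s*$", re.I)


def requested_endpoint(command: str) -> Optional[Tuple[str, int]]:
    """Return the (host, port) the client asks the server to connect to,
    or None if the command is not PORT/EPRT (e.g. PASV) or is malformed."""
    m = PORT_RE.match(command)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
            return None  # octets and port bytes must fit in 8 bits
        return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
    m = EPRT_RE.match(command)
    if m:
        port = int(m.group(3))
        if not 1 <= port <= 65535:
            return None
        return m.group(2), port
    return None


def port_allowed(command: str, low: int = 40000, high: int = 50000) -> bool:
    """Policy check: a PORT/EPRT command passes only if the requested data
    port lies within [low, high]. Malformed PORT/EPRT commands are denied;
    commands that request no port (PASV) are left to the server's choice."""
    ep = requested_endpoint(command)
    if ep is None:
        return not command.upper().startswith(("PORT", "EPRT"))
    return low <= ep[1] <= high


if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        print(f"{cmd!r:35} -> {'allow' if port_allowed(cmd) else 'deny'}")
```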