Re: [squid-users] problem with squid and ftp

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 30 Apr 2010 17:13:58 +1200

jnimo wrote:
> Hello, I'm trying to enable FTP access in squid and it is not working. Here is my
> squid conf:
>
> http_port 10.10.10.215:3128
> icp_port 0
> tcp_outgoing_address 10.10.10.215
> acl ALLHTTP url_regex ^http://
> acl ALLFTP url_regex ^ftp://

The above are the less-efficient exact equivalents to:

  acl ALLHTTP proto HTTP
  acl ALLFTP proto FTP

> no_cache deny ALLFTP

Why not? FTP has a higher % of cacheable content than HTTP.

> cache_dir ufs /var/spool/squid/ 128 16 128
> cache_access_log /var/log/squid/access.log
> cache_log /var/log/squid/cache.log
> cache_store_log none
> ftp_user squid_at_test.com
> ftp_passive on
> request_header_max_size 100 KB
> request_body_max_size 0
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl SSL_ports port 443 563 8443 5190 5050 6697 9999 5222 # 5222 is Jabber for CD.
> acl Safe_ports port 80 443 563 70 210 1025-65535
> acl Safe_ports port 81 # for some reason some sites use 81 (logwatch.org)
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 554 # RTSP
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 6667 # IRC -
> acl Safe_ports port 1935 # RTE
> acl Safe_ports port 2381 # HP SIM -
> acl Safe_ports port 5222 # Jabber -
> acl Safe_ports port 11371 # PGP keyservers -
> acl Safe_ports port 3000 # ASD access to usa server -
> acl Safe_ports port 20 # FTP access
> acl Safe_ports port 21 # FTP access
> acl CONNECT method CONNECT
> acl FTP proto FTP
> acl ftp_port port 21
> always_direct allow FTP
> acl Network src 10.10.2.0/255.255.255.0
> acl Backup_Network src 10.10.4.0/255.255.255.0
> acl Wireless_Network src 10.10.100.0/255.255.255.0
> acl Network_Test src 10.10.128.0/255.255.255.0
> acl Network_Ext src 10.10.10.192/255.255.255.224
> acl Network_Ext src 10.10.8.32/255.255.255.224
> acl Admins src 10.10.2.132/255.255.255.255
> acl Cache src 10.10.2.226/255.255.255.255
> http_access allow ftp_port CONNECT
> http_access allow FTP
> http_reply_access allow all
> http_access allow manager localhost
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow manager IEDR_Cache
> http_access deny manager
> http_access allow Network
> http_access allow Wireless_Network
> http_access allow Backup_Network
> http_access allow Network_Test
> http_access allow Network_Ext
> http_access deny all
> icp_access allow Network
> icp_access allow Wireless_Network
> icp_access allow Backup_Network
> icp_access allow Network_Test
> icp_access allow Network_Ext
> icp_access deny all
> miss_access allow Network
> miss_access allow Wireless_Network
> miss_access allow Backup_Network
> miss_access allow Network_Test
> miss_access allow Network_Ext
> miss_access deny all
> cache_mgr admin_at_test.com?subject=squid_problems
> cache_effective_user squid
> cache_effective_group squid
> logfile_rotate 14
> append_domain .test.com
> cachemgr_passwd gavisheq all
> coredump_dir /var/spool/squid/
>
> From the squid machine, I'm able to open an FTP connection without a problem.
> I already tried without iptables and nothing works.
>
> I changed some values, but the squid has in reality a real IP address, and
> every time I try to go to any FTP site I get this:
>
> 1272554063.196 8693 10.10.10.194 TCP_MISS/502 1509 GET ftp://anonymous@209.132.183.61/ - DIRECT/209.132.183.61 text/html
>
> I tried with ftp.redhat.com and ftp.samba.org and no joy, any ideas?

That log line shows the FTP server at 209.132.183.61 being contacted and
some error message came back. What did the 504 error page contain?

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.1
Received on Fri Apr 30 2010 - 05:14:15 MDT
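
Added example, not part of the original thread or of Squid itself: a small parser for the native access.log line quoted above. It splits out the result/status and hierarchy/peer fields that the reply reads from and classifies where an ftp:// request stopped. The classification labels and the second sample line are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Native access.log fields, in order:
# time elapsed_ms client result/status bytes method URL ident hierarchy/peer content-type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed_ms>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

def parse_line(line):
    """Return the fields of one access.log line as a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("elapsed_ms", "status", "bytes"):
        rec[key] = int(rec[key])
    rec["when"] = datetime.fromtimestamp(float(rec["ts"]), tz=timezone.utc)
    return rec

def diagnose(rec):
    """Classify where an ftp:// request stopped, using only the logged fields."""
    if not rec["url"].lower().startswith("ftp://"):
        return "not-ftp"
    if rec["result"].startswith("TCP_DENIED"):
        return "denied-by-acl"             # refused by http_access rules
    if rec["status"] >= 500:
        if rec["hier"] == "NONE":
            return "error-before-forwarding"   # no upstream connection was logged
        return "upstream-contacted-error"      # a peer address is logged next to the error
    return "ok"

# The line quoted in the thread (re-joined), plus one constructed denial for contrast.
THREAD_LINE = ("1272554063.196 8693 10.10.10.194 TCP_MISS/502 1509 GET "
               "ftp://anonymous@209.132.183.61/ - DIRECT/209.132.183.61 text/html")
CONSTRUCTED_DENIED = ("1272554070.001 2 10.10.99.9 TCP_DENIED/403 1400 GET "
                      "ftp://ftp.example.org/ - NONE/- text/html")

if __name__ == "__main__":
    for raw in (THREAD_LINE, CONSTRUCTED_DENIED):
        rec = parse_line(raw)
        print(rec["when"].isoformat(), rec["client"], rec["status"], diagnose(rec))
```

For the thread's line the ACLs let the request through and a peer address is logged, so the failure is in the FTP exchange itself; the body of the returned error page is the next thing to read.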