Re: [squid-users] Send FileZilla FTP traffic through ICAP server

From: Brendan Kearney <bpk678_at_gmail.com>
Date: Wed, 24 Apr 2013 22:02:21 -0400

Why are you using the CONNECT method with FTP? The CONNECT method is
for use with tunneled connections, such as HTTPS through a proxy. It
does not seem correct that the CONNECT method is being used.

I have:
acl ftp proto FTP
acl Safe_ports port 21 # ftp
http_access allow ftp
always_direct allow FTP

yum sometimes uses FTP to download updates from some mirrors, and I only
see GET methods being used. I could see you needing to use some of the
icap_* directives to push the FTP traffic to your DLP boxes, instead of
the "always_direct allow FTP" config I have.

brendan

On Wed, 2013-04-24 at 21:05 -0400, Dave wrote:
> Good evening everyone,
>
> Using Squid 3.3.3 on CentOS 6.4. I need to be able to send FTP client
> traffic through an ICAP server for Data Loss Prevention (DLP) purposes.
>
> I have the following ACLs defined in squid.conf
>
> *******************************************************
> acl ftp proto FTP
> acl ftp_port port 20 21
>
> http_access allow ftp_port connect
> http_access allow ftp
> *******************************************************
>
> However, when I attempt to connect to my FTP server via FileZilla, I get the
> following squid log:
>
> *******************************************************
> 366851550.677 396 192.168.137.1 NONE/200 0 CONNECT
> ftp.thinkwelldesigns.com:21 - HIER_DIRECT/208.106.209.235 -
> *******************************************************
>
> For its part, FileZilla reports:
> *******************************************************
> Status: Connecting to ftp.thinkwelldesigns.com through proxy
> Status: Connecting to 192.168.137.128:3128...
> Status: Connection with proxy established, performing handshake...
> Response: Proxy reply: HTTP/1.1 200 Connection established
> Status: Connection established, waiting for welcome message...
> Error: Connection timed out
> Error: Could not connect to server
> *******************************************************
>
>
> It seems I'm almost there, but not quite. Any help for me?
>
> Thanks,
>
> Dave
>
>
Received on Thu Apr 25 2013 - 02:02:37 MDT
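
Added example (not from the thread or from Squid itself): the access.log line Dave quotes is a CONNECT tunnel to port 21, which Squid relays as opaque bytes, whereas the GET requests Brendan describes are ftp:// URLs that Squid fetches itself and can hand to ICAP. The script below separates the two in native-format access.log lines; the sample lines, host names and addresses are constructed, and the function names are illustrative.

```python
from collections import Counter
from urllib.parse import urlsplit

FTP_PORTS = {20, 21}  # the ports named in the ftp_port ACL quoted above

# Constructed sample in Squid's native access.log layout (hosts/IPs are placeholders).
SAMPLE_LOG = """\
1366851550.677    396 192.168.137.1 NONE/200 0 CONNECT ftp.example.net:21 - HIER_DIRECT/203.0.113.10 -
1366851601.120    210 192.168.137.1 TCP_MISS/200 5120 GET ftp://ftp.example.net/pub/README - HIER_DIRECT/203.0.113.10 text/plain
1366851633.004    850 192.168.137.1 TCP_MISS/200 0 CONNECT www.example.org:443 - HIER_DIRECT/203.0.113.20 -
1366851640.555     95 192.168.137.1 TCP_MISS/201 0 PUT ftp://ftp.example.net/incoming/report.pdf - HIER_DIRECT/203.0.113.10 -
"""

def classify(line):
    """Return (kind, client, target) for one access.log line, or None if malformed."""
    fields = line.split()
    if len(fields) < 10:
        return None
    client, method, url = fields[2], fields[5], fields[6]
    if method == "CONNECT":
        # CONNECT targets are host:port; Squid only relays the bytes that follow.
        port = url.rpartition(":")[2]
        kind = "ftp-tunnel" if port.isdigit() and int(port) in FTP_PORTS else "other-tunnel"
    elif urlsplit(url).scheme.lower() == "ftp":
        # ftp:// URL: Squid acts as the FTP client and handles the payload itself.
        kind = "ftp-gateway"
    else:
        kind = "http"
    return kind, client, url

def summarize(log_text):
    """Count entries per kind, skipping blank or malformed lines."""
    results = (classify(line) for line in log_text.splitlines())
    return Counter(r[0] for r in results if r)

def ftp_tunnels(log_text):
    """List (client, target) pairs for CONNECT tunnels to FTP ports."""
    return [(r[1], r[2]) for r in map(classify, log_text.splitlines())
            if r and r[0] == "ftp-tunnel"]

if __name__ == "__main__":
    print(dict(summarize(SAMPLE_LOG)))
    for client, target in ftp_tunnels(SAMPLE_LOG):
        print(f"{client} tunnelled to {target}: payload not visible to ICAP")
```

Entries reported as ftp-tunnel are the ones a DLP service behind ICAP never gets to inspect.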
