FTP inspection configuration


FTP inspection configuration

Eugene E.
Hello,
I'm trying to configure squid 3.5.6 as an FTP proxy for native FTP uploads
to be inspected by an ICAP service.

Currently FileZilla fails to connect via proxy and also telnet on port 21
fails..

What is missing in the config and how to configure FileZilla connection?

acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http

acl CONNECT method CONNECT

http_access allow localhost manager
http_access deny manager

http_access allow localnet
http_access allow localhost

http_access deny all

http_port 3128 ssl-bump cert=/usr/local/squid-3.5.6/ssl_cert/squid356_https.pem key=/usr/local/squid-3.5.6/ssl_cert/squid356_https.pem
always_direct allow all
ssl_bump server-first all
sslproxy_flags DONT_VERIFY_PEER
ftp_port 21

coredump_dir /usr/local/squid-3.5.6/var/cache/squid

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320


acl vontu_reqmod_http_upload method POST PUT
icap_service vontu_reqmod reqmod_precache 0 icap://<icap_server:1344>/reqmod
adaptation_service_set class_vontu_reqmod vontu_reqmod
adaptation_access class_vontu_reqmod allow vontu_reqmod_http_upload

icap_enable on
icap_io_timeout 70
icap_service_failure_limit 20
icap_service_revival_delay 30
icap_preview_enable on
icap_preview_size 0
icap_persistent_connections on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Authenticated-User
icap_client_username_encode on



--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: FTP inspection configuration

Amos Jeffries
Administrator
On 16/01/19 3:10 pm, eugene.elyashev wrote:
> Hello,
> I'm trying to configure squid 3.5.6 as an FTP proxy for native FTP uploads
> to be inspected by an ICAP service.

Please try an upgrade, there have been a lot of fixes in the 3+ years
since that release. Current production/stable release is v4.5.

For the FTP issues 3.5.28 would be enough of an upgrade. But ...

Since you are also using SSL-Bump you should be tracking the latest
Squid releases and upgrading frequently. TLS is a highly volatile
environment - almost every Squid release since v3.2 has had additions to
cope with that.


>
> Currently FileZilla fails to connect via proxy and also telnet on port 21
> fails..
>
> What is missing in the config and how to configure FileZilla connection?
>

Your ICAP service is only processing PUT and POST transactions. IIRC, at
least some of the FTP native messaging occurs as GET.

...
>
> http_port 3128 ssl-bump
> cert=/usr/local/squid-3.5.6/ssl_cert/squid356_https.pem
> key=/usr/local/squid-3.5.6/ssl_cert/squid356_https.pem
> always_direct allow all

The above is not necessary in v3.2+, it was only useful as a hack
workaround for a bug in a single v3.1.x point release.


> ssl_bump server-first all

This bumping mode is deprecated due to lack of ability to cope with
modern TLS extensions and behaviour (i.e. TLS SNI). Use the v3.5+ actions
instead:
 <https://wiki.squid-cache.org/Features/SslPeekAndSplice>


> sslproxy_flags DONT_VERIFY_PEER

Please do not do this, ever. It only prevents *you* from seeing problems
(e.g. to debug them); they still exist and affect the traffic.
Remove the above line and then actually fix any problems that are then
visible.


> ftp_port 21
>
> coredump_dir /usr/local/squid-3.5.6/var/cache/squid
>
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
>
>
> acl vontu_reqmod_http_upload method POST PUT
> icap_service vontu_reqmod reqmod_precache 0 icap://<icap_server:1344>/reqmod
> adaptation_service_set class_vontu_reqmod vontu_reqmod
> adaptation_access class_vontu_reqmod allow vontu_reqmod_http_upload
>

The ACL above restricting the ICAP service to only seeing PUT and POST
requests is probably the cause of your problem.

Another possibility is one of the ICAP bugs which have been fixed in
later v3.5 releases.


Amos
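The following squid.conf fragment is an added illustration (not posted by either participant) that puts each setting Amos flagged next to the replacement his reply points at. It assumes Squid 3.5+ syntax; the ICAP URL keeps the <icap_server:1344> placeholder from the original post, and widening the ICAP ACL to include GET is an assumption based only on Amos's remark that native FTP messaging occurs (at least partly) as GET.

```conf
# Added example, not the poster's config. Squid 3.5+ directives.
# Each block shows the original setting commented out, then the replacement.

# --- TLS bumping ---
# Deprecated: cannot cope with modern TLS extensions such as SNI.
#   ssl_bump server-first all
# Peek/splice actions instead (see the SslPeekAndSplice wiki page):
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# --- Upstream certificate verification ---
# Do not use: it only hides certificate problems from the proxy admin.
#   sslproxy_flags DONT_VERIFY_PEER
# Leave it out and fix the errors cache.log then reports.

# --- Obsolete workaround ---
# Not needed on v3.2+ (was a hack for one v3.1.x point release):
#   always_direct allow all

# --- ICAP adaptation ---
# Original ACL only handed POST and PUT to the service, so FTP relay
# traffic arriving as GET was never sent for inspection:
#   acl vontu_reqmod_http_upload method POST PUT
# Assumption: include GET so native FTP transactions reach the service.
icap_enable on
icap_service vontu_reqmod reqmod_precache 0 icap://<icap_server:1344>/reqmod
adaptation_service_set class_vontu_reqmod vontu_reqmod
acl vontu_reqmod_upload method POST PUT GET
adaptation_access class_vontu_reqmod allow vontu_reqmod_upload
adaptation_access class_vontu_reqmod deny all

# Native FTP relay port stays as in the original post.
ftp_port 21
```

After applying a change like this, confirm in access.log that FTP transactions are actually tagged with the ICAP service before trusting the inspection path; an adaptation_access rule that never matches fails silently from the client's point of view.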