Proxy hierarchy and FTP access
Grey
Hi guys,
I'm setting up a new infrastructure for my web proxy and I'm having a
problem with FTP access to the internet; I'm running Squid 3.5 on Debian 9
machines by the way.

I used to have a single Squid machine talking freely to the internet from
inside the LAN, with clients connecting on port 3128 for HTTP requests and 21
for FTP using FileZilla with "FTP proxy" options enabled.
The relevant part of my Squid configuration is the following, and everything
worked like a charm:

ftp_port 21
acl FTP proto FTP
acl ftp_sites dstdomain "/etc/squid/ftp_sites"
http_access allow FTP ftp_sites

Then for security purposes I've set up a second Squid machine, in our DMZ,
to act as a cache parent for the LAN machine, but now FTP only works through
a browser; I've tried enabling the ftp_port directive on the parent machine,
disabling it in the LAN one and a bunch of other stuff but nothing seems to
be working.
For reference, the parent grants access to the child proxy thanks to this
setting:

acl child_proxy src 10.9.10.X/32
http_access allow child_proxy

At this point, I'd like to know if what I'm trying to do is possible at all,
because I'm starting to think there's something major I've totally
overlooked.
Thanks a lot to anyone willing to help :)



--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: Proxy hierarchy and FTP access

Sticher, Jascha
Hi,

> I'm setting up a new infrastructure for my web proxy and I'm having a
> problem with FTP access to the internet; I'm running Squid 3.5 on Debian 9
> machines by the way.
>
> I used to have a single Squid machine talking freely to the internet from
> inside the LAN, with clients connecting on port 3128 for HTTP request and 21
> for FTP using FileZilla with "FTP proxy" options enabled.
> The relevant part of my Squid configuration is the following, and everything
> worked like a charm:
>
> ftp_port 21
> acl FTP proto FTP
> acl siti_ftp dstdomain "/etc/squid/ftp_sites"
> http_access allow FTP ftp_sites
>
> Then for security purposes I've set up a second Squid machine, in our DMZ,
> to act as a cache parent for the LAN machine, but now FTP only works
> through
> a browser; I've tried enabling the ftp_port directive on the parent machine,
> disabling it in the LAN one and a bunch of other stuff but nothing seems to
> be working.

This is exactly my setup right there and I came with the same question to this mailing list.

Sadly, there is no support for an explicit FTP-forwarding proxy at the moment and no development to implement this as far as I know.

> For reference, the parent grants access to the chil proxy thanks to this
> setting:
> acl child_proxy src 10.9.10.X/32
> http_access allow child_proxy

This is for HTTP packets only. When using FTP via the browser you are actually using FTP over HTTP, which uses the 3128 port on your client-side proxy.

When using an FTP client with an FTP proxy you are connecting via native FTP, which does not use the cache_peer settings (as those only support HTTP messages) that I'm guessing
you use to access the parent proxy.

See http://squid-web-proxy-cache.1019090.n4.nabble.com/FTP-proxy-chain-with-native-ftp-td4684366.html for the suggested workarounds from my thread.


Kind regards,

Jascha


Experience Industry 4.0 in practice at HANNOVER MESSE.
From 23 to 27 April 2018.
www.fujitsu.com/de/microsite/hmi/register/index.html?utm_source=Email&utm_medium=Signature%20EMail&utm_campaign=HANNOVER%20MESSE%20DE&utm_term=&utm_content=Ticket-anfordern

-----Original Message-----

> From: squid-users [mailto:[hidden email]] On
> Behalf Of Grey
> Sent: Wednesday, 28 February 2018 09:31
> To: [hidden email]
> Subject: [squid-users] Proxy hierarchy and FTP access
>
> Hi guys,
>
>
> At this point, I'd like to know if what I'm trying to do is possible at all,
> because I'm starting to think there's something major I've totally
> overlooked.
> Thanks a lot to anyone willing to help :)
Re: Proxy hierarchy and FTP access

Amos Jeffries
Administrator
In reply to this post by Grey
On 28/02/18 21:30, Grey wrote:
>
> At this point, I'd like to know if what I'm trying to do is possible at all,
> beacuse I'm starting to think there's something major I've totally
> overlooked.


The most obvious thing is that the port 3128 is an *HTTP* port, so when
the Browser is using that port it is using HTTP protocol to

 a) request that Squid perform all the FTP things and deliver the result
as an HTTP response, or

 b) create tunnels through the proxy to the relevant FTP IP:port of the
origin servers.


By comparison the ftp_port receives FTP protocol natively. Squid is
mapping the FTP protocol messages into HTTP and handling the mapped
requests.

IIRC these mapped requests are only handled internally by the same
Squid that created them. The outgoing is mapped back to FTP for the
server contact. I used to think those requests could go to a cache_peer,
but Alex indicated recently that they do not.

It is technically possible to do with a few additions to Squid. But
those additions are not present in any current version.

Amos
Re: Proxy hierarchy and FTP access

Grey
In reply to this post by Grey
Thanks for the replies guys!
I'm sorry Jascha but the suggestions you got in your thread went kind of over
my head, can I ask you if and how you "do allow the front-end Squid to
re-FTP the traffic to the appropriate server then intercept it independently
into the backend with its own ftp_port accepting the "native FTP" coming out
of the frontend"?
If that's a "technically possible only" suggestion, I guess my only
alternative is to let my FileZilla client connect directly to my DMZ Squid
machine and do the ACL stuff there, right?



Re: Proxy hierarchy and FTP access

Amos Jeffries
Administrator
On 28/02/18 23:58, Grey wrote:
> Thanks for the replies guys!
> I'm sorry Jascha but the suggestions you got in your thead went kind of over
> my head, can I ask you if and how you "do allow the front-end Squid to
> re-FTP the traffic to the appropriate server then intercept it independently
> into the backend with its own ftp_port accepting the "native FTP" coming out
> of the frontend"?

With the ftp_port feature the client essentially thinks it is talking to
an FTP server.

The point of the idea was to have your frontend Squid thinking it's
talking to the origin, when actually its connections are being sent to
the backend Squid.

Much like most NAT systems do for FTP already.


> If that's a "technically possible only" suggestion, I guess my only
> alternative is to let my FileZilla client connect directly to my DMZ Squid
> machine and do the ACL stuff there, right?

The suggestion was "technically possible only" at the time simply
because it was an idea I had. Nobody has actually tried to do it and
reported the results AFAIK.

Amos
Re: Proxy hierarchy and FTP access

Sticher, Jascha
In reply to this post by Grey
Hi,

> I'm sorry Jascha but the suggestions you got in your thead went kind of over
> my head, can I ask you if and how you "do allow the front-end Squid to
> re-FTP the traffic to the appropriate server then intercept it independently
> into the backend with its own ftp_port accepting the "native FTP" coming out
> of the frontend"?

Please see https://wiki.squid-cache.org/SquidFaq/InterceptionProxy for an overview of the interception proxy concept.

Basically, you need to route the FTP traffic from your client-side proxy to the DMZ proxy. I'm not sure how well this will work with FTP, because of its dual-connection nature.
According to the squid FAQ it is not supported, but there are several FTP-helpers which could make this work. I haven't tried that solution either,
because we can't change our design that way without breaking production traffic. Googling

> If that's a "technically possible only" suggestion, I guess my only
> alternative is to let my FileZilla client connect directly to my DMZ Squid
> machine and do the ACL stuff there, right?

We are currently using the "frox" FTP proxy on our client-side proxy server. This software does support an FTP upstream proxy, but has not been maintained for a few years now.
It is not available in the official Debian repositories (since Wheezy, IIRC). If you don't want to use this, you need to allow your users access to the DMZ proxy.

On the other hand, FileZilla does support an HTTP proxy (you need to allow CONNECT for the FTP target ports though).


Kind regards,

Jascha


Re: Proxy hierarchy and FTP access

Grey
Thanks a lot guys, I ended up going back to using FileZilla with my LAN Squid
as HTTP proxy and allowing CONNECT requests to unregistered ports only for a
list of known FTP/SFTP destinations; probably not ideal from a security
standpoint but it's the easiest way to manage my users' requests.

Thanks again for your help and patience!



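Jascha's remark that FileZilla can use an HTTP proxy as long as CONNECT is allowed to the FTP target ports, and Grey's final setup (LAN Squid as HTTP proxy, CONNECT to unregistered ports permitted only for a list of known FTP/SFTP destinations), describe the same squid.conf change. The fragment below is an added example written for this thread; it is not configuration posted by anyone in it nor Squid's own stock file. It assumes the destination list is the /etc/squid/ftp_sites file from Grey's first post, a localnet ACL covering the LAN (10.9.10.0/24 is a placeholder), and that the allow rules are inserted ahead of Squid's stock "http_access deny CONNECT !SSL_ports" line, since http_access is evaluated first-match.

```conf
# Added example for Squid 3.5 (not from the thread). The destination list is
# the same file Grey used for the ftp_port setup: one domain per line.
acl ftp_sites dstdomain "/etc/squid/ftp_sites"

# Control-connection ports: 21 for FTP, 22 for SFTP (which is SSH, not FTP).
# Port 22 is not in Squid's stock Safe_ports list, so extend that ACL too,
# next to the existing "acl Safe_ports port ..." lines.
acl ftp_control_ports port 21 22
acl Safe_ports port 22

# Passive-mode data connections show up as "CONNECT host:<high port>"; this is
# the "unregistered ports" range that Squid's stock Safe_ports already names.
acl unregistered_ports port 1025-65535

# Placeholder LAN range; restrict the tunnels to known clients only.
acl localnet src 10.9.10.0/24
acl SSL_ports port 443
acl CONNECT method CONNECT

# First-match: both allows must come before the stock CONNECT deny below.
# Tunnel to the control port, only for listed destinations and LAN clients.
http_access allow localnet CONNECT ftp_sites ftp_control_ports
# Tunnel for passive data connections, still limited to the listed hosts.
http_access allow localnet CONNECT ftp_sites unregistered_ports

# Stock rule: every other tunnel may only go to port 443.
http_access deny CONNECT !SSL_ports
```

Check the file with `squid -k parse` before `squid -k reconfigure`. A tunnel that this policy rejects is logged in access.log as `TCP_DENIED/403` with the request `CONNECT host:port`, which is the quickest way to see which destination or data port a FileZilla session is actually asking for. One caveat: when a server's PASV reply carries a bare IP address, the data-connection CONNECT targets that address rather than the listed name, and a dstdomain list will not match it unless Squid can resolve the address back to a listed domain; adding a `dst` ACL with the same servers' addresses to both allow lines covers that case.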