RV: squid


RV: squid

javier perez

Good morning squid users,

I’m facing a weird situation in my Company… let me explain:

I installed squid (3.5.20) on CentOS 7 minimal to perform as an ftp-proxy.
My configuration file looks like this:

/etc/squid/squid.conf
##############################################################################

acl SSL_ports port 443 21
ftp_port 21
ftp_passive off

##############################################################################

acl Safe_ports port 80          # http
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 21
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

##############################################################################

acl FTP proto FTP
always_direct allow FTP

##############################################################################

http_access allow CONNECT SSL_ports
http_access allow CONNECT Safe_ports
http_access allow SSL_ports
http_access allow Safe_ports
http_access allow all
http_access allow FTP

##############################################################################

http_port 3128

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

##############################################################################

The thing is that the parameter “ftp_passive off” seems not to be working…
Due to security measures we have to use non-passive mode to be able to transfer anything.

The connection works fine with the remote hosts, the login works, but I have to enter “passive” every single time to swap the mode to non-passive.
I don’t know whether “ftp_passive” is not working or I need to do something else.

After doing deep research I cannot find much information related to this kind of problem, so I decided to get in touch with you. Please help!!

Thanks in advance.

Regards

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
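As an added illustration, not code from the thread or from the Squid project, the following Python model applies Squid's http_access evaluation to the configuration posted above: lines are walked top to bottom, the first line whose ACLs all match decides, and when nothing matches the default is the opposite of the last line. It places a tightened ordering in the style of Squid's shipped defaults beside the posted one; the `localnet` range, the probe addresses and the pseudo-scheme used for CONNECT are constructed assumptions of the model.

```python
"""Added example (not Squid's code): how Squid evaluates http_access lines,
run over the squid.conf posted above.  First matching line wins; if none
matches, the default is the opposite of the last line.  Only the ACL types
used here (port, method, proto, src) are modelled."""
import ipaddress
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}

# Access-control lines from the posted configuration (Safe_ports values
# collapsed onto one line; Squid unions repeated acl lines the same way).
POSTED_CONF = """
acl SSL_ports port 443 21
acl Safe_ports port 80 443 70 21 210 1025-65535 280 488 591 777
acl CONNECT method CONNECT
acl FTP proto FTP
http_access allow CONNECT SSL_ports
http_access allow CONNECT Safe_ports
http_access allow SSL_ports
http_access allow Safe_ports
http_access allow all
http_access allow FTP
"""

# Constructed tightened ordering in the style of Squid's shipped defaults:
# refuse unsafe ports and non-TLS CONNECT first, then allow only the local
# client range (assumed to be 10.0.0.0/8 here), then deny everyone else.
HARDENED_CONF = """
acl localnet src 10.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 443 21 1025-65535
acl CONNECT method CONNECT
acl FTP proto FTP
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet FTP
http_access allow localnet
http_access deny all
"""


class Request:
    def __init__(self, method, url, client_ip):
        self.method = method.upper()
        self.client_ip = ipaddress.ip_address(client_ip)
        if self.method == "CONNECT":
            # CONNECT carries 'host:port'; it gets a pseudo-scheme of its own
            # in this model (an assumption, not Squid's internal naming)
            self.proto, self.port = "CONNECT", int(url.rpartition(":")[2])
        else:
            parts = urlsplit(url)
            self.proto = parts.scheme.upper()
            self.port = parts.port or DEFAULT_PORTS[parts.scheme]


def parse_conf(text):
    """acl definitions (repeated names union their values) and http_access
    lines in file order; each http_access term is (negated, acl_name)."""
    acls, rules = {}, []
    for raw in text.splitlines():
        tok = raw.split("#", 1)[0].split()
        if tok[:1] == ["acl"]:
            acls.setdefault(tok[1], (tok[2], []))[1].extend(tok[3:])
        elif tok[:1] == ["http_access"]:
            terms = [(t.startswith("!"), t.lstrip("!")) for t in tok[2:]]
            rules.append((tok[1], terms))
    return acls, rules


def acl_matches(acls, name, req):
    if name == "all":
        return True
    kind, values = acls[name]
    if kind == "port":   # single port or 'low-high' range
        return any(int(v.partition("-")[0]) <= req.port <= int(v.partition("-")[2] or v)
                   for v in values)
    if kind == "method":
        return req.method in values
    if kind == "proto":
        return req.proto in values
    if kind == "src":
        return any(req.client_ip in ipaddress.ip_network(v) for v in values)
    raise ValueError(f"acl type not modelled: {kind}")


def describe(terms):
    return " ".join(("!" if neg else "") + name for neg, name in terms)


def http_access(conf_text, req):
    """Return (decision, matched line) under first-match semantics."""
    acls, rules = parse_conf(conf_text)
    for action, terms in rules:
        # a '!' term holds when its ACL does not match
        if all(acl_matches(acls, name, req) != neg for neg, name in terms):
            return action, describe(terms)
    return ("deny" if rules[-1][0] == "allow" else "allow"), "implicit default"


def unreachable_rules(conf_text):
    """http_access lines below an unconditional 'all' line: never consulted."""
    _, rules = parse_conf(conf_text)
    for i, (_, terms) in enumerate(rules):
        if terms == [(False, "all")]:
            return [describe(t) for _, t in rules[i + 1:]]
    return []
```

Run over the posted lines, the model shows that `http_access allow all` matches every request before `allow FTP` is ever reached, so the proxy as configured answers any client on any destination port (a request to port 25 from an outside address is allowed), and that `acl SSL_ports port 443 21` lets any client fetch port 21 via the `allow SSL_ports` line; the tightened ordering refuses the same probes and admits only the assumed local range.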

Re: RV: squid

Antony Stone
On Thursday 15 June 2017 16:22:44 javier perez wrote:

> I installed squid(3.5.20) on CentOS 7 minimal to perform as an ftp-proxy.
>
> My configuration file looks like this:

...snip...

> acl SSL_ports port 443 21

Er, what?

Why are you specifying port 21 as SSL?

> ftp_passive off

...snip...

> The thing is that the parameter "ftp_passive off" seems not to be working.

> The connection works fine with the remote hosts, the login works, but I
> have to enter "passive" every single time to swap the mode to non-passive.

Surely the option merely tells Squid whether to allow active or passive FTP
connections - it doesn't tell the client application what to ask for.

"ftp_passive off" should mean that you can't do passive FTP through the Squid
server, but it won't stop the client application from trying.

You need to tell the client system/s always to use active FTP (which will go
through Squid) - Squid can't do that for you - it will simply allow or block
whatever requests come its way.


Antony.

--
Under UK law, no VAT is charged on biscuits and cakes - they are "zero rated".  
Chocolate covered biscuits, however, are classed as "luxury items" and are
subject to VAT.  McVitie's classed its Jaffa Cakes as cakes, but in 1991 this
was challenged by Her Majesty's Customs and Excise in court.

The question which had to be answered was what criteria should be used to
class something as a cake or a biscuit.  McVitie's defended the classification
of Jaffa Cakes as a cake by arguing that cakes go hard when stale, whereas
biscuits go soft.  It was demonstrated that Jaffa Cakes become hard when stale
and McVitie's won the case.

                                                   Please reply to the list;
                                                         please *don't* CC me.


Re: RV: squid

javier perez

>> I installed squid(3.5.20) on CentOS 7 minimal to perform as an ftp-proxy.
>>
>> My configuration file looks like this:

>...snip...
snip?

>> acl SSL_ports port 443 21

>Er, what?

>Why are you specifying port 21 as SSL?

I saw many guides that ask for it e.g.
https://unix.stackexchange.com/questions/15484/connecting-to-ftp-sites-via-squid

I understand that it's in order to apply ACLs to those ports by invoking
"SSL_ports".

>> ftp_passive off

>...snip...
snip?
>> The thing is that the parameter "ftp_passive off" seems not to be
>> working.

>> The connection works fine with the remote hosts, the login works, but
>> I have to enter "passive" every single time to swap the mode to
>> non-passive.

>Surely the option merely tells Squid whether to allow active or passive FTP
>connections - it doesn't tell the client application what to ask for.

>"ftp_passive off" should mean that you can't do passive FTP through the
>Squid server, but it won't stop the client application from trying.

>You need to tell the client system/s always to use active FTP (which will
>go through Squid) - Squid can't do that for you - it will simply allow or
>block whatever requests come its way.

The thing is that my destination hosts are only listening on port 21
(active) and my source hosts have passive mode disabled...

Here you have an example of some other weird stuff:

With a Windows host (passive mode disabled) I do an ftp through CMD to my
proxy, then I enter user@host (this host accepts active and passive mode), I
enter the password, access granted. But when I try dir/ls the host
disconnects me.
But if I remove "ftp_passive off" it works!! Nonsense to me...

Thank you Antony for your quick answer.

Regards



Re: RV: squid

Matus UHLAR - fantomas
In reply to this post by Antony Stone
>On Thursday 15 June 2017 16:22:44 javier perez wrote:
>
>> I installed squid(3.5.20) on CentOS 7 minimal to perform as an ftp-proxy.
>>
>> My configuration file looks like this:
>
>...snip...
>
>> acl SSL_ports port 443 21

On 15.06.17 13:03, Antony Stone wrote:
>Why are you specifying port 21 as SSL?

Apparently a result of the Windows setting "enable folder view for FTP sites",
which causes Explorer to avoid using the proxy for ftp:// and connect directly
as an FTP client.

Maybe IE in this case uses CONNECT tunnels for the FTP protocol.

I wonder how it would behave if you enabled a SOCKS server.

>"ftp_passive off" should mean that you can't do passive FTP through the Squid
>server, but it won't stop the client application from trying.
>
>You need to tell the client system/s always to use active FTP (which will go
>through Squid) - Squid can't do that for you - it will simply allow or block
>whatever requests come its way.

Clients using Squid as a CONNECT proxy technically can't use PORT mode, since
HTTP does not contain anything like LISTEN.

Intercepted FTP connections are something different, although support for
this is relatively new (since 3.5).

There is the SOCKS protocol, which supports the listening required by
PORT/EPRT mode, although most FTP clients use passive by default.

(Not sure about the Windows command-line FTP client; at least in XP only
PORT mode is supported.)


--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I intend to live forever - so far so good.

Re: RV: squid

javier perez
I found this in the official documentation:

ftp://ftp.fu-berlin.de/unix/www/squid/archive/3.5/squid-3.5.0.1-RELEASENOTES.html

Section 2.6 Relay FTP
FTP Relay highlights:
2nd line:

" Active and passive FTP support on the user-facing side; require passive
connections to come from the control connection source IP address."

Does this mean that no active connections will be established between the
dest. host and squid?????

Thank you all in advance.

Regards


Re: RV: squid

Antony Stone
On Thursday 15 June 2017 19:58:59 javier perez wrote:

> I found this on the oficial documentation:
>
> ftp://ftp.fu-berlin.de/unix/www/squid/archive/3.5/squid-3.5.0.1-RELEASENOTES
> .html
>
> Section 2.6 Relay FTP
> FTP Relay highlights:
> 2nd line:
>
> " Active and passive FTP support on the user-facing side; require passive
> connections to come from the control connection source IP address."
>
> Does this mean that no active connections will be stablished between the
> dest. Host and squid?????

Well, yes - but only if you're using the "Native FTP Relay" feature, which
that same documentation lists as being "a new, experimental, complex feature
that has seen limited production exposure".

Therefore, given your situation, you might be best not using this new feature
for the time being (I have no idea whether it's planned to allow active
connections on the server side in future).


Antony.

--
"If I've told you once, I've told you a million times - stop exaggerating!"

                                                   Please reply to the list;
                                                         please *don't* CC me.


Re: RV: squid

Matus UHLAR - fantomas
In reply to this post by javier perez
On 15.06.17 19:58, javier perez wrote:

>I found this on the oficial documentation:
>
>ftp://ftp.fu-berlin.de/unix/www/squid/archive/3.5/squid-3.5.0.1-RELEASENOTES.html
>
>Section 2.6 Relay FTP
>FTP Relay highlights:
>2nd line:
>
>" Active and passive FTP support on the user-facing side; require passive
>connections to come from the control connection source IP address."

IMHO

that means that if you open an FTP control connection to Squid, the passive
data connection to it must come from the same IP as the control connection.

That in fact means you can't use Squid for FXP (server-to-server transfers).

>Does this mean that no active connections will be stablished between the
>dest. Host and squid?????

IMHO

that one is still managed by the ftp_passive option.


--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
If Barbie is so popular, why do you have to buy her friends?

Re: RV: squid

Eliezer Croitoru
In reply to this post by javier perez
Hey,

Can you re-define your scenario?
Squid in its basic form is merely an HTTP proxy which you can use to fetch
FTP requests.
I do not know exactly what you expect, but when you use Squid as an FTP proxy
it would convert the FTP connection into HTTP.
If you are using a specific FTP client it might be different, and then you
would need port 21 on the Safe_ports list.
But you cannot force a server to use an active or passive connection, since
the FTP service will be defined only for active or for both active and
passive connections.
This is not in the hands of Squid...
If you have a specific FTP address which we can use to test, it would help a
lot.

Eliezer

----
http://ngtech.co.il/lmgtfy/
Linux System Administrator
Mobile: +972-5-28704261
Email: [hidden email]


From: squid-users [mailto:[hidden email]] On
Behalf Of javier perez
Sent: Thursday, June 15, 2017 1:53 PM
To: [hidden email]
Subject: [squid-users] RV: squid


Re: RV: squid

Alex Rousskov
In reply to this post by Matus UHLAR - fantomas
On 06/15/2017 09:55 AM, Matus UHLAR - fantomas wrote:
>> ftp://ftp.fu-berlin.de/unix/www/squid/archive/3.5/squid-3.5.0.1-RELEASENOTES.html
>> " Active and passive FTP support on the user-facing side; require passive
>> connections to come from the control connection source IP address."

> that means, if you open FTP control connection to squid, the passive data
> connection to it must come from the same IP as control connection.

IIRC, the above interpretation is the right one:

* We support both active and passive FTP between an FTP client (a.k.a.
user) and Squid.

* When an FTP client is using passive mode, the data connection must
come from the same IP as the control connection. This restriction blocks
attacks that steal data connection of legitimate FTP users.

AFAIK, there are currently no plans (or even strong demand) to support
active FTP mode between Squid and FTP origin servers.


Alex.
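An added example, not Squid's code, modelling the rule Alex confirms above and the consequence Matus drew from it earlier in the thread: a toy relay that hands out passive listeners and accepts a data connection only when its source IP matches the control connection that requested it, which is also why an FXP-style data connection arriving from a third host is refused. The relay address, client addresses and ports are constructed sample values.

```python
"""Added example (not Squid's code): a toy FTP relay enforcing the rule
quoted above, that a passive data connection must come from the same IP as
the control connection that asked for it.  All addresses and ports below are
constructed sample values."""
import re

PASV_REPLY = re.compile(r"227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv_reply(line):
    """Decode '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' into (ip, port)."""
    m = PASV_REPLY.match(line)
    if not m:
        raise ValueError("not a PASV reply: " + line)
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def format_pasv_reply(ip, port):
    """Encode the relay's listener address the way a 227 reply carries it."""
    return "227 Entering Passive Mode (%s,%d,%d)" % (
        ip.replace(".", ","), port // 256, port % 256)


class PassiveRelay:
    """Relay-side bookkeeping for passive data connections: each listener it
    hands out is tied to the IP of the control connection that requested it."""

    def __init__(self, relay_ip):
        self.relay_ip = relay_ip
        self.pending = {}   # data port -> IP of the control connection entitled to it
        self.log = []

    def on_pasv(self, control_peer_ip, data_port):
        """Client sent PASV on a control connection from control_peer_ip:
        remember the owner and answer with the listener address."""
        self.pending[data_port] = control_peer_ip
        return format_pasv_reply(self.relay_ip, data_port)

    def on_data_connect(self, data_peer_ip, data_port):
        """Decide whether a TCP connection to data_port from data_peer_ip may
        proceed; one accepted connection consumes the listener."""
        owner = self.pending.get(data_port)
        if owner is None:
            self.log.append(f"reject {data_peer_ip}->{data_port}: no PASV outstanding")
            return False
        if data_peer_ip != owner:
            # the same-IP rule: also what rules out FXP (server-to-server) relaying
            self.log.append(f"reject {data_peer_ip}->{data_port}: "
                            f"control connection is from {owner}")
            return False
        del self.pending[data_port]
        self.log.append(f"accept {data_peer_ip}->{data_port}")
        return True


def demo():
    """Legitimate client versus a data connection from a different host."""
    relay = PassiveRelay("192.0.2.10")
    reply = relay.on_pasv("10.1.2.3", 40001)        # control connection from 10.1.2.3
    _, port = parse_pasv_reply(reply)
    same_host = relay.on_data_connect("10.1.2.3", port)
    relay.on_pasv("10.1.2.3", 40002)
    other_host = relay.on_data_connect("10.9.9.9", 40002)  # third party or FXP peer
    return same_host, other_host, relay.log
```

`demo()` returns `(True, False, log)`: the client whose data connection comes from the control-connection address is served, the connection from another address is logged and refused, and a second connection to an already consumed listener is refused as well.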

Re: RV: squid

Antony Stone
In reply to this post by javier perez
On Thursday 15 June 2017 16:22:44 javier perez wrote:

> I installed squid(3.5.20) on CentOS 7 minimal to perform as an ftp-proxy.

Why?

What are you trying to achieve by doing this, instead of simply allowing
clients inside to connect to servers outside?


Antony.

--
I lay awake all night wondering where the sun went, and then it dawned on me.

                                                   Please reply to the list;
                                                         please *don't* CC me.


Re: RV: squid

javier perez
Hi Antony,

My server acts as a focal point for all ftp transfers on a highly secured
network.

I have more than 100 static routes pointing to different gateways depending
on our client addresses.

The thing is that only 2 of our customers have old-fashioned active-ftp
sites, so only because of them my work is ruined.

We were trying to change the Windows server that currently does the task
(native active-ftp).

Anyway, thank you so much for your time and interest.


Re: RV: squid

javier perez
In reply to this post by Matus UHLAR - fantomas
Hello Matus,

You are right, the thing is that our clients are not going to open any port
other than 20 and 21 for security measures (or laziness).

So, if we can't use a dynamic data port on the destination, passive ftp is
discarded.

The thing is that with the "ftp_passive off" directive most of my clients
don't work at all; just a couple of them demand active ftp and make my life
a bit more complicated because of this deprecated way of ftp-ing.

We are working with highly secured environments that make any kind of
modification very difficult.

Thank you very much for your time and effort.
Regards



Re: RV: squid

javier perez
In reply to this post by Eliezer Croitoru
Hello Eliezer,

I have more than 100 clients and only 2 of them demand active ftp, so only
because of them we are rolling back to Windows.
Squid works perfectly with the other 100+ clients, so I am really happy
with Squid, and I will use it in the future for sure.

I can't redefine the thing because it depends on my clients, not on me.

Thank you very much for your interest and feedback.

Regards

Re: RV: squid

javier perez
In reply to this post by Alex Rousskov
Hi Alex,

I totally understand it, and I know that active ftp is being deprecated, so
it's logical that no further development is going to take place.

I'm happy with Squid, and it works perfectly on 99% of my clients but two.

Thank you for your time.
Regards.


Re: RV: squid

Amos Jeffries
Administrator
On 16/06/17 18:42, javier perez wrote:
> Hi Alex,
>
> I totally understand it, and I know that active ftp is being deprecated, so
> It's logic that no further development It's gonna take place.

That reason just makes it unlikely, not impossible. Squid being FOSS
anyone can contribute patches at any time that make things like this happen.

Patches to make Squid accept active-FTP from clients and convert that to
passive-FTP on the server connection would be welcome.


> I'm happy with Squid, and it works perfectly on 99% of my clients but two.

FYI; you might want to look into foxyproxy or similar dedicated FTP
proxies rather than Squid. They have a much better focus on proxying
FTP and a longer history than Squid in the area, so probably fewer
missing features.

Amos


Re: RV: squid

Matus UHLAR - fantomas
In reply to this post by Alex Rousskov
>>> ftp://ftp.fu-berlin.de/unix/www/squid/archive/3.5/squid-3.5.0.1-RELEASENOTES.html
>>> " Active and passive FTP support on the user-facing side; require passive
>>> connections to come from the control connection source IP address."

>On 06/15/2017 09:55 AM, Matus UHLAR - fantomas wrote:
>> that means, if you open FTP control connection to squid, the passive data
>> connection to it must come from the same IP as control connection.

On 15.06.17 10:06, Alex Rousskov wrote:
>IIRC, the above interpretation is the right one:

Just to be sure: mine?

>* We support both active and passive FTP between an FTP client (a.k.a.
>user) and Squid.
>
>* When an FTP client is using passive mode, the data connection must
>come from the same IP as the control connection. This restriction blocks
>attacks that steal data connection of legitimate FTP users.
>
>AFAIK, there are currently no plans (or even strong demand) to support
>active FTP mode between Squid and FTP origin servers.

What is ftp_passive for then?

BTW, I suggest calling it "port" FTP mode instead of active.


--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Quantum mechanics: The dreams stuff is made of.

Re: RV: squid

javier perez
In reply to this post by Amos Jeffries
Thank you very much Amos for your suggestion, I'm gonna study it straight
away.

Regards!

________________________________________________________________________________________________________________________________

On 16/06/17 18:42, javier perez wrote:
> Hi Alex,
>
> I totally understand it, and I know that active ftp is being
> deprecated, so It's logic that no further development It's gonna take
> place.

That reason just makes it unlikely, not impossible. Squid being FOSS anyone
can contribute patches at any time that make things like this happen.

Patches to make Squid accept active-FTP from clients and convert that to
passive-FTP on the server connection would be welcome.


> I'm happy with Squid, and it works perfectly on 99% of my clients but two.

FYI: you might want to look into foxyproxy or similar dedicated FTP
proxies rather than Squid. They have a much better focus on proxying
FTP and a longer history than Squid in the area, so probably fewer
missing features.

Amos


Re: RV: squid

Amos Jeffries
Administrator
In reply to this post by Matus UHLAR - fantomas
On 16/06/17 22:40, Matus UHLAR - fantomas wrote:

>>>> ftp://ftp.fu-berlin.de/unix/www/squid/archive/3.5/squid-3.5.0.1-RELEASENOTES.html
>>>>
>>>> " Active and passive FTP support on the user-facing side; require
>>>> passive
>>>> connections to come from the control connection source IP address."
>
>> On 06/15/2017 09:55 AM, Matus UHLAR - fantomas wrote:
>>> that means, if you open FTP control connection to squid, the passive
>>> data
>>> connection to it must come from the same IP as control connection.
>
> On 15.06.17 10:06, Alex Rousskov wrote:
>> IIRC, the above interpretation is the right one:
>
> just to be sure: mine?
>
>> * We support both active and passive FTP between an FTP client (a.k.a.
>> user) and Squid.
>>
>> * When an FTP client is using passive mode, the data connection must
>> come from the same IP as the control connection. This restriction blocks
>> attacks that steal data connection of legitimate FTP users.
>>
>> AFAIK, there are currently no plans (or even strong demand) to support
>> active FTP mode between Squid and FTP origin servers.
>
> what is ftp_passive for then?

For controlling how Squid gateways "GET ftp://example.com/ HTTP/1.1"
requests to an FTP server: whether it attempts PASV / EPSV mode commands
at all, or skips straight to the fallback "active" PORT/EPRT commands.


> btw I suggest calling it "port" FTP mode instead of active

active vs passive are well-known terms for how DATA connections in FTP
work (<http://slacksite.com/other/ftp.html> to pick the top result
from Google claiming to be *the* definition of the terms). AFAIK, the
words come from RFC 959 itself:

  "server-DTP

          The data transfer process, in its normal "active" state,
          establishes the data connection with the "listening" data port.
          It sets up parameters for transfer and storage, and transfers
          data on command from its PI.  The DTP can be placed in a
          "passive" state to listen for, rather than initiate a
          connection on the data port."

They refer to whether the server is actively initiating TCP connections
to the client, or passively waiting for the client to connect to a
random listener port the server sets up.


Amos
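To make the two sides of Amos's explanation concrete (the PASV/EPSV reply Squid has to parse on the server-facing side, and the user-facing rule that a passive data connection must come from the control connection's IP), here is an added illustration. It is not Squid's code; the function names, the 192.0.2.x / 198.51.100.x / 203.0.113.x addresses and the "host must match control peer" hardening on the PASV reply are this example's own choices.

```python
"""Added example (not from Squid): passive-mode reply parsing and the
source-IP restriction on client passive data connections."""
import re
from ipaddress import ip_address

# RFC 959 PASV reply: 227 ... (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# RFC 2428 EPSV reply: 229 ... (|||port|)
EPSV_RE = re.compile(r"229 .*?\(\|\|\|(\d+)\|\)")


def parse_passive_reply(reply):
    """Return (host, port) from a 227 or 229 reply, or None if the server
    refused passive mode (e.g. a 4xx/5xx), which is when an ftp_passive=on
    gateway falls back to PORT/EPRT. EPSV carries no host, so host is None."""
    m = PASV_RE.match(reply)
    if m:
        h1, h2, h3, h4, p1, p2 = map(int, m.groups())
        return f"{h1}.{h2}.{h3}.{h4}", (p1 << 8) | p2
    m = EPSV_RE.match(reply)
    if m:
        return None, int(m.group(1))
    return None


def resolve_data_endpoint(reply, server_control_ip):
    """Decide where the gateway should open the data connection.
    Hardening choice of this example (not necessarily Squid's): a PASV
    reply advertising a host other than the control-connection peer is
    rejected rather than followed."""
    parsed = parse_passive_reply(reply)
    if parsed is None:
        return None  # caller falls back to active mode
    host, port = parsed
    if host is None:
        host = server_control_ip
    elif ip_address(host) != ip_address(server_control_ip):
        raise ValueError(f"PASV host {host} != control peer {server_control_ip}")
    return host, port


def accept_passive_data_conn(control_peer_ip, data_peer_ip):
    """User-facing rule from the 3.5 release notes: when the FTP client uses
    passive mode, its data connection must come from the same IP as the
    control connection; anything else is refused."""
    return ip_address(control_peer_ip) == ip_address(data_peer_ip)
```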


Re: RV: squid

Amos Jeffries
Administrator
In reply to this post by javier perez
On 16/06/17 23:26, javier perez wrote:
> Thank you very much Amos for your suggestion, I'm gonna study it straight
> away.
>

Ouch. Sorry I thought one thing and typed another. What I meant to
suggest was FROX and similar. FoxyProxy is the browser integration thing
for proxying.

<http://frox.sourceforge.net/>

Amos


Re: RV: squid

Amos Jeffries
Administrator
In reply to this post by javier perez
On 16/06/17 18:33, javier perez wrote:
> Hello Matus,
>
> You are right, the thing is that our clients are not going to open any other
> port than 20 and 21 for security measures (or laziness).

FYI: The "for security" argument is bogus because:

a) allowing any random client to determine their own arbitrary port
number(s) is strictly worse for security than having your control point
(Squid) select the port, and

b) limiting that client-selected port to 20/21 makes the data between
client and Squid go over a port which is more easily predicted and
therefore interceptable by passive attack.

Amos
