Finally I've managed to get to ftp.intel.com using FileZilla through my squid gateway in standard (proxy) mode.

Squid conf:

ftp_port x.x.x.x 2122

Then I try to block FTP-Command and nothing happens. Some of my config:

acl rh req_header -i ^FTP-Command
http_access deny rh
http_access allow all

And I also added the following:

request_header_access "FTP-Command: LIST" deny all

Connecting to and browsing the remote ftp.intel.com is OK - nothing blocked. In the squid log I see (fragment):

2016/10/04 15:23:04.177 kid1| 9,2| FtpServer.cc(495) writeReply: FTP Client REPLY:
---------
227 Entering Passive Mode (192,168,33,254,230,30).
----------
2016/10/04 15:23:04.177 kid1| 20,2| store.cc(949) checkCachable: StoreEntry::checkCachable: NO: not cachable
2016/10/04 15:23:04.177 kid1| 20,2| store.cc(949) checkCachable: StoreEntry::checkCachable: NO: not cachable
2016/10/04 15:23:04.178 kid1| 33,2| FtpServer.cc(699) parseOneRequest: >>ftp LIST
2016/10/04 15:23:04.178 kid1| 9,2| FtpServer.cc(1320) handleRequest: FTP Client local=192.168.33.254:2122 remote=192.168.33.10:60838 FD 9 flags=1
2016/10/04 15:23:04.178 kid1| 9,2| FtpServer.cc(1322) handleRequest: FTP Client REQUEST:
---------
GET / HTTP/1.1
FTP-Command: LIST
FTP-Arguments:
----------
2016/10/04 15:23:04.178 kid1| 85,2| client_side_request.cc(744) clientAccessCheckDone: The request GET ftp://ftp.intel.com/ is ALLOWED; last ACL checked: net33
2016/10/04 15:23:04.178 kid1| 85,2| client_side_request.cc(720) clientAccessCheck2: No adapted_http_access configuration. default: ALLOW
2016/10/04 15:23:04.178 kid1| 85,2| client_side_request.cc(744) clientAccessCheckDone: The request GET ftp://ftp.intel.com/ is ALLOWED; last ACL checked: net33
2016/10/04 15:23:04.178 kid1| 17,2| FwdState.cc(133) FwdState: Forwarding client request local=192.168.33.254:2122 remote=192.168.33.10:60838 FD 9 flags=1, url=ftp://ftp.intel.com/
2016/10/04 15:23:04.178 kid1| 44,2| peer_select.cc(258) peerSelectDnsPaths: Find IP destination for: ftp://ftp.intel.com/' via ftp.intel.com
2016/10/04 15:23:04.178 kid1| 44,2| peer_select.cc(258) peerSelectDnsPaths: Find IP destination for: ftp://ftp.intel.com/' via ftp.intel.com
2016/10/04 15:23:04.178 kid1| 44,2| peer_select.cc(280) peerSelectDnsPaths: Found sources for 'ftp://ftp.intel.com/'

But I need to block FTP-Command: LIST (for example).

2016-10-03 20:34 GMT+03:00 Alex Rousskov <rouss...@measurement-factory.com>:
> Please ask these questions on squid-users...
>
> On 10/03/2016 05:51 AM, oleg gv wrote:
> > Thanks, but problems still exist - FTP doesn't work through the proxy.
> >
> > 1. I've set in the proxy
> > ftp_port 192.168.0.1:2121
> > 2. set the client browser to use the proxy for FTP on 192.168.0.1:2121
> >
> > Trying to go to ftp://ftp.intel.com, and in the log of squid I see:
> >
> > FTP Client REPLY:
> > ---------
> > 530 Must login first
> >
> > ####
> >
> > Another variant: set up an interception ftp_proxy (with nat redirect) - and
> > it also doesn't work; last commands in the log:
> > 2016/10/03 14:43:09.929 kid1| 9,2| FtpRelay.cc(733) dataChannelConnected: connected FTP server data channel: local=8x.xxx.xxx.xxx:41231 remote=192.198.164.82:36034 FD 19 flags=1
> > 2016/10/03 14:43:09.929 kid1| 9,2| FtpClient.cc(791) writeCommand: ftp<< LIST
> >
> > 2016/10/03 14:43:10.125 kid1| 9,2| FtpClient.cc(1108) parseControlReply: ftp>> 125 Data connection already open; Transfer starting.
> >
> > And ftp.intel.com hangs, trying to open..
> >
> > 2016-10-01 2:12 GMT+03:00 Alex Rousskov <rouss...@measurement-factory.com>:
> > > On 09/30/2016 10:42 AM, oleg gv wrote:
> > > > Hello, I've found that NativeFtpRelay appeared in squid 3.5. Is it
> > > > possible to apply an http_access acl to the FTP proto for filtering
> > > > FTP methods (commands)
> > >
> > > Yes, it should be possible.
> > >
> > > > by analogy with HTTP methods?
> > >
> > > Not quite. IIRC, when the HTTP message representing the FTP transaction
> > > is relayed through Squid, the FTP command name is _not_ stored as an
> > > HTTP method. The FTP command name is stored as the HTTP "FTP-Command" header
> > > value. See http://wiki.squid-cache.org/Features/FtpRelay
> > >
> > > You should be able to block FTP commands using a req_header ACL.
> > >
> > > > what other possibilities in squid exist to do this?
> > >
> > > An ICAP or eCAP service can also filter relayed FTP messages.
> > >
> > > Alex.
_______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
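Added example, not part of the thread and not Squid's own code: a small Python model of how a req_header ACL and first-match http_access evaluation apply to the relayed request shown in the log above (GET / carrying FTP-Command: LIST), which is the point of both the ACL lines in the first message and Alex's note that the FTP command lives in the FTP-Command header rather than in the method. It assumes the grammar given in squid.conf.documented, acl NAME req_header HEADER [-i] REGEX..., i.e. the token after req_header is the header name and the case flag and regexes apply to that header's value, plus the documented rule that http_access takes allow or deny and an unmatched list yields the opposite of the last line's action. It does not reproduce Squid's parser. The request text, both config strings and the ACL name ftp_list are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed request, modelled on the "FTP Client REQUEST" block in the
# squid debug log above: the FTP relay re-expresses each FTP command as an
# HTTP request whose FTP-Command / FTP-Arguments headers carry the command.
RELAYED_LIST_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: ftp.intel.com\r\n"
    "FTP-Command: LIST\r\n"
    "FTP-Arguments: \r\n"
    "\r\n"
)

# ACL as posted in the thread: "-i" occupies the header-name slot.
ORIGINAL_CONFIG = """
acl rh req_header -i ^FTP-Command
http_access deny rh
http_access allow all
"""

# Header name first, then a case-insensitive regex on its value (constructed).
FIXED_CONFIG = """
acl ftp_list req_header FTP-Command -i ^LIST$
http_access deny ftp_list
http_access allow all
"""


def parse_request_headers(raw: str) -> Dict[str, str]:
    """Lower-cased header-name -> value map for one HTTP request."""
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:   # skip the request line
        if not line:
            break                        # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


class ReqHeaderAcl:
    """Model of `acl NAME req_header HEADER [-i] REGEX ...` (assumed grammar).

    The token after req_header is the header name; "-i" / "+i" switch
    case-insensitivity for the regexes that follow; every other token is a
    regex applied to that header's value. Nothing is matched against names.
    """

    def __init__(self, acl_line: str) -> None:
        tokens = acl_line.split()
        if len(tokens) < 5 or tokens[0] != "acl" or tokens[2] != "req_header":
            raise ValueError("not a req_header acl line: %r" % acl_line)
        self.name = tokens[1]
        self.header = tokens[3]
        self.patterns = []               # compiled regexes, in config order
        flags = 0
        for tok in tokens[4:]:
            if tok == "-i":
                flags = re.IGNORECASE
            elif tok == "+i":
                flags = 0
            else:
                self.patterns.append(re.compile(tok, flags))

    def matches(self, headers: Dict[str, str]) -> bool:
        value = headers.get(self.header.lower())
        if value is None:
            return False                 # header absent: the ACL cannot match
        return any(p.search(value) for p in self.patterns)


def evaluate_http_access(config: str, raw_request: str) -> Tuple[str, Optional[str]]:
    """First-match evaluation of the acl / http_access lines in `config`.

    Returns (decision, ACL named on the deciding line). With no match the
    result is the opposite of the last line's action. Only req_header ACLs
    and the built-in `all` are modelled.
    """
    acls: Dict[str, ReqHeaderAcl] = {}
    rules: List[Tuple[str, List[str]]] = []
    for line in config.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("acl "):
            acl = ReqHeaderAcl(line)
            acls[acl.name] = acl
        elif line.startswith("http_access "):
            _, action, *names = line.split()
            rules.append((action, names))
    headers = parse_request_headers(raw_request)
    for action, names in rules:
        if all(n == "all" or acls[n].matches(headers) for n in names):
            return action, names[0]
    last = rules[-1][0] if rules else "deny"
    return ("deny" if last == "allow" else "allow"), None


if __name__ == "__main__":
    for label, cfg in (("as posted", ORIGINAL_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, "->", evaluate_http_access(cfg, RELAYED_LIST_REQUEST))
```

Under this model the as-posted config returns ('allow', 'all'): "-i" is taken as the header name, no such header exists in the relayed request, so the deny line never matches and allow all decides. The fixed config returns ('deny', 'ftp_list') for the LIST request and would still allow, say, RETR. One further check when a deny line looks right but the log still reports a different "last ACL checked" (net33 above): the deny line is not the one being consulted for that request, so its position relative to the other http_access lines needs to be verified before the ACL itself.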