Discussion:
[squid-users] Proxy hierarchy and FTP access
Grey
2018-02-28 08:30:54 UTC
Hi guys,
I'm setting up a new infrastructure for my web proxy and I'm having a
problem with FTP access to the internet; I'm running Squid 3.5 on Debian 9
machines by the way.

I used to have a single Squid machine talking freely to the internet from
inside the LAN, with clients connecting on port 3128 for HTTP requests and 21
for FTP using FileZilla with "FTP proxy" options enabled.
The relevant part of my Squid configuration is the following, and everything
worked like a charm:

ftp_port 21
acl FTP proto FTP
acl ftp_sites dstdomain "/etc/squid/ftp_sites"
http_access allow FTP ftp_sites

Then for security purposes I've set up a second Squid machine, in our DMZ,
to act as a cache parent for the LAN machine, but now FTP only works through
a browser; I've tried enabling the ftp_port directive on the parent machine,
disabling it in the LAN one and a bunch of other stuff but nothing seems to
be working.
For reference, the parent grants access to the child proxy thanks to this
setting:

acl child_proxy src 10.9.10.X/32
http_access allow child_proxy

At this point, I'd like to know if what I'm trying to do is possible at all,
because I'm starting to think there's something major I've totally
overlooked.
Thanks a lot to anyone willing to help :)
Sticher, Jascha
2018-02-28 10:06:51 UTC
Hi,
Post by Grey
I'm setting up a new infrastructure for my web proxy and I'm having a
problem with FTP access to the internet; I'm running Squid 3.5 on Debian 9
machines by the way.
I used to have a single Squid machine talking freely to the internet from
inside the LAN, with clients connecting on port 3128 for HTTP request and 21
for FTP using FileZilla with "FTP proxy" options enabled.
The relevant part of my Squid configuration is the following, and everything
ftp_port 21
acl FTP proto FTP
acl ftp_sites dstdomain "/etc/squid/ftp_sites"
http_access allow FTP ftp_sites
Then for security purposes I've set up a second Squid machine, in our DMZ,
to act as a cache parent for the LAN machine, but now FTP only works through
a browser; I've tried enabling the ftp_port directive on the parent machine,
disabling it in the LAN one and a bunch of other stuff but nothing seems to
be working.
This is exactly my setup right there and I came with the same question to this mailing list.

Sadly, there is no support for an explicit FTP-forwarding proxy at the moment and no development to implement this as far as I know.
Post by Grey
For reference, the parent grants access to the child proxy thanks to this
acl child_proxy src 10.9.10.X/32
http_access allow child_proxy
This is for HTTP packets only. When using FTP via the browser you are actually using FTP over HTTP, which uses the 3128 port on your client-side proxy.

When using a FTP client with a FTP proxy you are connecting via native FTP, which does not use the cache_peer settings (as those only support HTTP messages) I'm guessing
you use to access the parent proxy.

See http://squid-web-proxy-cache.1019090.n4.nabble.com/FTP-proxy-chain-with-native-ftp-td4684366.html for the suggested workarounds from my thread.


Kind regards,

Jascha
Amos Jeffries
2018-02-28 10:10:48 UTC
Post by Grey
At this point, I'd like to know if what I'm trying to do is possible at all,
because I'm starting to think there's something major I've totally
overlooked.
The most obvious thing is that the port 3128 is an *HTTP* port, so when
the Browser is using that port it is using HTTP protocol to

a) request that Squid perform all the FTP things and deliver the result
as an HTTP response, or

b) create tunnels through the proxy to the relevant FTP IP:port of the
origin servers.


By comparison the ftp_port receives FTP protocol natively. Squid maps
those FTP protocol messages into HTTP and handles the mapped
requests.

IIRC these mapped requests are only handled internally by the same
Squid that created them. The outgoing is mapped back to FTP for the
server contact. I used to think those requests could go to a cache_peer,
but Alex indicated recently that they do not.

It is technically possible to do with a few additions to Squid. But
those additions are not present in any current version.

Amos
Grey
2018-02-28 10:58:45 UTC
Thanks for the replies guys!
I'm sorry Jascha but the suggestions you got in your thread went kind of over
my head, can I ask you if and how you "do allow the front-end Squid to
re-FTP the traffic to the appropriate server then intercept it independently
into the backend with its own ftp_port accepting the "native FTP" coming out
of the frontend"?
If that's a "technically possible only" suggestion, I guess my only
alternative is to let my FileZilla client connect directly to my DMZ Squid
machine and do the ACL stuff there, right?
Amos Jeffries
2018-02-28 12:28:57 UTC
Post by Grey
Thanks for the replies guys!
I'm sorry Jascha but the suggestions you got in your thread went kind of over
my head, can I ask you if and how you "do allow the front-end Squid to
re-FTP the traffic to the appropriate server then intercept it independently
into the backend with its own ftp_port accepting the "native FTP" coming out
of the frontend"?
With the ftp_port feature the client essentially thinks it is talking to
an FTP server.

The point of the idea was to have your frontend Squid thinking it's
talking to the origin, when actually its connections are being sent to
the backend Squid.

Much like most NAT systems do for FTP already.
Post by Grey
If that's a "technically possible only" suggestion, I guess my only
alternative is to let my FileZilla client connect directly to my DMZ Squid
machine and do the ACL stuff there, right?
The suggestion was "technically possible only" at the time simply
because it was an idea I had. Nobody has actually tried to do it and
reported the results AFAIK.

Amos
Sticher, Jascha
2018-02-28 12:32:32 UTC
Hi,
Post by Grey
I'm sorry Jascha but the suggestions you got in your thread went kind of over
my head, can I ask you if and how you "do allow the front-end Squid to
re-FTP the traffic to the appropriate server then intercept it independently
into the backend with its own ftp_port accepting the "native FTP" coming out
of the frontend"?
Please see https://wiki.squid-cache.org/SquidFaq/InterceptionProxy for an overview of the interception proxy concept.

Basically, you need to route the FTP traffic from your client-side proxy to the DMZ proxy. I'm not sure how well this will work with FTP, because of its dual-connection nature.
According to the squid FAQ it is not supported, but there are several FTP-helpers which could make this work. I haven't tried that solution either,
because we can't change our design that way without breaking production traffic. Googling
Post by Grey
If that's a "technically possible only" suggestion, I guess my only
alternative is to let my FileZilla client connect directly to my DMZ Squid
machine and do the ACL stuff there, right?
We are currently using the "frox" FTP proxy on our client-side proxy server. This software does support an FTP-Upstream proxy, but has not been maintained for a few years now.
It is not available in the official Debian repositories (since Wheezy, IIRC). If you don't want to use this, you need to allow your users to the DMZ proxy.

On the other hand, FileZilla does support an HTTP proxy (you need to allow CONNECT for the FTP target ports though).


Kind regards,

Jascha
Grey
2018-03-09 13:01:21 UTC
Thanks a lot guys, I ended up going back to using FileZilla with my LAN Squid
as HTTP proxy and allowing CONNECT requests to unregistered ports only for a
list of known FTP/SFTP destinations; probably not ideal from a security
standpoint but it's the easiest way to manage my users' requests.

Thanks again for your help and patience!
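The CONNECT-based workaround the thread settles on, written out as a squid.conf fragment for the LAN Squid. This is an added example, not configuration posted by anyone in the thread or shipped by the Squid project; the parent address 10.9.20.1, the ftp_sites file and the port ranges are assumed placeholders.

```conf
# Added example: LAN squid.conf fragment for FileZilla using the LAN Squid as an
# HTTP proxy (FileZilla proxy type "HTTP/1.1 using CONNECT"). CONNECT tunnels
# are limited to a short list of known FTP/SFTP hosts instead of being opened
# to any destination. All names and addresses below are assumed placeholders.

# Stock Squid ACLs the rules below depend on. If you keep the stock Safe_ports
# line, 22 must be added to it or SFTP is rejected by "deny !Safe_ports".
acl SSL_ports port 443
acl Safe_ports port 21 22 80 443 1025-65535
acl CONNECT method CONNECT

# Destinations allowed to be tunnelled, one domain per line in the file.
acl ftp_sites dstdomain "/etc/squid/ftp_sites"

# Control channels: 21 for FTP, 22 for SFTP (SSH).
acl ftp_ctrl_ports port 21 22
# Passive-mode FTP data channels land on server-chosen ephemeral ports, so the
# client issues a second CONNECT to one of these. Pairing the range with
# ftp_sites is what keeps it from becoming an open tunnel to the internet.
acl ftp_data_ports port 1025-65535

# Weak version (CONNECT to unregistered ports with no destination constraint),
# kept here only for contrast. Do not use:
# http_access allow CONNECT ftp_data_ports

# Hardened version: destination AND port must both match. These allow lines
# must sit before the stock "deny CONNECT !SSL_ports" line, because Squid stops
# at the first matching http_access rule.
http_access deny !Safe_ports
http_access allow CONNECT ftp_sites ftp_ctrl_ports
http_access allow CONNECT ftp_sites ftp_data_ports
http_access deny CONNECT !SSL_ports

# Send everything through the DMZ parent. The parent needs the same CONNECT
# allow rules for the child (its child_proxy src ACL from the thread), since
# each Squid evaluates http_access independently.
cache_peer 10.9.20.1 parent 3128 0 no-query default
never_direct allow all
```

Check the result with `squid -k parse` before `squid -k reconfigure`; a misspelled ACL name in an http_access line is reported there rather than silently ignored.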