Avatar of bwask
bwask🇺🇸

Squid 3.1.1 proxy server will not FTP
Hello All,

I have 4 servers running squid/3.1.1 proxy server. Since the latest version I can no longer FTP. I have posted this problem in multiple places but have received almost no response. I've found several other posts on this problem throughout the Internet which have also gone unanswered. So, once again I thought I'd give it a try.

As I said "I have 4 servers running the newest version of Squid". When I try to access an ftp, any ftp, I receive an error (check attached image). This was never a problem until just recently. Squid should work perfectly fine with ftp, it is not a strictly http proxy.

I turned my firewall off just to make sure, still had the same issue. If I jump directly on the server itself with no proxy settings set in the browser it will work fine. As soon as I set the browser setting to access the Squid software I get the same error.

I've included my squid config (which is unchanged from the default settings), maybe somebody better versed than myself can point out an obvious flaw. Everything else seems to work just fine, it's only FTP that's a problem.

Thanks for any help
Eric
squid-311-config.txt
Squid-ftp-error.JPG



Avatar of bwaskbwask🇺🇸

ASKER

Also, if I go look at the /var/log/squid/access.log file I see the following message:

1273527600.117     51 172.17.137.11 TCP_REFRESH_UNMODIFIED/304 382 GET http://www.squid-cache.org/Artwork/SN.png - DIRECT/209.169.10.131 -

Avatar of arnoldarnold🇺🇸

Other than the ACL that allows port 21 you do not include the settings for FTP.
http://www.squid-cache.org/Versions/v3/3.1/cfgman/

Your error deals with what the proxy server retrieved from itself to render the error message you are displaying.

Could you look at what your squid proxy does for the request ftp://ftp.

check to make sure you do not have an EXE restriction.
See if you can access the directory listing where the application you wish to download resides.


Avatar of bwaskbwask🇺🇸

ASKER

ftp://ftp... both Firefox and IE8 say they cannot find the page, but I don't get a Squid error. There is no .exe restriction. As I said, this is an out-of-the-box config. I have tried my personal ftp as well and it gives the same error, regardless of whether I point it at a folder or a file.

All works fine if the proxy is turned off.

I'm not sure what you're talking about in your first paragraph.



Avatar of arnoldarnold🇺🇸

Double check whether your proxy configuration on the systems or within the application directs the application (IE or Firefox) to use the proxy for the FTP protocol.

Often you have to either specify that the proxy is to be used for all protocols http, ftp, https, etc. or it only applies to HTTP type of connections.

Could you check your squid log to see whether it is actually getting a request for ftp?
Try the ftp connection in the following form:
ftp://ftp.host.com:21/ to see if it will make a difference, provided the configuration of the local proxy setup reflects that all connections, or at least http and ftp, should go through the proxy server.

Avatar of bwaskbwask🇺🇸

ASKER

Yes, my browsers are pointing at the proxy for ftp access, if they weren't, I wouldn't get the Squid error.

Specifying port 21 has the same result.

1273604907.384    382 172.17.137.105 TCP_MISS/502 4089 GET ftp://ftp.fedex.com/pub/us/software/FedExShipManager_2453.exe:21 - DIRECT/199.81.203.40 text/html

I'm getting the same line as I posted above in access.log when I try to access a ftp site. There is no doubt that the machines are talking to Squid. Squid just keeps rejecting ftp requests for some reason.


Avatar of arnoldarnold🇺🇸

The port is specified at the end of the host, not at the end as you have:
ftp://ftp.fedex.com:21/pub/us/software/FedExShipManager_2453.exe

You need to check and possibly set the several FTP-related options, i.e. to use the telnet protocol or not to use it.
To make sure that passive FTP is on.
Do you have tcpdump or another network utility that you could use to see what is going on on the proxy? i.e. does its outgoing FTP connection succeed? i.e. telnet ftp.fedex.com 21.
Can you FTP out from the proxy using ftp, ncftp or any other ftp program that you may have available?



Avatar of bwaskbwask🇺🇸

ASKER

Sorry about that, I copied and pasted the wrong line. Yes I put the :21 in the correct place, no joy.

I forced my ftp as well, if what you mean is not selecting "use this proxy server for all protocols" and then manually inputting the proxy server. Again, no joy.

As for going through an FTP client: it seems to work through FireFTP (Firefox addon) OK, I can see it talking through the proxy in the access.log file.


Avatar of arnoldarnold🇺🇸

Now the issue is when you are using a browser IE or Firefox, is there a difference in behavior based on the entries in the access log?

Avatar of bwaskbwask🇺🇸

ASKER

Not positive about that yet. I've tried about 4 different ftp utilities to try and get one that I know is using the proxy correctly. I'm not exactly sure what Fireftp is doing. So far I'm not having a lot of luck finding one that will.



Avatar of bwaskbwask🇺🇸

ASKER

OK, I ended up using TurboFTP.

Here is what it says in Squid's log file:

1273669060.572     13 172.17.137.105 TCP_DENIED/403 3293 CONNECT hostname.com:21 - NONE/- text/html
1273669070.850      0 172.17.137.105 TCP_DENIED/403 3293 CONNECT hostname.com:21 - NONE/- text/html
1273669080.869      0 172.17.137.105 TCP_DENIED/403 3293 CONNECT hostname.com:21 - NONE/- text/html
1273669090.872      0 172.17.137.105 TCP_DENIED/403 3293 CONNECT hostname.com:21 - NONE/- text/html
1273669100.875      0 172.17.137.105 TCP_DENIED/403 3293 CONNECT hostname.com:21 - NONE/- text/html
1273669110.878      0 172.17.137.105 TCP_DENIED/403 3293 CONNECT hostname.com:21 - NONE/- text/html
1273669120.881      0 172.17.137.105 TCP_DENIED/403 3293 CONNECT hostname.com:21 - NONE/- text/html

I have access to the server that I'm trying to connect to and Squid doesn't even appear to be talking to it. Works fine if I remove the proxy settings.

Avatar of bwaskbwask🇺🇸

ASKER

Is there a way to get squid to give me a little more info in the log file?

Avatar of arnoldarnold🇺🇸

You need to add a rule to add CONNECT to 21.
I.e. add
acl SSL_ports port 21
Reload the config and you should be good to go.

Currently the CONNECT method is restricted to the SSL_PORTS only.

This might be because the FTP server is not working according to the FTP standards.
You could try setting the ftp_telnet_protocol to off and see if that also makes a difference.

You should have a sample squid.conf.default as an example that includes descriptions and application of the various options.



Avatar of bwaskbwask🇺🇸

ASKER

Added and restarted squid. Same issue.

Avatar of arnoldarnold🇺🇸

Which options did you add?
Try the following (lines starting with a # are a comment or provide information. Entries surrounded by less than and greater signs <> are variables that need to be replaced):
telnet <your_proxy_server> <your proxy port>
#upon connecting to your proxy type in:
CONNECT <ftp.hostname.com>:21 HTTP/1.0
#after hitting the enter key you should either get a warning that the connection cannot be established or a connection to the remote server is established (and you get a 220) and the server is ready for authentication, using user anonymous and pass <your_email_address>
#after a successful authentication typing in
PASV
#will set the ftp server to PASV mode which means it will output the information through which the FTP client will calculate the data port to which it needs to connect on the server.  This might be the problem.  You need to add a range >1024 to the SSL_ports as well.
#This test will confirm whether your proxy can handle the connection to the remote FTP server.

Forgot about the data stream component of the FTP.

Avatar of arnoldarnold🇺🇸

Another option to try is from http://nixcraft.com/linux-software/384-ftp-through-squid.html
use an ACL to allow FTP.
http://www.labtestproject.com/linux_network/step_by_step_enable_ftp_on_squid_proxy_in_linux_fedora_10.html
acl FTP proto FTP
always_direct allow FTP
Adding a range of IPs will solve the issue, but will let any user behind your proxy who knows to use the connect method to bypass any/all restrictions you may have.
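As an added example (not code from this thread or from Squid itself), the script below parses access.log entries in the native format quoted above and checks each CONNECT against a given SSL_ports acl, so you can see which tunnels the widened 1024-23000 range would let through and which of those are not FTP at all. The sample log lines, the ftp.example.net host and the port-3389 target are constructed for illustration.

```python
import re
# Squid native access.log layout, as in the entries quoted in this thread.
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$")

# The stock SSL_ports acl, and the three acl lines proposed in this thread.
DEFAULT_SSL_PORTS = [443]
WIDENED_SSL_PORTS = [443, 21, (1024, 23000)]
# Constructed sample entries modelled on the ones posted above (not real traffic).
SAMPLE_LOG = """\
1273669060.572     13 172.17.137.105 TCP_DENIED/403 3293 CONNECT hostname.com:21 - NONE/- text/html
1273669070.850      0 172.17.137.105 TCP_DENIED/403 3293 CONNECT hostname.com:21 - NONE/- text/html
1273669130.000    120 172.17.137.105 TCP_MISS/200 2100 CONNECT ftp.example.net:1987 - DIRECT/203.0.113.7 -
1273669140.000     90 172.17.137.11 TCP_MISS/200 1024 CONNECT 203.0.113.9:3389 - DIRECT/203.0.113.9 -
1273604907.384    382 172.17.137.105 TCP_MISS/502 4089 GET ftp://ftp.fedex.com/pub/us/software/ - DIRECT/199.81.203.40 text/html
"""
def parse_line(line):
    """Return the log fields as a dict, or None if the line is not native format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def connect_port(url):
    """A CONNECT target is host:port; return the port as an int, or None."""
    _, sep, port = url.rpartition(":")
    return int(port) if sep and port.isdigit() else None

def port_allowed(port, ssl_ports):
    """SSL_ports semantics: a list of single ports or inclusive (lo, hi) ranges."""
    return any(port == p if isinstance(p, int) else p[0] <= port <= p[1] for p in ssl_ports)

def audit_connects(log_text, ssl_ports):
    """Per CONNECT entry: what Squid logged and whether this SSL_ports acl would allow it.
    Targets allowed only by a widened range (neither 21 nor 443) are flagged, because
    Squid cannot tell a passive FTP data port from any other TCP service."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "CONNECT":
            continue
        port = connect_port(rec["url"])
        allowed = port is not None and port_allowed(port, ssl_ports)
        findings.append({"client": rec["client"], "port": port,
                         "logged": f"{rec['result']}/{rec['status']}",
                         "would_allow": allowed,
                         "tunnel_candidate": allowed and port not in (21, 443)})
    return findings
```

Run it against a real access.log with your own acl list to see how many CONNECT targets in the widened range are genuine passive-FTP data ports and how many are something else.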



Avatar of bwaskbwask🇺🇸

ASKER

I disabled SeLinux on a hunch.

I can now get to sites like this:
ftp://ftp.samurai.com/pub/squid/archive/3.1/

but can not get to this site:
ftp://ftp.fedex.com/pub/us/software/FedExShipManager_2453.exe

or my own ftp (vsftpd) for that matter.

It would appear that I have multiple problems. Obviously Squid is still blocking something, and SELinux needs to have a hole opened in it for Squid.

Avatar of arnoldarnold🇺🇸

Check whether you have an exe exclusion in the squid.conf or your web content filter, if any.

Avatar of bwaskbwask🇺🇸

ASKER

I don't have an exclusion for .exe files. But forget about the .exe link, it won't go here either:
ftp://ftp.fedex.com/pub/us/software/

Works fine if I take it off the proxy.

My error is different now since I disabled SELinux, however:
The following error was encountered while trying to retrieve the URL: ftp://ftp.fedex.com/pub/us/software/

Read Timeout

The system returned: [No Error]

A Timeout occurred while waiting to read data from the network. The network or server may be down or congested. Please retry your request.

Your cache administrator is root.

My guess is that the squid mirror link above uses some http front end and the ftp links that are not working are talking directly to an ftp server, because they just throw up the standard "tree view" in the browser.

The squid mirror link had some icons and other eye-candy when I pulled it up. I don't think it's purely FTP, just a guess however.



Avatar of arnoldarnold🇺🇸

Did you add the SSL_port 1024-23000?

After the connection is established to the server, a PASV connection requires that a second connection from your FTP client be made to a port specified by the remote server when PASV mode was set.

Does your squid's access log indicate that a connection is being denied?

The problem is that the PASV mode ports on the ftp server differ in ranges by the server's configuration.
fedex has/uses a 1600-2200 range for incoming passive FTP connections.

Avatar of bwaskbwask🇺🇸

ASKER

Is this what you meant:
acl SSL_ports port 443 1024-23000

If it is, still no joy. Same issue.

Avatar of arnoldarnold🇺🇸

Try and restart the proxy.

acl SSL_ports port 21
acl SSL_ports port 443
acl SSL_ports port 1024-23000

If you've made other alterations, could you repost the current squid config?



ASKER CERTIFIED SOLUTION
Avatar of bwaskbwask🇺🇸

ASKER


Avatar of arnoldarnold🇺🇸

Could you post the logs dealing with the FTP access entries?
Do you still get a Deny on connections to port 21? Or is that no longer an issue, and the second connection is now the issue? Make sure you have a passive FTP connection.
