Hola a todos, tengo el siguiente problema con Squid y el cliente FTP FileZilla: cuando trato de acceder al sitio FTP de mi organización mediante FileZilla, me muestra lo siguiente:

Estado:          Connecting to 10.0.0.0 through HTTP proxy

Estado:          Resolviendo la direccion de example.com.cu

Estado:          Conectando a 192.168.0.1:3128

Estado:          Conexion con el proxy establecida, realizando negociacion...

Respuesta:       Respuesta del proxy: HTTP/1.1 407 Proxy Authentificacion 
Required

Error:           No se pudo conectar con el servidor

Cuando reviso los access log del squid dice esto

1617631073.774      0 192.168.17.52 TCP_DENIED/407 3840 CONNECT 10.1.2.2:21 - 
HIER_NONE/- text/html
1617631078.802      0 192.168.17.52 TCP_DENIED/407 3840 CONNECT 10.1.2.2:21 - 
HIER_NONE/- text/html
1617631083.749      0 192.168.17.52 TCP_DENIED/407 3888 CONNECT 
ftp.example.com.cu:21 - HIER_NONE/- text/html
1617631088.773      0 192.168.17.52 TCP_DENIED/407 3888 CONNECT 
ftp.example.com.cu:21 - HIER_NONE/- text/html

He cambiado las reglas del Squid, las he quitado y las he vuelto a poner, pero no logro acceder al FTP a través de FileZilla, cosa que sí logro con el navegador. Les pongo mi configuración del Squid a ver si alguien me puede ayudar a encontrar la regla correcta que me permita acceder al FTP con FileZilla y que también me muestre en el access.log del Squid el usuario que se está conectando al proxy.

# WELCOME TO SQUID 3.5.23
# ------------------------

# OPTIONS FOR AUTHENTICATION
# ---------------------------------------------------------------------
# Kerberos authentication

# Only the Negotiate (Kerberos) scheme is offered to clients: no Basic, Digest
# or NTLM auth_param appears in this file. A client that cannot answer a
# Negotiate challenge is answered with 407 on every request.
# NOTE(review): FileZilla's generic HTTP/1.1 CONNECT proxy mode is understood
# to send only a username/password (Basic) -- confirm. That would match the
# TCP_DENIED/407 CONNECT entries logged without a user name.
# If a Basic scheme is added as a fallback, its credentials are only
# base64-encoded on the client-to-proxy connection, so limit it to the
# clients that need it.
auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -k /etc/squid/HTTP.keytab -s HTTP/dc.example.com...@example.com.cu
# Helper pool: at most 20 helpers, none started at boot, one kept idle.
auth_param negotiate children 20 startup=0 idle=1
auth_param negotiate keep_alive off

# Kerberos group mapping
# Each helper takes the authenticated login (%LOGIN) and checks membership of
# one directory group (-g) in the EXAMPLE.COM.CU domain (-D); positive answers
# are cached for 300 s and negative ones for 60 s.
# NOTE(review): the line below holds three external_acl_type definitions
# (INTRANET, INTERNET, UNRESTRICTED) on one physical line, probably joined by
# the mail archive; squid.conf needs each definition on its own line.

external_acl_type INTRANET ttl=300 negative_ttl=60 %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl -a -g Intranet -D EXAMPLE.COM.CU external_acl_type INTERNET ttl=300 negative_ttl=60 %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl -a -g Internet -D EXAMPLE.COM.CU external_acl_type UNRESTRICTED ttl=300 negative_ttl=60 %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl -a -g Unrestricted -D EXAMPLE.COM.CU
# Group ACLs used by the http_access rules further down.
acl intranet external INTRANET
acl internet external INTERNET
acl unrestricted external UNRESTRICTED

# authenticate_ip_ttl only matters together with a max_user_ip ACL; none is
# defined in this file.
authenticate_ip_ttl 20 seconds
# NOTE(review): Negotiate tokens travel in the Proxy-Authorization request
# header and can be several KB for users in many groups; check that a 5 KB
# header limit does not reject them.
request_header_max_size 5 KB


# ACCESS CONTROL LISTS
# -----------------------------------------------------------------------------
# Client networks and destinations referenced by the rules below.
# localnet is defined here but no http_access line in this file uses it.
acl localnet src 192.168.17.0/24
acl proxy_ip src 192.168.17.19/32
acl local_esc dstdomain .example.com.cu
# NOTE(review): "src" matches the address of the client making the request.
# In the access.log excerpt 10.1.2.2 is the CONNECT destination, so "dst" was
# probably intended; as written, "always_direct allow ftp_ip" cannot match
# requests coming from 192.168.17.x clients.
acl ftp_ip src 10.1.2.2
acl domain_cu dstdomain .cu
acl porn_site dstdomain .porn.com



# Ports that may be the target of CONNECT tunnels (SSL_ports) and of ordinary
# requests (Safe_ports). Safe_ports lists neither 21 nor the 1025-65535 range.
acl SSL_ports port 443 8443
acl Safe_ports port 80  443 8443 70 210 280 488 591 777
# NOTE(review): FTP_ports is used in the CONNECT rule. Including 1025-65535
# exempts every unprivileged port from that rule, not only FTP data ports.
# Prefer the narrowest port range the FTP server's passive mode actually uses,
# combined with a dst ACL for that server.
acl FTP_ports port 21 1025-65535

#acl sitio_ip src 10.1.2.2 10.1.2.5

acl PURGE method PURGE
acl CONNECT method CONNECT

# Matches any request that carries valid proxy credentials. When a rule using
# this ACL is reached without credentials, Squid answers 407 to ask for them.
acl kerb-auth proxy_auth REQUIRED

# NETWORK OPTIONS
# -----------------------------------------------------------------------------
# Plain forward-proxy listener: proxy credentials and CONNECT requests reach
# port 3128 without transport encryption.
http_port 3128
visible_hostname dc.example.com.cu

# OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
# NOTE(review): in the line below the cache_peer directive is fused onto the
# comment rule, so as shown it is commented out; this is probably an archive
# artifact. The parent-proxy login is masked in the post; keep it that way and
# keep squid.conf unreadable to ordinary users, since the real file holds
# that credential in clear text.
# ----------------------------------------------------------------------------- cache_peer proxy.example.com.cu parent 3128 0 no-query login=*******:***********
# NOTE(review): cache_peer_domain normally takes a peer name followed by one
# or more domains; only the peer name is visible here.
cache_peer_domain proxy.example.com.cu


# Requests for .example.com.cu (and those matching ftp_ip) are fetched
# directly; everything else must go through a peer (never_direct allow all).
always_direct allow local_esc
always_direct allow ftp_ip
#always_direct deny all
never_direct allow all

# "proto FTP" matches requests whose URL scheme is ftp://, which is how a
# browser asks a proxy for FTP content. The denied entries in the access.log
# excerpt are "CONNECT host:21" tunnels, a different request form.
# NOTE(review): this ACL is therefore not expected to match the FileZilla
# requests; confirm against cache.log with a higher debug level for ACLs.
acl ftp proto FTP
# This exact rule appears again in the HTTP_ACCESS section below.
http_access allow kerb-auth ftp


# HTTP_ACCESS
# -----------------------------------------------------------------------------
# http_access rules are evaluated top to bottom and the first match decides.
# Cache-manager access: only from localhost and from the proxy's own address.
http_access allow localhost manager
http_access allow proxy_ip manager
http_access deny manager


#http_access allow CONNECT local_esc ports

# Duplicate of the rule placed right after "acl ftp proto FTP".
http_access allow kerb-auth ftp
# Using Kerberos
# Every allow rule below first evaluates kerb-auth, so a client that cannot
# complete Negotiate authentication stops here with 407, whatever the port or
# destination (the TCP_DENIED/407 lines in the access.log excerpt).
http_access allow kerb-auth unrestricted
http_access allow kerb-auth internet !porn_site
http_access allow kerb-auth intranet domain_cu



# NOTE(review): these port restrictions come after the allow rules, so any
# request already allowed above never reaches them; for example, a member of
# "unrestricted" can CONNECT to any port. The stock squid.conf puts the
# Safe_ports and CONNECT denies before the first allow.
http_access deny !Safe_ports
# Denies CONNECT only when the port is in neither list; because FTP_ports
# contains 1025-65535, CONNECT to any unprivileged port passes this line.
http_access deny CONNECT !SSL_ports !FTP_ports
http_access allow PURGE localhost
http_access deny PURGE
# Last rule in the list. There is no explicit "http_access deny all"; Squid's
# implicit default is the opposite of the last rule, i.e. deny here. An
# explicit final deny makes that independent of later edits.
http_access allow localhost




# MEMORY CACHE OPTIONS
# -----------------------------------------------------------------------------
# In-memory cache: 256 MB in total, objects up to 1024 KB, GDSF replacement.
cache_mem 256 MB
maximum_object_size_in_memory 1024 KB
memory_replacement_policy heap GDSF

# DISK CACHE OPTIONS
# -----------------------------------------------------------------------------
# On-disk cache: 1024 MB under /var/spool/squid (16 first-level and 256
# second-level directories), LFUDA replacement, objects up to 102400 KB.
cache_replacement_policy heap LFUDA
cache_dir aufs /var/spool/squid 1024 16 256
minimum_object_size 0 KB
maximum_object_size 102400 KB
# Replacement begins at 95 % fill and becomes aggressive at 99 %.
cache_swap_low 95
cache_swap_high 99
offline_mode off
# Whitespace inside a request URI: the URI is cut at the first whitespace.
uri_whitespace chop

# LOGFILE OPTIONS
# -----------------------------------------------------------------------------
# With 0, Squid keeps no numbered copies and only reopens its logs on rotate,
# which leaves rotation to an external tool.
logfile_rotate 0
# The %[un field is the user name. It is logged as "-" when the request carried
# no accepted credentials, as in the TCP_DENIED/407 lines quoted in the post;
# requests that do authenticate get the login in that column.
# NOTE(review): "squid" is also the name of Squid's built-in log format;
# confirm that redefining it here is accepted by this version.
logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
access_log /var/log/squid/access.log squid
cache_store_log /var/log/squid/store.log
#mime_table /usr/share/squid/mime.conf
pid_filename /var/run/squid.pid

# OPTIONS FOR TROUBLESHOOTING
# -----------------------------------------------------------------------------
cache_log /var/log/squid/cache.log
# Level 1 for all sections logs only important messages; raising the level
# temporarily for the authentication and ACL sections shows in cache.log which
# rule produced a 407.
debug_options ALL,1
coredump_dir /squid/var/cache/squid
# Active client connections get 2 seconds to finish on shutdown.
shutdown_lifetime 2 seconds

# OPTIONS FOR TUNING THE CACHE
# -----------------------------------------------------------------------------
# Freshness rules, in the form: regex, min minutes, percent, max minutes.
# Dynamic URLs (cgi-bin or a query string) are never treated as fresh.
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

# HTTP OPTIONS
# ----------------------------------------------------------------------------
# The client's User-Agent is removed from every forwarded request and replaced
# with one fixed string, so origin servers cannot fingerprint internal
# clients. The replacement applies only to headers denied by
# request_header_access.
request_header_access User-Agent deny all
request_header_replace User-Agent Mozilla/5.0 (X11; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0

# INTERNAL ICON OPTIONS
# -----------------------------------------------------------------------------
icon_directory /usr/share/squid/icons
global_internal_static on
short_icon_urls on

# ERROR PAGE OPTIONS
# -----------------------------------------------------------------------------
# Error pages are served from the Spanish ("es") template directory.
error_directory /usr/share/squid/errors/es
err_page_stylesheet /etc/squid/errorpage.css

# OPTIONS INFLUENCING REQUEST FORWARDING
# -----------------------------------------------------------------------------
#always_direct allow local_esc
#always_direct deny all
#never_direct allow all

# DNS OPTIONS
# -----------------------------------------------------------------------------
# Name resolution: /etc/hosts first, then the single resolver listed below,
# preferring IPv4 answers.
hosts_file /etc/hosts
dns_v4_first on
# NOTE(review): a 1-second DNS timeout is very short; slow lookups will fail
# as resolution errors rather than wait. Confirm this is intended.
dns_timeout 1 seconds
dns_nameservers 192.168.0.1

# MISCELLANEOUS
# ----------------------------------------------------------------------------
# X-Forwarded-For from clients is trusted only when the request comes from
# localhost, and the header is removed from outgoing requests so that
# internal client addresses are not disclosed upstream.
follow_x_forwarded_for allow localhost
forwarded_for delete
# The cache manager password is stored in clear text and covers every manager
# action ("all"). This value has been published with the post, so treat it as
# exposed: replace it, and keep squid.conf readable only by root and the Squid
# user.
cachemgr_passwd MyS3cr3tP@s$w0rd all
# Omits the Squid version from HTTP headers and error pages.
httpd_suppress_version_string on
