[squid-users] FTP with squid 3.1.3 failed

2010-06-10 Thread Tom Tux
Hi
With Squid 3.1.3, I'm not able to connect to an FTP site (e.g.
ftp://ftp.gnu.org/). The squid process tries to connect to the FTP server
with a dynamic port (not tcp 21). This will be blocked by our
firewall:
tcp        0      1 squidproxy:37656    ftp.gnu.org:64789     SYN_SENT
   106        562158     6442/(squid)

I have an analogous configuration with squid 3.0.STABLE 23 and there it
works. The squid process connects to the remote FTP server with the normal
port tcp 21.

What could be wrong here?
Thanks a lot.
Tom


Re: [squid-users] NTLM authentication pass-through to upstream proxy

2010-06-10 Thread Jeff Silver
Before I reply in detail, I think I may not have made one point clear enough. This is not NTLM 
pass-through to webservers via an upstream proxy, it's NTLM pass-through *to* an upstream proxy.

myproxy is sending 407/Proxy-Authenticate, not relaying 401/WWW-Authenticate on 
behalf of a website.

If the pinning/unpinning in Squid is dependent on the hostname in the request, then this might 
explain what I'm seeing.
What I need is for the pinning to remain in place regardless of the website being accessed. In fact 
I can't think of any circumstance in which the upstream connection could legitimately be unpinned 
once the NTLM conversation has been completed, as the upstream end would still believe that the 
connection is in use by the original user.


Anyway, I shall do some more detailed packet traces so that I can answer Amos's 
questions.

Amos Jeffries wrote:

On Wed, 9 Jun 2010 17:22:09 +0100, Jeff Silver 
wrote:

I'm using squid/3.1.3.
It is configured with a cache-peer thus:

cache_peer myproxy parent 8081 0 default no-query no-digest
no-netdb-exchange login=PASS

'myproxy' is not squid. It is NTLM-capable.

The NTLM log-in process works OK, but it looks as if squid is not maintaining separation between
sessions (what I think used to be called "connection pinning"). In other words, if two users log in
from two separate browsers, upstream connections are shared across the two sessions (especially if
the same site is being visited).


Are you sure both clients are getting TCP_MISS? If one was a HIT then that one
never actually used the link, even if it used some content previously fetched
through the link.

Do you mean Squid itself is sharing the Squid->Upstream link with both
clients?
 Is Squid interleaving their requests?
 Is squid forcing one to auth to use the link, then forcing the other to
re-auth to use it, etc?

Squid will 'pin' previously used persistent connections if the client
starts sending NTLM auth down it. Also 'unpin' a connection if the client
changes its auth type, if auth fails, or the server connection dies. This
latter allows persistent client connections if something recoverable
happens to the server connection (ie TCP timeout), though the client should
be challenged to re-auth the full link.

An HTTP trace (of at least the request/reply header flowing over the
link), for both the links client->squid and squid->upstream will be needed
to look deeper at this.


I tried adding connection-auth=on to both the cache-peer line and the
http_port line (although squid 
3.1 docs say that this is on by default).

I also tried sending a 'Proxy-support: Session-Based-Authentication'
header from myproxy.
Upstream connections were still being shared.

Is there anything else I should set in the configuration?
Is this a bug?


Persistent connections for both servers and clients are required. Though
the default should be to have both on now as well.
persistent_connection_after_error should also be left ON.

Other than those it should be working.

Amos




Re: [squid-users] FTP with squid 3.1.3 failed

2010-06-10 Thread Amos Jeffries

Tom Tux wrote:

Hi
With Squid 3.1.3, I'm not able to connect a ftp-site (ex.
ftp://ftp.gnu.org/). The squid-process tries to connect the ftp-server


Error message generated by the failure please.


with a dynamic port (not tcp 21). This will be blocked through our
firewall:
tcp        0      1 squidproxy:37656    ftp.gnu.org:64789     SYN_SENT
   106        562158     6442/(squid)

I have a analog configuration with squid 3.0.STABLE 23 and there it
works. The squid-process connect the remote-ftp-server with the normal
port tcp 21.

What could be wrong here?


I think that port you see is one of the DATA channels FTP protocol uses, 
separate to the control channel on port 21.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.4


Re: [squid-users] FTP with squid 3.1.3 failed

2010-06-10 Thread Tom Tux
I'm using kernel 2.6.32. I read, that there's a problem with Tproxy
and Kernel 2.6.32 (http://wiki.squid-cache.org/Features/Tproxy4).
Could this perhaps be the same problem?

In the accesslog I have the following entry:
1276164891.054  14880 xx.xx.xx.xx TCP_MISS/504 3865 GET
ftp://ftp.gnu.org/ user1 DIRECT/140.186.70.20 text/html

Thanks.
Tom


2010/6/10 Amos Jeffries :
> Tom Tux wrote:
>>
>> Hi
>> With Squid 3.1.3, I'm not able to connect a ftp-site (ex.
>> ftp://ftp.gnu.org/). The squid-process tries to connect the ftp-server
>
> Error message generated by the failure please.
>
>> with a dynamic port (not tcp 21). This will be blocked through our
>> firewall:
>> tcp        0      1 squidproxy:37656    ftp.gnu.org:64789     SYN_SENT
>>   106        562158     6442/(squid)
>>
>> I have a analog configuration with squid 3.0.STABLE 23 and there it
>> works. The squid-process connect the remote-ftp-server with the normal
>> port tcp 21.
>>
>> What could be wrong here?
>
> I think that port you see is one of the DATA channels FTP protocol uses,
> separate to the control channel on port 21.
>
> Amos
> --
> Please be using
>  Current Stable Squid 2.7.STABLE9 or 3.1.4
>


Re: [squid-users] Increased memory usage (memory leak?)

2010-06-10 Thread Panagiotis Christias
On Thu, Jun 10, 2010 at 12:33:18AM +, Amos Jeffries wrote:
> On Wed, 09 Jun 2010 22:29:50 +0300, Panagiotis Christias
>  wrote:
> > Hello list (sorry for the long message),
> > 
> > we are using eight servers (running FreeBSD 7.3 amd64 with 2G ram each)
> > as transparent proxy servers (Squid 2.7.9 along with squidGuard 1.4) for
> > the content filtering service of the Greek School Network.
> > 
> > Our current squid configuration includes:
> >    http_port               80 transparent
> >    http_port               8080
> >    cache_mem               192 MB
> >    cache_swap_low          80
> >    cache_swap_high         85
> >    maximum_object_size     4096 KB
> >    ipcache_size            94208
> >    ipcache_low             90
> >    ipcache_high            95
> >    cache_store_log         none
> >    cache_dir               null /tmp
> >    redirect_program        /usr/local/bin/squidGuard
> >    redirect_children       48
> >    redirector_bypass       on
> >    uri_whitespace          encode
> >    request_header_max_size 25 KB
> > 
> > Although it is not peak season (schools have exams and are about to 
> > close for summer), we are experiencing high memory usage in some cases 
> > (see cache01 at http://noc.ntua.gr/~christia/squid-vsize.png). All boxes
> > are identical. The memory usage seems to be related to the type of the
> > requests (not the volume, http://noc.ntua.gr/~christia/squid-reqs.png). 
> > In order to rule out any possibility of server specific problems we 
> > moved the client requests from one cache box to another and the memory 
> > allocation problem moved along (at first it was cache04 and now it is 
> > cache01).
> > 
> > We compared the cache.log files and found no special messages in cache01
> > or in any other server that showed increased memory usage. After looking
> > into the access.log we tend to believe that the memory leaps occur
> > during periods that squid receives too many concurrent requests for 
> > sites that are responding too slowly or not responding at all 
> > (firewalled, not sending any packets back). In these cases, concurrent 
> > requests vary from 40 reqs/sec to 700 reqs/sec, the average service 
> > varies from 570 msec to 178502 msec and the HTTP return codes are 
> > usually TCP_MISS/417, TCP_MISS/504 and TCP_MISS/000.
> > 
> > Cache manager reports for cache01 692882 allocated cbdata 
> > clientHttpRequest objects occupying 742381 KB and 100% of them in use 
> > (ten times more than the other cache boxes).
> > 
> > Full report is available here:
> >    http://noc.ntua.gr/~christia/cache01.mem.20100609-21:35.txt
> >    http://noc.ntua.gr/~christia/cache01.info.20100609-21:35.txt
> > 
> > At the same 'top' in cache01 reports about the squid process:
> >    1575 MB virtual size
> >     303 MB resident size
> > 
> > Finally, pmap (FreeBSD sysutils/pmap port) report is available here (in 
> > case it is useful):
> >    http://noc.ntua.gr/~christia/cache01.pmap.20100609-21:35.txt
> > 
> > Anyway, is this behaviour normal or is it a bug or memory leak? I am 
> > willing to try any suggestion, provide any other information and help 
> > debugging.
> > 
> > For the moment, I am manually excluding from the transparent cache 
> > schema the sites that seem to cause problems. I am also considering 
> > adding a maxconn acl and lowering some connection timeouts. Waiting for 
> > 18 msec for a firewalled connection is *too* much.
> > 
> > Regards,
> > Panagiotis
> 
> Looks like broken almost-HTTP/1.1 clients to me. The behaviour when a
> client sends "Expect: 100-continue" without properly supporting it
> themselves. Squid does not fully support that feature of HTTP/1.1, just
> enough to send back the right 417 error and negotiate its non-existence
> with the client.
> 
> What I think is happening is that many requests come in using the Expect:
> header for HTTP/1.1 (which Squid does not yet support) the clients then
> wait for the 100 status code to return. Which will never happen.
> Standards-compliant Squid will reply with 417 errors and hope the client
> retries without Expect:.
> 
> Check that your cache01 is configured with "ignore_expect_100 off". This
> will send back the 417 error immediately for any clients which are actually
> working to negotiate a faster response back. Broken clients will die
> immediately with the error instead of dying after holding your resources
> for that timeout.

The ignore_expect_100 parameter is not set in any of our cache boxes'
squid.conf. I assume that this means that the default value ("off")
is used.

Panagiotis

-- 
Panagiotis J. Christias    Network Management Center
p.christ...@noc.ntua.gr    National Technical Univ. of Athens, GREECE


Re: [squid-users] FTP with squid 3.1.3 failed

2010-06-10 Thread Tom Tux
I compiled squid 3.1.3 on a 2.6.27-kernel. There I have the same
problems. I still cannot access the ftp-server (ftp://ftp.gnu.org) or
ftp://ftp.novell.com. With the old one (3.0.Stable23), it's working.

2010/6/10 Tom Tux :
> I'm using kernel 2.6.32. I read, that there's a problem with Tproxy
> and Kernel 2.6.32 (http://wiki.squid-cache.org/Features/Tproxy4).
> Could this perhaps be the same problem?
>
> In the accesslog I have the following entry:
> 1276164891.054  14880 xx.xx.xx.xx TCP_MISS/504 3865 GET
> ftp://ftp.gnu.org/ user1 DIRECT/140.186.70.20 text/html
>
> Thanks.
> Tom
>
>
> 2010/6/10 Amos Jeffries :
>> Tom Tux wrote:
>>>
>>> Hi
>>> With Squid 3.1.3, I'm not able to connect a ftp-site (ex.
>>> ftp://ftp.gnu.org/). The squid-process tries to connect the ftp-server
>>
>> Error message generated by the failure please.
>>
>>> with a dynamic port (not tcp 21). This will be blocked through our
>>> firewall:
>>> tcp        0      1 squidproxy:37656    ftp.gnu.org:64789     SYN_SENT
>>>   106        562158     6442/(squid)
>>>
>>> I have a analog configuration with squid 3.0.STABLE 23 and there it
>>> works. The squid-process connect the remote-ftp-server with the normal
>>> port tcp 21.
>>>
>>> What could be wrong here?
>>
>> I think that port you see is one of the DATA channels FTP protocol uses,
>> separate to the control channel on port 21.
>>
>> Amos
>> --
>> Please be using
>>  Current Stable Squid 2.7.STABLE9 or 3.1.4
>>
>


[squid-users] restrict bandwidth

2010-06-10 Thread Kaushal Shriyan
Hi,

Please let me know the procedure to restrict bandwidth in squid server.

Thanks,

Kaushal


RE: [squid-users] FTP with squid 3.1.3 failed

2010-06-10 Thread Dawie Pretorius
Hello Tom

I too have the same problem

Squid-3.1.3 stable
Kernel 2.6.18-194.3.1.el5

Centos 5.5

Cannot access ftp sites, getting this in my dmesg:

conntrack_ftp: partial 229  568375762+13
conntrack_ftp: partial 229  568375762+13
conntrack_ftp: partial 229  568375762+13
conntrack_ftp: partial 229  568375762+13
conntrack_ftp: partial 229  568375762+13
conntrack_ftp: partial 229  568375762+13
conntrack_ftp: partial 229  568375762+13
conntrack_ftp: partial 229  568375762+13
conntrack_ftp: partial 229  568375762+13

regards,


Dawie Pretorius
senior linux engineer


I compiled squid 3.1.3 on a 2.6.27-kernel. There I have the same
problems. I still cannot access the ftp-server (ftp://ftp.gnu.org) or
ftp://ftp.novell.com. With the old one (3.0.Stable23), it's working.

2010/6/10 Tom Tux :
> I'm using kernel 2.6.32. I read, that there's a problem with Tproxy
> and Kernel 2.6.32 (http://wiki.squid-cache.org/Features/Tproxy4).
> Could this perhaps be the same problem?
>
> In the accesslog I have the following entry:
> 1276164891.054  14880 xx.xx.xx.xx TCP_MISS/504 3865 GET
> ftp://ftp.gnu.org/ user1 DIRECT/140.186.70.20 text/html
>
> Thanks.
> Tom
>
>
> 2010/6/10 Amos Jeffries :
>> Tom Tux wrote:
>>>
>>> Hi
>>> With Squid 3.1.3, I'm not able to connect a ftp-site (ex.
>>> ftp://ftp.gnu.org/). The squid-process tries to connect the ftp-server
>>
>> Error message generated by the failure please.
>>
>>> with a dynamic port (not tcp 21). This will be blocked through our
>>> firewall:
>>> tcp        0      1 squidproxy:37656    ftp.gnu.org:64789     SYN_SENT
>>>   106        562158     6442/(squid)
>>>
>>> I have a analog configuration with squid 3.0.STABLE 23 and there it
>>> works. The squid-process connect the remote-ftp-server with the normal
>>> port tcp 21.
>>>
>>> What could be wrong here?
>>
>> I think that port you see is one of the DATA channels FTP protocol uses,
>> separate to the control channel on port 21.
>>
>> Amos
>> --
>> Please be using
>>  Current Stable Squid 2.7.STABLE9 or 3.1.4
>>
>



Re: [squid-users] restrict bandwidth

2010-06-10 Thread Luis Daniel Lucio Quiroz
On Thursday 10 June 2010 06:24:00, Kaushal Shriyan wrote:
> Hi,
> 
> Please let me know the procedure to restrict bandwidth in squid server.
> 
> Thanks,
> 
> Kaushal
The easiest way I know is by marking packets with Squid's TOS capabilities,
and then with your FW you may manage bandwidth shaping.

LD


RE: [squid-users] Rotating logs restarts authentication/acl helpers?

2010-06-10 Thread David Parks
I understand, thank you. So, I'm mucking with log modules in 3.HEAD now, but 
not understanding the process 100% from the LogModules docs page. 

There are modules (udp, tcp, etc) that I configure for each log file, such as:
   access_log udp://localhost:1000
   cache_store_log udp://localhost:1001

Seems easy enough. But what is this log_file_daemon?
Is that a helper akin to an auth/acl helper that reads info from STDIN? 

If so, the best approach seems to be a log helper, started by squid, which 
could cache the logs to disk if the external logfile processing app is down. 
UDP/TCP makes me nervous in case the log helper process is ever down or started 
in the wrong order by human error (it's just an extra dependency to manage).

If this is the scheme in place here, can you give me a couple of sentences 
describing the creation of a log helper? What is its input/output protocol & 
method? What log files is it applicable to? Does squid start the process and 
manage it?

Thanks!
David


-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz] 
Sent: Wednesday, June 09, 2010 8:41 PM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Rotating logs restarts authentication/acl helpers?

On Wed, 9 Jun 2010 18:49:22 -0600, "David Parks" 
wrote:
> Using 3.1.4, when I call   squid -k rotate  to rotate the logs, it restarts
> all the authentication and acl helpers.
> Why is this? I have an ACL helper running for every request (very quick),
> and the reload of logs is causing it to be down for ~10 seconds.
> I would like to be able to parse logs every 30 seconds for near-real-time
> reporting.

This is because the helpers are attached to the cache.log for debugging and 
error reporting.
This has always been the case AFAIK.

Use the log daemon: feature instead for real-time access to log data.
It lets you easily create a daemon script to receive and do anything with the 
log lines.
 http://wiki.squid-cache.org/Features/LogDaemon

Amos



Re: [squid-users] Url-encoded passwords - Solved!

2010-06-10 Thread Luciano Mannucci
On Wed, 9 Jun 2010 17:50:57 +0200
Luciano Mannucci  wrote:

> my squid 3.1.4 seems unable to handle URL-encoded passwords. I think
> it sends them as they are, so I get "Login Incorrect" from the FTP
> server. Is that normal?
I reverted to squid 2.7.STABLE9 mainly because I don't understand C++.
(2.7 seems slightly faster BTW :) I don't know why the password is
sent as-is instead of RFC 1738 converted. Forcing the conversion is
pretty safe, although a quick and dirty trick: I simply modified the
ftpSendPass() function in ftp.c this way:

static void
ftpSendPass(FtpStateData * ftpState)
{
    char *my_str_ptr;
    my_str_ptr = xstrdup(ftpState->password);
    rfc1738_unescape(my_str_ptr);
    /*
    snprintf(cbuf, 1024, "PASS %s\r\n", ftpState->password);
    */
    snprintf(cbuf, 1024, "PASS %s\r\n", my_str_ptr);
    ftpWriteCommand(cbuf, ftpState);
    ftpState->state = SENT_PASS;
    safe_free(my_str_ptr);
}

so now it "unescapes" every password before sending, which is safe
because it has no effect on non url-encoded ("escaped") strings.
Now it works flawlessly even with sites asking for passwords
containing "/", ":", "@"... :-)

Regards,

luciano.
-- 
 /"\ /Via A. Salaino, 7 - 20144 Milano (Italy)
 \ /  ASCII RIBBON CAMPAIGN / PHONE : +39 2 485781 FAX: +39 2 48578250
  X   AGAINST HTML MAIL/  E-MAIL: posthams...@sublink.sublink.org
 / \  AND POSTINGS/   WWW: http://www.mannucci.ORG/


[squid-users] Squid / OWA authentication issues - part 2

2010-06-10 Thread Johnson, S
I've been messing around with getting my squid proxy to allow
authentication to OWA (outlook web access) and discovered something very
interesting...  

If I try another site that has OWA running behind an iptables based
firewall (shorewall) I get the exact same message.  This OWA is
accessible with no issues if I do not use Squid.  However, if I try
accessing OWA through the Squid to an OWA that exists behind a
commercial firewall (sonicwall) it works just fine.

I'm now thinking that it's an issue with Squid and iptables based
firewalls.  I played around with packet mangling but that didn't seem to
have any effect.  

Does anyone have an idea on what might be causing this?

Thanks!


RE: [squid-users] Rotating logs restarts authentication/acl helpers?

2010-06-10 Thread David Parks
Got it working easily enough. Exactly what I was looking for! Thanks again for 
the great help!!

On a side note, it might be nice to copy the comments in the .c file you 
mentioned, to the squid.conf.documented file under the logfile_daemon 
directive, the one line description there now is a bit cryptic for those 
wanting to extend the functionality.

Thanks,
David


-Original Message-
From: Henrik Nordström [mailto:hen...@henriknordstrom.net] 
Sent: Thursday, June 10, 2010 1:57 PM
To: David Parks
Cc: squid-users@squid-cache.org
Subject: RE: [squid-users] Rotating logs restarts authentication/acl helpers?

Thu 2010-06-10 at 07:38 -0600, David Parks wrote:

> Seems easy enough. But what is this log_file_daemon?
> Is that a helper akin to a auth/acl helper that reads info from STDIN? 

Yes, kind of. It's using a special format with some commands for rotation etc.

See helpers/log_daemon/file/ for the default daemon which writes log data to 
files. (log_file_daemon). This (log_file_daemon.c) also contains an explanation 
of the log data format.

Regards
Henrik




[squid-users] Full cache windows update

2010-06-10 Thread Ariel
hello. list, query, always used squid in the industry now 2.7.xx
3.1.xx I go to and need to know if there way to make full cache
windowsupdate?


Re: [squid-users] Multicast

2010-06-10 Thread Henrik Nordström
Wed 2010-06-09 at 20:51 -0500, Luis Daniel Lucio Quiroz wrote:

> So i understand by now
> it is kind imposible to do a
> 
> cache_peer 10.200.0.0   sibling   3128  3130 multicast-responder
> nor
> cache_peer 10.200.255.255   sibling   3128  3130 multicast-responder

Correct.

But as Amos said it should be possible with some coding to support a
multicast cache_peer template with an attached acl defining valid
responders.

Or alternatively you can just preconfigure a bunch of multicast peers
for each IP that may be used. These are not used unless there is a
response from that IP in response to the multicast query.

Regards
Henrik



RE: [squid-users] Rotating logs restarts authentication/acl helpers?

2010-06-10 Thread Henrik Nordström
Thu 2010-06-10 at 07:38 -0600, David Parks wrote:

> Seems easy enough. But what is this log_file_daemon?
> Is that a helper akin to a auth/acl helper that reads info from STDIN? 

Yes, kind of. It's using a special format with some commands for
rotation etc.

See helpers/log_daemon/file/ for the default daemon which writes log
data to files. (log_file_daemon). This (log_file_daemon.c) also contains
an explanation of the log data format.

Regards
Henrik



Re: [squid-users] restrict bandwidth

2010-06-10 Thread Nyamul Hassan
You could also take a look into the "Delay Pools" feature, which might
be able to limit bw.
http://wiki.squid-cache.org/Features/DelayPools?highlight=%28faqlisted.yes%29

Regards
HASSAN



On Thu, Jun 10, 2010 at 19:00, Luis Daniel Lucio Quiroz
 wrote:
>
> On Thursday 10 June 2010 06:24:00, Kaushal Shriyan wrote:
> > Hi,
> >
> > Please let me know the procedure to restrict bandwidth in squid server.
> >
> > Thanks,
> >
> > Kaushal
> The easiest way I know is by marking packets with Squid's TOS capabilities,
> and then with your FW you may manage bandwidth shaping.
>
> LD


Re: [squid-users] Full cache windows update

2010-06-10 Thread Nyamul Hassan
On Fri, Jun 11, 2010 at 01:34, Ariel  wrote:
> hello. list, query, always used squid in the industry now 2.7.xx
> 3.1.xx I go to and need to know if there way to make full cache
> windowsupdate?
>


This might be helpful:
http://wiki.squid-cache.org/SquidFaq/WindowsUpdate

The following is from an external wiki:
http://doc.pfsense.org/index.php/Squid_Package_Tuning#Caching_Windows_Updates

Regards
HASSAN


Re: [squid-users] FTP with squid 3.1.3 failed

2010-06-10 Thread Henrik Nordström
Thu 2010-06-10 at 10:29 +0200, Tom Tux wrote:
> Hi
> With Squid 3.1.3, I'm not able to connect a ftp-site (ex.
> ftp://ftp.gnu.org/). The squid-process tries to connect the ftp-server
> with a dynamic port (not tcp 21). This will be blocked through our
> firewall:
> tcp        0      1 squidproxy:37656    ftp.gnu.org:64789     SYN_SENT
>    106        562158     6442/(squid)

Works for me.

> I have a analog configuration with squid 3.0.STABLE 23 and there it
> works. The squid-process connect the remote-ftp-server with the normal
> port tcp 21.

The main difference is that 3.1 uses EPSV if supported by the FTP
server, while 3.0 uses PASV. So your firewall need to support EPSV FTP
data connection tracking if strict on checking outgoing connections.

Regards
Henrik
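
The difference described above, seen from the firewall's side, as an added example that is not part of the thread or of Squid's source: a strict egress filter has to read the data port out of the server's reply on the control channel, and the PASV (227) and EPSV (229) replies carry it in different formats. The sample replies are constructed from the address and port shown in the thread, and `data_conn_allowed` and the other names are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample replies; host and port are the ones shown in the thread. */
static const char PASV_REPLY[] = "227 Entering Passive Mode (140,186,70,20,253,21)\r\n";
static const char EPSV_REPLY[] = "229 Entering Extended Passive Mode (|||64789|)\r\n";

struct ftp_data_endpoint {
    int      code;      /* 227 (PASV) or 229 (EPSV) */
    char     host[16];  /* dotted quad from 227; empty for 229 (control-channel peer) */
    unsigned port;      /* server port the client opens the data connection to */
};

/* Read a decimal number <= max; advances *p past the digits. */
static int read_num(const char **p, unsigned max, unsigned *out)
{
    unsigned v = 0;
    int digits = 0;
    while (isdigit((unsigned char)**p)) {
        v = v * 10 + (unsigned)(**p - '0');
        if (v > max) return -1;
        (*p)++;
        digits++;
    }
    if (digits == 0) return -1;
    *out = v;
    return 0;
}

/* RFC 959: "(h1,h2,h3,h4,p1,p2)", port = p1 * 256 + p2. */
static int parse_227(const char *p, struct ftp_data_endpoint *ep)
{
    unsigned v[6];
    for (int i = 0; i < 6; i++) {
        if (read_num(&p, 255, &v[i]) != 0) return -1;
        if (*p++ != (i < 5 ? ',' : ')')) return -1;
    }
    snprintf(ep->host, sizeof ep->host, "%u.%u.%u.%u", v[0], v[1], v[2], v[3]);
    ep->port = v[4] * 256 + v[5];
    return ep->port ? 0 : -1;
}

/* RFC 2428: "(<d><d><d>port<d>)", d is one delimiter character, usually '|'. */
static int parse_229(const char *p, struct ftp_data_endpoint *ep)
{
    char d = p[0];
    if (d < 33 || d > 126 || isdigit((unsigned char)d)) return -1;
    if (p[1] != d || p[2] != d) return -1;
    p += 3;
    if (read_num(&p, 65535, &ep->port) != 0 || ep->port == 0) return -1;
    if (p[0] != d || p[1] != ')') return -1;
    ep->host[0] = '\0';
    return 0;
}

/* Returns 0 and fills *ep for a well-formed 227 or 229 reply, -1 otherwise. */
int ftp_parse_passive_reply(const char *line, struct ftp_data_endpoint *ep)
{
    const char *open = strchr(line, '(');
    if (open == NULL) return -1;
    if (strncmp(line, "227 ", 4) == 0) { ep->code = 227; return parse_227(open + 1, ep); }
    if (strncmp(line, "229 ", 4) == 0) { ep->code = 229; return parse_229(open + 1, ep); }
    return -1;
}

/* Model of a strict egress filter: an outbound data connection is allowed only
 * when the tracking helper understood the reply and the port matches it. */
int data_conn_allowed(const char *reply, int helper_knows_epsv, unsigned dst_port)
{
    struct ftp_data_endpoint ep;
    if (ftp_parse_passive_reply(reply, &ep) != 0) return 0;
    if (ep.code == 229 && !helper_knows_epsv) return 0;
    return ep.port == dst_port;
}

int main(void)
{
    printf("PASV, 227-only helper:   %d\n", data_conn_allowed(PASV_REPLY, 0, 64789));
    printf("EPSV, 227-only helper:   %d\n", data_conn_allowed(EPSV_REPLY, 0, 64789));
    printf("EPSV, EPSV-aware helper: %d\n", data_conn_allowed(EPSV_REPLY, 1, 64789));
    return 0;
}
```
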



Re: [squid-users] Url-encoded passwords - Solved!

2010-06-10 Thread Henrik Nordström
Thu 2010-06-10 at 17:26 +0200, Luciano Mannucci wrote:

> ftpSendPass() function in ftp.c this way:
> 
> static void
> ftpSendPass(FtpStateData * ftpState)
> {
>     char *my_str_ptr;
>     my_str_ptr = xstrdup(ftpState->password);
>     rfc1738_unescape(my_str_ptr);
>     /*
>     snprintf(cbuf, 1024, "PASS %s\r\n", ftpState->password);
>     */

Then your client is sending the data doubly-escaped.

Squid is already urldecoding the login & password once when populating
ftpState.

Regards
Henrik
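
The effect of an extra unescape pass, discussed in the two messages above, as an added example that is not part of the thread or of Squid's source. `pct_decode`, `pct_encode` and `decode_passes` are hypothetical stand-ins written for this illustration, not `rfc1738_unescape()`; the passwords are constructed. It shows that a second pass is a no-op only when the once-decoded password contains no `%XX` sequence.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

static int hexval(int c)               /* only called after isxdigit() */
{
    if (c >= '0' && c <= '9') return c - '0';
    return tolower(c) - 'a' + 10;
}

/* One pass of %XX decoding, in place. Returns the number of escapes replaced. */
int pct_decode(char *s)
{
    char *w = s;
    int n = 0;
    while (*s) {
        if (s[0] == '%' && isxdigit((unsigned char)s[1]) && isxdigit((unsigned char)s[2])) {
            *w++ = (char)(hexval(s[1]) * 16 + hexval(s[2]));
            s += 3;
            n++;
        } else {
            *w++ = *s++;
        }
    }
    *w = '\0';
    return n;
}

/* One pass of encoding: every byte that is not alphanumeric becomes %XX. */
int pct_encode(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    if (outsz == 0) return -1;
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        if (isalnum(c)) {
            if (o + 1 >= outsz) return -1;
            out[o++] = (char)c;
        } else {
            if (o + 3 >= outsz) return -1;
            snprintf(out + o, 4, "%%%02X", c);
            o += 3;
        }
    }
    out[o] = '\0';
    return 0;
}

/* Decode `wire` `passes` times into out: passes = 1 models a proxy that
 * unescapes once, passes = 2 models the same proxy with one more unescape. */
int decode_passes(const char *wire, int passes, char *out, size_t outsz)
{
    if (strlen(wire) >= outsz) return -1;
    strcpy(out, wire);
    while (passes-- > 0) pct_decode(out);
    return 0;
}

int main(void)
{
    char wire[64], out1[64], out2[64];

    /* Password "p@ss" escaped twice by the client (the doubly-escaped case). */
    pct_encode("p@ss", out1, sizeof out1);
    pct_encode(out1, wire, sizeof wire);
    decode_passes(wire, 1, out1, sizeof out1);
    decode_passes(wire, 2, out2, sizeof out2);
    printf("%-10s 1 pass: %-8s 2 passes: %s\n", wire, out1, out2);

    /* Password "100%25" (a literal percent sign) escaped once, correctly. */
    pct_encode("100%25", wire, sizeof wire);
    decode_passes(wire, 1, out1, sizeof out1);
    decode_passes(wire, 2, out2, sizeof out2);
    printf("%-10s 1 pass: %-8s 2 passes: %s\n", wire, out1, out2);
    return 0;
}
```
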



Re: [squid-users] restrict bandwidth

2010-06-10 Thread Jorge Armando Medina


Kaushal Shriyan wrote:
> Hi,
>
> Please let me know the procedure to restrict bandwidth in squid server.
>   
For traffic going through squid you can use built in delay pools, it is
already documented in the wiki:

http://wiki.squid-cache.org/Features/DelayPools
> Thanks,
>
> Kaushal
>   


-- 
Jorge Armando Medina
Computación Gráfica de México
Web: http://www.e-compugraf.com
Tel: 55 51 40 72, Ext: 124
Email: jmed...@e-compugraf.com
GPG Key: 1024D/28E40632 2007-07-26
GPG Fingerprint: 59E2 0C7C F128 B550 B3A6  D3AF C574 8422 28E4 0632




[squid-users] winbind error

2010-06-10 Thread Prashant K.S
Hi,

I have installed samba on my Linux machine. I have joined Active Directory 
Server for authentication. When I start winbind, I get an error saying 
create_sock_pipe /tmp/.winbind/pipe failed because Permission Denied and 
winbind stops. As per suggestion on some website I disabled the firewall, 
winbind started once. But again I have the same problem with same error.

I am using samba 3.5.3 on Red Hat Linux 5.1. Can you please tell me what could 
be the problem?

Regards,
Prashant




[squid-users] SOLVED: Re: [squid-users] FTP with squid 3.1.3 failed

2010-06-10 Thread Tom Tux
Hi Henrik

Thank you for this hint. I put the directive "ftp_epsv off" in my
squid.conf; now it's working as expected.
Regards,
Tom

2010/6/10 Henrik Nordström :
> Thu 2010-06-10 at 10:29 +0200, Tom Tux wrote:
>> Hi
>> With Squid 3.1.3, I'm not able to connect a ftp-site (ex.
>> ftp://ftp.gnu.org/). The squid-process tries to connect the ftp-server
>> with a dynamic port (not tcp 21). This will be blocked through our
>> firewall:
>> tcp        0      1 squidproxy:37656    ftp.gnu.org:64789     SYN_SENT
>>    106        562158     6442/(squid)
>
> Works for me.
>
>> I have a analog configuration with squid 3.0.STABLE 23 and there it
>> works. The squid-process connect the remote-ftp-server with the normal
>> port tcp 21.
>
> The main difference is that 3.1 uses EPSV if supported by the FTP
> server, while 3.0 uses PASV. So your firewall need to support EPSV FTP
> data connection tracking if strict on checking outgoing connections.
>
> Regards
> Henrik
>
>