[squid-users] Re : [squid-users] Re : [squid-users] Anonymous FTP and login pass url based
Hi,

I tried debug_options 9,9 and the first process performed is anonymous login (not user / password if it exists). User / password are used afterwards if anonymous authentication failed. If the ftp site uses both Anonymous and User / password and the anonymous connection is ok, User / password authentication is not performed.

Seeing this in Squid 3.1.11 and 3.1.18.

Thanks,
Guillaume

----- Original message -----
From: Amos Jeffries squ...@treenet.co.nz
To: squid-users@squid-cache.org
Cc:
Sent: Wednesday 28 December 2011 3:39
Subject: [squid-users] Re : [squid-users] Anonymous FTP and login pass url based

On 28/12/2011 1:02 a.m., Al Batard wrote:
> Hi and thanks for your answers,
> If I understand this is a bug in the order of ftp authentication ?

Yes, though what is unknown. Which Squid version are you seeing it in?

And can you get an FTP section level-9 debug trace. It should show the exact username processing steps performed. With both encoded and decoded user/pass, so be careful replying here with anything.

Amos
[squid-users] Re : [squid-users] Re : [squid-users] Re : [squid-users] Anonymous FTP and login pass url based
Hi and thanks for your answers,

If I understand this is a bug in the order of ftp authentication ?

Guillaume

----- Original message -----
From: Amos Jeffries squ...@treenet.co.nz
To: squid-users@squid-cache.org
Cc:
Sent: Tuesday 20 December 2011 12:00
Subject: Re: [squid-users] Re : [squid-users] Re : [squid-users] Anonymous FTP and login pass url based

On 20/12/2011 9:35 p.m., Henrik Nordström wrote:
> Mon 2011-12-19 at 23:53 +1300, Amos Jeffries wrote:
>> Do you have a trace from this server when requesting something from the login-required area of the site?
>
> If the requested URL contains login credentials then anonymous FTP login SHOULD NOT be attempted.
>
> Regards
> Henrik

Sorry. My brain seems to have died :(

see the src/ftp.cc checkAuth() function for reality.

Default is username anonymous with password from config file (default Squid@).
Which gets overridden by HTTP Basic auth headers (if any).
Which then gets overridden by URL details (if any).

The final result of all that merging is what gets sent to the server in a single USER command. (I was thinking of it incorrectly as the order of several USER commands)

Amos
Re: [squid-users] Re : [squid-users] Re : [squid-users] Anonymous FTP and login pass url based
Mon 2011-12-19 at 23:53 +1300, Amos Jeffries wrote:
> Do you have a trace from this server when requesting something from the login-required area of the site?

If the requested URL contains login credentials then anonymous FTP login SHOULD NOT be attempted.

Regards
Henrik
Re: [squid-users] Re : [squid-users] Re : [squid-users] Anonymous FTP and login pass url based
On 20/12/2011 9:35 p.m., Henrik Nordström wrote:
> Mon 2011-12-19 at 23:53 +1300, Amos Jeffries wrote:
>> Do you have a trace from this server when requesting something from the login-required area of the site?
>
> If the requested URL contains login credentials then anonymous FTP login SHOULD NOT be attempted.
>
> Regards
> Henrik

Sorry. My brain seems to have died :(

see the src/ftp.cc checkAuth() function for reality.

Default is username anonymous with password from config file (default Squid@).
Which gets overridden by HTTP Basic auth headers (if any).
Which then gets overridden by URL details (if any).

The final result of all that merging is what gets sent to the server in a single USER command. (I was thinking of it incorrectly as the order of several USER commands)

Amos
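Added example (not part of the thread and not Squid's source code): a small Python model of the credential precedence described in the message above, where the defaults are replaced by HTTP Basic credentials, which are in turn replaced by URL credentials, leaving one login to send. The function names, the sample header and the rule that each source replaces the user/password pair as a whole are assumptions made for illustration.

```python
import base64
from urllib.parse import urlsplit, unquote

# Defaults as described in the thread: user "anonymous", password "Squid@".
DEFAULT_LOGIN = ("anonymous", "Squid@")
# Constructed sample header for user "alice", password "s3cret".
SAMPLE_BASIC = "Basic " + base64.b64encode(b"alice:s3cret").decode()

def basic_credentials(header):
    """Decode an Authorization header value; None unless it is valid Basic auth."""
    if not header:
        return None
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def url_credentials(url):
    """Return percent-decoded (user, password) from the URL userinfo, or None."""
    parts = urlsplit(url)
    if not parts.username:
        return None
    return unquote(parts.username), unquote(parts.password or "")

def resolve_ftp_login(url, authorization=None):
    """Merge the three sources; later sources override earlier ones.

    Assumption: each source replaces the (user, password) pair as a whole.
    Returns (user, password, source) for the single login that would be sent.
    """
    (user, password), source = DEFAULT_LOGIN, "default"
    for name, found in (("basic-auth", basic_credentials(authorization)),
                        ("url", url_credentials(url))):
        if found:
            (user, password), source = found, name
    return user, password, source

if __name__ == "__main__":
    for url, hdr in [("ftp://siteftp/", None),
                     ("ftp://siteftp/", SAMPLE_BASIC),
                     ("ftp://login:p%40ss@siteftp/", SAMPLE_BASIC)]:
        user, _, source = resolve_ftp_login(url, hdr)
        print(f"{url!r}: USER {user} (from {source})")  # password not printed
```
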
[squid-users] Re : [squid-users] Re : [squid-users] Anonymous FTP and login pass url based
Hi Henrik,

I tried IE8, FF, and squidclient ... and the result is the same.

Without Squid proxy, ftp://login:password@siteftp on an ftp site which uses anonymous as default and authenticated access, the connection with login / password is ok.

With Squid proxy, ftp://login:password@siteftp only returns anonymous access.

Regards
Guillaume

----- Original message -----
From: Henrik Nordström hen...@henriknordstrom.net
To: Al Batard albatar...@yahoo.fr
Cc: squid-users@squid-cache.org squid-users@squid-cache.org
Sent: Saturday 17 December 2011 3:54
Subject: [squid-users] Re : [squid-users] Anonymous FTP and login pass url based

Please try testing this with squidclient or another dumb http client. The major browsers are all pretty braindead in different manners when it comes to non-anonymous FTP URLs and can confuse matters greatly.

Regards
Henrik
Re: [squid-users] Re : [squid-users] Re : [squid-users] Anonymous FTP and login pass url based
On 17/12/2011 2:24 a.m., Al Batard wrote:
> Hi,
>
> This is the log of the ftp connection to ftp site that accepts anonymous and login/pass (ftp://login:pass@ftpsite in url). Only Anonymous is used. Not my login / password. On a ftp site with anonymous login denied, user / password appear in log.
>
> - log of the ftp site with anonymous and login / pass authorized :
>
> 2011/12/16 13:46:53.474| ftp 220 FTP Server ready.
> 2011/12/16 13:46:53.474| ftp USER anonymous

snip

> 2011/12/16 13:46:53.653| ftp 150 Opening ASCII mode data connection for file list
> 2011/12/16 13:46:53.744| ftp 226 Transfer complete
> 2011/12/16 13:46:53.744| ftp QUIT
> 2011/12/16 13:46:53.771| ftp 221 Goodbye.

This is a successful transfer. The data got to Squid using anonymous access. There is no problem with auth here.

Do you have a trace from this server when requesting something from the login-required area of the site?

> - log of the ftp site with login / pass authorized only :
>
> 2011/12/16 13:50:09.781| ftp 220 FTP
> 2011/12/16 13:50:09.781| ftp USER login

I think there is some trace missing here. An earlier connect attempt to the FTP server using anon access, which fails.

Either way, auth happened and the object was fetched. Again, no problem with auth here.

Amos
[squid-users] Re : [squid-users] Re : [squid-users] Anonymous FTP and login pass url based
Hi,

This is the log of the ftp connection to ftp site that accepts anonymous and login/pass (ftp://login:pass@ftpsite in url). Only Anonymous is used. Not my login / password. On a ftp site with anonymous login denied, user / password appear in log.

- log of the ftp site with anonymous and login / pass authorized :

2011/12/16 13:46:53.474| ftp 220 FTP Server ready.
2011/12/16 13:46:53.474| ftp USER anonymous
2011/12/16 13:46:53.500| ftp 331 Anonymous login ok, send your complete email address as your password
2011/12/16 13:46:53.500| ftp PASS Squid@
2011/12/16 13:46:53.548| ftp 230 Anonymous login ok, restrictions apply.
2011/12/16 13:46:53.548| ftp TYPE A
2011/12/16 13:46:53.575| ftp 200 Type set to A
2011/12/16 13:46:53.575| ftp PASV
2011/12/16 13:46:53.601| ftp 227 Entering Passive Mode (86,66,22,5,238,97).
2011/12/16 13:46:53.627| ftp LIST
2011/12/16 13:46:53.653| ftp 150 Opening ASCII mode data connection for file list
2011/12/16 13:46:53.744| ftp 226 Transfer complete
2011/12/16 13:46:53.744| ftp QUIT
2011/12/16 13:46:53.771| ftp 221 Goodbye.

- log of the ftp site with login / pass authorized only :

2011/12/16 13:50:09.781| ftp 220 FTP
2011/12/16 13:50:09.781| ftp USER login
2011/12/16 13:50:09.810| ftp 331 Password required for login
2011/12/16 13:50:09.810| ftp PASS password
2011/12/16 13:50:09.871| ftp 230 User login logged in
2011/12/16 13:50:09.871| ftp TYPE A
2011/12/16 13:50:09.906| ftp 200 Type set to A
2011/12/16 13:50:09.906| ftp PASV
2011/12/16 13:50:09.933| ftp 227 Entering Passive Mode (86,65,55,2,183,40).
2011/12/16 13:50:09.963| ftp LIST
2011/12/16 13:50:09.990| ftp 150 Opening ASCII mode data connection for file list
2011/12/16 13:50:10.024| ftp 226 Transfer complete
2011/12/16 13:50:10.024| ftp QUIT
2011/12/16 13:50:10.055| ftp 221 Goodbye.

Regards,
Guillaume

----- Original message -----
From: Amos Jeffries squ...@treenet.co.nz
To: squid-users@squid-cache.org
Cc:
Sent: Friday 16 December 2011 10:22
Subject: Re: [squid-users] Re : [squid-users] Anonymous FTP and login pass url based

On 16/12/2011 10:15 p.m., Al Batard wrote:
> Hi Amos,
>
> Thanks for your answer. My problem is if an ftp site uses both default anonymous and login/password, Squid does not send login/password and only uses anonymous.
>
> I tried without Squid proxy and login/password in url based is ok for this ftp site.
>
> Guillaume

Ah. Thanks. Can you provide an FTP protocol sequence displaying the error?

You can get a cache.log trace of FTP with debug_options 9,2 in any of the recent Squid releases.

Amos
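Added example (not part of the thread and not a Squid tool): a Python filter for section 9 FTP traces in the line format shown above, which masks `PASS` arguments and URL passwords before a trace is shared and reports which `USER` each session sent and whether a 230 reply followed. The function name is hypothetical and the sample lines are constructed from the trace excerpts in this thread.

```python
import re

# "<date> <time>| ftp <message>"; any marker characters directly after
# "ftp" are tolerated.
LINE = re.compile(r"^(?P<ts>\S+ \S+)\|\s*ftp\S*\s+(?P<msg>.*)$")
# Password part of ftp://user:password@host URLs appearing anywhere in a line.
URL_USERINFO = re.compile(r"(ftp://[^/\s:@]+):[^@\s/]+@", re.I)

# Constructed sample, shortened from the two traces posted in the thread.
SAMPLE_TRACE = """\
2011/12/16 13:46:53.474| ftp USER anonymous
2011/12/16 13:46:53.500| ftp 331 Anonymous login ok, send your complete email address as your password
2011/12/16 13:46:53.500| ftp PASS Squid@
2011/12/16 13:46:53.548| ftp 230 Anonymous login ok, restrictions apply.
2011/12/16 13:50:09.781| ftp USER login
2011/12/16 13:50:09.810| ftp 331 Password required for login
2011/12/16 13:50:09.810| ftp PASS password
2011/12/16 13:50:09.871| ftp 230 User login logged in
""".splitlines()

def sanitize_trace(lines):
    """Return (redacted_lines, sessions); sessions is a list of (user, logged_in)."""
    out, sessions, current = [], [], None
    for raw in lines:
        line = URL_USERINFO.sub(r"\1:***@", raw)
        m = LINE.match(line)
        if m:
            verb, _, arg = m.group("msg").partition(" ")
            if verb.upper() == "USER":
                current = [arg.strip(), False]      # a new login attempt starts
                sessions.append(current)
            elif verb.upper() == "PASS":
                line = line[: m.start("msg")] + "PASS ***"
            elif verb == "230" and current:
                current[1] = True                   # server accepted the login
        out.append(line)
    return out, [tuple(s) for s in sessions]

if __name__ == "__main__":
    redacted, sessions = sanitize_trace(SAMPLE_TRACE)
    print("\n".join(redacted))
    for user, ok in sessions:
        print(f"USER {user}: {'accepted' if ok else 'no 230 seen'}")
```
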