On Sun, 16 Nov 2003, David F. Severski wrote:

> When going to an FTP site that does not accept anonymous FTP connections
> (ftp://nac-client.na-corp.com/), my commercial (HTTP/1.1) proxies respond
> with '401 Authentication Required' after the initial anonymous login fails.
> Squid, however, responds with 403 Forbidden.

Yes.

> The 401 is the desired response as Netscape and Mozilla helpfully pop up
> a prompt for the user credentials for the FTP site in response to a 401.
> Receiving the 403 back stops this from occurring and results in an error
> message to the end user.

There are several technical difficulties in doing this at the protocol level. The most apparent is that the user will not be able to reach the anonymous-ftp section of the FTP server after logging in without first quitting his browser.

> Is there a way to cause Squid to generate the desired 401 code in
> response to an initial anonymous FTP login failing? Having users rewrite
> the URL to the familiar ftp://user:[EMAIL PROTECTED]/ syntax is not a very
> palatable option.

With some coding this is fully possible.

Thinking here... changing the code to challenge for authentication on failed login is not hard, but it needs to be investigated whether this can be done in a manner not breaking anonymous access.

> not reveal any hits for this particular behavior. For that matter, I am
> unable to easily locate an RFC spec for just how FTP-over-HTTP is
> supposed to work, so perhaps this is a nebulous area altogether.

FTP-over-HTTP is specified by cross-reading two RFCs:

a) The URL specification on the meaning of ftp:// URLs (where ftp://host/ is clearly defined as anonymous FTP only)

b) The HTTP RFCs on how the proxy is allowed to act to the client.

The protocol used by the client when requesting ftp:// URLs via a proxy is HTTP, not FTP. The proxy then acts sort of like a virtual web server to the client, providing access to the ftp:// objects named by the client.

Unfortunately this leaves a great deal of the fine details unspecified, such as whether it is allowed to use HTTP authentication if the credentials provided in the URL are not sufficient etc. For convenience most proxies do this in one way or another, but the only standard method is ftp://user:[EMAIL PROTECTED]/

Regards
Henrik
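
The behaviour discussed in this thread, as an added example that is not part of the original message and is not Squid's code: a proxy-side decision function that takes FTP credentials from the URL, then from an HTTP `Authorization: Basic` header, then falls back to anonymous, and answers a failed login with either 403 or a 401 challenge. The function names, the `ftp.example.test` host, the accounts and the realm format are all constructed for illustration.

```python
import base64
from urllib.parse import urlsplit, unquote

ANONYMOUS = ("anonymous", "proxy@example.invalid")  # constructed placeholder

def pick_credentials(url, authorization=None):
    """Return (user, password, source) for an ftp:// URL requested over HTTP."""
    parts = urlsplit(url)
    if parts.scheme != "ftp":
        raise ValueError("not an ftp:// URL")
    if parts.username is not None:  # ftp://user:password@host/ form wins
        return unquote(parts.username), unquote(parts.password or ""), "url"
    scheme, _, blob = (authorization or "").partition(" ")
    if scheme.lower() == "basic":
        try:
            decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
        except ValueError:  # bad base64 or bad UTF-8: ignore the header
            decoded = ""
        user, sep, password = decoded.partition(":")
        if sep:
            return user, password, "header"
    return ANONYMOUS + ("anonymous",)

def respond(url, authorization, ftp_login, challenge_on_failure):
    """Return (status, headers, ftp_user) after trying the FTP login."""
    user, password, source = pick_credentials(url, authorization)
    host = urlsplit(url).hostname
    if ftp_login(host, user, password):
        return 200, {}, user
    # Credentials embedded in the URL override the header, so a challenge
    # could never be answered; only challenge when the header can fix it.
    if challenge_on_failure and source != "url":
        return 401, {"WWW-Authenticate": f'Basic realm="ftp://{host}"'}, user
    return 403, {}, user

def make_ftp_server(accounts, allow_anonymous):
    """Constructed stand-in for the FTP login step (no network access)."""
    def login(host, user, password):
        if user == "anonymous":
            return allow_anonymous
        return accounts.get(user) == password
    return login

def basic(user, password):
    """Build the Authorization value a browser sends after a 401 prompt."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
```

Because a browser keeps replaying the `Authorization` header for the host once the user has answered the prompt, every later request in this model logs in as that user, which is the loss of anonymous access described above.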
