On 29/07/11 09:05, Scott Mace wrote:
I have a whitelist to allow users to access only sites required. We primarily
use it for ftp, either through a web browser or filezilla-like clients. The
browser based is flawless, but odd behavior with ftp clients.
acl whitelist dstdomain "/etc/squid3/whitelist"
http_access deny !whitelist
Whitelist contains (for testing):
gatekeeper.dec.com
Here is the result:
1311886691.258 21738 192.168.100.194 TCP_MISS/200 998 CONNECT
gatekeeper.dec.com:21 - DIRECT/192.6.29.21 -
1311886757.392 0 192.168.100.194 TCP_DENIED/403 1899 CONNECT
192.6.29.21:51967 - NONE/- text/html
As you can see, it changes from using hostname to IP address, which matches
nothing in the whitelist, and is denied. If I add the IP to the whitelist, it
works perfectly. How can I force it to always use the hostname?
You can't. It uses what the client is trying to use. So that malicious
clients can get denied.
As for the "change". This is how FTP works. With multiple channels
setup. Reason #1 why it cannot be relayed by Squid. Use a proxy designed
to relay FTP, such as frox, instead.
Squid only supports fetching FTP data and reformatting into HTTP
responses for clients. read-only via a web browser etc.
IP added to whitelist:
1311887068.133 17458 192.168.100.194 TCP_MISS/200 1919 CONNECT
gatekeeper.dec.com:21 - DIRECT/192.6.29.21 -
1311887072.841 124 192.168.100.194 TCP_MISS/200 0 CONNECT 192.6.29.21:51255
- DIRECT/192.6.29.21 -
The access permissions order is important:
http://wiki.squid-cache.org/SquidFaq/OrderIsImportant
You have also broken the basic security protections:
http://wiki.squid-cache.org/SquidFaq/SecurityPitfalls#The_Safe_Ports_and_SSL_Ports_ACL
Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.14
Beta testers wanted for 3.2.0.10
