
Squid Proxy Server questions

  • 31-01-2003 3:00pm
    #1
    Registered Users, Registered Users 2 Posts: 14,149 ✭✭✭✭


    Hey Guys,

    I've had Squid proxy forced upon me and been told to "fix" some configurations in it courtesy of the original guy refusing to do anything with it. This really sucks cause I didn't implement the proxy, but I'm taking all the heat for it :(


    Anyway,

    1. If I want to enable NNTP or FTP, do I do it in the ACL list?

    Here's the config as stands:
    ......
    
    acl LAN src 10.0.0.0/255.0.0.0
    
    .....
    
    acl SSL_ports port 443 563
    acl Safe_ports port 80          # http
    acl Safe_ports port 21          # ftp
    acl Safe_ports port 443 563     # https, snews
    acl Safe_ports port 70          # gopher
    acl Safe_ports port 210         # wais
    acl Safe_ports port 1025-65535  # unregistered ports
    acl Safe_ports port 280         # http-mgmt
    acl Safe_ports port 488         # gss-http
    acl Safe_ports port 591         # filemaker
    acl Safe_ports port 777         # multiling http
    acl Safe_ports port 90          # multiling http
    (USENET News Transfer Protocol)
    acl CONNECT method CONNECT
    
    .....
    
    http_access deny !Safe_ports
    # Deny CONNECT to other than SSL ports
    http_access deny CONNECT !SSL_ports
    

    FTP appears not to work, and if I insert a reference for NNTP (acl Safe_ports port 119) it still seems to do nothing.


    2. Are there any configuration options that I should be paying attention to as regards speeding up the proxy? I notice it's quite slow and rather crap.


Comments

  • Closed Accounts Posts: 5,564 ✭✭✭Typedef


    The config looks fine; if http works, then there is 'no' reason I can see that ftp won't.

    Have you checked your firewall and natting rules?


  • Registered Users, Registered Users 2 Posts: 14,149 ✭✭✭✭Lemming


    Originally posted by Typedef
    The config looks fine; if http works, then there is 'no' reason I can see that ftp won't.

    Have you checked your firewall and natting rules?

    Well, FTP and NNTP, and (insert service of choice) were working fine and dandy until the proxy was brought up yesterday evening (and everyone laid into me this morning :( )

    And as I've just found out ... Nat has been disabled. ARGHHHHHHHHH.

    I have a new satan ... its name is Squid-Proxy


  • Registered Users, Registered Users 2 Posts: 2,393 ✭✭✭Jaden


    Squid Rocks, Ask me nicely, and I'll send you my conf file.

    Maybe we could post them (modified) here?


  • Registered Users, Registered Users 2 Posts: 14,149 ✭✭✭✭Lemming


    Originally posted by Jaden
    Squid Rocks, Ask me nicely, and I'll send you my conf file.

    Maybe we could post them (modified) here?

    please pretty purleeeassse ?? ;)


  • Registered Users, Registered Users 2 Posts: 1,862 ✭✭✭flamegrill


    Have you tried passive ftp?? Traditionally ftp uses 2 ports when operating. 1) 21 for connections 2) 20 for data transfer.

    As for nntp it should work.. :-)

    Have you restarted squid? (hehe has to be asked though)

    Paul


  • Registered Users, Registered Users 2 Posts: 14,149 ✭✭✭✭Lemming


    Originally posted by flamegrill
    Have you tried passive ftp?? Traditionally ftp uses 2 ports when operating. 1) 21 for connections 2) 20 for data transfer.

    I was wondering about that. Shall give it a look on Monday morning.


    As for nntp it should work.. :-)

    TBH, this is my main concern at the moment because a LOT of my fellow developers use news groups heavily, eg. Borland, etc. etc. And having several irate programmers going through withdrawal is not a pleasant experience ... whilst going through ssh withdrawal symptoms yerself ;)

    But on a serious note, if I try inserting an ACL line for port 119 for NNTP, it still doesn't work :confused:


    Have you restarted squid? (hehe has to be asked though)

    Yer askin for a beating man :p hehe


  • Closed Accounts Posts: 741 ✭✭✭longword


    Originally posted by Lemming
    Well, FTP and NNTP, and (insert service of choice) were working fine and dandy until the proxy was brought up yesterday evening (and everyone laid into me this morning :( )

    And as I've just found out ... Nat has been disabled. ARGHHHHHHHHH.

    I have a new satan ... its name is Squid-Proxy
    Thou shalt not speak ill of the Squid!

    Squid isn't a generic proxy, it's pretty much HTTP and FTP only - and FTP must come in the form of a URL request so a standard FTP client won't work. It won't proxy NNTP or ssh. Running Squid won't in and of itself have disabled your NATing nor is it incompatible with the simultaneous use of NAT.


  • Closed Accounts Posts: 5,564 ✭✭✭Typedef


    Originally posted by longword
    NATing nor is it incompatible with the simultaneous use of NAT.

    hint hint... Lemming..... squid with ACL for the proles in your office....

    Nat for you...

    hint hint.


  • Closed Accounts Posts: 741 ✭✭✭longword


    Don't forget bandwidth management either. One kilobit for them, three for me. One kilobit for them...


  • Registered Users, Registered Users 2 Posts: 14,149 ✭✭✭✭Lemming


    Originally posted by TypeDef

    hint hint... Lemming..... squid with ACL for the proles in your office....

    Nat for you...

    hint hint.

    I hope you're not suggesting that I set myself outside of the proxy so that the powers that be can't ip-account my ass? ;)

    Originally posted by longword

    Don't forget bandwidth management either. One kilobit for them, three for me. One kilobit for them...

    hehee .. I shall keep those wise words in mind ;)


    But seriously though, I'm not overly fussed about the proxy for myself (cause I can subvert it anyway .. I won't say how) but it's for everyone else.

    What I might end up doing is re-enabling NAT but placing rules so that only nntp or ftp traffic is allowed through the firewall that isn't coming or going via the proxy.

    I dunno. I'm still reading up on Satan .. er.. I mean Squid


  • Registered Users, Registered Users 2 Posts: 14,149 ✭✭✭✭Lemming


    Hmmm .. anyone got any recommendations for generic proxy servers?


  • Closed Accounts Posts: 741 ✭✭✭longword


    Originally posted by Lemming
    Hmmm .. anyone got any recommendations for generic proxy servers?
    If you want to go down the SOCKS route, try Dante. But I can't say I recommend that strategy. What's wrong with a web proxy and filtered NAT?


  • Registered Users, Registered Users 2 Posts: 14,149 ✭✭✭✭Lemming


    Originally posted by longword
    What's wrong with a web proxy and filtered NAT?

    Oh, nothing wrong. Just looking at all possibilities.

    TBH, I think the proxy/filtered NAT route is sounding appealing to me right now.

    If anything, it's giving me a size-12 steel-toecapped boot up the arse to learn about Sata.... err .. Squid ;)


  • Registered Users, Registered Users 2 Posts: 14,149 ✭✭✭✭Lemming


    Ok, I can ftp (ftp://ftp.blah) via my web-browser, so squid IS allowing FTP now, but I still can't use ftp clients even when they have proxy capabilities. This is driving me insane

    I'm using LeechFTP (Win Application) to try to connect to, say, ftp.esat.net and I can't.

    I've got the File->Options->"HTTP" Tab->"HTTP Proxy": x.x.x.x: port

    To no avail.

    If I also set the File->Options->"Firewall Settings" Tab settings to any of the following:

    1. Do not use
    2. PASV Mode
    3. USER@HOST (*)
    4. User@HOST + Login (*)(**)


    * requires proxy address/port
    ** requires User + Password

    I still can't connect.

    Any ideas? :confused:


  • Registered Users, Registered Users 2 Posts: 1,862 ✭✭✭flamegrill


    Try TTF (http://dahomelands.net/ttf.exe) for ftp/ssh/nntp
    you can basically forward any and all traffic outward using it via squid, I found squid to be a dream to tunnel across :-)

    if that url doesn't work PM me, I'm a lazy **** now so I won't check hehe...

    Paul


  • Closed Accounts Posts: 741 ✭✭✭longword


    Originally posted by Lemming
    Ok, I can ftp (ftp://ftp.blah) via my web-browser, so squid IS allowing FTP now, but I still can't use ftp clients even when they have proxy capabilities.
    I'd guess it's the FTP client that's the problem here. Have a look at your Squid's access/cache logs. Maybe use Ethereal/tcpdump to see if the FTP client is doing what you think it ought to be doing.


  • Registered Users, Registered Users 2 Posts: 14,149 ✭✭✭✭Lemming


    Originally posted by longword
    I'd guess it's the FTP client that's the problem here. Have a look at your Squid's access/cache logs.


    Hmmm, after going through my access/cache .log files I can find no reference to the ftp client attempting to connect to the proxy server

    Shouldn't there even be a reference that /something/ attempted to connect to the proxy though? :confused:


    [EDIT]

    O k a y y y y y ....

    I downloaded Smart-FTP which seems to be recognising the proxy and attempting to connect to it.

    Upon doing a grep on the squid access.log file I get the following:

    1044441673.165 10 x.x.x.x TCP_DENIED/403 978 CONNECT ftp.redhat.com:21 - NONE/- -
    1044441797.818 4 x.x.x.x TCP_DENIED/403 978 CONNECT ftp.redhat.com:21 - NONE/- -

    Any ideas boys and girls?


  • Closed Accounts Posts: 741 ✭✭✭longword


    Originally posted by Lemming
    Shouldn't there even be a reference that /something/ attempted to connect to the proxy though? :confused:
    Yup. If it's not hitting the Squid at all, it's broken or misconfigured.

    TCP_DENIED/403 978 CONNECT ftp.redhat.com:21 - NONE/- -
    Any ideas boys and girls?
    CONNECT method eh? Very naughty. CONNECT pretty much gives you a straight forwarded TCP connection to the remote site. Not what you want if you're trying to cache, control, or monitor what people are downloading. CONNECT is meant for use by https which requires an unmodified client-to-server stream. In keeping with that intent, if you look through your squid.conf you'll see these two lines (not necessarily together)...
    acl SSL_ports port 443 563

    http_access deny CONNECT !SSL_ports
    If you're feeling extra loose and generous, you could add port 21 to the list of SSL_ports. Alternatively, for the same effect but neater, above that http_access deny CONNECT line you could add these two new lines:
    acl FTP_port port 21
    http_access allow CONNECT FTP_port
    Note that if you allow this, you will be able to log when and what sites people are connecting to, but that's about it. Nothing about what files are being downloaded or how big. I'm not sure how FTP clients operate in 'CONNECT' proxy mode - you may need to allow more ports.

    If you're serious about allowing FTP you're better off allowing NAT for it with a bit of logging. Don't forget to load the modules ip_nat_ftp and ip_conntrack_ftp.

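Added example (not from the thread or from the Squid project): a small Python audit that parses native-format Squid access.log lines like the two quoted above and applies the CONNECT decision longword describes, so you can see which refused tunnels an `acl FTP_port port 21` + `http_access allow CONNECT FTP_port` pair would open. The sample log lines and client addresses are constructed.

```python
import re
from typing import List, NamedTuple, Optional, Set

# Native Squid access.log: timestamp elapsed_ms client result/status bytes method url user hierarchy/peer type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+\S+\s+\S+\s+\S+$"
)

# Constructed sample log: lines 1-2 mirror the TCP_DENIED entries quoted in the thread (client
# addresses made up inside the posted 10.0.0.0/8 LAN); line 3 is a made-up HTTPS tunnel.
SAMPLE_LOG = """\
1044441673.165     10 10.0.0.5 TCP_DENIED/403 978 CONNECT ftp.redhat.com:21 - NONE/- -
1044441797.818      4 10.0.0.5 TCP_DENIED/403 978 CONNECT ftp.redhat.com:21 - NONE/- -
1044441810.002    120 10.0.0.7 TCP_MISS/200 4120 CONNECT www.example.com:443 - DIRECT/192.0.2.10 -
"""

SSL_PORTS: Set[int] = {443, 563}  # 'acl SSL_ports port 443 563' from the posted squid.conf

class Entry(NamedTuple):
    client: str
    result: str
    status: int
    method: str
    host: str
    port: Optional[int]

def parse_line(line: str) -> Optional[Entry]:
    """Parse one access.log line; None if it is not in the native format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    host, sep, port = m["url"].rpartition(":")  # CONNECT targets are written host:port
    has_port = sep == ":" and port.isdigit()
    return Entry(m["client"], m["result"], int(m["status"]), m["method"],
                 host if has_port else m["url"], int(port) if has_port else None)

def connect_permitted(port: Optional[int], extra_ports: Set[int] = frozenset()) -> bool:
    """Rule order from the thread: 'http_access allow CONNECT FTP_port' (only if added) runs
    before 'http_access deny CONNECT !SSL_ports', so a tunnel passes if its port is in either set."""
    return port is not None and (port in extra_ports or port in SSL_PORTS)

def denied_connects(log_text: str) -> List[Entry]:
    """CONNECT requests Squid refused (TCP_DENIED/403): tunnels aimed at non-SSL ports."""
    entries = (parse_line(l) for l in log_text.splitlines())
    return [e for e in entries if e and e.method == "CONNECT" and e.result == "TCP_DENIED"]

def unlocked_by(log_text: str, extra_ports: Set[int]) -> List[Entry]:
    """Denied tunnels that would start passing once extra_ports (e.g. {21}) are allowed."""
    return [e for e in denied_connects(log_text) if connect_permitted(e.port, extra_ports)]
```

Run it against a real access.log to confirm that the only tunnels Squid is refusing are the ones you expect before widening the ACL; anything else showing up as TCP_DENIED CONNECT is a client you should look at, not a rule you should relax.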

  • Registered Users, Registered Users 2 Posts: 14,149 ✭✭✭✭Lemming


    Cheers for that longword.

    I put in an ACL entry for FTP_port port 21 with a http_access entry also, just as an interim solution on my way to getting nat+filtering up which would take care of both FTP _AND_ NNTP.

    Anyway, it was all to no avail cause the FTP client decided to use the FEAT command whilst connecting, thus buggering up the connection and preventing me from seeing any contents of an ftp server :rolleyes:

    I'm wasting far too much time on it.


  • Closed Accounts Posts: 741 ✭✭✭longword


    NAT is piss easy though. Assuming eth0 is your 'internal' private LAN interface and eth1 is the public internet interface...

    iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -p tcp -i eth0 --dport 21 -j ACCEPT
    iptables -A FORWARD -p tcp -i eth0 --dport 119 -j ACCEPT
    iptables -P FORWARD DROP
    echo "1" >/proc/sys/net/ipv4/ip_forward

    On a Red Hat style system you can save that off and make it load on boot with...

    /sbin/service iptables save
    /sbin/chkconfig iptables on

    The above is decently secure as it stands, though I'm sure you'll still want to read up on it, maybe lock it down a bit more and add some logging rules.

