Re: [squid-users] Question about accessing an FTP server from a browser

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 22 Jun 2012 19:11:55 +1200

On 22/06/2012 2:32 a.m., BERSIHAND Christophe wrote:
> Hello,
>
> Can you tell me the difference between those two configurations, both allowing me to access an FTP server from a browser.
>
> acl Safe_ports port 21 80 443 563 70 210 631 1025-65535
> http_access deny !Safe_ports

This configuration blocks all non-safe ports from being contacted. Those
are ports whose native protocol can be embedded within HTTP headers and
relayed via port 80 software. Usually used for attack purposes relayed
via unprotected "open" proxies.

The FTP control port is one listed as safe to be used through Squid.

> and
>
> acl Safe_ports port 80 443 563 70 210 631 1025-65535
> acl FTP proto FTP
> http_access deny !Safe_ports !FTP

This second configuration permits anyone to open any unsafe destination
ports if they simply send ftp:// on the URL.

For example, someone wanting to relay spam email to example.com through
your proxy only has to send it a request for "ftp://example.com:25/".

Amos
Received on Fri Jun 22 2012 - 07:12:08 MDT
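
The difference between the two rules, as an added example that is not part of the original message: a small Python model (not Squid code) of how each deny line treats a request. It assumes that every ACL named on one http_access line must match for the line to apply; the port lists are copied from the thread and the sample URLs are constructed.

```python
from urllib.parse import urlsplit

# Default destination ports used when the URL does not name one.
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}

def parse_ports(spec):
    """Turn the value list of a 'port' ACL into (low, high) ranges."""
    ranges = []
    for item in spec.split():
        low, _, high = item.partition("-")
        ranges.append((int(low), int(high or low)))
    return ranges

# Safe_ports as defined in the first and second configuration of the thread.
SAFE_PORTS_1 = parse_ports("21 80 443 563 70 210 631 1025-65535")
SAFE_PORTS_2 = parse_ports("80 443 563 70 210 631 1025-65535")

def request_facts(url):
    """Return (scheme, destination port) for a request URL."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, parts.port or DEFAULT_PORTS[scheme]

def in_ranges(port, ranges):
    return any(low <= port <= high for low, high in ranges)

def denied_config_1(url):
    """Models: http_access deny !Safe_ports"""
    _, port = request_facts(url)
    return not in_ranges(port, SAFE_PORTS_1)

def denied_config_2(url):
    """Models: http_access deny !Safe_ports !FTP (both ACLs must match)."""
    scheme, port = request_facts(url)
    return (not in_ranges(port, SAFE_PORTS_2)) and scheme != "ftp"

# Constructed sample requests; the third is the case named in the reply.
SAMPLE_URLS = [
    "ftp://ftp.example.com/",
    "http://example.com:25/",
    "ftp://example.com:25/",
]

def report():
    """Return (url, denied by config 1, denied by config 2) per sample."""
    return [(u, denied_config_1(u), denied_config_2(u)) for u in SAMPLE_URLS]

if __name__ == "__main__":
    for url, first, second in report():
        print(f"{url:28} config1 deny={first!s:5} config2 deny={second}")
```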
