Squid (proxy server) and FTP

Zingaro2002 · 11-05-2003, 09:42 AM

Hi guys!

I'm new to Squid so forgive me if I question is too simple for you...

I need in my LAN a proxyserver to filter my users requests.
All I want is that they can access ONLY two web-site and ONE ftp.

I configured SQUID to achieve the first goal in this way:
#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 631 # cups
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT

# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Only allow purge requests from localhost
http_access allow purge localhost
http_access deny purge
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
http_access allow localhost

acl our_network1 src 192.168.0.1/24
acl Sites dstdom_regex "/etc/allowed_sites.txt"
http_access allow our_network1 Sites

acl our_network2 src 192.168.9.1/24
#acl Sites dstdom_regex "/etc/allowed_sites.txt"
http_access allow our_network2 Sites

# And finally deny all other access to this proxy
http_access deny all

***************************************
where allowed_sites.txt is

www.firstsite.com
www.secondsite.com
www.ftpsite.com
80.xx.zz.33
85.vv.hh.22
92.aa.bb.11

where www.ftpsite.com and 92.aa.bb.11 are respectively the name and ip address of the ftp server my users can access (in their InternetExplorer they write ftp://www.ftpsite.com/directoryname or ftp://92.aa.bb.11/directoryname).

The problem is that in this way they are correctly restricted for http, BUT they have NO restriction for ftp (they can enter ANY ftp server!!!).

What's the problem?
How should I configure Squid to let my users access ONLY the ftp server ftp://www.ftpsite.com/directoryname ?

Thanks in advance!