Hi Folks,

After a scary process started looking at our databases we decided it was time to put all our servers behind a web gateway. I've setup Squid and it is working fantastically, except FTP doesn't work from FTP clients. Going to the FTP site from internet explorer works fine. Looking at the logs it seems to be using FTP over HTTP for IE. I've read that wget also uses FTP over HTTP, but I get no love when I try (and I'm skeptical it uses FTP over HTTP anyway). I'm also not seeing any DENIES in the squid log, which makes me think it's either a problem with my config, or worse, it just can't handle what I'm doing.

The following is the environmental variable I set up for wget:

set ftp_proxy=ftp://<web proxy IP address>:8888

Here's the Squid 3 config

acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl SSL_ports port 443 21 # added 21 for ftp
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 42022 # allow sftp server
acl CONNECT method CONNECT
acl ftp proto FTP # create new ACL for ftp
acl whitelist dstdomain "/etc/squid3/sites.whitelist"
http_access allow whitelist
http_access allow ftp
http_access deny all
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
http_port 8888
coredump_dir /var/spool/squid3
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
visible_hostname proxy

Logs when FTP works through IE.

1394465089.588 6267 192.168.4.68 TCP_MISS/401 3869 GET ftp://ftp.redacted.com/ - DIRECT/10.182.197.128 text/html
1394465104.591 30 192.168.4.68 TCP_MISS/200 1856 GET ftp://derp@ftp.redacted.com/ - DIRECT/10.182.197.128 text/html

Output from Wget when trying to use Proxy.

C:\Program Files (x86)\GnuWin32\bin>wget.exe -np -nc -nd ftp://derp:Password
!@ftp.redacted.com/*.*
SYSTEM_WGETRC = c:/progra~1/wget/etc/wgetrc
syswgetrc = C:\Program Files (x86)\GnuWin32/etc/wgetrc
--2014-03-10 11:52:19-- ftp://derp:*password*@ftp.redacted.com/*.*
=> `.listing'
Connecting to 192.168.96.181:8888... connected.
Logging in as derp ...
Error in server response, closing control connection.
Retrying.

Do I need to find a different FTP proxy solution? I've spent the last couple days banging my head on this one. Any help is very much appreciated.

I figured out what I was doing wrong. The following command needed to be changed.

set ftp_proxy=http://<web proxy IP address>:8888

Wget was then able to GET files from the ftp server. Unfortunately, this won't work with wildcards, so now to troubleshoot that issue.

Sorry if this was posted on the wrong board.