[Reference:<_A4020@delegate-en.ML_>]
Newsgroups: mail-lists.delegate-en

[DeleGate-En] Re: Testing the HTTP/HTTPS and FTP Delegate proxy
29 Jul 2008 13:08:00 GMT "Jean Aumont" <pvahqbdyi-ry4zqcicjzvr.ml@ml.delegate.org>



Hi Yutaka,

Thanks again for your response.

My goal is to create a configuration file for the Delegate ftp proxy 
server that can support 3 requirements:

1)  Access a specific FTP server without UID/PWD on the Delegate proxy
2)  Access a specific FTP server with  a UID/PWD on the Delegate proxy
3)  Access any       FTP server with  a UID/PWD on the Delegate proxy

In all cases the destination FTP server has a UID and PASSWORD.
(including anonymous/password)

Here is an example of my configuration file based on your example from
your previous email.

# more ftp2.cfg
SERVER="ftp"
REMITTABLE="ftp"
-P2021

# =========================================================================
# Requirements 1 - Access a specific FTP server without UID & PWD
# =========================================================================
AUTHORIZER="-none:ftp:ftp.openbsd.org:10.*.*.*"
PERMIT="ftp:ftp.openbsd.org:*"

# =========================================================================
# Requirements 2 & 3 - User List that needs authentication to access proxy
# =========================================================================
AUTHORIZER="-list{uid1:pwd1,uid2:pwd2,uid3:pwd3,uid4:pwd4}:ftp:*:10.*.*..*"

# =========================================================================
# Requirements 2 - Access a specific URL with a UID & PWD
# =========================================================================
PERMIT="ftp:ftp.sun.com:-a/uid1@*"
PERMIT="ftp:ftp.freebsd.com:-a/uid2@*"
PERMIT="ftp:ftp.netbsd.org:-a/uid3@*"

# =========================================================================
# Requirements 3 - Access ANY URL with a UID & PWD
# =========================================================================
PERMIT="ftp:*:-a/uid4@*"

# =========================================================================
# Deny All Others
# =========================================================================
AUTHORIZER="-never"


Everything works except for Requirement #1, where I log in to 
the Delegate proxy without password using the "-n" option 
of the FTP client which restrains ftp from attempting 
``auto-login'' upon initial connection.

Here is an output of the connection:

# ftp -n 10.3.2.111 2021
Connected to 10.3.2.111.
220- 10.3.2.111 PROXY-FTP server (DeleGate/9.8.2-pre47) ready.
220-   @ @
220-  ( - ) { DeleGate/9.8.2-pre47 (July 9, 2008) }
220- AIST-Product-ID: 2000-ETL-198715-01, H14PRO-049, H15PRO-165, H18PRO-443
220- Copyright (c) 1994-2000 Yutaka Sato and ETL,AIST,MITI
220- Copyright (c) 2001-2008 National Institute of Advanced Industrial Science and Technology (AIST)
220- WWW: http://www.delegate.org/delegate/
220- --
220- You can connect to a SERVER by `user' command:
220-    ftp> user username@SERVER
220- or by `cd' command (after logged in as an anonymous user):
220-    ftp> cd //SERVER
220- Cache is enabled by default and can be disabled by `cd .' (toggle)
220- This (proxy) service is maintained by 'hsmessages@mediagrif..'
220- 
220-extended FTP [MODE XDC][XDC/BASE64]
220  
ftp> user anonymous@openbsd..
331 [Proxy] Password required for anonymous@openbsd..
Password: 
530 [Proxy] Login failed.
Login failed.
ftp> quit
221 Goodbye.
jaumont@DEV235 ~
#

The password entered is valid but no access to "ftp.openbsd.org" is granted.

Here is the log of the Delegate proxy:

07/29 03:35:38.14 [9340] 1+0: AcceptByMain: start polling(15000)[10]...
07/29 03:35:53.14 [9340] 1+0: AcceptByMain: TIMEOUT(children=1, timeout=15)
07/29 03:35:53.14 [9340] 1+0: MAX_DELEGATEP -1 (1)32 64 >>> 32
07/29 03:35:53.14 [9340] 1+0: MAX_DELEGATEP -1 (1)32 64 >>> 32
07/29 03:35:53.14 [9340] 1+0: dirfopen(/var/spool/delegate-nobody/act/restart/_2021_,r): 0 [-1]
07/29 03:35:53.14 [9340] 1+0: AcceptByMain: start polling(100)[10]...
07/29 03:35:53.25 [9340] 1+0: AcceptByMain: start polling(15000)[10]...
07/29 03:36:02.98 [9341] 1+0/2: CLIENT-SAYS: USER anonymous@openbsd..^M
07/29 03:36:08.24 [9340] 1+0: MAX_DELEGATEP -1 (1)32 64 >>> 32
07/29 03:36:08.24 [9340] 1+0: MAX_DELEGATEP -1 (1)32 64 >>> 32
07/29 03:36:08.25 [9340] 1+0: dirfopen(/var/spool/delegate-nobody/act/restart/_2021_,r): 0 [-1]
07/29 03:36:08.25 [9340] 1+0: AcceptByMain: start polling(100)[10]...
07/29 03:36:08.35 [9340] 1+0: AcceptByMain: start polling(15000)[10]...
07/29 03:36:10.85 [9341] 1+0/3: CLIENT-SAYS: PASS ********
07/29 03:36:10.85 [9341] 1+0/3: gethostbyname(-) unknown[0.00s] 
(UNIX) 02:36:10.848 [9341] -- RES update error (-) -
07/29 03:36:10.85 [9341] 1+0/3: login ERROR (anonymous@openbsd..)
07/29 03:36:13.30 [9341] 1+0/4: CLIENT-SAYS: QUIT^M
07/29 03:36:13.30 [9341] 1+0/4: dirfopen(/var/spool/delegate-nobody/act/clients/10/10.3.1.219:dev235.dev.mediagrif.com,r+): 93d4668 [21]
07/29 03:36:13.30 [9341] 1+0/4: disconnected [21] -@[10.3.1.219]dev235.dev.mediagrif.com:1577 (35.259s)(0)
07/29 03:36:23.35 [9340] 1+0: (0) process [9341] dead
07/29 03:36:23.35 [9340] 1+0: MAX_DELEGATEP -1 (1)32 64 >>> 32
07/29 03:36:23.35 [9340] 1+0: MAX_DELEGATEP -1 (1)32 64 >>> 32
07/29 03:36:23.35 [9340] 1+0: dirfopen(/var/spool/delegate-nobody/act/restart/_2021_,r): 0 [-1]
07/29 03:36:23.35 [9340] 1+0: AcceptByMain: start polling(100)[10]...
07/29 03:36:23.45 [9340] 1+0: AcceptByMain: start polling(15000)[10]...

Do you think that this requirement can be met?

Thanks again for your great help.

Jean Aumont





-----Original Message-----
From: Yutaka Sato [mailto:feedback@delegate.org] 
Sent: Tuesday, July 29, 2008 3:32 AM
To: feedback@delegate.org
Cc: Jean Aumont
Subject: Re: [DeleGate-En] Testing the HTTP/HTTPS and FTP Delegate proxy

Hi,

In message <_A4018@delegate-en.ML_> on 07/28/08(21:54:09)
you "Jean Aumont" <pvahqbdyi-ry4zqcicjzvr.ml@ml.delegate.org> wrote:
 |Hi Yutaka,
 |
 |Thanks for your prompt response on Question 1.
 |It is exactly what I was looking for.
 |
 |I wish you had answered the second Question also.
 |You probably just missed it since my email was so long.
 |Here is the question again, can you take a look at it ???
 |
 |---------------------------------------------------------------------
 |Question 2 - Ftp proxy
 |---------------------------------------------------------------------
 |# more ftp.cfg
 |SERVER="ftp"
 |REMITTABLE="ftp"
 |-P2021
 |# ============
 |# Section ftp
 |# ============
 |AUTHORIZER="-none:ftp:ftp.openbsd.org:10.*.*.*"
 |AUTHORIZER="-list{uid1:pwd1,uid2:pwd2}:ftp:ftp.sun.com:10.*.*.*"
 |AUTHORIZER="-list{uid3:pwd3}:ftp:ftp.freebsd.com:10.*.*.*"
 |AUTHORIZER="-list{uid1:pwd1}:ftp:*:10.*.*.*"
 |
 |
 |With this configuration, I could never login to the Delegate FTP proxy 
 |with the user id "uid2" or "uid3", the only user id allowed is "uid1" with
 |password "pwd1". 
 |This seems to be a bug in version 9.8.2-pre47.

You are asking for a somewhat unsupported or unspecified feature rather than a bug.
The AUTHORIZER parameter, if not used as a MOUNT option, is for a DeleGate
as an origin FTP server not as an FTP proxy.

And I'm not sure how you can know which is the destination server when you
are trying to login, or how you will specify the destination server later.

 |Also, is there a way to give access to a certain destination 
 |without any authentication on the FTP proxy. 

Most FTP client programs ask the user for authentication before connecting
to the server, regardless of whether or not the information is used.
There is nothing DeleGate can do to suppress it.

 |This is what I was trying to accomplish with the line: 
 |    AUTHORIZER="-none:ftp:ftp.openbsd.org:10.*.*.*"
 |
 |But I do not see a way to initiate the connection to the FTP 
 |Proxy without being prompted for a user and password.

Which FTP client program are you using?

Your usage might be realized by extending the FTP proxy so that it applies
authentication information as:
USER user@server + PASS pass >>> AUTHORIZER="-list{user:pass}:*:server"
Or by using DeleGate as an origin FTP server or a reverse FTP proxy.
Another solution is using NAT by iptables on Linux and using DeleGate
on it as a transparent FTP proxy.

Cheers,
Yutaka
--
  9 9   Yutaka Sato <y.sato@delegate.org> http://delegate.org/y.sato/
 ( ~ )  National Institute of Advanced Industrial Science and Technology
_<   >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
Do the more with the less -- B. Fuller
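
The mapping suggested in the reply above (`USER user@server` + `PASS pass` checked against a per-destination credential list) can be modelled as follows. This is an added example, not part of the thread and not DeleGate code or configuration syntax; `RULES`, `parse_user_arg` and `authorize` are hypothetical names, and the rule table is constructed from the three requirements in the message.

```python
import hmac
from fnmatch import fnmatchcase

# Constructed rules mirroring the thread's three requirements; this is a model,
# not DeleGate configuration syntax. creds=None means "no proxy password needed".
RULES = [
    {"server": "ftp.openbsd.org", "source": "10.*.*.*", "creds": None},
    {"server": "ftp.sun.com",     "source": "10.*.*.*", "creds": {"uid1": "pwd1"}},
    {"server": "*",               "source": "10.*.*.*", "creds": {"uid4": "pwd4"}},
]

def parse_user_arg(arg):
    """Split the argument of `USER user@server`; the last '@' separates the server."""
    user, sep, server = arg.strip().rpartition("@")
    if not sep or not user or not server:
        raise ValueError("expected user@server, got %r" % arg)
    return user, server.lower()

def authorize(user_arg, password, client_ip, rules=RULES):
    """Return (allowed, reason). Any matching rule may permit; otherwise deny."""
    try:
        user, server = parse_user_arg(user_arg)
    except ValueError as exc:
        # Without a destination in the USER argument no rule can be selected.
        return False, str(exc)
    for rule in rules:
        if not fnmatchcase(server, rule["server"]):
            continue
        if not fnmatchcase(client_ip, rule["source"]):
            continue
        if rule["creds"] is None:
            return True, "no proxy authentication required for " + server
        expected = rule["creds"].get(user)
        # Constant-time comparison so the check does not leak how much matched.
        if expected is not None and hmac.compare_digest(expected.encode(), password.encode()):
            return True, "%s authenticated for %s" % (user, server)
    return False, "no rule permits %s from %s" % (user_arg, client_ip)  # default deny

if __name__ == "__main__":
    # Constructed login attempts; 10.3.1.219 is the client address seen in the log.
    for arg, pw in [("anonymous@ftp.openbsd.org", "any"), ("uid1@ftp.sun.com", "pwd1"),
                    ("uid4@ftp.netbsd.org", "pwd4"), ("uid1@ftp.netbsd.org", "pwd1"),
                    ("anonymous", "any")]:
        print(arg, authorize(arg, pw, "10.3.1.219"))
```

The decision can only be made once the destination is known, which is why the model rejects a `USER` argument without `@server` instead of falling back to a default rule.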
