SFTP through Proxy

NethServer Version: 7.9.2009
Module: Squid

I tried to connect via WinSCP through our proxy to an external server. Without the proxy it works.
In WinSCP I set the proxy as an HTTP proxy and got the following error:

Proxy Error 403 Forbidden

access.log recognized this (I replaced the IP):

[Thu Mar 11 12:46:44 2021] 0 Source_IP TCP_DENIED/403 3863 CONNECT Destination_IP:22 - HIER_NONE/- text/html

After that I tried to bypass the proxy. I created a firewall object with the destination IP and configured Squid to use this object to bypass a specific destination, but this didn’t change anything.

Site information:
The proxy is manual without authentication.

Thanks in advance

@m.traeumner

Hi Michael

Squid Proxy, no matter if in NethServer or elsewhere, has a VERY limited list of ports which it will handle. Port 22 is NOT among the defaults!

Two NethServer classics will NOT work without a “fix”: Ports 980 and 9090…

Here are a few “tips” from my personal “Squid Cheat List”… :)

————————————————————
Squid Proxy
————————————————————

Safe Ports

config setprop squid SafePorts 443,8089,8489,8443,8080,10000,10010,5001,5000,3000,980,9090,8083,8084,8085,9001,1880,8006,8007

signal-event nethserver-squid-save

Excluded Sites:

config setprop squid NoCache www.nethserver.org,www.google.com

signal-event nethserver-squid-save

Hope this helps!

My 2 cents
Andy

Hi Andy,
thanks for your message. I forgot to mention that I also made port 22 a safe SSL_Port. I did it with a custom template.
config shows:

acl SSL_ports port 22           # SFTP

Easier to use the built-in command / template…

Squid SHOULD be able to handle SFTP (not SSH as such), but I’m not sure about this.
I personally bypass my Proxy at home for SSH / SFTP access to my clients.

This should help:

My 2 cents
Andy

1 Like

Thanks again Andy,
a bypass for SFTP would be OK for me, but it didn’t work. How do you realize it?

Thanks Michael

@m.traeumner

Hi Michael

For me, it’s very simple. SSH does not go through my Proxy, it goes directly out via Firewall.
Truth is, I am practically the only person at my clients using SSH… :)

Both my IT Partners DO use SSH (one more, one less), but both don’t really know how to use port forwarding over SSH, even though I’ve shown them more than once…
(And I’m not that bad a tutor/teacher!)…

I just got the first of my new server hardware today, so now I have to replace my older Proxmox…
Loads of work!

As soon as my network is ready again, I will be attempting to use SSH Passthru on Squid/OPNsense and Squid/NethServer…

My 2 cents
Andy

1 Like

Thanks Andy,
I found the hint in this documentation. I had to make two entries in my config:

acl SSL_ports port 22           # SFTP
acl safe_ports port 22          # SFTP

I thought SSL_ports would be enough, but the other one is necessary too.

Michael

1 Like
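
Why both entries were needed, as an added example that is not part of the thread or of NethServer's code: a small Python model of first-match http_access evaluation, run over the port ACLs and the two deny rules of the stock squid.conf. The function names parse and decide are hypothetical, and it is an assumption that the NethServer-generated config keeps the same two deny rules.

```python
# Added example: a small model of Squid's first-match http_access evaluation.
# STOCK mirrors the port ACLs and the two deny rules of the stock squid.conf;
# "allow all" is a stand-in (assumption) for the stock "allow localnet" rule.
STOCK = """
acl SSL_ports port 443
acl Safe_ports port 80 21 443 70 210 1025-65535 280 488 591 777
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow all
"""
SSL_22 = "acl SSL_ports port 22           # SFTP\n"   # entry from the thread
SAFE_22 = "acl safe_ports port 22          # SFTP\n"  # entry from the thread

def parse(conf):
    """Return (acls, rules); repeated acl lines with one name are OR'ed."""
    acls, rules = {"all": [lambda m, p: True]}, []
    for line in conf.splitlines():
        tok = line.split("#")[0].split()
        if tok[:1] == ["acl"] and len(tok) >= 4:
            # Names are lower-cased (assumption) so the thread's
            # "safe_ports" extends the stock "Safe_ports" ACL.
            tests = acls.setdefault(tok[1].lower(), [])
            for val in tok[3:]:
                if tok[2] == "port":
                    lo, _, hi = val.partition("-")
                    tests.append(lambda m, p, lo=int(lo), hi=int(hi or lo): lo <= p <= hi)
                elif tok[2] == "method":
                    tests.append(lambda m, p, v=val: m == v)
        elif tok[:1] == ["http_access"] and len(tok) >= 3:
            rules.append((tok[1], tok[2:]))
    return acls, rules

def decide(conf, method, port):
    """Return (action, matching rule) for the first rule whose terms all hold."""
    acls, rules = parse(conf)
    for action, terms in rules:
        def holds(term):
            name = term.lstrip("!").lower()
            hit = any(t(method, port) for t in acls.get(name, []))
            return hit != term.startswith("!")
        if all(holds(t) for t in terms):
            return action, " ".join(terms)
    return "deny", "no rule matched"  # simplification of Squid's fallback

if __name__ == "__main__":
    for label, extra in [("stock", ""), ("SSL_ports only", SSL_22),
                         ("safe_ports only", SAFE_22), ("both", SSL_22 + SAFE_22)]:
        print(f"{label:16} CONNECT :22 ->", decide(extra + STOCK, "CONNECT", 22))
```

Neither ACL line carries a destination test, so with both in place the model allows CONNECT to port 22 on any host, which is the scope of the two lines as posted.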