CrushFTP behind HAProxy

Hi.

I'm trying to set up FTP (with explicit TLS), FTPS (implicit TLS) and SFTP with the CrushFTP Java software behind HAProxy.

Here is my HAProxy configuration:

frontend ftp
        bind *:2121
        bind *:20000-20998
        mode tcp
        option tcplog
        default_backend share-ftp

frontend ftps
        bind *:2990
        bind *:30000-30998
        mode tcp
        option tcplog
        default_backend share-ftps

frontend sftp
        bind *:2122
        mode tcp
        option tcplog
        default_backend share-sftp

backend share-ftp
        mode tcp
        server rzv-app01-ftp rzv-app01-ftp.rozzano.diennea.lan check send-proxy-v2 port 2121

backend share-ftps
        mode tcp
        server rzv-app01-ftp rzv-app01-ftp.rozzano.diennea.lan check send-proxy-v2 port 2990

backend share-sftp
        mode tcp
        server rzv-app01-ftp rzv-app01-ftp.rozzano.diennea.lan check send-proxy-v2 port 2122

Ports 21 and 990 are forwarded to 2121 and 2990, respectively, via iptables.

On the FTP server I've set up passive port ranges matching the HAProxy configuration for FTP and FTPS, and the external IP address.

I've even enabled support for the proxy protocol.

What Works:

  • SFTP
  • plain FTP if I connect to port 2121

What doesn't work:

  • FTP if I connect to port 21
  • FTP with explicit TLS
  • FTPS (implicit TLS)

Can someone give me a hint?

You need to remove port 2990 from the backend server.

Haproxy needs to connect the same port from the frontend to the backend server (30000 on the frontend needs to go to 30000 on the backend, not be forced to port 2121 or 2990, which is control plane, not the data plane).

Also, I'm not convinced that your backend servers actually support the proxy protocol. How can you be certain that they support the binary v2 proxy protocol on both control and data plane ports?

Hi.

But from the documentation I've understood that port 2990 here is only for checks; rzv-app01-ftp.rozzano.diennea.lan:2990 would instead cause a redirection.

Anyway, I'm sure that the backend supports the proxy protocol because it is declared in the documentation, and there are some options to enable it, so if it doesn't work it is definitely a bug, and this is a possibility.

Anyway, as said, plain FTP on 2121 works well; this points me in the direction that the problem is in my setup.

You are right, I confused this.

Not really:

https://www.crushftp.com/crush9wiki/Wiki.jsp?page=CrushBalance

Proxy protocol v1 support to tell the backend server your real IP (CrushFTP supports this).

V1 is supported, but you are forcing V2 on haproxy, which CrushFTP does not support.

I suggest you use send-proxy instead of send-proxy-v2.
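To make the v1/v2 distinction concrete, here is an added example (not from this thread, and not CrushFTP's or HAProxy's code) of what a v1-only PROXY protocol receiver does with each header. The byte strings are constructed stand-ins for the first bytes HAProxy sends to the control port with send-proxy versus send-proxy-v2.

```python
import socket
import struct

# PROXY protocol v1 is a single ASCII line; v2 starts with a fixed 12-byte
# binary signature. A receiver that only understands v1 cannot parse v2.
V1_PREFIX = b"PROXY "
V2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"


def classify_header(data: bytes) -> str:
    """Return 'v2', 'v1' or 'none' depending on which PROXY header starts data."""
    if data.startswith(V2_SIGNATURE):
        return "v2"
    if data.startswith(V1_PREFIX):
        return "v1"
    return "none"


def parse_proxy_v1(data: bytes) -> dict:
    """Parse a PROXY v1 header and return the real client/server addresses.

    Raises ValueError for anything that is not a well-formed v1 header,
    including the binary v2 header that haproxy emits with send-proxy-v2.
    """
    kind = classify_header(data)
    if kind == "v2":
        raise ValueError("PROXY v2 (binary) header: not understood by a v1-only receiver")
    if kind == "none":
        raise ValueError("no PROXY header in front of the payload")
    end = data.find(b"\r\n")
    if end == -1 or end + 2 > 107:  # the spec caps a v1 line at 107 bytes incl. CRLF
        raise ValueError("v1 header unterminated or too long")
    fields = data[:end].decode("ascii").split(" ")
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError(f"malformed v1 header: {fields}")
    _, proto, src, dst, sport, dport = fields
    family = socket.AF_INET if proto == "TCP4" else socket.AF_INET6
    socket.inet_pton(family, src)  # reject addresses that are not valid for the family
    socket.inet_pton(family, dst)
    return {"proto": proto, "src": src, "dst": dst,
            "sport": int(sport), "dport": int(dport), "payload": data[end + 2:]}


# Constructed samples: client 203.0.113.7:51234 reaching the FTP control port 2121
# on 192.0.2.10 through haproxy, once with send-proxy and once with send-proxy-v2.
SAMPLE_V1 = b"PROXY TCP4 203.0.113.7 192.0.2.10 51234 2121\r\n"
SAMPLE_V2 = (V2_SIGNATURE + bytes([0x21, 0x11])        # version 2 / PROXY cmd, AF_INET / STREAM
             + struct.pack("!H", 12)                    # address block length for IPv4
             + socket.inet_aton("203.0.113.7") + socket.inet_aton("192.0.2.10")
             + struct.pack("!HH", 51234, 2121))
```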

Hi.

I've already tried using the send-proxy (v1) protocol, but with no luck.

Maybe the proxy protocol is only supposed to be enabled for the control protocol, not the data plane?

Maybe there is no issue with haproxy and crushftp at all and clear text FTP is the only protocol that works because a NAT helper is actually able to help out, while this is obviously not possible for FTP with TLS.