HAProxy listener FTP(S): no connection establishment

Hi there,
I have a problem here with HAProxy and FTP(S) which I do not understand.

listen FTPVIP
        bind *:21 ssl crt /etc/haproxy/git-03.test.local.crt ssl-min-ver TLSv1.2
        bind *:60000-65535 ssl crt /etc/haproxy/git-03.test.local.crt ssl-min-ver TLSv1.2
        mode tcp
        option tcplog
        option tcpka
        # balance leastconn
        # stick on src
        # stick-table type ip size 10240k expire 30m
        # server WinFTPServer2016FTP1 check port 2121 ssl verify none check send-proxy-v2
        server WinFTPServer2016FTP1 check port 2121 ssl verify none

A test with curl over FTP fails because there is no communication at all.

curl -vv --user test:test --ftp-ssl --ftp-ssl-reqd --ftp-pasv ftp://git-03.test.local:21/upload/

But with curl over HTTPS at port 21, at least an SSL/TLS key exchange takes place.

curl  -vv --user test:Serr https://git-03.test.local:21
*   Trying
* Connected to git-03.feltengroup.local ( port 21 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384

Similar problem with unencrypted FTP: no communication to port 21 is established. It seems that there is a general problem with the FTP protocol already at the listener.

Thanks for any help.

What you want to achieve cannot be accomplished with haproxy.

Port 21 is not implicit but explicit SSL and therefore can't be provided by HAProxy, as HAProxy does not specifically support FTP, just TCP. Also, you can't just put SSL on the data ports; FTP is way more complicated than that.
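The point above can be checked from the client side: an explicit-FTPS server greets in plaintext with a `220` banner and only switches to TLS after the client sends `AUTH TLS`, whereas a TLS-terminating `bind ... ssl` listener sends nothing (or a TLS alert) until the client starts a handshake. The probe below is an added example, not code from the thread or from HAProxy; the local stand-in server and its banner are constructed for the offline self-test.

```python
"""Diagnose whether port 21 speaks explicit FTP (plaintext greeting, later
AUTH TLS upgrade) or is already wrapped in TLS, which breaks FTP clients."""
import socket
import threading


def classify_first_bytes(data: bytes) -> str:
    """Classify what a server sends first after a plaintext connect."""
    if data.startswith(b"220"):
        return "explicit-ftp"   # RFC 959 greeting; client would now send AUTH TLS
    if not data:
        return "silent"         # nothing until the client speaks TLS: wrapped listener
    if data[0] in (0x15, 0x16) and data[1:2] == b"\x03":
        return "tls-record"     # TLS alert/handshake record answered to plaintext
    return "unknown"


def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect in plaintext, read the greeting (if any) and classify it."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            data = s.recv(256)
        except socket.timeout:
            data = b""          # no banner within the timeout
    return classify_first_bytes(data)


def serve_banner(banner: bytes) -> int:
    """Constructed stand-in server: accept one client, send `banner`, close.
    Returns the ephemeral port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    # A real FTP daemon greets in the clear (banner text is constructed here).
    print(probe("127.0.0.1", serve_banner(b"220 Microsoft FTP Service\r\n")))
    # A TLS-terminating TCP listener stays quiet, as in the curl -vv run above.
    print(probe("127.0.0.1", serve_banner(b"")))
```

Run against the HAProxy frontend in the question, `probe(host, 21)` returns `silent`, while the backend on port 2121 should return `explicit-ftp`.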

Hi Lukas,
I see, but that's a pity, because I thought with HAProxy I had found an "all in one" solution.

Definitely not for FTP, no.