How can I make FTP Connection?


#1

Hello

How can I make FTP Connection?

This is conf file:

global
    log 127.0.0.1   local0
    log 127.0.0.1   local1 notice
    #log loghost    local0 info
    maxconn 4096
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
    daemon
    #debug
    #quiet
    stats socket /var/lib/haproxy/stats

defaults
    log     global
    mode    http
    option  httplog
    option  dontlognull
    retries 3
    redispatch
    maxconn 2000
    contimeout      5000
    clitimeout      50000
    srvtimeout      50000

listen stats
    bind *:8080
    mode http
    option forwardfor
    option httpclose
    stats enable
    stats show-legends
    stats refresh 5s
    stats uri /stats
    stats realm Haproxy\ Statistics
    stats auth loadbalancer:loadbalancer
    stats admin if TRUE

frontend MAIN
    bind *:21
    bind *:80
    bind *:143
    bind *:443
    bind *:993
    mode http

    acl domain1_URL hdr_dom(host) -i domain1.com
    acl domain2_URL hdr_dom(host) -i domain2.com
    acl domain3_URL hdr_dom(host) -i domain3.com

    use_backend domain1 if domain1_URL
    use_backend domain2 if domain2_URL
    use_backend domain3 if domain3_URL

backend domain1
    mode http
    server web-first 192.168.1.124:80

backend domain2
    mode http
    server web-second 192.168.1.197:80

backend domain3
    mode http
    server web-third 192.168.1.197:80

#2

Stop using mode http first of all. You cannot tell haproxy to use HTTP mode when actually you are using FTP, IMAP and everything but HTTP.

Use mode tcp instead. This will break your host header matching (host header matching can only work with HTTP of course).

Also you need to configure a port range for passive transfers and forward that port range as well.

You probably want to explain what it is that you are trying to achieve here, especially with all the other protocols like IMAP, etc.


#3

I changed mode tcp with mode http and I added this:

listen FTP
    bind *:21,:10000-10250
    mode tcp
    server ftp01 192.168.1.197 check port 21

FileZilla Log:

[FTP]

|Status:|Connecting to PUBLIC IP:21...|
|---|---|
|Status:|Connection established, waiting for welcome message...|
|Status:|Initializing TLS...|
|Status:|Verifying certificate...|
|Status:|TLS connection established.|
|Status:|Server does not support non-ASCII characters.|
|Status:|Logged in|
|Status:|Retrieving directory listing...|
|Status:|Server sent passive reply with unroutable address. Using server address instead.|
|Command:|MLSD|
|Error:|The data connection could not be established: ECONNREFUSED - Connection refused by server|

[SFTP]

|Status:|Connecting to PUBLIC IP...|
|---|---|
|Response:|fzSftp started, protocol_version=8|
|Command:|open "Username@PUBLIC IP" 22|
|Command:|Pass: ******************|
|Error:|Authentication failed.|
|Error:|Critical error: Could not connect to server|

HAproxy Status:

[root@rp ~]# systemctl status haproxy.service
● haproxy.service - SYSV: HA-Proxy is a TCP/HTTP reverse proxy which is particularly suited for high availability environments.
   Loaded: loaded (/etc/rc.d/init.d/haproxy; bad; vendor preset: disabled)
   Active: active (running) since Mon 2018-04-09 20:07:58 UTC; 15s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 12586 ExecStop=/etc/rc.d/init.d/haproxy stop (code=exited, status=0/SUCCESS)
  Process: 12594 ExecStart=/etc/rc.d/init.d/haproxy start (code=exited, status=0/SUCCESS)
 Main PID: 12603 (haproxy)
   CGroup: /system.slice/haproxy.service
           └─12603 /usr/sbin/haproxy -D -f /etc/haproxy/haproxy.cfg -p /var/run/haproxy.pid

Apr 09 20:07:58 rp.domain.com systemd[1]: Starting SYSV: HA-Proxy is a TCP/HTTP reverse proxy which is particularly suited for high availability environments....
Apr 09 20:07:58 rp.domain.com haproxy[12594]: Starting haproxy: [WARNING] 098/200758 (12602) : parsing [/etc/haproxy/haproxy.cfg:17] : 'option httplog' not usable with proxy 'FTP' (needs 'mode http'). Falling back to 'option tcplog'.
Apr 09 20:07:58 rp.domain.com haproxy[12594]: [WARNING] 098/200758 (12602) : config : 'option forwardfor' ignored for proxy 'FTP' as it requires HTTP mode.
Apr 09 20:07:58 rp.domain.com haproxy[12594]: [WARNING] 098/200758 (12602) : [/usr/sbin/haproxy.main()] Cannot raise FD limit to 100291, limit is 4096.
Apr 09 20:07:58 rp.domain.com haproxy[12594]: [WARNING] 098/200758 (12602) : [/usr/sbin/haproxy.main()] FD limit (4096) too low for maxconn=50000/maxsock=100291. Please raise 'ulimit-n' to 100291 or more to avoid any trouble.
Apr 09 20:07:58 rp.domain.com haproxy[12594]: [  OK  ]
Apr 09 20:07:58 rp.domain.com systemd[1]: Started SYSV: HA-Proxy is a TCP/HTTP reverse proxy which is particularly suited for high availability environments..

#4

Regarding the FTP issue:

You need to enable “Show detailed log” in FileZilla, otherwise the output is useless. Also, you need to make sure that the server is actually listening on and accepting those ports, as well as using the correct public IP in the FTP announcement (as opposed to its own local and private IP, as seen in the log). Also you probably wanna share the entire haproxy configuration you are using right now.

Regarding the SFTP issue:

The authentication fails, probably because you are hitting the SSH server of the haproxy box, NOT your backend SSH server, because the SSH server is already listening on port 22 of your haproxy box. Decide whether you want to move the local sshd server port or the haproxy port somewhere else. Also remember to actually configure port 22 forwarding in haproxy (you just showed a configuration forwarding port 21 and the passive range only).


#5

Do I need to install FTP software in HAProxy, or do I need to change settings on the other server?

HAProxy conf, last version of the file:

https://pastebin.com/iNrPbykd

Detailed Log:

FTP

Status: Connecting to PUBLIC IP:21…
Status: Connection established, waiting for welcome message…
Response: 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
Response: 220-You are user number 2 of 50 allowed.
Response: 220-Local time is now 09:06. Server port: 21.
Response: 220-This is a private system - No anonymous login
Response: 220-IPv6 connections are also welcome on this server.
Response: 220 You will be disconnected after 15 minutes of inactivity.
Command: AUTH TLS
Response: 234 AUTH TLS OK.
Status: Initializing TLS…
Status: Verifying certificate…
Status: TLS connection established.
Command: USER myUserName
Response: 331 User myUserName OK. Password required
Command: PASS ******************
Response: 230 OK. Current restricted directory is /
Status: Server does not support non-ASCII characters.
Command: PBSZ 0
Response: 200 PBSZ=0
Command: PROT P
Response: 200 Data protection level set to “private”
Status: Logged in
Status: Retrieving directory listing…
Command: PWD
Response: 257 “/” is your current location
Command: TYPE I
Response: 200 TYPE is now 8-bit binary
Command: PASV
Response: 227 Entering Passive Mode (192,168,1,197,62,55)
Status: Server sent passive reply with unroutable address. Using server address instead.
Command: MLSD
Error: The data connection could not be established: ECONNREFUSED - Connection refused by server

SFTP

Status: Connecting to PUBLIC IP…
Response: fzSftp started, protocol_version=8
Command: open “myUserName@PUBLIC IP” 22
Command: Pass: ******************
Error: Authentication failed.
Error: Critical error: Could not connect to server
Status: Disconnected from server
Status: Selected port usually in use by a different protocol.
Status: Connecting to PUBLIC IP:21…
Response: fzSftp started, protocol_version=8
Command: open “myUserName@PUBLIC IP” 21
Error: Server unexpectedly closed network connection
Error: Could not connect to server

HAproxy Status

[root@rp ~]# systemctl status haproxy.service
● haproxy.service - SYSV: HA-Proxy is a TCP/HTTP reverse proxy which is particularly suited for high availability environments.
   Loaded: loaded (/etc/rc.d/init.d/haproxy; bad; vendor preset: disabled)
   Active: active (running) since Tue 2018-04-10 06:11:04 UTC; 6min ago
     Docs: man:systemd-sysv-generator(8)
  Process: 406 ExecStop=/etc/rc.d/init.d/haproxy stop (code=exited, status=0/SUCCESS)
  Process: 415 ExecStart=/etc/rc.d/init.d/haproxy start (code=exited, status=0/SUCCESS)
 Main PID: 424 (haproxy)
   CGroup: /system.slice/haproxy.service
           └─424 /usr/sbin/haproxy -D -f /etc/haproxy/haproxy.cfg -p /var/run/haproxy.pid

Apr 10 06:11:04 rp.domain.com systemd[1]: Starting SYSV: HA-Proxy is a TCP/HTTP reverse proxy which is particularly suited for high availability environments....
Apr 10 06:11:04 rp.domain.com haproxy[415]: Starting haproxy: [WARNING] 099/061104 (423) : parsing [/etc/haproxy/haproxy.cfg:25] : 'option httplog' not usable with proxy...on tcplog'.
Apr 10 06:11:04 rp.domain.com haproxy[415]: [WARNING] 099/061104 (423) : config : 'option forwardfor' ignored for proxy 'FTP' as it requires HTTP mode.
Apr 10 06:11:04 rp.domain.com haproxy[415]: [WARNING] 099/061104 (423) : [/usr/sbin/haproxy.main()] Cannot raise FD limit to 100295, limit is 4096.
Apr 10 06:11:04 rp.domain.com haproxy[415]: [WARNING] 099/061104 (423) : [/usr/sbin/haproxy.main()] FD limit (4096) too low for maxconn=50000/maxsock=100295. Please rais...ny trouble.
Apr 10 06:11:04 rp.domain.com haproxy[415]: [  OK  ]
Apr 10 06:11:04 rp.domain.com systemd[1]: Started SYSV: HA-Proxy is a TCP/HTTP reverse proxy which is particularly suited for high availability environments..
Hint: Some lines were ellipsized, use -l to show in full.

#6

First of all, drop all those port bindings from frontend MAIN, you cannot bind port 21 in that frontend and then bind it later on again, in the listen section.

As a matter of fact, drop all non-HTTP ports including 443 from the frontend MAIN. You are just piling lots and lots of completely wrong configuration on top of each other, causing a huge mess.

You need to adjust the settings on the FTP server I talked about earlier. However, note that setting up an FTP server behind a TCP reverse proxy is complicated and requires proper knowledge of how FTP works.

Regarding SFTP, I explained what happens here, but from your tests I can see that you did not understand a single word of it. So let me elaborate: SFTP has nothing to do with FTP. Nothing at all. SFTP is based on SSH and allows transferring files through an SSH connection (port 22). Read more about SSH_File_Transfer_Protocol.