Source IP is missing in FTP log even with forwardfor

I require the source IP in all the FTP server logs for the connections being proxied. But in spite of following the documentation on ‘option forwardfor’ in listen, frontend and backend, I am not getting the source IP; instead I see only the local proxy IP in all the FTP server logs. Please let me know whether I am missing something, or kindly point me to any other fault that is causing this.

My config is as below

    global
        log local0 info
        chroot /var/lib/haproxy
        user haproxy
        group haproxy
        maxconn 2000

    defaults
        log global
        mode tcp
        option tcplog
        retries 3
        # todo : fix this appropriately.
        timeout connect 60000
        timeout check   5000
        timeout client  60000
        timeout server  60000

    # This sets up the admin page for HA Proxy at port 55002.
    listen stats
        bind *:55002
        mode tcp
        option forwardfor
        stats enable
        stats realm haproxystats
        stats auth myadmin:mypass
        stats uri /ftpha

    # This is for the initial connection and control traffic
    frontend fe_ftp_control
        bind *:21
        option forwardfor
        default_backend ftp_server_pool

    # Each of these frontends represents a server and its corresponding PASV ports we set
    # (note: TCP ports only go up to 65535, so these ranges as written will not bind)
    frontend fe_ftp_01
        bind *:70101-70300
        option forwardfor
        default_backend be_ftp_01

    frontend fe_ftp_02
        bind *:70301-70600
        option forwardfor
        default_backend be_ftp_02

    # Global backend for the ftp control traffic to find a server
    backend ftp_server_pool
        option forwardfor if-none
        server ftp_01 check port 3331 inter 10s rise 1 fall 2
        server ftp_02 check port 3331 inter 10s rise 1 fall 2

    # Backends for each of our FTP servers
    backend be_ftp_01
        option forwardfor if-none
        server ftp_01 check port 3331 inter 10s rise 1 fall 2

    backend be_ftp_02
        option forwardfor if-none
        server ftp_02 check port 3331 inter 10s rise 1 fall 2

Forward For is an HTTP header; it therefore only works when using haproxy in HTTP mode (for HTTP traffic).
You can’t do the same with FTP.

The proxy protocol could be used in theory, but this requires support in the FTP server (and I’m not sure this was ever implemented by any FTP server software).

The other way is to make haproxy the default gateway and configure it in transparent mode. This is very complicated and requires iptables configuration etc.; as such, I’d avoid it.

Thanks Lukas for taking time.

I am using the Java Apache MINA FTP Server. I have the source and am able to make some minimal changes if you could help at a high level (not overconfident, and I also understand the other risks here).

I saw that in this example they have also referred to forwardfor, hence I was thinking it would work.

You can find the protocol documentation here; proxy protocol V1 is ASCII based, while V2 is binary encoded. Both will do the job.

I’m not sure that would be a “minimal change” though.

Thanks. Let me check this to see whether I can attempt this.

If I understand correctly, when it is configured for forwardfor, the HTTP server handles them. The FTP server doesn’t handle it, though the information is forwarded as part of the header from the proxy to the nodes. Please confirm whether this understanding is correct.

Do you know of any sample/reference Java implementation (HTTPServer)?

ForwardFor is an HTTP header, more specifically X-Forwarded-For.

It’s added to the HTTP requests so that the backend server knows the IP address.

The proxy protocol of haproxy, on the other hand, works with all protocols, but needs a specific implementation, because it is unrelated to the actual protocol (FTP in this case); it simply sends the IP information (among other things) before the real protocol begins.
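What that "IP information before the real protocol begins" looks like on the wire, as an added example that is not part of the original thread and is not code from haproxy or from Apache MINA FtpServer: a stand-alone parser for both the ASCII v1 and the binary v2 PROXY protocol headers, which is the piece an FTP server would have to run on each accepted socket (control and PASV data connections alike) before handing the remaining bytes to its normal command parser. On the haproxy side the header is enabled per `server` line with `send-proxy` (v1) or `send-proxy-v2` (v2), so every backend in the config above would need it. The sample headers, the RFC 5737 addresses in them and the `trusted_proxies` list are constructed for the example; the function names are mine. The trust check is the security point: an FTP server that believed a PROXY line from any peer would let a client that bypasses haproxy write whatever source address it likes into the logs.

```python
import ipaddress
import struct

# Constructed sample inputs (not captured from any real system): the first bytes an
# FTP server would read from a socket that haproxy opened with send-proxy (v1) or
# send-proxy-v2 (v2). Addresses come from the RFC 5737 documentation ranges.
V1_SAMPLE = b"PROXY TCP4 192.0.2.10 198.51.100.5 51234 21\r\nUSER alice\r\n"

V2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
V2_SAMPLE = (
    V2_SIGNATURE
    + bytes([0x21, 0x11])                           # version 2 + PROXY cmd, AF_INET + STREAM
    + struct.pack("!H", 12)                         # length of the IPv4 address block
    + ipaddress.IPv4Address("192.0.2.10").packed    # source address
    + ipaddress.IPv4Address("198.51.100.5").packed  # destination address
    + struct.pack("!HH", 51234, 21)                 # source port, destination port
    + b"USER alice\r\n"                             # the real FTP dialogue starts here
)

V1_MAX_LEN = 107  # longest legal v1 line including CRLF (TCP6 with full-length addresses)


class ProxyHeaderError(ValueError):
    """The bytes do not form a valid PROXY protocol header."""


def parse_v1(data):
    """Parse an ASCII v1 header; return ((src, sport, dst, dport) or None, bytes after it)."""
    end = data.find(b"\r\n", 0, V1_MAX_LEN)
    if end < 0:
        raise ProxyHeaderError("v1 header not CRLF-terminated within 107 bytes")
    fields, rest = data[:end].split(b" "), data[end + 2:]
    if len(fields) < 2 or fields[0] != b"PROXY":
        raise ProxyHeaderError("missing PROXY keyword")
    if fields[1] == b"UNKNOWN":          # proxy does not know the client; nothing to log
        return None, rest
    if len(fields) != 6 or fields[1] not in (b"TCP4", b"TCP6"):
        raise ProxyHeaderError("malformed v1 header")
    if not (fields[4].isdigit() and fields[5].isdigit()):
        raise ProxyHeaderError("non-numeric port")
    src = ipaddress.ip_address(fields[2].decode("ascii"))
    dst = ipaddress.ip_address(fields[3].decode("ascii"))
    want = 4 if fields[1] == b"TCP4" else 6
    if src.version != want or dst.version != want:
        raise ProxyHeaderError("address family does not match TCP4/TCP6")
    sport, dport = int(fields[4]), int(fields[5])
    if max(sport, dport) > 65535:
        raise ProxyHeaderError("port out of range")
    return (str(src), sport, str(dst), dport), rest


def parse_v2(data):
    """Parse a binary v2 header; same return shape as parse_v1."""
    if len(data) < 16 or not data.startswith(V2_SIGNATURE):
        raise ProxyHeaderError("v2 header missing or truncated")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ProxyHeaderError("not a version 2 header")
    body, rest = data[16:16 + length], data[16 + length:]
    if len(body) != length:
        raise ProxyHeaderError("v2 address block truncated")
    cmd, family = ver_cmd & 0x0F, fam_proto >> 4
    if cmd == 0x0:                       # LOCAL: the proxy itself (e.g. a health check)
        return None, rest
    if cmd != 0x1:
        raise ProxyHeaderError("unknown v2 command")
    if family == 0x1 and length >= 12:   # AF_INET: 4 + 4 + 2 + 2 bytes
        s, d, sp, dp = struct.unpack("!4s4sHH", body[:12])
        return (str(ipaddress.IPv4Address(s)), sp, str(ipaddress.IPv4Address(d)), dp), rest
    if family == 0x2 and length >= 36:   # AF_INET6: 16 + 16 + 2 + 2 bytes
        s, d, sp, dp = struct.unpack("!16s16sHH", body[:36])
        return (str(ipaddress.IPv6Address(s)), sp, str(ipaddress.IPv6Address(d)), dp), rest
    if family == 0x0:                    # AF_UNSPEC: nothing usable
        return None, rest
    raise ProxyHeaderError("unsupported address family or short address block")


def client_from_proxy_header(data, peer_ip, trusted_proxies):
    """Return (client tuple or None, bytes after the header) for a socket from peer_ip.

    The header is only believed when the TCP peer is one of the haproxy nodes
    (trusted_proxies is an assumed, operator-supplied list). A client reaching
    the FTP server directly could otherwise forge any source address it likes
    simply by sending its own PROXY line.
    """
    trusted = {ipaddress.ip_address(p) for p in trusted_proxies}
    if ipaddress.ip_address(peer_ip) not in trusted:
        raise ProxyHeaderError("PROXY header from untrusted peer %s" % peer_ip)
    if data.startswith(V2_SIGNATURE):
        return parse_v2(data)
    if data.startswith(b"PROXY "):
        return parse_v1(data)
    raise ProxyHeaderError("no PROXY header; a send-proxy peer must always send one")


def effective_source(client, peer_ip):
    """Address to put in the FTP log: the announced client if known, else the TCP peer."""
    return client[0] if client else peer_ip


if __name__ == "__main__":
    for sample in (V1_SAMPLE, V2_SAMPLE):
        client, rest = client_from_proxy_header(sample, "10.0.0.2", ["10.0.0.2"])
        print("log source:", effective_source(client, "10.0.0.2"), "first command:", rest)
```

The parser consumes only the header and hands back the rest of the buffer, so the FTP command reader sees `USER alice` exactly as it would without haproxy in front. In a MINA-based server the natural place for this is a filter that runs once on session open, before the FTP codec; the LOCAL and UNKNOWN cases matter because haproxy's health checks and transparent fallbacks arrive without a client address and must not be logged as the proxy's own IP by mistake.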