I need the source IP in all the logs of the FTP server that is being proxied. But in spite of following the documentation on ‘option forwardfor’ in listen, frontend and backend, I am not getting the source IP; instead I see only the local proxy IP in all the FTP server logs. Please let me know whether I am missing something, or kindly point me to any other faults that are causing this.
My config is as below:
global
    log 127.0.0.1 local0 info
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
    maxconn 2000

defaults
    log global
    mode tcp
    option tcplog
    retries 3
    # todo : fix this appropriately.
    timeout connect 60000
    timeout check 5000
    timeout client 60000
    timeout server 60000

#
# This sets up the admin page for HA Proxy at port 55002.
#
listen stats
    bind *:55002
    mode tcp
    option forwardfor
    stats enable
    stats realm haproxystats
    stats auth myadmin:mypass
    stats uri /ftpha

# This is for the initial connection and control traffic
frontend fe_ftp_control
    bind *:21
    option forwardfor
    default_backend ftp_server_pool

# Each of these frontends represents a server and its corresponding PASV ports we set
# (port ranges as posted; note that TCP port numbers cannot exceed 65535)
frontend fe_ftp_01
    bind *:70101-70300
    option forwardfor
    default_backend be_ftp_01

frontend fe_ftp_02
    bind *:70301-70600
    option forwardfor
    default_backend be_ftp_02

# Global backend for the ftp control traffic to find a server
backend ftp_server_pool
    option forwardfor if-none
    server ftp_01 10.10.10.111:3331 check port 3331 inter 10s rise 1 fall 2
    server ftp_02 10.10.10.222:3331 check port 3331 inter 10s rise 1 fall 2

# Backends for each of our FTP servers
backend be_ftp_01
    option forwardfor if-none
    server ftp_01 10.10.10.111 check port 3331 inter 10s rise 1 fall 2

backend be_ftp_02
    option forwardfor if-none
    server ftp_02 10.10.10.222 check port 3331 inter 10s rise 1 fall 2
Forward For is an HTTP header; it therefore only works when using haproxy in HTTP mode (for HTTP traffic).
You can’t do the same with FTP.
The proxy protocol could be used in theory, but this requires support in the FTP server (and I’m not sure this was ever implemented by any FTP server software).
The other way is to make haproxy the default gateway and configure it in transparent mode. This is very complicated and requires iptables configuration etc., so I’d avoid it.
I am using the Java Apache MINA FTP Server (Apache FtpServer). I have the source and am able to make some minimal changes if you could help at a high level (not overconfident, and I also understand the other risks here).
I saw that this example also refers to forwardfor, hence I was thinking it would work.
Thanks. Let me check this to see whether I can attempt this.
If I understand it correctly: when it is configured for forwardfor, the HTTP server handles them. The FTP server doesn’t handle it, though the information is forwarded as part of the header from the proxy to the nodes. Please confirm whether this understanding is correct?
Do you know of any sample/reference Java implementation (HTTPServer)?
ForwardFor is an HTTP header, more specifically X-Forwarded-For.
It’s added to the HTTP requests so that the backend server knows the IP address.
The proxy protocol of haproxy, on the other hand, works with all protocols, but needs a specific implementation, because it is unrelated to the actual protocol (FTP in this case); it simply sends the IP information (among other things) before the real protocol begins.
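To make the PROXY protocol exchange described in the two answers above concrete, here is an added example (not from this thread, and not code from HAProxy or Apache FtpServer) that builds the version 1 header exactly as haproxy emits it when a `server` line carries `send-proxy`, and parses it on the server side before the FTP greeting is sent. The addresses, ports and the `FakeConn` byte stream are constructed for the example; `accept_ftp_client` is a hypothetical stand-in for the accept path you would patch in the FTP server.

```python
"""PROXY protocol v1 sender and receiver (the header haproxy prepends to a
server connection marked `send-proxy`).  Added example; all sample data is
constructed here, nothing is taken from the thread's real hosts."""
import ipaddress

MAX_V1_LINE = 107  # longest legal v1 header, CRLF included, per the PROXY protocol spec


def build_v1_header(src_ip: str, dst_ip: str, src_port: int, dst_port: int) -> bytes:
    """What haproxy sends as the very first bytes on a `send-proxy` connection."""
    family = "TCP4" if ipaddress.ip_address(src_ip).version == 4 else "TCP6"
    return f"PROXY {family} {src_ip} {dst_ip} {src_port} {dst_port}\r\n".encode("ascii")


def read_v1_line(recv) -> bytes:
    """Read the header line one byte at a time so nothing of the real protocol
    (FTP) that follows is consumed.  `recv(n)` behaves like socket.recv:
    returns up to n bytes, empty on EOF."""
    buf = bytearray()
    while len(buf) < MAX_V1_LINE:
        chunk = recv(1)
        if not chunk:
            raise ValueError("connection closed before end of PROXY header")
        buf += chunk
        if buf.endswith(b"\r\n"):
            return bytes(buf)
    raise ValueError("no CRLF within 107 bytes: not a PROXY v1 header")


def parse_v1_line(line: bytes):
    """Return the addresses carried by the header, or None for 'PROXY UNKNOWN'."""
    if not line.startswith(b"PROXY ") or not line.endswith(b"\r\n"):
        raise ValueError("missing PROXY signature or CRLF")
    fields = line[:-2].decode("ascii").split(" ")
    if fields[1] == "UNKNOWN":
        return None  # haproxy could not determine the client: log as unknown, never trust a default
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError(f"malformed PROXY line: {line!r}")
    want = 4 if fields[1] == "TCP4" else 6
    src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    if src.version != want or dst.version != want:
        raise ValueError("address family does not match the TCP4/TCP6 tag")
    ports = []
    for p in fields[4:6]:
        if not p.isdigit() or not 0 <= int(p) <= 65535:
            raise ValueError(f"bad port {p!r}")
        ports.append(int(p))
    return {"src_ip": str(src), "dst_ip": str(dst), "src_port": ports[0], "dst_port": ports[1]}


class FakeConn:
    """Stand-in for an accepted socket that serves a constructed byte stream."""
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def recv(self, n: int) -> bytes:
        chunk = self.data[self.pos:self.pos + n]
        self.pos += len(chunk)
        return chunk


def accept_ftp_client(conn):
    """Server-side order of operations (hypothetical accept hook): consume the
    PROXY header first, only then send the 220 greeting, then talk FTP.
    Returns (client_info, greeting, first_command)."""
    info = parse_v1_line(read_v1_line(conn.recv))
    greeting = b"220 FTP server ready\r\n"  # in a real server, written to conn here
    first_cmd = conn.recv(1024)             # the real FTP protocol starts only now
    return info, greeting, first_cmd


def demo():
    # Constructed wire data: client 203.0.113.7:51234 reached the proxy VIP
    # 10.10.10.5:21, and its first FTP command follows the header.
    wire = build_v1_header("203.0.113.7", "10.10.10.5", 51234, 21) + b"USER alice\r\n"
    info, _greeting, cmd = accept_ftp_client(FakeConn(wire))
    return info["src_ip"], info["src_port"], cmd
```

Two things to keep in mind when porting this into the FTP server: FTP is a server-speaks-first protocol, so the greeting must be held back until the header has been read (a plain FTP client connecting directly would otherwise hang or be rejected, which is the `ValueError` path above), and the server must only honour a PROXY header on connections arriving from haproxy's own address, since anyone else who can reach the server port could otherwise write a header naming an arbitrary client IP into your logs. If `send-proxy` is also set on the PASV backends, every data connection carries the same header and needs the same handling.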