> On Saturday 28 May 2011 08:05:59, Jirapong Kijkiat wrote:
>> Dear w...@1wt.eu, haproxy@formilux.org
>>
>> How can I config haproxy to load balance my ftp server? Now my
>> haproxy.cnf

FTP is not easy to load balance. Here is the solution I use.

1. The HAProxy machine is the NAT gateway for the FTP servers.
2. HAProxy load balances only the control connection (port 21).

The hard part is the data connection. The FTP protocol works by opening a control channel which exchanges commands and responses. Whenever data needs to be transferred, another connection (a data channel) is opened. Files, directory listings and similar bulk data are transferred over the data channel. In this way, FTP allows simultaneous transfer of multiple files. Rather than multiplex channels on a single connection, FTP uses a connection per channel.

The data channel works in two modes.

1. Active mode (the default) means that the server will connect to the client. When a data channel is needed, the client and server negotiate a TCP address and port for the server to connect to the client on. The client opens this port and awaits the connection. Usually NAT routers and firewalls on the client end rely on packet inspection to observe this negotiation; they then allow this connection to take place. Often they will modify the negotiation to inject the public IP address in place of the private (RFC 1918) address of the client. The exception to this is when SSL is used. SSL prevents packet inspection and breaks active mode.

2. Passive mode means that the client will open an additional connection to the server. Generally this works better, as the FTP server admin can open the port range that will be used for passive connections. Most NAT routers and firewalls allow any outbound traffic, so they will not stand in the way of a passive connection. This allows connections to work without packet inspection, even with SSL.

So, once HAProxy is load balancing the control channel, you have to work out how to allow both active and passive connections to work.

-- Allowing active mode to work --

1. You must SNAT the FTP server's (private) address to the same address that accepted the control channel connection (the HAProxy bind address). Otherwise the client machine will sometimes balk at a connection from an address other than the server's (the one it opened the command channel to). Also, without this SNAT rule in place, any NAT router or firewall will expect the connection to come from the server, and will block it if it does not.

-- Allowing passive mode to work --

1. You must allocate a unique port range for each backend FTP server, and DNAT each range to the various servers. You must also configure each server to use its own unique port space for passive connections. Most FTP servers allow you to specify the passive port range. If you are using proftpd, here is how you configure the passive port range:
   http://www.proftpd.org/docs/directives/linked/config_ref_PassivePorts.html

   Example: DNAT rule/passive range -> backend server.
   2048-4096 -> Server A.
   4097-6145 -> Server B.

   This way, any client connected to server A will connect to its dedicated passive port range and be forwarded by NAT to the correct backend server (which is awaiting its connection).

2. You must also configure the FTP server to masquerade as the same address used for making the control connection (the IP address HAProxy is listening on port 21 on). This is so that passive connections hit the NAT server and are correctly forwarded. Bypassing NAT by directing the client to connect to the backend server directly does not work in all FTP clients, so it is best to simply masquerade as the main FTP service IP address. Most FTP servers allow you to configure a masquerade or public IP address to use in passive connection negotiations with clients. If you are using proftpd, here is how you configure the masquerade address:
   http://www.proftpd.org/docs/directives/linked/config_ref_MasqueradeAddress.html

-- Client IP address --

* At this point you have a working setup; the next section is about fine-tuning it. I would get to this point before tackling the next steps...

The last issue is that now FTP works great, but the FTP server sees all connections coming from the proxy machine's IP address instead of the client's address. To solve this you have two options.

1. Use TPROXY kernel support to perform transparent proxying.
2. Use the PROXY protocol and write a plugin for your FTP server to accept the PROXY protocol.
   http://haproxy.1wt.eu/download/1.5/doc/proxy-protocol.txt

I personally use option 2, as I prefer a user-space solution to a kernel solution. Also, it is much easier to set up my FTP servers without a custom kernel package that I have to maintain (instead of a simple "yum update"); let upstream do that for you.
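The passive-mode plan above (one DNAT port range per backend, every backend masquerading as the front address) is easy to get subtly wrong: a backend that advertises its private address, or a port outside the range that is DNATed to it, fails only for passive transfers and only for that one backend. The following is an added example, not code from the post above or from the HAProxy or proftpd projects. It generalises the two-server example in the post to any number of backends, emits the iptables and proftpd lines the plan implies, and checks a backend's actual `227` PASV reply against the plan. The front address `203.0.113.10`, the backend addresses `10.0.0.11` and `10.0.0.12`, the range size and all sample replies are constructed for the example.

```python
"""Passive-mode FTP behind a NAT load balancer: per-backend passive ranges,
the NAT and proftpd lines they imply, and a check of what a backend advertises.
Added example; addresses, backend names and sample replies are constructed."""
import re

FRONT_IP = "203.0.113.10"                          # address HAProxy binds :21 on (assumed)
BACKENDS = {"A": "10.0.0.11", "B": "10.0.0.12"}    # constructed private backend addresses


def plan_passive_ranges(backends, first_port=2048, size=2049):
    """Give each backend its own contiguous, non-overlapping passive port range.
    Defaults reproduce the post's 2048-4096 / 4097-6145 split for two servers."""
    ranges, low = {}, first_port
    for name in backends:
        high = low + size - 1
        if high > 65535:
            raise ValueError("ran out of ports allocating a range for %s" % name)
        ranges[name] = (low, high)
        low = high + 1
    return ranges


def nat_rules(front_ip, backends, ranges):
    """iptables rules for the gateway box:
    - DNAT each passive range arriving at the front address to its backend;
    - SNAT active-mode data connections (backend port 20 -> client) to the front
      address, so the client sees the same address it opened port 21 to."""
    rules = []
    for name, ip in backends.items():
        low, high = ranges[name]
        rules.append("iptables -t nat -A PREROUTING -d %s -p tcp --dport %d:%d "
                     "-j DNAT --to-destination %s" % (front_ip, low, high, ip))
    for ip in backends.values():
        rules.append("iptables -t nat -A POSTROUTING -s %s -p tcp --sport 20 "
                     "-j SNAT --to-source %s" % (ip, front_ip))
    return rules


def proftpd_config(name, front_ip, ranges):
    """The two proftpd directives linked in the post, filled in for one backend."""
    low, high = ranges[name]
    return "PassivePorts %d %d\nMasqueradeAddress %s" % (low, high, front_ip)


# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"; port = p1*256 + p2
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Decode the address and port a server advertises in its PASV reply."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def check_pasv(reply, backend, front_ip, ranges):
    """Return (ok, reason): ok means a client obeying this reply will reach the
    NAT box on a port whose DNAT rule leads back to `backend`."""
    host, port = parse_pasv(reply)
    if host != front_ip:
        return False, "advertises %s, expected masquerade address %s" % (host, front_ip)
    low, high = ranges[backend]
    if not low <= port <= high:
        return False, "port %d is outside %s's DNAT range %d-%d" % (port, backend, low, high)
    return True, "ok"


if __name__ == "__main__":
    plan = plan_passive_ranges(BACKENDS)
    for rule in nat_rules(FRONT_IP, BACKENDS, plan):
        print(rule)
    for name in BACKENDS:
        print("# proftpd.conf on %s:\n%s" % (name, proftpd_config(name, FRONT_IP, plan)))
    # Constructed replies: one correct, one leaking the private address.
    print(check_pasv("227 Entering Passive Mode (203,0,113,10,8,1)", "A", FRONT_IP, plan))
    print(check_pasv("227 Entering Passive Mode (10,0,0,12,16,1)", "B", FRONT_IP, plan))
```

To use the check against a real deployment, connect to each backend's control port directly from the gateway, log in, send `PASV`, and feed the `227` line to `check_pasv` with that backend's name; a reply that fails the first test means `MasqueradeAddress` is missing, one that fails the second means `PassivePorts` and the DNAT rule disagree.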
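Option 2 in the post, an FTP-server plugin that accepts the PROXY protocol, comes down to reading one header line before treating the socket as an FTP control connection. The following is an added example of that header exchange, not code from the post, from HAProxy or from any FTP server. It builds the version 1 header that HAProxy emits for a backend configured with `send-proxy` and parses it the way a server-side plugin must: strictly, with a `ValueError` on anything malformed. The client and front addresses, ports and the trailing `USER` command are constructed sample data.

```python
"""PROXY protocol v1 (human-readable) header: what HAProxy sends with
'send-proxy' and what an FTP server plugin must read before its 220 banner.
Added example; addresses and the sample FTP command are constructed."""
import ipaddress

MAX_V1_LEN = 107   # longest valid v1 line (TCP6, full addresses, CRLF) per the spec


def build_proxy_v1(src, dst, sport, dport):
    """Header line a proxy sends first on the connection, e.g.
    b'PROXY TCP4 198.51.100.7 203.0.113.10 51234 21\\r\\n'."""
    fam = "TCP6" if ipaddress.ip_address(src).version == 6 else "TCP4"
    line = "PROXY %s %s %s %d %d\r\n" % (fam, src, dst, sport, dport)
    if len(line) > MAX_V1_LEN:
        raise ValueError("header exceeds v1 maximum length")
    return line.encode("ascii")


def parse_proxy_v1(data):
    """Split a received byte stream into (client_info, remaining_bytes).
    client_info is (src, dst, sport, dport), or None for 'PROXY UNKNOWN'.
    Anything malformed raises ValueError: the server should then close the
    connection, not fall back to trusting the TCP source address, because a
    peer that can reach the listener without a header would otherwise be able
    to pick its own 'client' address."""
    end = data.find(b"\r\n", 0, MAX_V1_LEN)
    if end < 0:
        raise ValueError("no CRLF within the first %d bytes" % MAX_V1_LEN)
    line, rest = data[:end].decode("ascii", "strict"), data[end + 2:]
    parts = line.split(" ")
    if parts[0] != "PROXY":
        raise ValueError("missing PROXY signature: %r" % line)
    if len(parts) == 2 and parts[1] == "UNKNOWN":
        return None, rest            # proxy could not determine the client; log and continue
    if len(parts) != 6 or parts[1] not in ("TCP4", "TCP6"):
        raise ValueError("bad v1 header: %r" % line)
    want = 4 if parts[1] == "TCP4" else 6
    src, dst = ipaddress.ip_address(parts[2]), ipaddress.ip_address(parts[3])
    if src.version != want or dst.version != want:
        raise ValueError("address family does not match %s" % parts[1])
    if not (parts[4].isdigit() and parts[5].isdigit()):
        raise ValueError("non-numeric port")
    sport, dport = int(parts[4]), int(parts[5])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    return (str(src), str(dst), sport, dport), rest


if __name__ == "__main__":
    # Constructed exchange: HAProxy (front 203.0.113.10) relays a client at
    # 198.51.100.7 and the client's first FTP command follows the header.
    wire = build_proxy_v1("198.51.100.7", "203.0.113.10", 51234, 21) + b"USER alice\r\n"
    info, rest = parse_proxy_v1(wire)
    print(info)   # the address an FTP server should log and apply access rules to
    print(rest)   # hand this back to the normal FTP command parser
```

In a real plugin the header must be accepted only on the listener that HAProxy talks to, and only from HAProxy's address; on the client-facing side of HAProxy nothing changes, since the header is exchanged between the proxy and the backend only. Note also that with FTP the server normally speaks first, so the plugin has to read the header before writing the `220` banner.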