On 16.07.2014 10:39, Nicolas Zedde wrote:
> Hi everyone,
> 
> I use HAProxy to publish my websites for months now and it works like a 
> charm. Thank you for that.
> Today, I have to set up FTP access through HAProxy and I face the hideous 
> protocol caveats with the data channel.
> I want all FTP traffic to be NATed to HAProxy through my firewall, then 
> distributed to the different FTP Servers through hdr(host) ACLs.
> 
> From what I read, my HAProxy config seems fine but I need to add NAT rules to 
> the HAProxy server in order to forward data channel packets, and set HAProxy 
> as the default gateway on the FTP Servers.
> I can't figure out how to configure these rules in iptables.
> Could someone show an example iptables configuration for that?
> 
> HAProxy config:
> frontend ftp
>       bind *:21 transparent
>       mode tcp
>       option tcplog
>       acl host_ftp1 hdr(host) -i ftp1.domain.tld
>       acl host_ftp2 hdr(host) -i ftp2.domain.tld
>       use_backend ftp1 if host_ftp1
>       use_backend ftp2 if host_ftp2
> 
> backend ftp1
>       server node1 10.10.10.2:21 check
> backend ftp2
>       server node1 10.10.10.3:21 check
> 
> Thank you for your help,
> 
> Nicolas ZEDDE
> 

Have you considered using SFTP instead? It's more secure and doesn't
suffer from the data channel issue, so it's easier to handle, and most if
not all FTP GUI clients out there (Filezilla, WinSCP, etc.) on the
various platforms also support SFTP out of the box.
If you are using ProFTPd on the server it's fairly trivial to set up,
including key support in addition to passwords and chroot.

FTP still seems to be the default these days even though as a protocol
it's... problematic. In 99% of cases when someone asks for FTP access I
recommend SFTP instead and this works fine for people. FTP really should
be retired.

Regards,
  Dennis
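The "data channel caveat" Nicolas runs into comes from FTP embedding the data-connection address and port inside the control-channel payload (PASV replies and PORT commands), which a plain TCP proxy forwards untouched; the backend then advertises its private 10.10.10.x address and the client cannot reach it. The following added example (not from the thread, nor HAProxy or ProFTPd code) parses those payloads and shows the rewrite a NAT helper has to perform; the sample lines and the proxy address are constructed.

```python
import re

# Constructed sample control-channel lines (not from the original thread).
# A passive reply from a backend behind the proxy advertises its *private*
# address and the data port encoded as p1*256 + p2; the client would try
# to connect to exactly that endpoint.
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (10,10,10,2,195,80)\r\n"
SAMPLE_EPSV_REPLY = "229 Entering Extended Passive Mode (|||50000|)\r\n"
SAMPLE_PORT_CMD = "PORT 192,0,2,10,4,1\r\n"

_HOSTPORT_RE = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
_EPSV_RE = re.compile(r"\(\|\|\|(\d+)\|\)")


def parse_data_endpoint(line):
    """Return (host, port) embedded in a PASV reply or PORT command.

    EPSV replies carry only the port (the host is the control connection's
    peer), so they come back as (None, port).  Anything else returns None.
    """
    if line.startswith("227") or line.startswith("PORT "):
        m = _HOSTPORT_RE.search(line)
        if m:
            a, b, c, d, p1, p2 = (int(x) for x in m.groups())
            return f"{a}.{b}.{c}.{d}", p1 * 256 + p2
    m = _EPSV_RE.search(line)
    if m:
        return None, int(m.group(1))
    return None


def pasv_reply(host, port):
    """Encode an endpoint the way a 227 reply expects it (h1,h2,h3,h4,p1,p2)."""
    octets = host.replace(".", ",")
    return f"227 Entering Passive Mode ({octets},{port // 256},{port % 256})\r\n"


def rewrite_pasv(line, proxy_host):
    """Rewrite a backend's 227 reply so the client connects to the proxy.

    The port is left unchanged, so the proxy host (or its firewall) must also
    accept that data port and forward it to the backend; this second half is
    what a byte-for-byte TCP proxy cannot do on its own.
    """
    ep = parse_data_endpoint(line)
    if not ep or ep[0] is None:
        return line  # not a PASV reply: nothing to rewrite
    return pasv_reply(proxy_host, ep[1])
```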
