On 5/8/2015 8:39 AM, Ben Timby wrote:
> With some iptables rules you can use FTP active and passive mode via
> haproxy.
> 
> The key is to assign unique passive port ranges to each backend then
> port forward those ranges. You must be able to configure each FTP server
> daemon with its own range.
> 
> You must also be able to configure your FTP daemon to masquerade as the
> load balancer so that it sends the proper address for port commands etc.
> Most FTP servers support the necessary options.

The FTP servers are ncftpd.

If we configure it this way, then we will ONLY be able to access passive
FTP through haproxy, whereas currently (with the old software) we can
access it by going direct to the back end server *or* through the VIP.
If this is the only way I can get it working, I'll do it, but I don't
like losing functionality.

I'm very curious why I can't simply use the kernel load balancer in 3.13
like I can in 2.6.18, and have it handle passive FTP with the ip_vs_ftp
module.  I've filed an Ubuntu bug against the kernel:

https://bugs.launchpad.net/ubuntu/+source/linux/+bug/145318

I am starting to get the impression that I will need to enable the Linux
firewall for either haproxy or LVS ... if that's the case, I will need
instructions specific to Ubuntu, so it will work properly with ufw.

Thanks,
Shawn
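
The passive-range forwarding from the scheme quoted above (a unique passive port range per backend, forwarded from the load balancer), as an added example that is not from either poster: a shell script that rejects overlapping ranges and prints the matching iptables DNAT rules without applying them. The VIP, backend addresses and port ranges are constructed, and it assumes the backends route their replies back through the load balancer.

```shell
#!/bin/sh
# Added example: all addresses and port ranges below are constructed.
# Assumes backends route return traffic through the load balancer.

VIP="192.0.2.10"   # assumed VIP; each FTP daemon masquerades as this address

# One backend per line: "backend_ip first_passive_port last_passive_port".
BACKENDS="10.0.0.11 50000 50999
10.0.0.12 51000 51999"

# Reject inverted or overlapping ranges. With an overlap, a data connection
# could be forwarded to a backend that never sent the matching PASV reply.
check_ranges() {
    printf '%s\n' "$1" | sort -k2,2n | awk '
        BEGIN { prev_end = -1 }
        $2 > $3 { print "inverted range for " $1; bad = 1 }
        $2 <= prev_end { print "overlap at " $1 " port " $2; bad = 1 }
        $3 > prev_end { prev_end = $3 }
        END { exit bad + 0 }'
}

# Print one DNAT rule per backend; the rules are printed, not applied.
gen_rules() {
    check_ranges "$1" >&2 || return 1
    printf '%s\n' "$1" | while read -r ip first last; do
        printf 'iptables -t nat -A PREROUTING -d %s -p tcp --dport %s:%s -j DNAT --to-destination %s\n' \
            "$VIP" "$first" "$last" "$ip"
    done
}

gen_rules "$BACKENDS"
```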

