On 5/9/2015 2:04 AM, Malcolm Turnbull wrote:
> LVS with FTP works fine in the current kernels but does need the
> correct firewall modules loaded + conntrack enabled.

I was really hoping to avoid that, but the more I've read, the more I've
dreaded that the firewall would be required.  Setting it up in haproxy
would allow me to drop dependence on the kernel load balancer, which
would be really nice.

> You can do active and passive FTP with HAProxy.
> Active needs TPROXY so the server can see the client IP address, it
> also needs iptables rules on the FTP servers to make sure they reply
> on the right address.
> 
> Passive is simpler but requires a bit of fiddling on the FTP server,
> we have several examples in our manual here (page 168):
> http://pdfs.loadbalancer.org/loadbalanceradministrationv7.pdf

After a quick glance, this is probably good, but there's a hiccup ...
these instructions use a GUI to configure haproxy and "iptables"
commands to configure the firewall.  I don't have this GUI, and I'm on
Ubuntu, which uses ufw to configure the firewall.  Therefore I need
actual haproxy config and firewall config that is specific to ufw,
preferably something I can drop into the /etc/ufw/applications.d directory.

> The world would be a much nicer place if everyone used SSH/SCP/SFTP
> and FTP was never invented :-).

I totally agree. Not sure what the original author was smoking, having
the server make a separate connection directly to the client.  Passive
mode is a slight improvement, except that now there are two different
ways of doing it, and you never know which method will be available to
your users.  Unfortunately FTP is extremely widespread and grasped by
customers, and it can be difficult to secure SFTP properly on the server
side.

Thanks,
Shawn
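A minimal version of what Shawn asks for, added here as an illustration and not part of the thread or of the loadbalancer.org manual: a TCP-mode HAProxy listener covering the control port and a passive data range, plus a ufw application profile for the same ports. The backend addresses (192.0.2.x), the 50000-50100 passive range and the profile name are placeholders; every FTP server behind it must be configured to use that same passive range and to advertise the load balancer's address in its PASV replies (the server-side fiddling Malcolm mentions), otherwise the data connection never reaches the right place.

```conf
# /etc/haproxy/haproxy.cfg (fragment, placeholder addresses)
listen ftp
    mode tcp
    # Control port plus the passive data range. Keep the range narrow:
    # every port here is opened on the firewall below.
    bind *:21
    bind *:50000-50100
    # Hash on client IP so the PASV data connection lands on the same
    # backend that answered the control connection.
    balance source
    hash-type consistent
    # FTP sessions idle for a long time between commands.
    timeout client 1h
    timeout server 1h
    # No port on the server line: HAProxy forwards to the same port the
    # client connected to, so data ports map 1:1 onto the backend.
    server ftp1 192.0.2.11 check port 21
    server ftp2 192.0.2.12 check port 21

# /etc/ufw/applications.d/haproxy-ftp (placeholder profile name)
[HAProxy-FTP]
title=HAProxy FTP
description=FTP control port and passive data range fronted by HAProxy
ports=21/tcp|50000:50100/tcp
```

After dropping the profile in place, `ufw app update HAProxy-FTP` followed by `ufw allow HAProxy-FTP` opens only those ports; the backends themselves still need the passive range and address configured in the FTP daemon.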

