On 09.05.2015 16:15, Shawn Heisey wrote:
> On 5/9/2015 2:04 AM, Malcolm Turnbull wrote:
>> LVS with FTP works fine in the current kernels but does need the correct firewall modules loaded + conntrack enabled.
>
> I was really hoping to avoid that, but the more I've read, the more I've dreaded that the firewall would be required. Setting it up in haproxy would allow me to drop dependence on the kernel load balancer, which would be really nice.
>
>> You can do active and passive FTP with HAProxy.
>> Active needs TPROXY so the server can see the client IP address; it also needs iptables rules on the FTP servers to make sure they reply on the right address.
>>
>> Passive is simpler but requires a bit of fiddling on the FTP server; we have several examples in our manual here (page 168):
>> http://pdfs.loadbalancer.org/loadbalanceradministrationv7.pdf
>
> After a quick glance, this is probably good, but there's a hiccup ... these instructions use a GUI to configure haproxy and "iptables" commands to configure the firewall. I don't have this GUI, and I'm on ubuntu, which uses ufw to configure the firewall. Therefore I need actual haproxy config and firewall config that is specific to ufw, preferably something I can drop into the /etc/ufw/applications.d directory.
>
>> The world would be a much nicer place if everyone used SSH/SCP/SFTP and FTP was never invented :-).
>
> I totally agree. Not sure what the original author was smoking, having the server make a separate connection directly to the client. Passive mode is a slight improvement, except that now there are two different ways of doing it, and you never know which method will be available to your users. Unfortunately FTP is extremely widespread and grasped by customers, and it can be difficult to secure SFTP properly on the server side.
Most FTP clients these days support SFTP as well, and if you use, say, proftpd+mod_sftp then handling SFTP on the server side becomes pretty much identical to handling FTP (except all that active/passive nonsense goes away and nobody can simply sniff passwords on the wire).

Regards,
Dennis
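The passive-mode setup Malcolm describes, written out as a plain haproxy configuration in the shape Shawn asked for; this is an added example, not from the thread or from the loadbalancer.org manual. The VIP 192.0.2.10, the backends 10.0.0.11/12 and the passive range 50000-50099 are assumed values, and the FTP servers must advertise that same VIP and range in their PASV replies (for vsftpd: pasv_address, pasv_min_port, pasv_max_port; for proftpd: MasqueradeAddress, PassivePorts).

```haproxy
# /etc/haproxy/haproxy.cfg (example only; addresses and ports are assumed)
global
    log /dev/log local0

defaults
    mode    tcp            # FTP is not HTTP: plain TCP passthrough
    log     global
    option  tcplog
    timeout connect 5s
    timeout client  10m    # idle control/data sessions can be long-lived
    timeout server  10m

# Control connection (port 21). "balance source" hashes on the client IP so
# the same client is sent to the same server every time.
listen ftp-control
    bind 192.0.2.10:21
    balance source
    server ftp1 10.0.0.11 check
    server ftp2 10.0.0.12 check

# Passive data connections. The server's PASV reply names a port in
# 50000-50099 on the VIP; haproxy forwards it unchanged (no port on the
# server line means "same port the client connected to"). The same source
# hash and the same server list keep client -> server mapping identical to
# the control listener; "track" copies the health state so a server that is
# down for the control port is also skipped here and the hashes stay aligned.
listen ftp-passive-data
    bind 192.0.2.10:50000-50099
    balance source
    server ftp1 10.0.0.11 track ftp-control/ftp1
    server ftp2 10.0.0.12 track ftp-control/ftp2
```

On the proxy host ufw only needs the two ranges opened, either `ufw allow 21/tcp` plus `ufw allow 50000:50099/tcp`, or a profile under /etc/ufw/applications.d with `ports=21/tcp|50000:50099/tcp`. Active mode is not covered here because, as Malcolm notes, it additionally needs TPROXY and routing rules on the FTP servers.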

