[ 
https://issues.apache.org/jira/browse/NET-738?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18030014#comment-18030014
 ] 

Mehmet Can Cömert commented on NET-738:
---------------------------------------

I have created a pull request for this problem, which is only trying to resolve 
the IP address of the remote host if there is no Proxy involved.
In our test environment we could see that it is solving the connection issue.

Currently FTP Client tries to resolve the IP address of the remote host for the 
Passive Connection.
However this attempt can never work if the FTP Server is running behind a proxy 
outside of the network, therefore if there is a Proxy Configured in between, it 
is better to rely on the address delivered by the Server.

Can you accept this pull request or do you have any other solution suggestions?

> Ftp Client is no longer working with HTTP Proxies
> -------------------------------------------------
>
>                 Key: NET-738
>                 URL: https://issues.apache.org/jira/browse/NET-738
>             Project: Commons Net
>          Issue Type: Bug
>          Components: FTP
>    Affects Versions: 3.11.1
>            Reporter: Mehmet Can Cömert
>            Priority: Major
>
> Hello,
> we have following setup for the FTP Server communication:
> FTP Client is installed in a machine where direct Internet access is 
> prohibited.
> We need to connect to an FTP Server which is only accessible via HTTP PROXY.
> When FTP Client creates the command connection, it can successfully 
> communicate with the FTP Server.
> Afterwards, requesting of a directory listing (MLSD) is also communicated 
> over Http PROXY.
> However, as FTP Client tries to open the data connection, it gets the IP 
> address and high port for the PASSIVE mode in the reply.
> During parsing the reply, FTP Client tries to resolve the IP Address of the 
> FTP Server by utilizing the socket, which is behind a PROXY and therefore 
> returns the IP address of the PROXY.
> https://github.com/apache/commons-net/blob/master/src/main/java/org/apache/commons/net/ftp/FTPClient.java#L883
> Finally we get a data connection attempt to PROXY with: IP address of the 
> PROXY + high port from FTP Server.
> instead of IP address of the FTP Server + high port from FTP Server
> (opening command connection over PROXY was working with: hostname of the FTP 
> Server + port 21)
> Which results with Unable to tunnel through proxy. Proxy returns "HTTP/1.1 
> 403 Forbidden"
> 2025-10-01T11:22:30.424Z ERROR Unable to tunnel through proxy. Proxy returns 
> "HTTP/1.1 403 Forbidden"
> java.io.IOException: Unable to tunnel through proxy. Proxy returns "HTTP/1.1 
> 403 Forbidden"
>     at 
> java.base/sun.net.www.protocol.http.HttpURLConnection.doTunneling0(HttpURLConnection.java:2312)
>     at 
> java.base/sun.net.www.protocol.http.HttpURLConnection.doTunneling(HttpURLConnection.java:2182)
>     at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native 
> Method)
>     at 
> java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
>     at 
> java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.base/java.lang.reflect.Method.invoke(Method.java:569)
>     at 
> java.base/java.net.HttpConnectSocketImpl.doTunneling(HttpConnectSocketImpl.java:206)
>     at 
> java.base/java.net.HttpConnectSocketImpl.doTunnel(HttpConnectSocketImpl.java:195)
>     at 
> java.base/java.net.HttpConnectSocketImpl$2.run(HttpConnectSocketImpl.java:175)
>     at 
> java.base/java.net.HttpConnectSocketImpl$2.run(HttpConnectSocketImpl.java:173)
>     at 
> java.base/java.security.AccessController.doPrivileged(AccessController.java:569)
>     at 
> java.base/java.net.HttpConnectSocketImpl.privilegedDoTunnel(HttpConnectSocketImpl.java:172)
>     at 
> java.base/java.net.HttpConnectSocketImpl.connect(HttpConnectSocketImpl.java:119)
>     at java.base/java.net.Socket.connect(Socket.java:633)
>     at 
> org.apache.commons.net.ftp.FTPClient._openDataConnection_(FTPClient.java:785)
>     at 
> org.apache.commons.net.ftp.FTPClient._openDataConnection_(FTPClient.java:664)
>     at 
> org.apache.commons.net.ftp.FTPClient.initiateMListParsing(FTPClient.java:2103)
>     at org.apache.commons.net.ftp.FTPClient.mlistDir(FTPClient.java:2557)
>     at org.apache.commons.net.ftp.FTPClient.mlistDir(FTPClient.java:2545)
>     
> We assume if a PROXY is used there should be no attempt to resolve the IP 
> Address on the FTP Client side and response from the Server should be used.
> We have seen that, because of NAT considerations, FTP Client is replacing the 
> reported FTP Server IP Address from the PASV response with the IP Address of 
> the Socket. This is fine without PROXY.
> However in a situation where PROXY is present, FTP Client instructs the PROXY 
> to connect to itself for the data connection, which only works if the PROXY 
> is running on the same host as the FTP Server :)
> Do you have any other use case that may require FTP Client to resolve IP 
> Address of an FTP Server accessible behind a PROXY?
> If not, can the FTP Client be changed to respect the PASV response from the FTP 
> Server when a PROXY is utilized?
> We are aware that this approach would not work if both PROXY is utilized and 
> the FTP Server is behind NAT and FTP Server is reporting its internal IP 
> Address in the PASV response.
> However we do not see any way to mitigate that as in this constellation the 
> external IP Address of the FTP Server remains unknown to FTP Client. Such a 
> setup does not look like a resolvable problem :(



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
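
The address selection discussed in this thread, as an added example; it is not code from Commons Net or from the pull request. The class and method names are hypothetical, and all addresses are constructed values from the documentation ranges.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class PasvTargetDemo {
    // RFC 959 PASV reply payload: h1,h2,h3,h4,p1,p2
    private static final Pattern PASV =
            Pattern.compile("(\\d{1,3}),(\\d{1,3}),(\\d{1,3}),(\\d{1,3}),(\\d{1,3}),(\\d{1,3})");

    /** Returns {host, port} parsed from a 227 reply; throws on malformed input. */
    static String[] parsePasv(String reply) {
        Matcher m = PASV.matcher(reply);
        if (!reply.startsWith("227") || !m.find()) {
            throw new IllegalArgumentException("not a PASV reply: " + reply);
        }
        int[] n = new int[6];
        for (int i = 0; i < 6; i++) {
            n[i] = Integer.parseInt(m.group(i + 1));
            if (n[i] > 255) {
                throw new IllegalArgumentException("octet out of range: " + n[i]);
            }
        }
        String host = n[0] + "." + n[1] + "." + n[2] + "." + n[3];
        return new String[] { host, String.valueOf(n[4] * 256 + n[5]) };
    }

    /**
     * Hypothetical selection rule following the proposal in this thread:
     * direct connection -> peer address of the control socket (NAT workaround);
     * proxy in between  -> host reported by the server, because the peer is the proxy.
     */
    static String dataHost(String pasvHost, String controlPeer, boolean viaProxy) {
        return viaProxy ? pasvHost : controlPeer;
    }

    public static void main(String[] args) {
        // Constructed sample reply and addresses, not taken from the report.
        String reply = "227 Entering Passive Mode (198,51,100,7,195,80)";
        String proxy = "192.0.2.10"; // peer of the control socket when tunnelling through the proxy
        String[] hp = parsePasv(reply);
        // Direct connection to a NAT'd server: the control peer replaces the reported host.
        System.out.println("direct, no proxy    : " + dataHost(hp[0], "203.0.113.5", false) + ":" + hp[1]);
        // Behaviour described in the report: the proxy's own address is used as the target.
        System.out.println("reported, via proxy : " + dataHost(hp[0], proxy, false) + ":" + hp[1]);
        // Proposed behaviour: keep the host from the PASV reply when a proxy is configured.
        System.out.println("proposed, via proxy : " + dataHost(hp[0], proxy, true) + ":" + hp[1]);
    }
}
```

With the proposed rule the server-reported address decides where the proxy is asked to connect, so the proxy's CONNECT policy has to permit the server's passive port range.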
