Castaglia / proftpd-mod_proxy

FTP proxy support for ProFTPD
http://www.proftpd.org
38 stars 18 forks source link

Trying to setup reverse proxy for FTPS service #188

Open jhallerdk opened 3 years ago

jhallerdk commented 3 years ago

I'm trying to to use mod_proxy to get support for TLS1.0 for a FTP service that only supports TLS1.2.

So the way it should go is:

Client -----[TLS1.0]----->proftpd/mod_proxy -------[TLS1.2]------>FTPS server.

I've gotten the conect to proftpd to work (custom compiled with mod_proxy and mod_tls), but it like it fails the TLS connections to the backend FTPS server.

The error i get is:

2021-01-14 16:28:31,172 mod_proxy/0.7[18986]: TLSv1.2 connection created, using cipher ECDHE-RSA-AES256-GCM-SHA384 (256 bits)
2021-01-14 16:28:31,174 mod_proxy/0.7[18986]: proxy session running as UID 0, GID 0, restricted to '/var/lib/ftp/proxytable/empty'
2021-01-14 16:28:34,137 mod_proxy/0.7[18986]: Entering Passive Mode (XX,XXX,XXX,XXX,198,48).
2021-01-14 16:28:34,186 mod_proxy/0.7[18986]: starting TLS negotiation on data connection
2021-01-14 16:28:34,217 mod_proxy/0.7[18986]: unable to connect using TLS: system call error: [104] Connection reset by peer
2021-01-14 16:28:34,217 mod_proxy/0.7[18986]: unable to open data connection to upload.ftpserver.com: TLS negotiation failed
2021-01-14 16:28:34,217 mod_proxy/0.7[18986]: postopen error for backend data connection output stream: Operation not permitted

Any hits of how to set it up appreciated, or even how i get to test this. I've verified that with Filezilla the backend server is responsive.

jhallerdk commented 3 years ago

To follow up, everything works fine for the client to connect to proftpd, with TLS 1.0, but in the trace just before it stops i get the following:

2021-01-19 15:06:51,572 [18069] <proxy.tls:9>: requesting stapled OCSP response
2021-01-19 15:06:51,572 [18069] <proxy.tls:17>: WANT_READ encountered while connecting on fd 16, waiting to read data

This is now with the latest code from the gitrepo of proftpd and mod_proxy

Castaglia commented 3 years ago

These messages:

2021-01-14 16:28:34,186 mod_proxy/0.7[18986]: starting TLS negotiation on data connection
2021-01-14 16:28:34,217 mod_proxy/0.7[18986]: unable to connect using TLS: system call error: [104] Connection reset by peer
2021-01-14 16:28:34,217 mod_proxy/0.7[18986]: unable to open data connection to upload.ftpserver.com: TLS negotiation failed

suggest that the backend FTPS server is failing the data transfer TLS handshake for some reason. Are there any logs from that backend server that might provide some clues/details?

Can you provide the configuration you're currently using for the mod_proxy part? In addition, what will help to debug the mod_proxy -> backend server interactions will be some detailed trace logging, using a configuration like so for the proxy:

TraceLog /path/to/proftpd/proxy.log

<IfModule mod_tls.c>
  TLSLog /path/to/proftpd/proxy.log
  TLSOptions EnableDiags
  ...
</IfModule>

</IfModule mod_proxy.c>
  ProxyLog /path/to/proftpd/proxy.log
  ProxyTLSOptions EnableDiags

  Trace \
    proxy:30 \
    proxy.conn:30 \
    proxy.ftp.conn:30 \
    proxy.ftp.ctrl:30 \
    proxy.ftp.data:30 \
    proxy.ftp.msg:30 \
    proxy.ftp.sess:30 \
    proxy.ftp.xfer:30 \
    proxy.inet:30 \
    proxy.netio:30 \
    proxy.reverse:30 \
    proxy.session:30 \
    proxy.tls:30 \
    proxy.uri:30 \
    tls:30
    ...
</IfModule>

Here, we configure a TraceLog with many trace channels enabled, and we point the module-specific TLS and proxy logs at the same log file, to capture all the relevant log messages in a single file. It will be a large log file, but hopefully you can provide that log file, so we can see what might be happening.