PhDLeToanThang / Web3.0

3D VR, 3D Tour, 360 degree Panorama, hololens emulator, iSIM, Simulator, SMART CITIES & BIM Technologies
MIT License

How to configure haproxy port range to range one by one on FTP server TCP port range #3

Closed PhDLeToanThang closed 2 months ago

PhDLeToanThang commented 2 months ago

haproxy /sample_FTP_haproxy.cfg


I want to use haproxy to deploy one ftp proxy server. Here's scene:

ftp client <---> ftp-proxy-server(ip:10.0.1.1) <---> ftp-server(ip:172.126.1.1)

ftp server listen on port 21 for control command, data port range [20100-20199]

I had haproxy config on ftp-proxy-server:

    listen ftp-proxy-server 10.0.1.1:21
        mode tcp
        server ftp-server 172.126.1.1:21

    listen ftp-proxy-server 10.0.1.1:20100-20199
        mode tcp
        server ftp-server 172.126.1.1:20100-20199

PhDLeToanThang commented 2 months ago

You have to remove the port range from the server definition. The haproxy documentation shows that the same port from the source is used for the destination.

    listen ftp-proxy-server 10.0.1.1:20100-20199
        mode tcp
        server ftp-server 172.126.1.1

PhDLeToanThang commented 2 months ago


For haproxy 1.5 on centos,

    listen web *:8080-8090
        mode tcp
        server worker1 10.0.0.1
        server worker2 10.0.0.2

For haproxy 1.7 on debian,

    listen web
        bind *:8080-8090
        mode tcp
        server worker1 10.0.0.1
        server worker2 10.0.0.2

PhDLeToanThang commented 2 months ago

Certainly! To configure HAProxy for an FTP server service with a port range, follow these steps:

  1. Edit the HAProxy configuration file (/etc/haproxy/haproxy.cfg):

    • Add the following lines to configure the FTP service:

      listen FTP_Default *:21
      server ftp01 192.168.122.152 check port 21 inter 10s rise 1 fall 2
      
      listen FTP_Range *:10000-10250
      server ftp01 192.168.122.152 check port 21 inter 10s rise 1 fall 2
    • Replace 192.168.122.152 with the actual IP address of your FTP server¹.
  2. Configure the passive FTP port range on the FTP server:

    • Set the passive FTP port range on your FTP server. For example, you might use the port range 50000-50010 or a larger range. Be cautious to limit the port range to prevent file descriptor exhaustion².
  3. Update the HAProxy frontend section:

    • In your HAProxy configuration, update the frontend section to handle FTP traffic. You can set the proxy mode to either HTTP (layer 7) or TCP (layer 4). For FTP, use TCP mode.
    • Example frontend configuration:
      frontend ftp_frontend
       mode tcp
       bind *:21
       default_backend ftp_backend

Remember to adjust the IP addresses, port ranges, and other settings according to your specific environment. If you have any further questions, feel free to ask! 😊

Source: Conversation with Bing, 23/4/2024

(1) FTP through HAProxy - Server Fault. https://serverfault.com/questions/441721/ftp-through-haproxy

(2) Passive FTP | HAProxy config tutorials. https://www.haproxy.com/documentation/haproxy-configuration-tutorials/load-balancing/passive-ftp/

(3) Frontends | HAProxy config tutorials. https://www.haproxy.com/documentation/haproxy-configuration-tutorials/core-concepts/frontends/

(4) How to configure haproxy port range to range one by one?. https://stackoverflow.com/questions/26794547/how-to-configure-haproxy-port-range-to-range-one-by-one

(5) Binding TCP port ranges to backend port ranges - Help! - HAProxy community. https://discourse.haproxy.org/t/binding-tcp-port-ranges-to-backend-port-ranges/6893

PhDLeToanThang commented 2 months ago

Revised sample: FTP with Haproxy 2.9:

Author: PhD. Le Toan Thang

============================================================================

H A P r o x y 2.9 - FTP, FTPs/ WebDav public via Haproxy 2.9

============================================================================

ref: https://docs.haproxy.org/2.9/configuration.html

Here's scene:

ftp client <---> ftp-proxy-server(ip:10.0.1.1) <---> ftp-server(ip:172.126.1.1)

ftp server listen on port 21 for control command, data port range [20100-20199]

I had haproxy config on ftp-proxy-server:

    listen ftp-proxy-server 10.0.1.1:21
        mode tcp
        server ftp-server 172.126.1.1:21

    listen ftp-proxy-server 10.0.1.1:20100-20199
        mode tcp
        server ftp-server 172.126.1.1:20100-20199

Here's the question: I can successfully log in to the ftp service from ftp-client, but fail to execute the ls command, which outputs a "connection refused" message.

I guess the reason is that the port mapping from ftp-proxy-server to ftp-server is random. So when ftp-client gets a reserved port (e.g. 20101), ftp-proxy-server may map it to another port (e.g. 20109), which is not the port ftp-server assigned to ftp-client.

I am thinking of one solution that configures 100 listens, one listen per port, but it's complex to write the configuration file.

Is there a simple configuration option to map ports one by one? Just like 10.0.1.1:20001 -> 172.126.1.1:20001, 10.0.1.1:20002 -> 172.126.1.1:20002

####################################3

In HAProxy, the port mapping between the proxy server and the FTP server can indeed be a bit tricky, especially when dealing with random port assignments.

However, there is a way to achieve the desired mapping using HAProxy's "source" directive.

To map ports one by one, you can modify your HAProxy configuration like this:

---------------------------------------

If there is also a firewall gateway at the WAN tier in front of Haproxy that allows forwarding to the FTP server (meaning the FWGateway drops its NAT proxy configuration to the haproxy host or to the FTP server, and has only one rule on the NAT proxy: forward all TCP/UDP from port 1 - 65500 straight to the Haproxy ip), then the Haproxy configuration for the FTP server changes as follows:

    frontend ftp-proxy-server
        bind *:21
        mode tcp
        default_backend ftp-backend

    backend ftp-backend
        mode tcp
        server ftp-server 172.126.1.1:21

    frontend ftp-data-proxy
        bind *:20001
        mode tcp
        default_backend ftp-data-backend-20001

    backend ftp-data-backend-20001
        mode tcp
        balance source
        server ftp-data-server 172.126.1.1:20001

    frontend ftp-data-proxy-20100
        bind *:20100
        mode tcp
        default_backend ftp-data-backend-20100

    backend ftp-data-backend-20100
        mode tcp
        balance source
        server ftp-data-server 172.126.1.1:20100

This configuration shows that the FWGW will have to skip head content checking, and on Haproxy the bind is configured as :21 or :20001.

And haproxy 2.9 forces each port to be checked: a port range cannot be configured and each port has to be opened individually, because the FTP server configuration has no SSL/TLS port, for example port 990 (SSL/TLS) is not open, only port 21 and the passive mode ports.

In this configuration, we have separated the control command (port 21) from the data ports (20001-20100).

The "balance source" directive ensures that connections are always mapped to the same backend server based on the source IP and port.

This way, the port mapping will remain consistent for each client.

By using the "bind" directive with a range of ports, you can easily map them from the proxy server to the FTP server.

In this example, 10.0.1.1:20001 will be mapped to 172.126.1.1:20001, 10.0.1.1:20002 to 172.126.1.1:20002, and so on.
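
The one-to-one mapping discussed in this thread, written as a single frontend/backend configuration (an added example, not part of the original issue or the repository's sample_FTP_haproxy.cfg). The addresses and the 20100-20199 range are the ones from the question; section names, `maxconn` and the timeout values are illustrative assumptions.

```haproxy
global
    # Assumed ceiling: 100 data ports plus control sessions, with headroom.
    # Each proxied connection consumes two file descriptors on the proxy.
    maxconn 2000

defaults
    mode tcp
    timeout connect 5s
    # Assumed values: the control connection sits idle while a transfer runs
    # on a data port, so short timeouts would cut sessions mid-transfer.
    timeout client  5m
    timeout server  5m

# Control channel (port 21)
frontend ftp_control
    bind 10.0.1.1:21
    default_backend ftp_control_be

backend ftp_control_be
    server ftp-server 172.126.1.1:21 check

# Passive data channels: a single bind line opens a listener on every port
# in the range, so only the ports the FTP server can hand out are exposed.
frontend ftp_data
    bind 10.0.1.1:20100-20199
    default_backend ftp_data_be

backend ftp_data_be
    # No port on the server line: HAProxy connects to the same port the
    # client connected to (20101 -> 20101, 20109 -> 20109, ...).
    # With no server port there is nothing for the health check to target,
    # so the check is pointed at the control port explicitly.
    server ftp-server 172.126.1.1 check port 21
```

Run `haproxy -c -f /etc/haproxy/haproxy.cfg` to validate the file before reloading. Keep the bound range identical to the passive range configured on the FTP server, so that no listener is exposed that the server never uses.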