
I have two servers behind a WatchGuard: one is a Linux server, one is a Windows server. The WatchGuard forwards HTTP and FTP requests (ports 80 and 21) to a proxy server.

I have configured Apache on the proxy server so I can proxy the HTTP requests to either server based on domain names, as below:

<VirtualHost *:80>
  ServerName        mysite.com.au
  ProxyPreserveHost On
  ProxyPass         "/" "http://10.0.2.21/"
  ProxyPassReverse  "/" "http://10.0.2.21/"
</VirtualHost>

<VirtualHost *:80>
    ServerName        mysite.net.au
    ProxyPreserveHost On
    ProxyPass         "/" "http://10.0.2.31/"
    ProxyPassReverse  "/" "http://10.0.2.31/"
</VirtualHost>

So .com.au goes to 10.0.2.21, and .net.au goes to 10.0.2.31. These are both internal servers.

I want to do the same type of forwarding for FTP (port 21).

So if I try to FTP to a site hosted on the Windows server, the proxy will know it is hosted on the Windows server (10.0.2.31) and forward the FTP requests to the correct server.

What I want to do is employ a proxy that listens on port 21 and forwards the traffic to the appropriate FTP server based on the DNS name requested. I have the proxy and it is already working for HTTP, but I need to know how to do the same for FTP.

2 Answers


As already commented, no you can't.

Unless the FTP server for each FQDN listens on its own IP address (or a different port), you can't do with FTP what you do with HTTP.

When a web browser makes a request to a web server, it includes the hostname, the FQDN, in every request with the Host: header. That Host: header is what allows a reverse proxy to route the requests to different back-ends.

FTP never had such a provision. An FTP client just makes a TCP/IP connection and then waits for a server response code before transmitting an FTP client command such as, for instance, authentication details. Nowhere in the session does the FTP client transmit to which server it expects to connect. Therefore you can't route FTP connections to different back-ends based on the FQDN.

Edit: thanks to the comment below: RFC 7151 introduced the HOST command in 2014, but client support is still quite immature, and therefore not something to rely on.

HBruijn

There is a solution based on the mod_proxy module for ProFTPD: https://stackoverflow.com/a/35020052/226278

Still relying on the quite new HOST command.

sc911
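The routing decision both answers describe, as an added Python illustration (not code from either answer or from ProFTPD): a proxy can pick a back-end only if the client sends the RFC 7151 HOST command before logging in. The `BACKENDS` table reuses the question's names and addresses; the function names and the refuse-by-default policy are assumptions of this sketch.

```python
# Added illustration, not code from the posts above.
# BACKENDS reuses the question's names and addresses; refusing when no
# name is available is an assumption of this sketch.
BACKENDS = {
    "mysite.com.au": ("10.0.2.21", 21),
    "mysite.net.au": ("10.0.2.31", 21),
}


def parse_command(line: bytes):
    """Split one FTP control line into (VERB, argument)."""
    text = line.decode("ascii", "replace").rstrip("\r\n")
    verb, _, arg = text.partition(" ")
    return verb.upper(), arg.strip()


def choose_backend(client_lines):
    """Return (backend, reason) from commands received before login.

    By this point the proxy has already sent its own greeting: an FTP
    client stays silent until the server speaks, so no name exists at
    connect time.
    """
    for line in client_lines:
        verb, arg = parse_command(line)
        if verb == "HOST":
            name = arg.lower().rstrip(".")
            if name in BACKENDS:  # exact allowlist match only
                return BACKENDS[name], "routed by HOST"
            return None, "unknown host refused"
        if verb in ("USER", "PASS"):
            # Login began without HOST: nothing names the target server.
            return None, "no HOST sent"
        # Other pre-login commands such as FEAT may come first.
    return None, "no HOST sent"


# Constructed sample sessions (client side of the control channel).
LEGACY_CLIENT = [b"USER alice\r\n", b"PASS secret\r\n"]
HOST_CLIENT = [b"FEAT\r\n", b"host MySite.NET.au\r\n", b"USER alice\r\n"]
UNKNOWN_HOST = [b"HOST other.example\r\n"]

if __name__ == "__main__":
    for session in (LEGACY_CLIENT, HOST_CLIENT, UNKNOWN_HOST):
        print(choose_backend(session))
```

The legacy session is the case the first answer describes: the client goes straight to USER, so the proxy has no name to match and must refuse or fall back to a single fixed server.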