OK, first off, the FTP SITE command is reserved for specific FTP
server extensions. It is commonly used for banning IP addresses, so
that a user can, via their FTP client, issue a command such as:

SITE ADDIP XXX.XXX.XXX.XXX

The server knows what to do with this IP address because it has an
extension loaded that stores the provided IP in a ban list. This is
of course implementation specific: some servers handle this
extension, some don't.

SITE Command description:
http://www.nsftools.com/tips/RawFTP.htm#SITE

Apache FTP Server SITE command:
http://incubator.terra-intl.com/projects/ftpserver/site_cmd.html

Relevant RFC:
http://www.faqs.org/rfcs/rfc959.html
--
         SITE PARAMETERS (SITE)

            This command is used by the server to provide services
            specific to his system that are essential to file transfer
            but not sufficiently universal to be included as commands in
            the protocol.  The nature of these services and the
            specification of their syntax can be stated in a reply to
            the HELP SITE command.
--

With that in mind, the sequence I am thinking of would be:

Client              HAProxy              Backend
*------------------------------------------------*
connect --------->|
                  | connect ---------->|
                  | SITE <IP> -------->|
                  | <---------- 250 OK |
*================================================*
USER ------------>|
                  | USER ------------->|
                  | <---------- 250 OK |
<--------- 250 OK |
*------------------------------------------------*

Everything below the horizontal (==) line is as usual: HAProxy just
sends an initial SITE command to the backend FTP server to let it know
the client's real IP address, then starts shovelling data from the
client to the backend as before.

The fly in the ointment is that the backend FTP server will need to be
able to handle this SITE command. I maintain my own FTP server daemon,
so mine will of course support this. I will contribute patches back to
the community for it.

Other FTP daemons like proftpd can easily support this SITE extension
using add-on modules. The module simply looks for the client IP
provided by the SITE command, then overwrites the variable containing
the remote IP address so that the server can make active FTP
connections to the right place. Also the logs would then contain the
correct client IP address. It is kinda like the X-Forwarded-For header
on HTTP, but using the SITE command on FTP (which is the right place
for this according to the RFCs involved).

I am investigating the feasibility and interest in a feature such as
this at this point.
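The sequence sketched in the message above, written out as an added example in Python (this is not code from the post, from HAProxy or from the author's FTP daemon). It models both sides without sockets: the proxy builds the one-line SITE prelude, and a backend session object handles that prelude the way the proftpd-style module described above would, by overwriting the variable that logs and active-mode (PORT) connections use. The subcommand name `FWDIP`, the reply texts, and the check that the prelude is only honoured from a trusted proxy address (the same trust problem X-Forwarded-For has in HTTP) are assumptions of this example, not part of the proposal.

```python
"""Added example: SITE-based client-IP forwarding between an FTP proxy and
an FTP backend.  Subcommand name, reply texts and the trusted-proxy check
are assumptions of this example, not from the original message."""
import ipaddress

# Hypothetical SITE subcommand carrying the real client address (the
# message leaves the exact verb open; it only shows "SITE <IP>").
FWD_VERB = "FWDIP"


def build_site_prelude(client_ip: str) -> bytes:
    """Proxy side: the single command the proxy sends to the backend before
    relaying anything from the client.  Only a literal IP address is
    accepted, so a hostile client address string cannot smuggle CRLF or a
    second FTP command into the prelude."""
    addr = ipaddress.ip_address(client_ip)  # ValueError on anything else
    return f"SITE {FWD_VERB} {addr}\r\n".encode("ascii")


class BackendSession:
    """Backend side: the part of an FTP server (or add-on module) that
    understands the prelude.  peer_ip is the TCP peer the server sees; with
    a proxy in front that is the proxy's address, not the client's."""

    def __init__(self, peer_ip: str, trusted_proxies):
        self.peer_ip = ipaddress.ip_address(peer_ip)
        self.trusted = [ipaddress.ip_network(n) for n in trusted_proxies]
        # The address logs and active-mode PORT connections will use.
        # Until a valid prelude arrives it is simply the TCP peer.
        self.remote_ip = self.peer_ip
        self.user_seen = False
        self.forwarded = False

    def handle_line(self, line: str) -> str:
        """Dispatch one control-connection line and return the reply."""
        parts = line.strip().split()
        if not parts:
            return "500 Empty command"
        verb = parts[0].upper()
        if verb == "SITE" and len(parts) >= 2 and parts[1].upper() == FWD_VERB:
            return self._handle_fwdip(parts[2:])
        if verb == "USER":
            self.user_seen = True
            return "331 User name okay, need password"
        return "502 Command not implemented"

    def _handle_fwdip(self, args) -> str:
        # Trust check (assumption of this example): honour the forwarded
        # address only when the TCP peer is a known proxy.  Otherwise any
        # direct client could choose what lands in the logs and where the
        # server opens its active-mode data connections.
        if not any(self.peer_ip in net for net in self.trusted):
            return f"500 SITE {FWD_VERB} not accepted from {self.peer_ip}"
        # Only once, and only before USER, matching the sequence diagram.
        if self.user_seen or self.forwarded:
            return "503 Bad sequence of commands"
        if len(args) != 1:
            return "501 Syntax error in parameters"
        try:
            self.remote_ip = ipaddress.ip_address(args[0])
        except ValueError:
            return "501 Not an IP address"
        self.forwarded = True
        return "250 OK"


def proxy_session(client_ip: str, backend: BackendSession, client_lines):
    """Drive the sequence from the message: after 'connecting', send the
    SITE prelude, then relay the client's own commands unchanged.  Returns
    whether the prelude was accepted and the (command, reply) pairs the
    client would see.  If the backend rejects the prelude nothing is
    relayed (fail closed, this example's choice), since the session would
    otherwise be logged under the proxy's address."""
    prelude = build_site_prelude(client_ip).decode("ascii")
    if not backend.handle_line(prelude).startswith("250"):
        return False, []
    return True, [(line, backend.handle_line(line)) for line in client_lines]


if __name__ == "__main__":
    # Constructed sample: proxy at 10.0.0.5 fronting a client at 203.0.113.7.
    backend = BackendSession("10.0.0.5", ["10.0.0.0/24"])
    ok, transcript = proxy_session("203.0.113.7", backend, ["USER alice"])
    print("prelude accepted:", ok, "remote_ip now:", backend.remote_ip)
    for cmd, reply in transcript:
        print(f"  C> {cmd}\n  S< {reply}")
    # A direct client (not a trusted proxy) trying to pick its own address.
    direct = BackendSession("198.51.100.9", ["10.0.0.0/24"])
    print(direct.handle_line("SITE FWDIP 203.0.113.7"), "->", direct.remote_ip)
```

Running the block shows the trusted proxy's prelude being accepted and the backend's `remote_ip` switching to the client address before USER is relayed, while the same command from an untrusted peer is refused and the peer address stays in place.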
