On Sat, Feb 26, 2011 at 09:11:42AM -0500, Ben Timby wrote:
> OK, first off, the FTP SITE command is reserved for specific FTP
> server extensions. It is commonly used for banning IP addresses, so
> that the user can, via their FTP client, issue a command such as:
> 
> SITE ADDIP XXX.XXX.XXX.XXX
> 
> The server knows what to do with this IP address because it has an
> extension loaded that stores the provided IP into a ban list. This is
> of course implementation specific: some servers handle this
> extension, some don't.

It looks like the command is only accepted for users with sufficient
privileges. In my case, vsftpd rejects the SITE command before the user
authenticates, which seems to be in line with Apache's description.

(...)
> --
> 
> With that in mind, the sequence I am thinking of would be:
> 
> Client                 HAProxy                Backend
> *------------------------------------------------*
> connect -------------->|
>                        | connect ------------->|
>                        | SITE <IP> ----------->|
>                        | <----------- 250 OK   |
> *================================================*
> USER ----------------->|
>                        | USER ---------------->|
>                        | <----------- 250 OK   |
> <----------- 250 OK    |
> *------------------------------------------------*
> 
> Everything below the horizontal (==) line is as usual, HAProxy just
> sends an initial SITE command to the backend FTP server to let it know
> the client's real IP address. It then starts shoveling data from the
> client to the backend as usual.

That looks close to the way we make the PROXY protocol work, except haproxy
here will have to consume one response line. What happens if the client
issues a SITE IP command here? It looks dangerous to me to let it change
its apparent IP address. Or the server will have to ensure it accepts the
SITE command only once, but that's dangerous.

> The fly in the ointment is that the backend FTP server will need to be
> able to handle this SITE command. I maintain my own FTP server daemon,
> so mine will of course support this. I will contribute patches back to
> the community for it.

If you maintain your own servers, wouldn't you be interested in making
them support the proxy protocol we've added between stunnel and haproxy?
It provides the server with a first line containing the protocol (TCPv4,
TCPv6), source and destination addresses and ports, and does not require
a state to consume a response. Also, since by definition it can only appear
on the first line of the connection, there is no risk a client would send
it. It would work like this:

> Client                 HAProxy                Backend
> *------------------------------------------------*
> connect -------------->|
>                        | connect ------------->|
>                        | PROXY TCP4 <IP> ...-->|
> *================================================*
>                        | <---------- 220 Ready |
> USER ----------------->|
>                        | USER ---------------->|
>                        | <----------- 250 OK   |
> <----------- 250 OK    |
> *------------------------------------------------*

I'm just checking how we could implement something simple, reliable and
durable.

Regards,
Willy
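As an added illustration of the backend side of the PROXY-protocol exchange sketched above (example code, not haproxy's or any FTP daemon's own), here is a small receiver that parses the version 1 header line and enforces the two properties the message relies on: the header is consumed only as the very first line of the connection, and only once, so a later client-sent line can never rewrite the apparent source address. The field order ("PROXY TCP4 src dst sport dport") follows the PROXY protocol specification; the FtpSession class and its reply strings are hypothetical stand-ins for a real FTP server's session logic.

```python
import ipaddress

MAX_HEADER_LEN = 107  # upper bound on a valid v1 header line, per the spec


class ProxyHeaderError(ValueError):
    pass


def parse_proxy_v1(line: bytes) -> dict:
    """Parse one 'PROXY <proto> <src> <dst> <sport> <dport>\\r\\n' line."""
    if len(line) > MAX_HEADER_LEN or not line.endswith(b"\r\n"):
        raise ProxyHeaderError("bad framing")
    fields = line[:-2].decode("ascii").split(" ")
    if len(fields) < 2 or fields[0] != "PROXY":
        raise ProxyHeaderError("missing PROXY signature")
    if fields[1] == "UNKNOWN":          # sender could not determine the peer
        return {"proto": "UNKNOWN"}
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ProxyHeaderError("bad field count or protocol")
    _, proto, src, dst, sport, dport = fields
    want = 4 if proto == "TCP4" else 6
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip.version != want or dst_ip.version != want:
        raise ProxyHeaderError("address family does not match protocol")
    ports = [int(p) for p in (sport, dport)]
    if not all(0 <= p <= 65535 for p in ports):
        raise ProxyHeaderError("port out of range")
    return {"proto": proto, "src": str(src_ip), "dst": str(dst_ip),
            "sport": ports[0], "dport": ports[1]}


class FtpSession:
    """Hypothetical FTP session: PROXY header accepted once, first line only."""

    def __init__(self):
        self.peer = None        # what the server will log / apply bans against
        self.started = False    # True once the first line has been consumed

    def feed_line(self, line: bytes) -> str:
        if not self.started:
            self.started = True
            self.peer = parse_proxy_v1(line)   # first line must be the header
            return "220 Ready"
        if line.startswith(b"PROXY "):
            # Any later PROXY line comes from the client, never from haproxy.
            return "500 PROXY header not allowed after session start"
        return "250 OK"                        # normal FTP command handling
```

Because the header is bound to the first line, the server needs no extra state beyond "has the session started", which is the difference from the SITE approach discussed above.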
