[ https://issues.apache.org/jira/browse/NET-738?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18033817#comment-18033817 ]

Gary D. Gregory commented on NET-738:
-------------------------------------

[~mcancomert] 

The fix version will be assigned once the issue is resolved. 

> Ftp Client is no longer working with HTTP Proxies
> -------------------------------------------------
>
>                 Key: NET-738
>                 URL: https://issues.apache.org/jira/browse/NET-738
>             Project: Commons Net
>          Issue Type: Bug
>          Components: FTP
>    Affects Versions: 3.11.1
>            Reporter: Mehmet Can Cömert
>            Priority: Major
>
> Hello,
> we have the following setup for the FTP Server communication:
> FTP Client is installed in a machine where direct Internet access is 
> prohibited.
> We need to connect to an FTP Server which is only accessible via HTTP PROXY.
> When FTP Client creates the command connection, it can successfully 
> communicate with the FTP Server.
> Afterwards, requesting of a directory listing (MLSD) is also communicated 
> over Http PROXY.
> However, as FTP Client tries to open the data connection, it gets the IP 
> address and high port for the PASSIVE mode in the reply.
> During parsing the reply, FTP Client tries to resolve the IP Address of the 
> FTP Server by utilizing the socket, which is behind a PROXY and therefore 
> returns the IP address of the PROXY.
> https://github.com/apache/commons-net/blob/master/src/main/java/org/apache/commons/net/ftp/FTPClient.java#L883
> Finally we get a data connection attempt to PROXY with: IP address of the 
> PROXY + high port from FTP Server.
> instead of IP address of the FTP Server + high port from FTP Server
> (opening command connection over PROXY was working with: hostname of the FTP 
> Server + port 21)
> Which results with Unable to tunnel through proxy. Proxy returns "HTTP/1.1 
> 403 Forbidden"
> 2025-10-01T11:22:30.424Z ERROR Unable to tunnel through proxy. Proxy returns "HTTP/1.1 403 Forbidden"
> java.io.IOException: Unable to tunnel through proxy. Proxy returns "HTTP/1.1 403 Forbidden"
>     at java.base/sun.net.www.protocol.http.HttpURLConnection.doTunneling0(HttpURLConnection.java:2312)
>     at java.base/sun.net.www.protocol.http.HttpURLConnection.doTunneling(HttpURLConnection.java:2182)
>     at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
>     at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.base/java.lang.reflect.Method.invoke(Method.java:569)
>     at java.base/java.net.HttpConnectSocketImpl.doTunneling(HttpConnectSocketImpl.java:206)
>     at java.base/java.net.HttpConnectSocketImpl.doTunnel(HttpConnectSocketImpl.java:195)
>     at java.base/java.net.HttpConnectSocketImpl$2.run(HttpConnectSocketImpl.java:175)
>     at java.base/java.net.HttpConnectSocketImpl$2.run(HttpConnectSocketImpl.java:173)
>     at java.base/java.security.AccessController.doPrivileged(AccessController.java:569)
>     at java.base/java.net.HttpConnectSocketImpl.privilegedDoTunnel(HttpConnectSocketImpl.java:172)
>     at java.base/java.net.HttpConnectSocketImpl.connect(HttpConnectSocketImpl.java:119)
>     at java.base/java.net.Socket.connect(Socket.java:633)
>     at org.apache.commons.net.ftp.FTPClient._openDataConnection_(FTPClient.java:785)
>     at org.apache.commons.net.ftp.FTPClient._openDataConnection_(FTPClient.java:664)
>     at org.apache.commons.net.ftp.FTPClient.initiateMListParsing(FTPClient.java:2103)
>     at org.apache.commons.net.ftp.FTPClient.mlistDir(FTPClient.java:2557)
>     at org.apache.commons.net.ftp.FTPClient.mlistDir(FTPClient.java:2545)
>     
> We assume if a PROXY is used there should be no attempt to resolve the IP 
> Address on the FTP Client side and response from the Server should be used.
> We have seen that, because of NAT considerations, FTP Client is replacing the 
> reported FTP Server IP Address from the PASV response with the IP Address of 
> the Socket. This is fine without PROXY.
> However in a situation where PROXY is present, FTP Client instructs the PROXY 
> to connect to itself for the data connection, which only works if the PROXY 
> is running on the same host as the FTP Server :)
> Do you have any other use case that may require FTP Client to resolve IP 
> Address of an FTP Server accessible behind a PROXY?
> If not, can the FTP Client be changed to respect the PASV response from the FTP 
> Server when a PROXY is utilized?
> We are aware that this approach would not work if both PROXY is utilized and 
> the FTP Server is behind NAT and FTP Server is reporting its internal IP 
> Address in the PASV response.
> However we do not see any way to mitigate that as in this constellation the 
> external IP Address of the FTP Server remains unknown to FTP Client. Such a 
> setup does not look like a resolvable problem :(



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
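
The data-connection target choice described in the quoted report, as an added example that is not part of the original message and is not Commons Net code. The class `PasvTargetDemo`, its methods and parameters are hypothetical, and the PASV reply and addresses are constructed from documentation ranges.

```java
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.UnknownHostException;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added model of the data-connection target choice; not Commons Net source code.
public class PasvTargetDemo {
    private static final Pattern PASV =
        Pattern.compile("(\\d{1,3}),(\\d{1,3}),(\\d{1,3}),(\\d{1,3}),(\\d{1,3}),(\\d{1,3})");

    /** Parses "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" into host and port. */
    static InetSocketAddress parsePasv(String reply) {
        Matcher m = PASV.matcher(reply);
        if (!reply.startsWith("227") || !m.find()) {
            throw new IllegalArgumentException("not a PASV reply: " + reply);
        }
        int[] n = new int[6];
        for (int i = 0; i < 6; i++) {
            n[i] = Integer.parseInt(m.group(i + 1));
            if (n[i] > 255) throw new IllegalArgumentException("octet out of range: " + n[i]);
        }
        String host = n[0] + "." + n[1] + "." + n[2] + "." + n[3];
        return InetSocketAddress.createUnresolved(host, n[4] * 256 + n[5]);
    }

    // socketPeer is the remote address the control socket reports: the FTP server
    // on a direct connection, the proxy when tunnelling through an HTTP proxy.
    static InetSocketAddress dataTarget(String reply, String socketPeer, boolean viaProxy,
                                        boolean substitutePeer) throws UnknownHostException {
        InetSocketAddress pasv = parsePasv(reply);
        if (substitutePeer) {                       // behaviour described in the report
            return InetSocketAddress.createUnresolved(socketPeer, pasv.getPort());
        }
        // Requested behaviour: keep the server-reported host. With a proxy and a
        // private address in the reply the real server address stays unknown.
        if (viaProxy && InetAddress.getByName(pasv.getHostString()).isSiteLocalAddress()) {
            throw new UnknownHostException("PASV reports private address " + pasv.getHostString());
        }
        return pasv;
    }

    public static void main(String[] args) throws Exception {
        String reply = "227 Entering Passive Mode (203,0,113,10,195,80)"; // constructed
        System.out.println(dataTarget(reply, "203.0.113.10", false, true)); // direct: server
        System.out.println(dataTarget(reply, "192.0.2.5", true, true));     // proxy: wrong host
        System.out.println(dataTarget(reply, "192.0.2.5", true, false));    // proxy: server
    }
}
```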
