Re: Is FTP through haproxy at all viable?
> > I consider openssh for sftp pretty much unusable for clients/customers.

I wouldn’t say that. Certainly true if they don’t actually know what they’re doing.

As for the setup: yes, the first directory users can write to in a chroot setup is a subdirectory of the home directory (because $HOME needs to be owned by root). But everything else is pretty simple. You don’t need any special devices or other stuff in the chroot itself. It basically just works in my experience. If you want to chroot a full, interactive shell, though, you’re jumping into a world of pain…

Doesn’t have much to do with haproxy, though. Personally, I’m not sure if load-balancing FTP is worth the effort. Also, it looks like it’s quite "fragile" and as such the load-balancing might break more often than a single server without load-balancing.
Re: Is FTP through haproxy at all viable?
On 09.05.2015 21:50, Shawn Heisey wrote:
> On 5/9/2015 11:43 AM, Dennis Jacobfeuerborn wrote:
>> Most FTP clients these days support SFTP as well and if you use say
>> proftpd+mod_sftp then handling SFTP on the server side becomes pretty
>> much identical to handling FTP (except all that active/passive nonsense
>> goes away and nobody can simply sniff passwords on the wire).
>
> There are dozens of clients out there among our customer base, many of
> which have been using the same software for the last ten years or more,
> and most of that old software is probably written by an internal
> developer that quit years ago, not an off-the-shelf FTP/SFTP client.
>
> When we finally manage to get a server for SFTP installed, we can ask
> our clients to switch, but I'm sure many of them will think we're insane.

Yes, with these kinds of legacy clients there is little one can do since their requirements are their requirements and that's that. I've seen plenty of admins who still hand out FTP accounts simply because "that's how it has always been done", thus keeping these outdated protocols alive artificially. When I talk to customers and they ask for FTP I simply offer them SFTP instead, which is more secure, and they usually accept it right away.

> I will look into the sftp module for proftpd. Hopefully that will be
> easier to secure than openssh. It can be tricky to make sure clients
> don't get shell access and are chrooted into their home directory when
> using openssh. It's not impossible, just challenging.

I consider openssh for sftp pretty much unusable for clients/customers. Since I set up 99% of accounts with chroots, the mere fact that one has to create a proper jail and then confine a user to a sub-directory of their home directory for security reasons makes this way too much of a pain in the behind. With mod_sftp you create an empty home directory for that user and then tell proftpd to chroot users to their home directory and you are done. No building of jails and thus *way* easier to deal with.

Regards,
Dennis
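The openssh side of this exchange (Shawn's "chrooted into their home directory" requirement, Dennis's objection that the jail must be built by hand, and the reply above that explains why the first writable directory has to be a subdirectory of a root-owned $HOME) as an added shell example. This is not code from the thread or from the OpenSSH project; the group name `sftponly`, the `upload` directory name and the use of GNU `stat -c` are assumptions. It emits the `sshd_config` Match block, checks a path the way sshd checks a `ChrootDirectory` (every component root-owned and not group- or world-writable), and lays out the home directory accordingly.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenSSH: sftp-only chroot layout
# with a root-owned $HOME as the jail and a writable subdirectory inside it.
# Assumptions: group "sftponly", subdirectory "upload", GNU stat for -c.

# sshd_config Match block for the sftp-only group: internal-sftp replaces any
# command (so no shell), all forwarding is off, the jail is the home dir (%h).
gen_sshd_match() {
    printf 'Match Group sftponly\n'
    printf '    ChrootDirectory %%h\n'
    printf '    ForceCommand internal-sftp\n'
    printf '    AllowTcpForwarding no\n'
    printf '    AllowAgentForwarding no\n'
    printf '    X11Forwarding no\n'
    printf '    PermitTunnel no\n'
}

# component_ok UID MODE -> 0 when one path component satisfies the
# ChrootDirectory rule: owned by root (uid 0) and no write bit for group or
# others. MODE is the octal permission string as stat prints it, e.g. 755.
component_ok() {
    [ "$1" = 0 ] || return 1
    tail2=$(printf '%s' "$2" | tail -c 2)     # group digit, other digit
    for d in "${tail2%?}" "${tail2#?}"; do
        case $d in 2|3|6|7) return 1 ;; esac  # digit has the write bit set
    done
    return 0
}

# chroot_path_ok DIR -> 0 when DIR and every parent up to / pass component_ok.
# Read-only check; needs no privileges, only GNU stat.
chroot_path_ok() {
    p=$1
    while :; do
        info=$(stat -c '%u %a' "$p" 2>/dev/null) || return 1
        component_ok "${info% *}" "${info#* }" || return 1
        [ "$p" = / ] && return 0
        p=$(dirname "$p")
    done
}

# Lay out a home for an sftp-only user: the jail stays root-owned and
# unwritable, the user owns only "upload" beneath it. Needs root; not run here.
setup_sftp_home() {    # setup_sftp_home USER [BASE]
    base=${2:-/home}
    mkdir -p "$base/$1/upload"
    chown root:root "$base/$1"
    chmod 755 "$base/$1"
    chown "$1" "$base/$1/upload"
    chmod 700 "$base/$1/upload"
    chroot_path_ok "$base/$1"   # verify the result sshd will see
}

gen_sshd_match
if chroot_path_ok /usr; then
    echo "# /usr passes the ChrootDirectory ownership check on this host"
fi
```

`chroot_path_ok` exists because sshd silently refuses the login when any component of the jail path is wrong, so checking the layout before handing out the account is what saves the support call; `setup_sftp_home` is the part Dennis finds tedious, and the check is why the user lands in `/` of the jail but can only write under `upload`.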
Re: Is FTP through haproxy at all viable?
On 5/9/2015 11:43 AM, Dennis Jacobfeuerborn wrote:
> Most FTP clients these days support SFTP as well and if you use say
> proftpd+mod_sftp then handling SFTP on the server side becomes pretty
> much identical to handling FTP (except all that active/passive nonsense
> goes away and nobody can simply sniff passwords on the wire).

There are dozens of clients out there among our customer base, many of which have been using the same software for the last ten years or more, and most of that old software is probably written by an internal developer that quit years ago, not an off-the-shelf FTP/SFTP client.

When we finally manage to get a server for SFTP installed, we can ask our clients to switch, but I'm sure many of them will think we're insane.

I will look into the sftp module for proftpd. Hopefully that will be easier to secure than openssh. It can be tricky to make sure clients don't get shell access and are chrooted into their home directory when using openssh. It's not impossible, just challenging.

Thanks,
Shawn
Re: Is FTP through haproxy at all viable?
On 09.05.2015 16:15, Shawn Heisey wrote:
> On 5/9/2015 2:04 AM, Malcolm Turnbull wrote:
>> LVS with FTP works fine in the current kernels but does need the
>> correct firewall modules loaded + conntrack enabled.
>
> I was really hoping to avoid that, but the more I've read, the more I've
> dreaded that the firewall would be required. Setting it up in haproxy
> would allow me to drop dependence on the kernel load balancer, which
> would be really nice.
>
>> You can do active and passive FTP with HAProxy.
>> Active needs TPROXY so the server can see the client IP address, it
>> also needs iptables rules on the FTP servers to make sure they reply
>> on the right address.
>>
>> Passive is simpler but requires a bit of fiddling on the FTP server,
>> we have several examples in our manual here (page 168):
>> http://pdfs.loadbalancer.org/loadbalanceradministrationv7.pdf
>
> After a quick glance, this is probably good, but there's a hiccup ...
> these instructions use a GUI to configure haproxy and "iptables"
> commands to configure the firewall. I don't have this GUI, and I'm on
> ubuntu, which uses ufw to configure the firewall. Therefore I need
> actual haproxy config and firewall config that is specific to ufw,
> preferably something I can drop into the /etc/ufw/applications.d directory.
>
>> The world would be a much nicer place if everyone used SSH/SCP/SFTP
>> and FTP was never invented :-).
>
> I totally agree. Not sure what the original author was smoking, having
> the server make a separate connection directly to the client. Passive
> mode is a slight improvement, except that now there are two different
> ways of doing it, and you never know which method will be available to
> your users. Unfortunately FTP is extremely widespread and grasped by
> customers, and it can be difficult to secure SFTP properly on the server
> side.

Most FTP clients these days support SFTP as well and if you use say proftpd+mod_sftp then handling SFTP on the server side becomes pretty much identical to handling FTP (except all that active/passive nonsense goes away and nobody can simply sniff passwords on the wire).

Regards,
Dennis
Re: Is FTP through haproxy at all viable?
On 5/9/2015 2:04 AM, Malcolm Turnbull wrote:
> LVS with FTP works fine in the current kernels but does need the
> correct firewall modules loaded + conntrack enabled.

I was really hoping to avoid that, but the more I've read, the more I've dreaded that the firewall would be required. Setting it up in haproxy would allow me to drop dependence on the kernel load balancer, which would be really nice.

> You can do active and passive FTP with HAProxy.
> Active needs TPROXY so the server can see the client IP address, it
> also needs iptables rules on the FTP servers to make sure they reply
> on the right address.
>
> Passive is simpler but requires a bit of fiddling on the FTP server,
> we have several examples in our manual here (page 168):
> http://pdfs.loadbalancer.org/loadbalanceradministrationv7.pdf

After a quick glance, this is probably good, but there's a hiccup ... these instructions use a GUI to configure haproxy and "iptables" commands to configure the firewall. I don't have this GUI, and I'm on ubuntu, which uses ufw to configure the firewall. Therefore I need actual haproxy config and firewall config that is specific to ufw, preferably something I can drop into the /etc/ufw/applications.d directory.

> The world would be a much nicer place if everyone used SSH/SCP/SFTP
> and FTP was never invented :-).

I totally agree. Not sure what the original author was smoking, having the server make a separate connection directly to the client. Passive mode is a slight improvement, except that now there are two different ways of doing it, and you never know which method will be available to your users. Unfortunately FTP is extremely widespread and grasped by customers, and it can be difficult to secure SFTP properly on the server side.

Thanks,
Shawn
Re: Is FTP through haproxy at all viable?
On 5/8/2015 8:39 AM, Ben Timby wrote:
> With some iptables rules you can use FTP active and passive mode via
> haproxy.
>
> The key is to assign unique passive port ranges to each backend then
> port forward those ranges. You must be able to configure each FTP server
> daemon with its own range.
>
> You must also be able to configure your FTP daemon to masquerade as the
> load balancer so that it sends the proper address for port commands etc.
> Most FTP servers support the necessary options.

The FTP servers are ncftpd. If we configure it this way, then we will ONLY be able to access passive FTP through haproxy, whereas currently (with the old software) we can access it by going direct to the back end server *or* through the VIP. If this is the only way I can get it working, I'll do it, but I don't like losing functionality.

I'm very curious why I can't simply use the kernel load balancer in 3.13 like I can in 2.6.18, and have it handle passive FTP with the ip_vs_ftp module. I've filed an ubuntu bug against the kernel:

https://bugs.launchpad.net/ubuntu/+source/linux/+bug/145318

I am starting to get the impression that I will need to enable the Linux firewall for either haproxy or LVS ... if that's the case, I will need instructions specific to ubuntu, so it will work properly with ufw.

Thanks,
Shawn
Re: Is FTP through haproxy at all viable?
With some iptables rules you can use FTP active and passive mode via haproxy.

The key is to assign unique passive port ranges to each backend then port forward those ranges. You must be able to configure each FTP server daemon with its own range.

You must also be able to configure your FTP daemon to masquerade as the load balancer so that it sends the proper address for port commands etc. Most FTP servers support the necessary options.

On May 8, 2015 10:20 AM, "Baptiste" wrote:
> On Fri, May 8, 2015 at 4:02 PM, Shawn Heisey wrote:
> > I have a load balancer setup with both haproxy and LVS-NAT. The LVS-NAT
> > is giving us high availability for FTP.
> >
> > When I tried migrating everything from CentOS 5, where it all works, to
> > Ubuntu 14 (for the newer kernel and because I find debian-based systems
> > far easier to use), everything worked except passive FTP.
> >
> > Is there a viable solution for FTP through haproxy? The machine has
> > public IP addresses on one side and private on the other, and is
> > configured with ip forwarding turned on, so the redundant pair acts as
> > the default gateway for the backend machines. Everything is behind a
> > Cisco firewall, so I have disabled the ufw firewall that Ubuntu includes.
> >
> > Alternatively, if someone can help me make passive FTP work through
> > LVS-NAT like it does on CentOS, I am fine with that. I've asked for
> > help on that here:
> >
> > http://askubuntu.com/questions/620853/lvs-nat-doesnt-work-with-passive-ftp-active-ftp-is-fine
> >
> > Thanks,
> > Shawn
>
> Hi Shawn,
>
> Well, FTP can work in active mode only.
> To configure it, you must open port 21 and the active ports where your
> FTP server expects the user to get connected to.
>
> Baptiste
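Ben's scheme (one unique passive port range per backend, each range forwarded to that backend only) and Shawn's request for plain haproxy configuration plus a ufw profile for /etc/ufw/applications.d, as an added shell example. It is not code from the thread, from HAProxy or from ufw; the backend names and addresses, the 60000-based port blocks and the profile name are constructed. The script emits the haproxy `listen` sections and the ufw application profile from one backend list, and checks the property the whole approach relies on, that no two backends share a passive port.

```shell
#!/bin/sh
# Added example, not from the thread or from haproxy/ufw: generate an haproxy
# configuration and a ufw application profile for passive FTP behind haproxy,
# giving every backend its own passive port range. All names, addresses and
# port numbers below are constructed values.

FTP_BACKENDS="ftp1:10.0.0.11 ftp2:10.0.0.12"   # name:ip pairs (constructed)
PASV_BASE=60000    # first passive port of backend 1 (constructed)
PASV_SIZE=100      # passive ports per backend (constructed)

# pasv_range N -> "first-last" for the Nth backend (1-based). Consecutive,
# non-overlapping blocks, so a data port identifies exactly one backend.
pasv_range() {
    first=$(( PASV_BASE + ($1 - 1) * PASV_SIZE ))
    last=$(( first + PASV_SIZE - 1 ))
    printf '%s-%s' "$first" "$last"
}

# The control channel (21) is balanced across all backends. Each passive
# range is pinned to the single backend that advertises those ports in its
# PASV replies, so the data connection reaches the server that owns the
# control session. A server line without a port makes haproxy connect to
# the port the client used, which is what a port-range bind needs.
gen_haproxy_cfg() {
    printf 'listen ftp-control\n    bind *:21\n    mode tcp\n    balance roundrobin\n'
    for b in $FTP_BACKENDS; do
        printf '    server %s %s:21 check\n' "${b%%:*}" "${b#*:}"
    done
    i=1
    for b in $FTP_BACKENDS; do
        printf '\nlisten ftp-passive-%s\n    bind *:%s\n    mode tcp\n    server %s %s check port 21\n' \
            "${b%%:*}" "$(pasv_range "$i")" "${b%%:*}" "${b#*:}"
        i=$(( i + 1 ))
    done
}

# ufw application profile (drop into /etc/ufw/applications.d): 21/tcp plus
# every passive range, ranges written first:last as ufw profiles expect.
gen_ufw_profile() {
    ports=21
    i=1
    for b in $FTP_BACKENDS; do
        r=$(pasv_range "$i")
        ports="$ports,${r%-*}:${r#*-}"
        i=$(( i + 1 ))
    done
    printf '[HAProxy-FTP]\ntitle=HAProxy FTP front end\n'
    printf 'description=FTP control port and per-backend passive data ranges\n'
    printf 'ports=%s/tcp\n' "$ports"
}

# The scheme only works if no two backends share a passive port: returns 0
# when every range starts above the previous one's end.
pasv_ranges_disjoint() {
    prev_last=0
    i=1
    for b in $FTP_BACKENDS; do
        r=$(pasv_range "$i")
        [ "${r%-*}" -gt "$prev_last" ] || return 1
        prev_last=${r#*-}
        i=$(( i + 1 ))
    done
    return 0
}

pasv_ranges_disjoint || { echo "overlapping passive ranges" >&2; exit 1; }
gen_haproxy_cfg
echo
gen_ufw_profile
```

Each FTP daemon still has to be told its own range and to advertise the VIP in PASV replies, with whatever options that daemon provides (the thread does not name ncftpd's). Enable the profile with `ufw allow HAProxy-FTP` after copying it into place; it opens only the control port and the passive blocks the backends will actually hand out, nothing wider.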
Re: Is FTP through haproxy at all viable?
On Fri, May 8, 2015 at 4:02 PM, Shawn Heisey wrote:
> I have a load balancer setup with both haproxy and LVS-NAT. The LVS-NAT
> is giving us high availability for FTP.
>
> When I tried migrating everything from CentOS 5, where it all works, to
> Ubuntu 14 (for the newer kernel and because I find debian-based systems
> far easier to use), everything worked except passive FTP.
>
> Is there a viable solution for FTP through haproxy? The machine has
> public IP addresses on one side and private on the other, and is
> configured with ip forwarding turned on, so the redundant pair acts as
> the default gateway for the backend machines. Everything is behind a
> Cisco firewall, so I have disabled the ufw firewall that Ubuntu includes.
>
> Alternatively, if someone can help me make passive FTP work through
> LVS-NAT like it does on CentOS, I am fine with that. I've asked for
> help on that here:
>
> http://askubuntu.com/questions/620853/lvs-nat-doesnt-work-with-passive-ftp-active-ftp-is-fine
>
> Thanks,
> Shawn

Hi Shawn,

Well, FTP can work in active mode only.
To configure it, you must open port 21 and the active ports where your FTP server expects the user to get connected to.

Baptiste
Is FTP through haproxy at all viable?
I have a load balancer setup with both haproxy and LVS-NAT. The LVS-NAT is giving us high availability for FTP.

When I tried migrating everything from CentOS 5, where it all works, to Ubuntu 14 (for the newer kernel and because I find debian-based systems far easier to use), everything worked except passive FTP.

Is there a viable solution for FTP through haproxy? The machine has public IP addresses on one side and private on the other, and is configured with ip forwarding turned on, so the redundant pair acts as the default gateway for the backend machines. Everything is behind a Cisco firewall, so I have disabled the ufw firewall that Ubuntu includes.

Alternatively, if someone can help me make passive FTP work through LVS-NAT like it does on CentOS, I am fine with that. I've asked for help on that here:

http://askubuntu.com/questions/620853/lvs-nat-doesnt-work-with-passive-ftp-active-ftp-is-fine

Thanks,
Shawn