Re: [EXT] FTP Server in passive mode with HAProxy Frontend and Backend nodes

2022-04-17 Thread Roberto Carna
Dear all, thank you so much for your help.

So I'll define my backends without the port 21, in order to hit the port
that was defined in the frontend connection as Erwan said.

But viewing my graph:

Internet IP -- HAProxy Frontend IP -- HAProxy Backend IP -- FTP server IP

What IP do I have to define in the Filezilla server? Should I use the
HAProxy backend IP which is in front of the FTP server???

Regards!!!

On Fri, 15 Apr 2022 at 5:15, Erwan Le Pape (<haproxy-ml-3ff0f...@erwanlepape.com>) wrote:

>  Hi Marno & Roberto,
>
> You can simply redirect to the matching frontend port by not specifying a
> port in the backend, it will automatically hit the same port that was used
> in the front-end connection. That should make for a much cleaner
> configuration 
>
> It's documented in section 2.5 if you want to read up on it.
>
> So simply using the following backend should work :
> backend HAProxy_BE
>     mode tcp
>     server HAProxy-Node-2 172.17.17.1 check port 21
>
> Cheers,
>
> Erwan
> On 15/04/2022 09:10, Marno Krahmer wrote:
>
>
>
> Hey Roberto,
>
> Yes, there is a misconfiguration in both config snippets that you sent:
>
> frontend Frontend_FTP
>
>    bind *:21
>    bind *:2-20010
>    mode tcp
>    option tcplog
>    timeout client 1h
>    default_backend HAProxy_BE
>
> backend HAProxy_BE
>
>    mode tcp
>    server HAProxy-Node-2 172.17.17.1:21 check port 21
>
> In your frontend, you are accepting connections on Port 21 and 2-20010
>
> But in your backends, you forward all connections to Port 21, even the
> data connections.
> I don’t know if you can configure HAProxy in a way to dynamically use the
> same port to the backend, that was used in the frontend.
> But I am not aware of such a feature.
>
> You could explicitly create all listeners for the data ports you use and
> explicitly forward them to the same port.
>
> Would not be beautiful config, but would work.
>
> Cheers
> Marno
>
> On 15.04.2022 at 02:39, Roberto Carna wrote:
>
> 
> Dear all, I have to put to work an FTP server (Filezilla) in my backend
> network, as this:
>
> Internet -- Firewall -- HAProxy Frontend -- HAProxy Backend -- FTP server
> (passive mode)
>
> This is my configuration in my HAProxy FE:
>
> frontend Frontend_FTP
>
>    bind *:21
>    bind *:2-20010
>    mode tcp
>    option tcplog
>    timeout client 1h
>    default_backend HAProxy_BE
>
> backend HAProxy_BE
>
>    mode tcp
>    server HAProxy-Node-2 172.17.17.1:21 check port 21
>
> This is my configuration in my HAProxy BE:
>
> frontend Backend_FTP
>
>    bind *:21
>    bind *:2-20010
>    mode tcp
>    option tcplog
>    timeout client 1h
>    default_backend FTP_Server
>
> backend FTP_Server
>
>    mode tcp
>    server HOST-FTP 10.12.1.4:21 check port 21
>
> The FTP control session works OK, but the data session fails.
>
> Is there any error in the HAProxy configuration files from Frontend and
> Backend?
>
> Special thanks, regards!!!
>
>
>
>
>


Re: [EXT] FTP Server in passive mode with HAProxy Frontend and Backend nodes

2022-04-15 Thread Erwan Le Pape

 Hi Marno & Roberto,

You can simply redirect to the matching frontend port by not specifying 
a port in the backend, it will automatically hit the same port that was 
used in the front-end connection. That should make for a much cleaner 
configuration 


It's documented in section 2.5 if you want to read up on it.


So simply using the following backend should work :
backend HAProxy_BE
    mode tcp
    server HAProxy-Node-2 172.17.17.1 check port 21

Cheers,

Erwan

On 15/04/2022 09:10, Marno Krahmer wrote:



Hey Roberto,

Yes, there is a misconfiguration in both config snippets that you sent:

frontend Frontend_FTP

   bind *:21
   bind *:2-20010
   mode tcp
   option tcplog
   timeout client 1h
   default_backend HAProxy_BE

backend HAProxy_BE

        mode tcp
        server HAProxy-Node-2 172.17.17.1:21 check port 21


In your frontend, you are accepting connections on Port 21 and 2-20010

But in your backends, you forward all connections to Port 21, even the 
data connections.
I don’t know if you can configure HAProxy in a way to dynamically use 
the same port to the backend, that was used in the frontend.

But I am not aware of such a feature.

You could explicitly create all listeners for the data ports you use 
and explicitly forward them to the same port.


Would not be beautiful config, but would work.

Cheers
Marno


On 15.04.2022 at 02:39, Roberto Carna wrote:


Dear all, I have to put to work an FTP server (Filezilla) in my 
backend network, as this:


Internet -- Firewall -- HAProxy Frontend -- HAProxy Backend -- FTP 
server (passive mode)


This is my configuration in my HAProxy FE:

frontend Frontend_FTP

   bind *:21
   bind *:2-20010
   mode tcp
   option tcplog
   timeout client 1h
   default_backend HAProxy_BE

backend HAProxy_BE

        mode tcp
        server HAProxy-Node-2 172.17.17.1:21 check port 21


This is my configuration in my HAProxy BE:

frontend Backend_FTP

   bind *:21
   bind *:2-20010
   mode tcp
   option tcplog
   timeout client 1h
   default_backend FTP_Server

backend FTP_Server

        mode tcp
        server HOST-FTP 10.12.1.4:21  check port 21

The FTP control session works OK, but the data session fails.

Is there any error in the HAProxy configuration files from Frontend 
and Backend?


Special thanks, regards!!!





Re: [EXT] FTP Server in passive mode with HAProxy Frontend and Backend nodes

2022-04-15 Thread Marno Krahmer


Hey Roberto,

Yes, there is a misconfiguration in both config snippets that you sent:

frontend Frontend_FTP

   bind *:21
   bind *:2-20010
   mode tcp
   option tcplog
   timeout client 1h
   default_backend HAProxy_BE

backend HAProxy_BE

   mode tcp
   server HAProxy-Node-2 172.17.17.1:21 check port 21

In your frontend, you are accepting connections on Port 21 and 2-20010

But in your backends, you forward all connections to Port 21, even the data 
connections.
I don’t know if you can configure HAProxy in a way to dynamically use the same 
port to the backend, that was used in the frontend.
But I am not aware of such a feature.

You could explicitly create all listeners for the data ports you use and 
explicitly forward them to the same port.

Would not be beautiful config, but would work.

Cheers
Marno

On 15.04.2022 at 02:39, Roberto Carna wrote:


Dear all, I have to put to work an FTP server (Filezilla) in my backend 
network, as this:

Internet -- Firewall -- HAProxy Frontend -- HAProxy Backend -- FTP server 
(passive mode)

This is my configuration in my HAProxy FE:

frontend Frontend_FTP

   bind *:21
   bind *:2-20010
   mode tcp
   option tcplog
   timeout client 1h
   default_backend HAProxy_BE

backend HAProxy_BE

   mode tcp
   server HAProxy-Node-2 172.17.17.1:21 check port 21

This is my configuration in my HAProxy BE:

frontend Backend_FTP

   bind *:21
   bind *:2-20010
   mode tcp
   option tcplog
   timeout client 1h
   default_backend FTP_Server

backend FTP_Server

mode tcp
server HOST-FTP 10.12.1.4:21 check port 21

The FTP control session works OK, but the data session fails.

Is there any error in the HAProxy configuration files from Frontend and Backend?

Special thanks, regards!!!
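
Added example, not part of any message in this thread: a small Python model of the two-proxy chain that parses a passive-mode 227 reply and traces where the data connection lands, showing why the control session works while the data session fails when every `server` line pins port 21, and why the port-less `server` line fixes it. The public address 203.0.113.10, the passive range 50000-50010, the sample 227 reply and the hop model are constructed assumptions, not values from the thread.

```python
import re

# Constructed sample values (assumptions, not taken from the thread).
PUBLIC_IP = "203.0.113.10"  # address Internet clients use to reach the HAProxy frontend
PASV_REPLY = "227 Entering Passive Mode (203,0,113,10,195,85)"  # port = 195*256 + 85
LISTEN = {21} | set(range(50000, 50011))  # control port plus an assumed passive range

def parse_pasv(reply):
    """Return (host, port) advertised in an RFC 959 '227' passive-mode reply."""
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if not m:
        raise ValueError("not a 227 passive-mode reply")
    n = [int(x) for x in m.groups()]
    if any(v > 255 for v in n):
        raise ValueError("field out of range")
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]

def trace(port, hops):
    """Follow a TCP connection to `port` through the proxy chain.

    Each hop is (name, listen_ports, server_port). server_port=None models a
    'server' line without a port, which reuses the port the client connected to.
    Returns the port that reaches the FTP server, or None if a hop has no listener.
    """
    for _name, listen, server_port in hops:
        if port not in listen:
            return None
        port = port if server_port is None else server_port
    return port

def data_channel_ok(reply, hops, public_ip=PUBLIC_IP):
    """True if the advertised endpoint is reachable and arrives on the advertised port.

    Assumes the client connects to the host given in the 227 reply.
    """
    host, port = parse_pasv(reply)
    return host == public_ip and trace(port, hops) == port

# Both proxies as posted: every connection is forwarded to port 21.
AS_POSTED = [("HAProxy FE", LISTEN, 21), ("HAProxy BE", LISTEN, 21)]
# Both proxies with the port removed from the 'server' line.
PORTLESS = [("HAProxy FE", LISTEN, None), ("HAProxy BE", LISTEN, None)]

if __name__ == "__main__":
    host, port = parse_pasv(PASV_REPLY)
    print("advertised data endpoint:", host, port)
    print("as posted -> server port:", trace(port, AS_POSTED))
    print("port-less -> server port:", trace(port, PORTLESS))
```

The host check also covers the case where the FTP server advertises an internal address such as 10.12.1.4 in its 227 reply: the ports then map correctly, but a client on the Internet has no route to that address.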