HAProxy ALOHA Documentation 15.5

Passive FTP

In passive-mode FTP, the client initiates all connections to the server, both control and data, which makes it compatible with intermediary proxies and firewalls that would block connections initiated by the server. For this reason, passive FTP is recommended over active FTP.

For passive File Transfer Protocol (FTP) service, use the layer 7 load balancer found in the LB Layer7 tab.

The passive configuration documented on this page supports not only FTP but also FTPS (FTP over TLS). It does not support SFTP, which is a different protocol that runs over SSH rather than FTP.

Unlike the active FTP configuration, this solution does not require NAT or the Flow manager.

Configure load balancer

  1. Click the LB Layer7 tab.

  2. Erase the default configuration in the text box.

  3. Copy the following configuration and paste it into the configuration text box.

    ######## Default values for all entries until next defaults section
    defaults
        option  dontlognull        # Do not log connections with no requests
        option  contstats          # Enable continuous traffic statistics updates
        retries 3                  # Try to connect up to 3 times in case of failure
        timeout connect 5s         # 5 seconds max to connect or to stay in queue
        timeout http-keep-alive 1s # 1 second max for the client to post next request
        timeout http-request 15s   # 15 seconds max for the client to send a request
        timeout queue 30s          # 30 seconds max queued on load balancer
        backlog 10000              # Size of SYN backlog queue
    
    frontend ftp_fe
        bind <VIP>:21 name ftp-control
        ## Limit the port range to prevent file descriptor exhaustion.
        ## Make sure the FTP server is configured with the following options:
        ##
        ##  * Passive mode
        ##  * Passive IP address MUST match advertised FTP site IP (VIP)
        ##  * Passive port range MUST match port range indicated in bind directive
        ##
        bind <VIP>:<port-range> name ftp-data
        mode tcp
        option tcplog
        log global
        default_backend ftp_be21
    
    backend ftp_be21
        balance leastconn
        # stick on src routes a client to the same server for both control and data. Also provides support for FTPS.
        stick on src
        stick-table type ip size 100k expire 1h          # Stick table needed to support stick on src
        server ftp-server1 <server1-IP> check port 21
        server ftp-server2 <server2-IP> check port 21

  4. In the defaults section, modify directives as needed.

  5. In the frontend section:

    • In the bind directives, modify the IP addresses (<VIP>) to match the advertised FTP site IP.

    • In the second bind directive, enter the port range used by your FTP servers for data connections. Minimize the range to avoid exhausting file descriptors.

    For example, if the FTP site is at 192.168.0.100 and ports 50000-50010 are reserved for FTP data connections:

    frontend ftp_fe
      bind 192.168.0.100:21 name ftp-control
      bind 192.168.0.100:50000-50010 name ftp-data

  6. In the backend section server directives, enter FTP server IP addresses.

    For example, if the FTP servers are at 192.168.1.10 and 192.168.1.11:

    backend ftp_be21
        server ftp-server1 192.168.1.10 check port 21
        server ftp-server2 192.168.1.11 check port 21

  7. Click OK and then Apply.

  8. On the Setup tab, in the Configuration section, click Save.

Configure FTP servers

Perform these steps on the FTP servers. Consult the documentation for your FTP server.

  1. The FTP server must be configured to return the VIP of the FTP service, rather than its own address, in the PASV reply (the layer 7 payload) sent back to the client.

    For a vsftpd FTP server, set the pasv_address directive in vsftpd.conf to the VIP of the FTP service. vsftpd does not accept trailing comments on a directive line, so keep the comment on its own line:

    # IP of ftp.example.com
    pasv_address=192.168.0.100

  2. Configure the passive FTP port range on the FTP server to match the range you set in the second bind directive of the layer 7 load balancer configuration. In the preceding example, the port range was 50000-50010.
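A check for the two MUST match requirements stated in the frontend comments and in step 1 above, added here as an example and not part of the ALOHA documentation or product: it reads the VIP and port range from the ftp-data bind line and decodes a 227 PASV reply captured from the control connection, then reports whether the server advertised the VIP and a port the load balancer actually listens on. The frontend text and the replies are constructed samples.

```python
import re

# Constructed sample of the frontend section from this page (not a live config).
HAPROXY_FRONTEND = """\
frontend ftp_fe
    bind 192.168.0.100:21 name ftp-control
    bind 192.168.0.100:50000-50010 name ftp-data
    mode tcp
"""

# bind <ip>:<port>[-<port>] name <name>
BIND_RE = re.compile(r"^\s*bind\s+(\S+):(\d+)(?:-(\d+))?\s+name\s+(\S+)", re.M)
# RFC 959 PASV reply: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_ftp_data_bind(cfg):
    """Return (vip, low_port, high_port) from the bind line named ftp-data."""
    for vip, lo, hi, name in BIND_RE.findall(cfg):
        if name == "ftp-data":
            return vip, int(lo), int(hi or lo)
    raise ValueError("no bind directive named ftp-data in frontend")


def parse_pasv_reply(line):
    """Decode the address and port advertised in a 227 reply."""
    m = PASV_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a PASV reply: {line!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def check_pasv_reply(cfg, reply):
    """Return a list of mismatches between the reply and the ftp-data bind."""
    vip, lo, hi = parse_ftp_data_bind(cfg)
    ip, port = parse_pasv_reply(reply)
    problems = []
    if ip != vip:
        # The server advertised its own address (pasv_address not set): the
        # client will try to reach the backend directly and bypass the VIP.
        problems.append(f"advertised {ip} but VIP is {vip}")
    if not lo <= port <= hi:
        # Outside the bind range the load balancer is not listening at all.
        problems.append(f"port {port} outside bind range {lo}-{hi}")
    return problems


if __name__ == "__main__":
    print(check_pasv_reply(HAPROXY_FRONTEND, "227 Entering Passive Mode (192,168,1,10,195,100)."))
```

A reply that passes returns an empty list; a reply that leaks a backend address or a port outside the range returns one message per mismatch.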
