Passive FTP
In passive mode FTP, the client initiates both the control connection (port 21) and every data connection to the server. In active mode the server opens the data connection back to the client, which stateful firewalls, NAT devices and intermediary proxies on the client side generally block. For this reason, passive FTP is recommended over active FTP.
For passive File Transfer Protocol (FTP) service, use the layer 7 load balancer found in the LB Layer7 tab. The configuration is written with HAProxy directives and runs the FTP traffic in TCP mode, so the load balancer forwards the control and data connections without parsing them.
The passive configuration documented on this page supports not only FTP but also FTPS (FTP over TLS). FTPS works because the load balancer never needs to read the encrypted control channel: it relies on source-IP stickiness rather than on the PASV reply to send a client's data connections to the same server. It does not support SFTP, which is a file transfer subsystem of SSH (port 22) and not a variant of FTP.
Unlike the active FTP configuration, this solution does not require NAT or the Flow manager.
Configure load balancer
- Click the LB Layer7 tab.
- Erase the default configuration in the text box.
- Copy the following configuration and paste it into the configuration text box.

  ######## Default values for all entries until next defaults section
  defaults
    option dontlognull            # Do not log connections with no requests
    option contstats              # Enable continuous traffic statistics updates
    retries 3                     # Try to connect up to 3 times in case of failure
    timeout connect 5s            # 5 seconds max to connect or to stay in queue
    timeout http-keep-alive 1s    # 1 second max for the client to post next request
    timeout http-request 15s      # 15 seconds max for the client to send a request
    timeout queue 30s             # 30 seconds max queued on load balancer
    backlog 10000                 # Size of SYN backlog queue

  frontend ftp_fe
    bind <VIP>:21 name ftp-control
    ## Limit the port range to prevent file descriptor exhaustion.
    ## Make sure the FTP server is configured with the following options:
    ##
    ## * Passive mode
    ## * Passive IP address MUST match advertised FTP site IP (VIP)
    ## * Passive port range MUST match port range indicated in bind directive
    ##
    bind <VIP>:<port-range> name ftp-data
    mode tcp
    option tcplog
    log global
    default_backend ftp_be21

  backend ftp_be21
    balance leastconn
    # stick on src routes a client to the same server for both control and data. Also provides support for FTPS.
    stick on src
    stick-table type ip size 100k expire 1h    # Stick table needed to support stick on src
    server ftp-server1 <server1-IP> check port 21
    server ftp-server2 <server2-IP> check port 21
- In the defaults section, modify directives as needed.
- In the frontend section:
  - In the bind directives, replace <VIP> with the advertised FTP site IP.
  - In the second bind directive, enter the port range used by your FTP servers for data connections. Keep the range as small as your concurrency needs allow: every port in the range is bound on the VIP and consumes a file descriptor, and each concurrent passive transfer occupies one port for its duration.

  Example: the FTP site is at 192.168.0.100, and ports 50000-50010 are reserved for FTP data connections.

  frontend ftp_fe
    bind 192.168.0.100:21 name ftp-control
    bind 192.168.0.100:50000-50010 name ftp-data

- In the backend section's server directives, enter the FTP server IP addresses. Leave the port off the server lines: when no port is given, HAProxy connects to the server on the same port the client used on the VIP, so a data connection arriving on VIP:50005 is forwarded to the chosen server on port 50005. This is why the servers' passive port range must be identical to the bind range.

  Example: the FTP servers are at 192.168.1.10 and 192.168.1.11.

  backend ftp_be21
    server ftp-server1 192.168.1.10 check port 21
    server ftp-server2 192.168.1.11 check port 21

  The check port 21 option performs the health check against the control port, since the server lines themselves name no port. The leastconn algorithm only decides where a client's first connection lands; subsequent connections from the same source IP follow the stick-table entry until it has been idle for 1h, which keeps the data connection on the server that issued the PASV reply. A data connection that reached a different server would be refused, because that server has no matching passive session. Note that all clients behind one NAT address share a single stick-table entry and therefore a single server.
Click OK and then Apply.
On the Setup tab, in the Configuration section, click Save.
Configure FTP servers
Perform these steps on the FTP servers. Consult the documentation for your FTP server.
- The FTP server must be configured to return the VIP of the FTP service in the PASV reply it sends to the client. The load balancer runs in TCP mode and does not rewrite this reply, so a server that advertises its own address (here 192.168.1.10 or 192.168.1.11) sends clients to a backend address they cannot reach, and the data connection bypasses the load balancer entirely.
  For a vsftpd FTP server, set the pasv_address variable to the VIP for the FTP service:

  pasv_address=192.168.0.100 # IP of ftp.example.com

- Configure the passive FTP port range on the FTP server to match what you have set in the layer 7 load balancer configuration. In the preceding example, the port range was 50000-50010. For vsftpd these are the pasv_min_port and pasv_max_port variables; other servers name the option differently, so consult their documentation.
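After both halves (the load balancer in "Configure load balancer" and the servers in "Configure FTP servers") are in place, the quickest sanity check is to log in through the VIP, send PASV, and confirm that the reply advertises the VIP and a port inside the bind range. The script below is an added example written for this page; it is not part of the page, the product, or vsftpd. It parses 227 (PASV) and 229 (EPSV, RFC 2428) replies, reports mismatches against the VIP 192.168.0.100 and range 50000-50010 from the worked example above, and shows how many concurrent transfers the range allows. The sample replies are constructed, not captured; the live_check function and its anonymous credentials are placeholders for a real run against your VIP.

```python
import ipaddress
import re
from ftplib import FTP  # only used by live_check, which is not run by default

# Values from the worked example on this page (assumed for this script).
VIP = "192.168.0.100"
PASV_PORT_RANGE = (50000, 50010)   # must equal the second bind directive's range

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2).  port = p1*256 + p2
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# 229 Entering Extended Passive Mode (|||port|).  IP is the control-connection IP
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")


def parse_pasv_reply(reply):
    """Return (ip, port) advertised in a PASV or EPSV reply.

    For EPSV the ip is None because the client reuses the address it
    already connected to, which is the VIP when going through the balancer.
    """
    m = PASV_RE.match(reply)
    if m:
        a, b, c, d, p1, p2 = (int(x) for x in m.groups())
        return f"{a}.{b}.{c}.{d}", p1 * 256 + p2
    m = EPSV_RE.match(reply)
    if m:
        return None, int(m.group(1))
    raise ValueError(f"not a passive-mode reply: {reply!r}")


def check_passive_reply(reply, vip=VIP, port_range=PASV_PORT_RANGE):
    """Return a list of problems; an empty list means the reply is consistent."""
    problems = []
    ip, port = parse_pasv_reply(reply)
    lo, hi = port_range
    if ip is not None and ipaddress.ip_address(ip) != ipaddress.ip_address(vip):
        problems.append(f"server advertises {ip}, expected VIP {vip} (check pasv_address)")
    if not lo <= port <= hi:
        problems.append(f"data port {port} is outside the bind range {lo}-{hi}")
    return problems


def concurrent_data_connections(port_range):
    """Each passive transfer occupies one port of the range for its duration."""
    lo, hi = port_range
    return hi - lo + 1


def live_check(host, user="anonymous", password="anonymous@", port=21):
    """Log in through the VIP and check the real PASV reply (placeholder credentials)."""
    with FTP() as ftp:
        ftp.connect(host, port, timeout=10)
        ftp.login(user, password)
        return check_passive_reply(ftp.sendcmd("PASV"))


if __name__ == "__main__":
    # Constructed replies, not captured from a real server.
    good = "227 Entering Passive Mode (192,168,0,100,195,80)."          # VIP, port 50000
    leaked = "227 Entering Passive Mode (192,168,1,10,195,85)."         # backend IP leaked
    out_of_range = "227 Entering Passive Mode (192,168,0,100,196,0)."   # port 50176
    for r in (good, leaked, out_of_range):
        print(r, "->", check_passive_reply(r) or "OK")
    print("concurrent data connections:", concurrent_data_connections(PASV_PORT_RANGE))
```

Run it against a real deployment with live_check("192.168.0.100") from a client outside the backend network: a reply that names a backend address means pasv_address is unset on that server, and a port outside the range means pasv_min_port/pasv_max_port (or the equivalent) disagree with the bind directive.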