When the Alfresco FTP server sits behind a load balancer (e.g. HAProxy in front of an Alfresco cluster) and the client asks to communicate using passive FTP mode (i.e. it sends a PASV FTP command), the server needs to send the client an IP address and a port to connect to for the data transfer.
Presently (Alfresco 5.1) there is no flexibility in the FTP server configuration, and the server seems to always respond with the IP of the interface it binds to.
The ascii art below shows the current situation:
The customer would like us to implement a feature commonly found in other major FTP servers that allows the Alfresco nodes to announce that they are behind a proxy, and thus send the client the IP of the proxy:
1) The URL below clearly presents the issue and its solutions:
It lists three solutions:
Solution 1: The network administrator of the server network can give each slave server a valid externally accessible IP address. The external IP address of the load balancer could be used as the preferred address, but having each slave server have its own external IP address would allow PASV data connections to connect directly to the slave server without requiring traffic from slaves to pass through the load balancer. It also means that the load balancer does not need to do any special automatic handling of FTP.
Solution 2: The network administrator of the server network can consult the load balancing router vendor's documentation to see if FTP connections can be handled automatically so that the PASV reply is dynamically rewritten to contain the external IP address of the load balancer.
Solution 3: If the routing device isn't intelligent enough to take special care of FTP sessions, but has the ability to always forward traffic from the same remote client IP address to the same internal server IP address, then the network administrator of the server network may be able to configure the FTP server software to spoof the address it uses for PASV replies.
Solution 1) is rather ugly, as it requires the client to bypass the load balancer for data.
Solution 2) depends on the proxy and its ability to modify responses to PASV commands. HAProxy does not support this, see note 2).
Solution 3) is what the customer is asking for, i.e. a feature on the FTP server side.
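What Solution 3 changes on the wire, as an added example (not Alfresco code and not taken from the referenced page): the server builds the 227 reply from a configured override instead of its bound interface, and a check flags replies that still advertise an internal address. The `masquerade_ip` parameter, the function names and the sample addresses are hypothetical and constructed for illustration.

```python
import ipaddress
import re

# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"^227 [^(]*\((\d{1,3}(?:,\d{1,3}){5})\)")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def build_pasv_reply(bound_ip, data_port, masquerade_ip=None):
    """Build the server's reply; masquerade_ip is a hypothetical override."""
    if not 0 < data_port < 65536:
        raise ValueError("data port out of range")
    # Without an override the server advertises the interface it bound to.
    advertised = ipaddress.IPv4Address(masquerade_ip or bound_ip)
    octets = str(advertised).replace(".", ",")
    return "227 Entering Passive Mode (%s,%d,%d)" % (
        octets, data_port >> 8, data_port & 0xFF)


def parse_pasv_reply(reply):
    """Return (host, port) exactly as an FTP client would decode them."""
    m = PASV_RE.match(reply.strip())
    if m is None:
        raise ValueError("not a 227 PASV reply")
    nums = [int(n) for n in m.group(1).split(",")]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in PASV reply")
    host = ".".join(str(n) for n in nums[:4])
    return host, nums[4] * 256 + nums[5]


def advertises_internal_address(reply):
    """True when the reply points the client at a loopback/RFC 1918 address."""
    host, _ = parse_pasv_reply(reply)
    addr = ipaddress.IPv4Address(host)
    return addr.is_loopback or any(addr in net for net in RFC1918)


if __name__ == "__main__":
    # Constructed sample values: cluster node, load balancer, data port.
    NODE_IP, PROXY_IP, PORT = "10.0.0.21", "203.0.113.10", 50021
    for reply in (build_pasv_reply(NODE_IP, PORT),
                  build_pasv_reply(NODE_IP, PORT, PROXY_IP)):
        print(reply, "-> internal address advertised:",
              advertises_internal_address(reply))
```

The advertised data port still has to be forwarded through the load balancer to the same node, which is why the ProFTPd example quoted further down pairs MasqueradeAddress with PassivePorts.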
That page disappeared but can be found in cache at:
(also attached here as ben.timby.com_page210.html for the record)
This page clearly states that one needs to use an FTP server feature for PASV mode; see the phrase:
As an example, ProFTPd can be configured as required using the MasqueradeAddress and PassivePorts directives.
3) Here is a list of the parameter names used by the major FTP servers, showing that they all have this feature implemented:
pasv_address: Use this option to override the IP address that vsftpd will advertise in response to the PASV command. Provide a numeric IP address, unless pasv_addr_resolve is enabled, in which case you can provide a hostname which will be DNS resolved for you at startup.
MasqueradeAddress – Configure the server address presented to clients
4) The use of HAProxy is documented in several places in our docs (for SSL and for CIFS).
This seems to indicate that it is not a proxy that is "too" basic to be used in an Alfresco Enterprise setup.