MNT-16433 (project: Service Packs and Hot Fixes)

Alfresco FTP server and Passive Mode clients

    Details

    • Type: Feature
    • Status: Closed
    • Resolution: Fixed
    • Affects Version/s: 5.1
    • Fix Version/s: 6.0
    • Component/s: FTP
    • Environment:
      any alfresco FTP server behind a basic load balancer or proxy like HA Proxy
    • Bug Priority:
      Category 3
    • ACT Numbers:

      00667930

    • Premier Customer:
      Yes

      Description

      When the Alfresco FTP server sits behind a load balancer (e.g. HA Proxy in front of an Alfresco cluster) and a client asks to communicate using Passive FTP Mode (i.e. it sends a PASV FTP command), the server must send the client an IP address and a port to connect to for the data transfer.

      Presently (Alfresco 5.1) there is no flexibility in the FTP server configuration: the server always seems to respond with the IP of the interface it binds to, i.e. an internal node address rather than the proxy address the client connected to.

      The ascii art below shows the current situation:

      FTP client
           |
      (sends a PASV command)
           |
           V
      HA Proxy
        ^
        | 227 Entering Passive Mode (IP of node1)
      
       alf     alf
      Node1   Node2
      

      The customer would like us to implement a feature commonly found in other major FTP servers that lets the Alfresco nodes declare that they are behind a proxy and therefore send the client the IP of the proxy:

      FTP client
           |
      (sends a PASV command)
           |
           V
      HA Proxy
        ^
        | 227 Entering Passive Mode (IP of HA proxy as seen by the client)
      
       alf     alf
      Node1   Node2
      

      Notes:

      1) the URL below clearly presents the issue together with the possible solutions:
      http://www.ncftp.com/ncftpd/doc/misc/ftp_and_firewalls.html#PASVLBProblems

      It lists three solutions:

      Solution 1: The network administrator of the server network can give each slave server a valid externally accessible IP address. The external IP address of the load balancer could be used as the preferred address, but having each slave server have its own external IP address would allow PASV data connections to connect directly to the slave server without requiring traffic from slaves to pass through the load balancer. It also means that the load balancer does not need to do any special automatic handling of FTP.

      Solution 2: The network administrator of the server network can consult the load balancing router vendor's documentation to see if FTP connections can be handled automatically so that the PASV reply is dynamically rewritten to contain the external IP address of the load balancer.

      Solution 3: If the routing device isn't intelligent enough to take special care of FTP sessions, but has the ability to always forward traffic from the same remote client IP address to the same internal server IP address, then the network administrator of the server network may be able to configure the FTP server software to spoof the address it uses for PASV replies.

      Solution 1) is rather ugly, as it requires the client to bypass the load balancer for the data connection.
      Solution 2) depends on the proxy and its ability to rewrite responses to PASV commands. HA Proxy does not support this, see note 2).
      Solution 3) is what the customer is asking for, i.e. a feature on the FTP server side. Note that it only replaces the advertised address: the load balancer must still keep each client on the same node and forward the passive data port range to it, as the text above states.

      2) HA Proxy cannot detect and modify responses to PASV commands; this is documented on the page
      http://ben.timby.com/?page_id=210
      linked from the HA Proxy home page: http://www.haproxy.org/

      That page has since disappeared but can be found in the Wayback Machine at:
      https://web.archive.org/web/20121121061728/http://ben.timby.com/?page_id=210
      (also attached here ben.timby.com_page210.html for the records)

      This page clearly states that one needs an FTP server feature for PASV mode; see the sentence:
      "As an example, ProFTPd can be configured as required using the MasqueradeAddress and PassivePorts directives."

      3) here is a list of the parameter names used by the major FTP servers, showing that they all implement this feature:

      a) ncftp:
      http://www.ncftp.com/ncftpd/doc/config/g/passive-ip.html
      example:

          passive-ip=192.168.33.44
          passive-ip=10.1.2.3
      

      b) vsftpd:
      http://vsftpd.beasts.org/vsftpd_conf.html
      pasv_address: Use this option to override the IP address that vsftpd will advertise in response to the PASV command. Provide a numeric IP address, unless pasv_addr_resolve is enabled, in which case you can provide a hostname which will be DNS resolved for you at startup.

      example:

      vsftpd.conf
      
      pasv_address=217.130.100.62
      

      c) proftpd:
      http://www.proftpd.org/docs/directives/linked/config_ref_MasqueradeAddress.html
      MasqueradeAddress – Configure the server address presented to clients

      example:

      MasqueradeAddress 2.2.2.2
      PassivePorts 1025 2048
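      As an added illustration for this ticket (example code written here, not Alfresco/JLAN code and not the code of any of the servers listed above), the following Python script builds the 227 reply a server sends after PASV, with and without a masquerade address, and applies the client-side check that makes the leaked node address fail. The node address, proxy address and passive port range are constructed values for the example.

```python
# Added example for this ticket: not Alfresco/JLAN code and not the code of any
# FTP server quoted above.  Shows what a PASV (227) reply looks like with and
# without a masquerade address and why a strict client rejects the node's own IP.
import ipaddress
import re
from typing import Optional, Tuple

# Constructed values for the example (assumptions, not taken from the ticket).
NODE1_BIND_IP = "10.0.0.11"          # interface node1 binds to behind HA Proxy
PROXY_PUBLIC_IP = "203.0.113.10"     # HA Proxy address as seen by the FTP client
PASSIVE_PORTS = range(50000, 50101)  # data port range the proxy forwards to the nodes

PASV_RE = re.compile(
    r"^227 .*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def pasv_reply(bind_ip: str, port: int, masquerade_ip: Optional[str] = None) -> str:
    """Build the 227 reply a server sends after PASV.

    Without masquerade_ip the server announces the interface it binds to (the
    Alfresco 5.1 behaviour described in the ticket).  With it, the announced
    address is the proxy's, which is what vsftpd pasv_address, proftpd
    MasqueradeAddress and ncftpd passive-ip do.  Only the address changes:
    the port is still the one the node really listens on.
    """
    if not 0 < port < 65536:
        raise ValueError("port out of range: %d" % port)
    # IPv4Address() rejects anything that is not a dotted quad, so a bad
    # masquerade setting fails here instead of producing a garbled reply.
    octets = ipaddress.IPv4Address(masquerade_ip or bind_ip).packed
    return "227 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n" % (
        *octets, port >> 8, port & 0xFF)


def parse_pasv_reply(reply: str) -> Tuple[str, int]:
    """Parse the (h1,h2,h3,h4,p1,p2) tuple of a 227 reply into (ip, port)."""
    m = PASV_RE.match(reply)
    if m is None:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("value above 255 in PASV reply: %r" % reply)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), (p1 << 8) | p2


def classify_data_endpoint(reply: str, control_peer_ip: str,
                           passive_ports: range = PASSIVE_PORTS) -> str:
    """Client-side check of where the data connection would go.

    RFC 2577 (FTP security considerations) advises clients to refuse a PASV
    address that differs from the control-connection peer, because a server
    could otherwise redirect the data connection to a third party.  A client
    applying that rule cannot tell the leaked node1 address from a malicious
    redirect, so it refuses both; that is why the server has to announce the
    proxy address rather than rely on clients being lax.
    """
    ip, port = parse_pasv_reply(reply)
    if ip != control_peer_ip:
        return "address-mismatch"      # node IP leaked through the proxy, or a redirect
    if port not in passive_ports:
        return "port-not-forwarded"    # proxy address, but a port the proxy does not pass on
    return "ok"


if __name__ == "__main__":
    for masq in (None, PROXY_PUBLIC_IP):
        reply = pasv_reply(NODE1_BIND_IP, 50021, masq)
        print(reply.strip(), "->", classify_data_endpoint(reply, PROXY_PUBLIC_IP))
```

      Run as-is, the first reply advertises 10.0.0.11 and is classified as an address mismatch; the second advertises 203.0.113.10 and passes. The masquerade address only changes the advertised IP, so the data port must still reach the node that answered PASV: the load balancer has to forward the whole passive port range and keep a client on the same node, as Solution 3 above requires, otherwise the data connection lands on the other node.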
      

      4) the use of HA Proxy is documented in several places in our docs (for SSL and for CIFS)

      http://docs.alfresco.com/5.1/tasks/cifs-clustering.html
      http://docs.alfresco.com/5.1/tasks/configure-ssl-test.html

      This indicates that HA Proxy is not a proxy that is "too" basic to be used in an Alfresco Enterprise setup.

        Attachments

        1. alfresco-repository.patch (4 kB)
        2. ben.timby.com_page210.html (30 kB)
        3. FTP_fake_external_proxy.JPG (399 kB)
        4. FTP_no_external_proxy.JPG (375 kB)
        5. jlan.patch (5 kB)
        6. ncftp_loadbalancing_article.html (37 kB)

              People

              • Assignee: closedbugs Closed Bugs
              • Reporter: amadon Alex Madon [X] (Inactive)
              • Votes: 2
              • Watchers: 11
