I've just installed the mod_proxy_protocol module, but I'm having problems getting this working.
I have been able to get the PROXY header parsing working and I can see that the control data stream is working fine, but the problem comes when I try the data part of it (listing, downloading and so on).
The first problem comes with plain-text FTP sessions, where the "Entering Passive Mode" IP address needs to be rewritten. If I use MasqueradeAddress and set this to the IP address of the proxy server, then my firewall blocks it on the way from the FTP server to the proxy. But if I don't set MasqueradeAddress and just let the private, non-routable IP be present in that packet, then my firewall blocks that on the outside interface.
So I then wanted to resort to using TLS to hide this information from the firewall, so I configured TLS and got to the same point. I can authenticate, but when I attempt to list anything, it stops. When looking at the tls.log I see the following:
2024-01-23 17:00:43,843 mod_tls/2.9[13584]: unable to accept TLS connection: protocol error:
(1) error:0A00010B:SSL routines::wrong version number
2024-01-23 17:00:43,843 mod_tls/2.9[13584]: unable to open data connection: TLS negotiation failed
If I connect directly to the server without using the proxy server, then tls works just fine, so it has to be the proxy thing messing things up.
PassivePorts 31000 32000
<IfModule mod_proxy_protocol.c>
# Enable PROXY protocol support for clients in this class
ProxyProtocolEngine on
ProxyProtocolTimeout 3sec
ProxyProtocolVersion haproxyV2
# Necessary to allow data transfers from this class
AllowForeignAddress on
</IfModule>
In modules.conf I have this at the bottom of the file:
# keep this module the last one
LoadModule mod_ifsession.c
# no, this should be the last one
LoadModule mod_proxy_protocol.c
Another note: I tried using <Class> and <IfClass> to restrict where to load the proxy or not, and that seems to not stick at all. I'm not sure if I've missed something here. mod_ifsession is loaded; here's the output of a common reload of the service:
The first issue, regarding data transfers, is covered in the FAQ section, at the end of the documentation, hopefully.
The second issue, regarding <IfClass>, pertains to the module ordering. You do want the mod_ifsession module to be the last module listed. The documentation isn't quite clear on this, since the module ordering depends on specific features/functionality provided by different modules; not all modules are the same.
In this particular case, I think your modules.conf should end with:
LoadModule mod_proxy_protocol.c
# keep this module the last one
LoadModule mod_ifsession.c
This way, mod_ifsession will be the first module to handle incoming connections -- and will apply/handle any <IfClass> sections because of that; this module does not read any data from the TCP connection. Next, mod_proxy_protocol would handle the connection event, would read the PROXY header, and do its thing.
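To make the ordering discussion concrete, here is a small PROXY protocol v2 encoder/parser plus a "what does the listener see first?" classifier. This is an added example, not code from ProFTPD, mod_proxy_protocol or haproxy. The addresses (203.0.113.10, 192.0.2.5, 2001:db8::/32) and the TLS record prefix are constructed sample data. The scenario it illustrates is an assumption, not something the thread confirms: if a PROXY header arrives on a connection whose next bytes are a TLS ClientHello, a TLS stack that was not told to strip the header first sees `\r\n\r\n\x00\r\nQUIT\n` where it expects a record header (0x16 0x03 0x0x), which is exactly the kind of input that produces a "wrong version number" error. Only a module that reads and consumes the header before the TLS layer runs (which is what the load order above is about) avoids that.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# PROXY protocol v2 (haproxy "send-proxy-v2"): 12-byte signature, then
# version/command byte, family/transport byte, 16-bit address-block length,
# then the address block (src addr, dst addr, src port, dst port).
PROXY_V2_SIG = b"\r\n\r\n\x00\r\nQUIT\n"


@dataclass
class ProxyInfo:
    command: str                     # "PROXY" or "LOCAL"
    src: Optional[Tuple[str, int]]   # original client address; None for LOCAL
    dst: Optional[Tuple[str, int]]   # address the client connected to; None for LOCAL
    header_len: int                  # bytes to strip before the client's real stream begins


def build_proxy_v2(src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> bytes:
    """Build the v2 header a proxy would prepend to the TCP stream (IPv4 or IPv6 over TCP)."""
    family = socket.AF_INET6 if ":" in src_ip else socket.AF_INET
    addr_block = (socket.inet_pton(family, src_ip)
                  + socket.inet_pton(family, dst_ip)
                  + struct.pack("!HH", src_port, dst_port))
    fam_nibble = 0x1 if family == socket.AF_INET else 0x2
    ver_cmd = 0x21                        # high nibble: version 2; low nibble: PROXY command
    fam_proto = (fam_nibble << 4) | 0x1   # INET/INET6 over STREAM (TCP)
    return (PROXY_V2_SIG + bytes([ver_cmd, fam_proto])
            + struct.pack("!H", len(addr_block)) + addr_block)


def parse_proxy_v2(buf: bytes) -> Optional[ProxyInfo]:
    """Parse a v2 header at the start of buf; return None if buf does not start with one."""
    if len(buf) < 16 or not buf.startswith(PROXY_V2_SIG):
        return None
    ver_cmd, fam_proto = buf[12], buf[13]
    if ver_cmd >> 4 != 2:
        raise ValueError("unsupported PROXY protocol version %d" % (ver_cmd >> 4))
    addr_len = struct.unpack("!H", buf[14:16])[0]
    header_len = 16 + addr_len
    if len(buf) < header_len:
        raise ValueError("truncated PROXY v2 header")
    if ver_cmd & 0x0F == 0x0:             # LOCAL: proxy health check, no client address to trust
        return ProxyInfo("LOCAL", None, None, header_len)
    family = fam_proto >> 4
    if family == 0x1:
        af, alen = socket.AF_INET, 4
    elif family == 0x2:
        af, alen = socket.AF_INET6, 16
    else:
        raise ValueError("unsupported address family 0x%x" % family)
    body = buf[16:header_len]
    if len(body) < 2 * alen + 4:
        raise ValueError("address block too short for the announced family")
    src_ip = socket.inet_ntop(af, body[:alen])
    dst_ip = socket.inet_ntop(af, body[alen:2 * alen])
    src_port, dst_port = struct.unpack("!HH", body[2 * alen:2 * alen + 4])
    return ProxyInfo("PROXY", (src_ip, src_port), (dst_ip, dst_port), header_len)


def classify_first_bytes(buf: bytes) -> str:
    """Label what a listening socket sees first: PROXY v1/v2 header, TLS handshake record, or other."""
    if buf.startswith(PROXY_V2_SIG):
        return "proxy-v2"
    if buf.startswith(b"PROXY "):
        return "proxy-v1"
    # TLS record header: content type 0x16 (handshake), legacy version 0x0300..0x0304.
    if len(buf) >= 3 and buf[0] == 0x16 and buf[1] == 0x03 and buf[2] <= 0x04:
        return "tls-handshake"
    return "other"


if __name__ == "__main__":
    # Constructed sample: a client behind the proxy connecting to the FTP listener,
    # followed by the first bytes of a TLS ClientHello record (TLS 1.0 record version).
    hdr = build_proxy_v2("203.0.113.10", 51234, "192.0.2.5", 21)
    tls_prefix = b"\x16\x03\x01\x00\xf4\x01"
    stream = hdr + tls_prefix
    print("raw stream starts as:", classify_first_bytes(stream))          # proxy-v2
    info = parse_proxy_v2(stream)
    print("client per PROXY header:", info.src, "->", info.dst)
    print("after stripping header:", classify_first_bytes(stream[info.header_len:]))  # tls-handshake
```

The point of the three classifications at the end is the order of operations: the same byte stream is "proxy-v2" to whoever reads it first and only becomes a usable TLS handshake once `header_len` bytes have been consumed. Whether the data-connection path in this setup actually receives a PROXY header is not established by the thread; if it does, the fix is in the proxy or module configuration, not in the TLS settings.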