mod_proxy_protocol
The purpose of the mod_proxy_protocol module is to handle
protocols which are used by proxies, e.g. haproxy, for
conveying information about the real origin/client to the backend server.
Protocols like HTTP often have their own mechanism for doing so, via headers
such as "X-Forwarded-For". Unfortunately, FTP does not have such a
mechanism, nor does SSH.
However, there are protocols which an provide this information without
impacting FTP. HAproxy's PROXY protocol is one such mechanism. The
mod_proxy_protocol module uses these mechanisms to change the
information about the "remote" client so that it is the real client, not the
proxy, whose IP address/port are logged and used for e.g. network ACLs.
This module is contained in the mod_proxy_protocol.c file for
ProFTPD 1.3.x, and is not compiled by default. Installation
instructions are discussed here; detailed
notes on best practices for using this module are here.
The most current version of mod_proxy_protocol can be found at:
https://github.com/Castaglia/proftpd-mod_proxy_protocol.git
Please contact TJ Saunders <tj at castaglia.org> with any questions, concerns, or suggestions regarding this module.
<VirtualHost>, <Global>
The ProxyProtocolEngine directive enables the expectation
and handling of protocols which provide information on proxied connections;
support for these protocols is provided by mod_proxy_protocol.
<VirtualHost>, <Global>
The ProxyProtocolIgnore directive determines whether the
mod_proxy_protocol module will use the information it
reads, in the PROXY protocol data that may be sent by a client.
This is useful for cases where clients may be sending/using the PROXY protocol,
but you may not want mod_proxy_protocol to use the data from some
clients. For example:
<Class untrusted-senders>
From 1.2.3.4
From 5.6.7.8
</Class>
<IfModule mod_proxy_protocol.c>
# We always to read PROXY protocol headers from clients...
ProxyProtocolEngine on
# ...but we don't always trust the senders
<IfClass untrusted-senders>
ProxyProtocolIgnore on
</IfClass>
</IfModule>
<VirtualHost>, <Global>
The ProxyProtocolOptions directive is used to configure various
optional behavior of mod_proxy_protocol. For example:
ProxyProtocolOptions UseProxiedServerAddress
The currently implemented options are:
UseProxiedServerAddress
The PROXY protocol sends both the original source (client)
IP address/port, and the original destination (server) address/port.
The mod_proxy_protocol module only uses the client IP
address/port in the PROXY protocol message by default. Use
this option to tell mod_proxy_protocol to use the provided
server address/port as well, by looking for any matching
<VirtualHost> configurations, and using them if found.
Note that if no matching <VirtualHost> configurations
are found, the proxied server address/port information will be ignored.
<VirtualHost>, <Global>
The ProxyProtocolTimeout directive is used to configure the
amount of time, in seconds, that mod_proxy_protocol will wait to
receive the full expected proxy information. If the full information is
not received within the given number of seconds, the connection to the client
is closed.
<VirtualHost>, <Global>
The ProxyProtocolVersion directive is used to configure the
protocol that mod_proxy_protocol expects to handle. The
currently supported values are:
haproxyV1
haproxyV2
Example Configuration
<IfModule mod_proxy_protocol.c>
ProxyProtocolEngine on
ProxyProtocolTimeout 3sec
# Necessary to allow data transfers
AllowForeignAddress on
</IfModule>
Module Load Order
In order for mod_proxy_protocol to work its magic, it must
the first module in line to handle the bytes coming in from the client.
If some other module (such as mod_sftp or mod_tls)
tries to handle the incoming bytes first, Bad Things will happen, since those
modules will expect different protocols than the PROXY protocol.
For mod_proxy_protocol to be the first module called, it must
the last module loaded. To do this as a static module, you would
use something like this when building proftpd:
# ./configure --with-modules=...:mod_proxy_protocolensuring that
mod_proxy_protocol is the last module in
your --with-modules list.
As a shared module, configuring mod_proxy_protocol to be the
last module loaded is much easier. Your configuration will have a list
of LoadModule directives; the last of which would be:
LoadModule mod_proxy_protocol.cNote that using
mod_proxy_protocol as a shared module
is required in cases where you want to use both
mod_proxy_protocol and mod_ifsession. For
example, perhaps you want to use mod_ifsession to change the
behavior of some module, e.g. mod_ban, based on the IP
address of the original client. This means that mod_proxy_protocol
would need to hande the connection first, so that it can decode the
PROXY protocol and set the correct client IP address.
However, the ProFTPD build system is hardcoded to ensure that the
mod_ifsession will always be first -- if using static
modules. By using shared modules, you can enforce the proper ordering
using the LoadModule directive, like so:
<IfModule mod_dso.c>
...
LoadModule mod_ifsession.c
LoadModule mod_proxy_protocol.c
</IfModule>
The last module loaded will be the first module called.
Trusting Senders of Proxy Data
Use of these proxy protocols means changes in audit trails and/or client
access permissions (e.g. different mod_wrap2 and/or
mod_geoip rules will apply). Unscrupulous senders may try to
actively lie to your server about the original client using these protocols.
Thus you must trust the upstream machines before enabling the
mod_proxy_protocol module.
Put another way: do not use the mod_proxy_protocol module
if your server handles connections from the open Internet. Doing so means
that any machine can use the proxy protocol to hide their activities, or
make it look like the connection is coming from someone else. Only accept
proxy information from trusted sources.
If you need to selectively support the PROXY protocol
from some IPs, but not others, then you can use classes, and the mod_ifsession module, like
this:
<Class expect-proxy-protocol>
From 192.168.18.33/24
From 192.168.33.2
From 10.0.0.0/8
</Class>
<IfClass expect-proxy-protocol>
<IfModule mod_proxy_protocol.c>
# Enable PROXY protocol support for clients in this class
ProxyProtocolEngine on
# Necessary to allow data transfers from this class
AllowForeignAddress expect-proxy-protocol
</IfModule>
</IfClass>
Note that per-user or per-group enabling of the PROXY protocol
cannot be done; we only know the user/group of the connection
after the PROXY protocol has been used.
Why AllowForeignAddress Is Needed
One of the consequences of allowing mod_proxy_protocol to change
the remote IP address is that security checks performed on data transfers
will cause problems. For active data transfers (i.e. for clients
which send the PORT or EPRT commands),
proftpd requires that the IP address sent in the command matches
the IP address of the client which sends the command. Otherwise, a message
like the following is logged:
Refused PORT 127,0,0,1,218,225 (address mismatch)and the command is rejected.
Similarly for passive data transfers (i.e. for clients which send the
PASV or EPSV commands), proftpd requires
that the remote IP address of the client which connects to the data transfer
address must match the remote IP address of the client on the control
connection. If the addresses do no match, then the following is logged:
SECURITY VIOLATION: Passive connection from 127.0.0.1 rejected.and the control connection is closed.
These security measures are done to prevent abuses of FTP data transfers
such as the FTP bounce
attack. However, the very fact that mod_proxy_protocol changes
the remote IP address means that to allow data transfers when using this module,
you need to use:
AllowForeignAddress onin the same virtual host section in which the
ProxyProtocolEngine
directive appears.
A more secure configuration for AllowForeignAddress is possible
when you use the <Class> and <IfClass>
configurations, where you can limit the scope of
AllowForeignAddress to just that class, using:
# Allow foreign addresses, but only from the "expect-proxy-protocol" class AllowForeignAddress expect-proxy-protocolrather than allowing any IP address to connect to the data sockets.
Session Notes
For those with an existing ProFTPD installation, you can use the
The mod_proxy_protocol module may provide the following session notes for e.g. PROXY protocol V2 Type-Length-Value (TLVs) as well:
These note variables are intended for informational purposes, e.g.
mod_proxy_protocol.alpn
mod_proxy_protocol.authority
mod_proxy_protocol.tls.cipher
mod_proxy_protocol.tls.version
mod_proxy_protocol.unique-id
ExtendedLog or SQLLog directives via the
%{note:...} syntax.
Installation
To install mod_proxy_protocol, copy the
mod_proxy_protocol.c file into:
proftpd-dir/contrib/
after unpacking the latest proftpd-1.3.x source code. For including
mod_proxy_protocol as a staticly linked module:
$ ./configure --with-modules=...:mod_proxy_protocol
To build mod_proxy_protocol as a DSO module:
$ ./configure --enable-dso --with-shared=...:mod_proxy_protocol
Then follow the usual steps:
$ make
$ make install
prxs tool to add mod_proxy_protocol, as a DSO module,
to your existing server:
$ prxs -c -i -d mod_proxy_protocol.c