File: NOTES.forward-proxy

package info (click to toggle)
proftpd-mod-proxy 0.9.2-1%2Bdeb12u1
  • links: PTS, VCS
  • area: main
  • in suites: bookworm
  • size: 4,972 kB
  • sloc: perl: 43,469; ansic: 43,171; sh: 3,479; makefile: 247
file content (96 lines) | stat: -rw-r--r-- 2,733 bytes parent folder | download | duplicates (3) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
 

Supported forward proxy method:

  USER user@dest-server[:port]
  PASS pass

Chilkatsoft.com ChilkatFtp2.ProxyMethod = 2

Net::Config:
  ftp_firewall_type 1
    USER user@remote.host[:port]
    PASS pass

Complications:

  '@' symbol in username?
    Avoidable if the USER argument is parsed from end-to-beginning

    What if no '@' symbol appears in USER argument?
    What if single '@' symbol appears in USER argument, as part of actual
      username?

  What if USER is not first command?  I.e. what if we see FEAT, SYST,
    etc?

  What if USER specifies a host that returns 5xx in the banner?  Should
  the client be allowed another USER?  If so, does that count against
  MaxLoginAttempts?

  IPv6 dest server?
    Support "USER user@[::1]:port".  Easy enough.

  FTPS?
    If USER command is received over SSL/TLS, then connection to dest
    server will use SSL/TLS.  Configurable?

      Connect, then send FEAT.  If "AUTH SSL" or "AUTH TLS" appears in
      FEAT, AND mod_proxy+mod_tls is available, then automatically try
      to do FTPS.  No "implicit" FTPS support?

  Connection to dest server opened later

Benefits:

  use mod_proxy in forward mode to add "IPv6" capability, i.e. talk to IPv6
  server, for IPv4-only client.

  use mod_proxy in forward mode to add SSL/TLS capability, i.e. to talk to
  FTPS server, for non-SSL/TLS clients?

Supporting this means not connecting to the real server until pre-USER time;
mod_proxy needs to be modified to deal with this case.  It's work needed
for USER-based backend selection in the reverse proxy case, anyway.

Client configuration:

  <li><code>proxyuser,user@host</code>
FZ:
  https://www3.trustwave.com/support/kb/article.aspx?id=13497
See <a href="https://winscp.net/eng/docs/ui_login_proxy">WinSCP</a>
this is what <code>lftp</code> calls "user" for its <code>ftp:proxy-auth-type</code> setting.
  </li>

  <li><code>proxyuser@host,user</code>
Chrome: uses system proxy settings (on Mac, at least?)
FF:
  http://www.wikihow.com/Enter-Proxy-Settings-in-Firefox
FZ:
  https://www3.trustwave.com/support/kb/article.aspx?id=13497
See <a href="https://winscp.net/eng/docs/ui_login_proxy">WinSCP</a>
this is what <code>lftp</code> calls "proxy-user@host" for its <code>ftp:proxy-auth-type</code> setting.


Future methods:

Net::Config:
  ftp_firewall_type 2
    USER proxy-user
    PASS proxy-pass
    USER user@remote.host[:port]
    PASS pass

  ftp_firewall_type 6
    USER proxy-user@remote.host[:port]
    PASS proxy-pass
    USER user
    PASS pass

See also this, which has *9* methods:
  http://www.mcknight.de/jftpgw/config.html#loginstyle


Limiting the proxied hosts:
  ProxyBlock:
    http://httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxyblock