Linux – Reverse Proxy multiple internal FTP Servers

apache-2.2centosftplinuxPROXY

I have setup a reverse proxy for http using Apache mod_proxy like this:

Client > http:/abc.domain1.com > Reverse Proxy Server > 192.168.50.1 (Internal Server)
Client > http:/def.domain2.com/ > Reverse Proxy Server > 192.168.50.2 (another internal Server)

Now I want to acheive the same for FTP:

Client > ftp:/abc.domain1.com/ > Reverse Proxy Server > ftp:/192.168.50.1 (internal FTP Server)
Client > ftp:/def.domain2.com/ > Reverse Proxy Server > ftp:/192.168.50.2 (another internal FTP Server)

Both internal FTP Servers are running vsftpd. Please let me know the setup for Redhat/Centos.

Reason: I have only one public IP available.

Best Answer

There are two problems to set up what you are looking for:

unlike for http, reverse proxies for ftp are a pretty rare breed and those that exist (like the old Suse proxysuite) are - to remain polite - not really a joy to set up and work with.
unlike http 1.1, ftp has no provisions for virtual hosting, meaning that a server cannot see the hostname you want to talk to.

Here are two potential alternative solutions that are relatively easy to set up, each with its own advantages and limitations

serve the two backend server on different ports (eg ftp://abc.domain1.com/ and ftp://def.domain2.com:8021/. pretty easy to setup and no reverse proxy needed, just some extra ports to forward. Disadvantage: one of the domains will have to use the url including the port number, which may or may not be an issue for you.
CrushFTP is a commercial but reasonably priced server for ftp, sftp, etc that can easily be set up to front multiple backends in a number of ways:
1. as directories, which would lead to a setup like ftp://abc.domain1.com/abc and ftp://abc.domain1.com/def.
2. show a specific backend based on the user profile, so ftp://abc.domain1.com/ would look completely different depending on who logs in.

We chose option 2 because in daily operations it proved the most flexible and reliable. As an added bonus it allows you to use other protocols than ftp for the traffic to your backends, eg sftp.

They have a fully working demo version that you can download and test with (iirc it's limited to 5 concurrent connections).

Only potential downside: it's a Java program, so it's footprint (both disk and memory) are a size bigger than that of a regular ftp server.

Related Solutions

Ftp – vsftpd and apache web root directory ownership conflict

All that matters to apache is that it can read the files.
As long as the "other" group has read permissions on files and read+execute permissions on directories, apache will be able to serve the content.

As for the difference between FTP-ing a file and creating it as root - yes, obviously there is a difference, since you created it as root.

Don't do that, then.

Zimbra 7.2 reverse proxy to arbitrary internal website

Follow this link: http://www.maxxer.it/2010/linux/set-apache2-to-proxy-zimbra/

I've successfully proxied Zimbra using Apache2 for long time.

These commands work on Debian/Ubuntu servers.

At first, enable apache2′s modules:

a2enmod proxy
a2enmod proxy_html
a2enmod proxy_http

Make sure the use of mod_proxy is allowed, by changing /etc/apache2/mods_available/proxy.conf

Allow from all

In this case I want to proxy SSL, so before starting you will need to move Zimbra HTTPS away from port 443 (I moved to 444). Copy your Zimbra certificate files to a directory accessible by apache. I choose /etc/apache2/ssl.

To allow automatic redirect from / to /zimbra, as in your normal Zimbra install, add the following line to your main stanza:

RedirectMatch ^/$ /zimbra/
Then, edit you apache2 config file and add:

SSLProxyEngine on
SSLCertificateFile /etc/apache2/ssl/host.crt
SSLCertificateKeyFile /etc/apache2/ssl/host.key
SSLCACertificateFile /etc/apache2/ssl/ca_bundle.crt
ProxyRequests On
ProxyPreserveHost On
ProxyVia full
<Location "/service">
  ProxyPass https://your_zimbra_ip:444/service
  ProxyPassReverse https://your_zimbra_ip:444/service
  ProxyPassReverse /
  ProxyHTMLExtended      On
  ProxyHTMLURLMap /service /service
</Location>

<Location "/zimbra">
  ProxyPass https://your_zimbra_ip:444/zimbra
  ProxyPassReverse https://your_zimbra_ip:444/zimbra
  ProxyPassReverse /
  ProxyHTMLExtended      On
  ProxyHTMLURLMap /zimbra /zimbra
</Location>

<Location "/home">
  ProxyPass https://your_zimbra_ip:444/home
  ProxyPassReverse https://your_zimbra_ip:444/home
  ProxyPassReverse /
  ProxyHTMLExtended      On
  ProxyHTMLURLMap /home /home
</Location>

# CalDAV
<Location "/principals">
  ProxyPass https://your_zimbra_ip:444/principals
  ProxyPassReverse https://your_zimbra_ip:444/principals
  ProxyPassReverse /
  ProxyHTMLExtended      On
  ProxyHTMLURLMap /principals /principals
</Location>
# DAV
<Location "/dav">
  ProxyPass https://your_zimbra_ip:444/dav
  ProxyPassReverse https://your_zimbra_ip:444/dav
  ProxyPassReverse /
  ProxyHTMLExtended      On
  ProxyHTMLURLMap /dav /dav
</Location>
#Printing and HTML interface
<Location "/h">
  ProxyPass https://your_zimbra_ip:444/h
  ProxyPassReverse https://your_zimbra_ip:444/h
  ProxyPassReverse /
  ProxyHTMLExtended      On
  ProxyHTMLURLMap /h /h
</Location>

# img for mobile interface
<Location "/img">
  ProxyPass https://your_zimbra_ip:444/img
  ProxyPassReverse https://your_zimbra_ip:444/img
  ProxyPassReverse /
  ProxyHTMLExtended      On
  ProxyHTMLURLMap /img /img
</Location>

Restart your apache2, and you should be done! P.S. in case you wish to proxy https:

a2enmod ssl

Add the following to your /etc/apache2/sites-available/default-ssl

SSLProxyEngine on
ProxyRequests On
ProxyPreserveHost On
ProxyVia full

Best Answer

Related Solutions

Ftp – vsftpd and apache web root directory ownership conflict

Zimbra 7.2 reverse proxy to arbitrary internal website

Related Topic