ProFTPD module mod_proxy_protocol


The purpose of the mod_proxy_protocol module is to handle protocols which are used by proxies, e.g. haproxy, for conveying information about the real origin/client to the backend server. Protocols like HTTP often have their own mechanism for doing so, via headers such as "X-Forwarded-For". Unfortunately, FTP does not have such a mechanism, nor does SSH.

However, there are protocols which an provide this information without impacting FTP. HAproxy's PROXY protocol is one such mechanism. The mod_proxy_protocol module uses these mechanisms to change the information about the "remote" client so that it is the real client, not the proxy, whose IP address/port are logged and used for e.g. network ACLs.

This module is contained in the mod_proxy_protocol.c file for ProFTPD 1.3.x, and is not compiled by default. Installation instructions are discussed here; detailed notes on best practices for using this module are here.

The most current version of mod_proxy_protocol can be found at: 

  https://github.com/Castaglia/proftpd-mod_proxy_protocol.git

Author

Please contact TJ Saunders <tj at castaglia.org> with any questions, concerns, or suggestions regarding this module.

Directives

ProxyProtocolEngine

Syntax: ProxyProtocolEngine on|off
Default: None
Context: server config, <VirtualHost>, <Global>
Module: mod_proxy_protocol
Compatibility: 1.3.5rc4 and later

The ProxyProtocolEngine directive enables the expectation and handling of protocols which provide information on proxied connections; support for these protocols is provided by mod_proxy_protocol.

ProxyProtocolTimeout

Syntax: ProxyProtocolTimeout seconds
Default: 3sec
Context: server config, <VirtualHost>, <Global>
Module: mod_proxy_protocol
Compatibility: 1.3.5rc4 and later

The ProxyProtocolTimeout directive is used to configure the amount of time, in seconds, that mod_proxy_protocol will wait to receive the full expected proxy information. If the full information is not received within the given number of seconds, the connection to the client is closed.

ProxyProtocolVersion

Syntax: ProxyProtocolVersion protocolVersion
Default: haproxyV1
Context: server config, <VirtualHost>, <Global>
Module: mod_proxy_protocol
Compatibility: 1.3.5rc4 and later

The ProxyProtocolVersion directive is used to configure the protocol that mod_proxy_protocol expects to handle. The currently supported values are:

Usage

Example Configuration

  <IfModule mod_proxy_protocol.c>
    ProxyProtocolEngine on
    ProxyProtocolTimeout 3sec

    # Necessary to allow data transfers
    AllowForeignAddress on
  </IfModule>

Module Load Order
In order for mod_proxy_protocol to work its magic, it must the first module in line to handle the bytes coming in from the client. If some other module (such as mod_sftp or mod_tls) tries to handle the incoming bytes first, Bad Things will happen, since those modules will expect different protocols than the PROXY protocol.

For mod_proxy_protocol to be the first module called, it must the last module loaded. To do this as a static module, you would use something like this when building proftpd: 

  # ./configure --with-modules=...:mod_proxy_protocol
ensuring that mod_proxy_protocol is the last module in your --with-modules list.

As a shared module, configuring mod_proxy_protocol to be the last module loaded is much easier. Your configuration will have a list of LoadModule directives; the last of which would be: 

  LoadModule mod_proxy_protocol.c
Note that using mod_proxy_protocol as a shared module is required in cases where you want to use both mod_proxy_protocol and mod_ifsession. For example, perhaps you want to use mod_ifsession to change the behavior of some module, e.g. mod_ban, based on the IP address of the original client. This means that mod_proxy_protocol would need to hande the connection first, so that it can decode the PROXY protocol and set the correct client IP address. However, the ProFTPD build system is hardcoded to ensure that the mod_ifsession will always be first -- if using static modules. By using shared modules, you can enforce the proper ordering using the LoadModule directive, like so: 
  <IfModule mod_dso.c>
    ...
    LoadModule mod_ifsession.c
    LoadModule mod_proxy_protocol.c
  </IfModule>
The last module loaded will be the first module called.

Trusting Senders of Proxy Data
Use of these proxy protocols means changes in audit trails and/or client access permissions (e.g. different mod_wrap2 and/or mod_geoip rules will apply). Unscrupulous senders may try to actively lie to your server about the original client using these protocols. Thus you must trust the upstream machines before enabling the mod_proxy_protocol module.

Put another way: do not use the mod_proxy_protocol module if your server handles connections from the open Internet. Doing so means that any machine can use the proxy protocol to hide their activities, or make it look like the connection is coming from someone else. Only accept proxy information from trusted sources.

Why AllowForeignAddress Is Needed
One of the consequences of allowing mod_proxy_protocol to change the remote IP address is that security checks performed on data transfers will cause problems. For active data transfers (i.e. for clients which send the PORT or EPRT commands), proftpd requires that the IP address sent in the command matches the IP address of the client which sends the command. Otherwise, a message like the following is logged: 

  Refused PORT 127,0,0,1,218,225 (address mismatch)
and the command is rejected.

Similarly for passive data transfers (i.e. for clients which send the PASV or EPSV commands), proftpd requires that the remote IP address of the client which connects to the data transfer address must match the remote IP address of the client on the control connection. If the addresses do no match, then the following is logged: 

  SECURITY VIOLATION: Passive connection from 127.0.0.1 rejected.
and the control connection is closed.

These security measures are done to prevent abuses of FTP data transfers such as the FTP bounce attack. However, the very fact that mod_proxy_protocol changes the remote IP address means that to allow data transfers when using this module, you need to use: 

  AllowForeignAddress on
in the same virtual host section in which the ProxyProtocolEngine directive appears.

Installation

To install mod_proxy_protocol, copy the mod_proxy_protocol.c file into: 
  proftpd-dir/contrib/
after unpacking the latest proftpd-1.3.x source code. For including mod_proxy_protocol as a staticly linked module: 
  $ ./configure --with-modules=...:mod_proxy_protocol
To build mod_proxy_protocol as a DSO module: 
  $ ./configure --enable-dso --with-shared=...:mod_proxy_protocol
Then follow the usual steps: 
  $ make
  $ make install

For those with an existing ProFTPD installation, you can use the prxs tool to add mod_proxy_protocol, as a DSO module, to your existing server: 

  $ prxs -c -i -d mod_proxy_protocol.c

© Copyright 2013-2019 TJ Saunders
All Rights Reserved