Posted to users@httpd.apache.org by de...@orange-ftgroup.com on 2010/11/08 11:56:12 UTC

[users@httpd] How to proxy FTP protocol with WinSCP client ?

Hello,
 
I have encountered a problem proxying the FTP protocol with my WinSCP client
(a strong constraint)! The first control connection (HTTP CONNECT on port
21) with the FTP server is established correctly, but the second one (the data
connection: HTTP CONNECT on a dynamic port provided by the server) is
refused by apache mod-proxy (403 Forbidden). Here is my proxy.conf
file:
 
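<IfModule mod_proxy.c>
        # Forward proxying is enabled
        ProxyRequests On

        # CONNECT is permitted only to these destination ports
        AllowCONNECT 443 21

        <Proxy *>
                AddDefaultCharset off
                # Deny is evaluated first, then Allow: "Allow from all"
                # overrides "Deny from all", so every client may use the proxy
                Order deny,allow
                Deny from all
                Allow from all
        </Proxy>

        # Enable/disable the handling of HTTP/1.1 "Via:" headers.
        # ("Full" adds the server version; "Block" removes all outgoing Via: headers)
        # Set to one of: Off | On | Full | Block

        ProxyVia On
</IfModule>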
 
Enabled modules : proxy, proxy_ftp, proxy_http, ssl, cache, ...
 
The AllowCONNECT directive only permits the use of static ports, and I
didn't find other directives to solve my problem!
The same configuration with the WinSCP client works fine with "squid", but I
prefer to use apache for other reasons, so can you help me to solve this
problem? For information, when I use another client like IE, it also works
fine, but the HTTP method used is GET and not CONNECT...
Thanks.
 

Barbaron Denis
FT/RD/SIRP/ASF
Expert Senior - Architectures clusters & logiciel libre
Tel:  +33 2 96 05 03 57
Fax: +33 2 96 05 13 02 
denis.barbaron@orange-ftgroup.com
<ma...@orange-ftgroup.com>  


 

RE: [users@httpd] How to proxy FTP protocol with WinSCP client ?

Posted by de...@orange-ftgroup.com.
Hi Krist,

Yes of course, my WinSCP client uses passive FTP and apache listens on the control port (21)!

When the FTP server sends back the port to connect to for DATA, the client attempts to open the connection using this dynamic port, but the apache proxy refuses to forward the HTTP CONNECT to the FTP server and sends back a 403 Forbidden response to the client.

See the small attached dump file, which illustrates the problem:
192.168.1.1 : the client
192.168.3.2 : apache proxy
10.194.124.173 : the FTP server

It works fine with other FTP proxies like "squid" or "netcache". It should be possible to configure apache to do that also?
Thanks. 

-----Original Message-----
From: Krist van Besien [mailto:krist.vanbesien@gmail.com]
Sent: Monday, 8 November 2010 13:01
To: users@httpd.apache.org
Subject: Re: [users@httpd] How to proxy FTP protocol with WinSCP client ?

On Mon, Nov 8, 2010 at 11:56 AM,  <de...@orange-ftgroup.com> wrote:

> The AllowCONNECT directive permits only to use static ports, and I 
> didn't find other directives to solve my problem !
> The same configuration with WinSCP client works fine with "squid", but 
> I prefer to use apache for other reasons, so can you help me to solve 
> this problem ? For information, when I use another client like IE, it 
> works fine also but the HTTP method used is GET and not CONNECT...

The solution is to use passive FTP in your ftp client. For CONNECT to a dynamic port to work it would be necessary for apache to listen in on the FTP control connection to know what port the client will attempt to use.

Krist

--
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
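
An added example (not part of the original thread, and not httpd's own code) that models the port check described in the messages above: it derives the data port from a passive-mode 227 reply and tests it against the AllowCONNECT list. The 227 reply and the 50000-50100 passive range are constructed values; the port-range form of AllowCONNECT requires httpd 2.3.7 or later.

```python
import re

# Ports mod_proxy_connect allows when no AllowCONNECT directive is present.
DEFAULT_CONNECT_PORTS = [(443, 443), (563, 563)]

def parse_allowconnect(args):
    """Parse AllowCONNECT arguments ("443 21" or "443 21 50000-50100")
    into (low, high) tuples. port-port ranges need httpd 2.3.7 or later."""
    ranges = []
    for tok in args.split():
        low, _, high = tok.partition("-")
        lo, hi = int(low), int(high or low)
        if not (0 < lo <= hi <= 65535):
            raise ValueError(f"bad port spec: {tok}")
        ranges.append((lo, hi))
    return ranges or DEFAULT_CONNECT_PORTS

def pasv_endpoint(reply):
    """Extract (host, port) from an FTP 227 reply (RFC 959):
    227 Entering Passive Mode (h1,h2,h3,h4,p1,p2), port = p1*256 + p2."""
    m = re.match(r"227 .*?(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", reply)
    if not m:
        raise ValueError("not a 227 passive-mode reply")
    n = [int(x) for x in m.groups()]
    if any(v > 255 for v in n):
        raise ValueError("octet out of range")
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]

def connect_status(port, allowed):
    """Simplified model of the proxy's answer to CONNECT host:port:
    200 if the port is listed (and the backend is reachable), else 403."""
    return 200 if any(lo <= port <= hi for lo, hi in allowed) else 403

# Constructed sample reply; the server address is the one named in the thread.
SAMPLE_227 = "227 Entering Passive Mode (10,194,124,173,195,149)"

def replay(allowconnect_args, reply=SAMPLE_227):
    """Replay the control CONNECT, then the data CONNECT the client derives."""
    allowed = parse_allowconnect(allowconnect_args)
    host, data_port = pasv_endpoint(reply)
    return [(f"CONNECT {host}:21", connect_status(21, allowed)),
            (f"CONNECT {host}:{data_port}", connect_status(data_port, allowed))]

if __name__ == "__main__":
    # Second config assumes the FTP server's passive range is 50000-50100.
    for cfg in ("443 21", "443 21 50000-50100"):
        print(f"AllowCONNECT {cfg}: {replay(cfg)}")
```

The first configuration reproduces the thread's symptom (200 on port 21, 403 on the data port); the second only passes if the FTP server is pinned to the same passive range.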


Re: [users@httpd] How to proxy FTP protocol with WinSCP client ?

Posted by Krist van Besien <kr...@gmail.com>.
On Mon, Nov 8, 2010 at 11:56 AM,  <de...@orange-ftgroup.com> wrote:

> The AllowCONNECT directive permits only to use static ports, and I didn't
> find other directives to solve my problem !
> The same configuration with WinSCP client works fine with "squid", but I
> prefer to use apache for other reasons, so can you help me to solve this
> problem ? For information, when I use another client like IE, it works fine
> also but the HTTP method used is GET and not CONNECT...

The solution is to use passive FTP in your ftp client. For CONNECT to
a dynamic port to work it would be necessary for apache to listen in
on the FTP control connection to know what port the client will
attempt to use.

Krist

-- 
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?
