mod_proxy.html

<!DOCTYPE html>
<html>
<head>
<title>ProFTPD module mod_proxy</title>
</head>

<body bgcolor=white>

<hr>
<center>
<h2><b>ProFTPD module <code>mod_proxy</code></b></h2>
</center>
<hr><br>

<p>
The purpose of the <code>mod_proxy</code> module is to provide FTP proxying
capabilities in <code>proftpd</code>, both <em>reverse</em> (or "gateway")
proxying and <em>forward</em> proxying.

<p>
Installation instructions are discussed <a href="#Installation">here</a>.
<b>Note</b> that <code>mod_proxy</code> requires ProFTPD 1.3.6rc2 or later.
Detailed notes on best practices for using this module are
<a href="#Usage">here</a>.

<p>
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).

<p>
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com).

<p>
The most current version of <code>mod_proxy</code> can be found at:
<pre>
  <a href="https://github.com/Castaglia/proftpd-mod_proxy.git">https://github.com/Castaglia/proftpd-mod_proxy.git</a>
</pre>

<h2>Author</h2>
<p>
Please contact TJ Saunders &lt;tj <i>at</i> castaglia.org&gt; with any
questions, concerns, or suggestions regarding this module.

<h2>Thanks</h2>
<p>
<i>2015-08-24</i>: Thanks to Michael Toth &lt;mtoth <i>at</i> queldor.net&gt;
for helping test multiple iterations of <code>mod_proxy</code> with IIS
servers.

<h2>Directives</h2>
<ul>
  <li><a href="#ProxyDataTransferPolicy">ProxyDataTransferPolicy</a>
  <li><a href="#ProxyDatastore">ProxyDatastore</a>
  <li><a href="#ProxyEngine">ProxyEngine</a>
  <li><a href="#ProxyForwardEnabled">ProxyForwardEnabled</a>
  <li><a href="#ProxyForwardMethod">ProxyForwardMethod</a>
  <li><a href="#ProxyForwardTo">ProxyForwardTo</a>
  <li><a href="#ProxyLog">ProxyLog</a>
  <li><a href="#ProxyOptions">ProxyOptions</a>
  <li><a href="#ProxyReverseConnectPolicy">ProxyReverseConnectPolicy</a>
  <li><a href="#ProxyReverseServers">ProxyReverseServers</a>
  <li><a href="#ProxyRetryCount">ProxyRetryCount</a>
  <li><a href="#ProxyRole">ProxyRole</a>
  <li><a href="#ProxySourceAddress">ProxySourceAddress</a>
  <li><a href="#ProxyTables">ProxyTables</a>
  <li><a href="#ProxyTimeoutConnect">ProxyTimeoutConnect</a>
  <li><a href="#ProxyTimeoutLinger">ProxyTimeoutLinger</a>
  <li><a href="#ProxyTLSCACertificateFile">ProxyTLSCACertificateFile</a>
  <li><a href="#ProxyTLSCACertificatePath">ProxyTLSCACertificatePath</a>
  <li><a href="#ProxyTLSCARevocationFile">ProxyTLSCARevocationFile</a>
  <li><a href="#ProxyTLSCARevocationPath">ProxyTLSCARevocationPath</a>
  <li><a href="#ProxyTLSCertificateFile">ProxyTLSCertificateFile</a>
  <li><a href="#ProxyTLSCertificateKeyFile">ProxyTLSCertificateKeyFile</a>
  <li><a href="#ProxyTLSCipherSuite">ProxyTLSCipherSuite</a>
  <li><a href="#ProxyTLSEngine">ProxyTLSEngine</a>
  <li><a href="#ProxyTLSOptions">ProxyTLSOptions</a>
  <li><a href="#ProxyTLSPreSharedKey">ProxyTLSPreSharedKey</a>
  <li><a href="#ProxyTLSProtocol">ProxyTLSProtocol</a>
  <li><a href="#ProxyTLSTimeoutHandshake">ProxyTLSTimeoutHandshake</a>
  <li><a href="#ProxyTLSTransferProtectionPolicy">ProxyTLSTransferProtectionPolicy</a>
  <li><a href="#ProxyTLSVerifyServer">ProxyTLSVerifyServer</a>
</ul>

<p>
<hr>
<h3><a name="ProxyDataTransferPolicy">ProxyDataTransferPolicy</a></h3>
<strong>Syntax:</strong> ProxyDataTransferPolicy <em>client|active|passive|pasv|epsv|port|eprt</em><br>
<strong>Default:</strong> ProxyDataTransferPolicy client<br>
<strong>Context:</strong> server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code><br>
<strong>Module:</strong> mod_proxy<br>
<strong>Compatibility:</strong> 1.3.6rc1 and later

<p>
The <code>ProxyDataTransferPolicy</code> directive configures the data
transfer <em>policy</em> that <code>mod_proxy</code> uses when performing
data transfers (<i>e.g.</i> file uploads/downloads, directory listings) with
the backend/destination server.

<p>
The currently supported policies are:
<ul>
  <li><code>client</code>
    <p>
    This policy indicates that <code>mod_proxy</code> will use whatever
    the connected client uses.  Thus if the client sends <code>PORT</code>,
    <code>mod_proxy</code> will send <code>PORT</code> to the
    backend/destination server.

    <p>
    This is the <em>recommended policy</em> in most cases.
  </li>

  <p>
  <li><code>active</code>
    <p>
    Regardless of the commands sent by the client, <code>mod_proxy</code>
    will use only <em>active</em> data transfers (<i>i.e.</i> using
    <code>PORT</code> commands) with the backend/destination server.
  </li>

  <p>
  <li><code>passive</code>
    <p>
    Regardless of the commands sent by the client, <code>mod_proxy</code>
    will use only <em>passive</em> data transfers (<i>i.e.</i> using
    <code>PASV</code> commands) with the backend/destination server.
  </li>

  <p>
  <li><code>PASV</code>
    <p>
    Regardless of the commands sent by the client, <code>mod_proxy</code>
    will use only <code>PASV</code> commands with the backend/destination
    server.
  </li>

  <p>
  <li><code>PORT</code>
    <p>
    Regardless of the commands sent by the client, <code>mod_proxy</code>
    will use only <code>PORT</code> commands with the backend/destination
    server.
  </li>

  <p>
  <li><code>EPSV</code>
    <p>
    Regardless of the commands sent by the client, <code>mod_proxy</code>
    will use only <code>EPSV</code> commands with the backend/destination
    server.
  </li>

  <p>
  <li><code>EPRT</code>
    <p>
    Regardless of the commands sent by the client, <code>mod_proxy</code>
    will use only <code>EPRT</code> commands with the backend/destination
    server.
  </li>
</ul>

<p>
<hr>
<h3><a name="ProxyDatastore">ProxyDatastore</a></h3>
<strong>Syntax:</strong> ProxyDatastore <em>type [info]</em><br>
<strong>Default:</strong> ProxyDatastore SQLite<br>
<strong>Context:</strong> server config<br>
<strong>Module:</strong> mod_proxy<br>
<strong>Compatibility:</strong> 1.3.6rc1 and later

<p>
The <code>ProxyDatastore</code> directive configures the <em>type</em> of
datastore that <code>mod_proxy</code> uses for persistence.  The currently
supported datastore <em>types</em> are:
<ul>
  <li>Redis
  <li>SQLite
</ul>

<p>
<b>Note</b> that the Redis <em>type</em> also requires the <em>info</em>
paramter, namely a prefix for all of the Redis keys.  This prefix <b>must</b>
be different/unique among all of your <code>mod_proxy</code> servers using
that Redis server/cluster; the prefix is used to keep all of the data
<i>for this server</i> separate from all other servers.  For example:
<pre>
  &lt;IfModule mod_proxy.c&gt;

    ...
    &lt;IfModule mod_redis.c&gt;
      # Use our IP address as our prefix
      ProxyDatastore Redis 1.2.3.4.
    &lt;/IfModule&gt;
  &lt;/IfModule&gt;
</pre>

<p>
<hr>
<h3><a name="ProxyEngine">ProxyEngine</a></h3>
<strong>Syntax:</strong> ProxyEngine <em>on|off</em><br>
<strong>Default:</strong> None<br>
<strong>Context:</strong> server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code><br>
<strong>Module:</strong> mod_proxy<br>
<strong>Compatibility:</strong> 1.3.6rc1 and later

<p>
The <code>ProxyEngine</code> directive toggles the support for proxying by
<code>mod_proxy</code>.  This is usually used inside a
<code>&lt;VirtualHost&gt;</code> section to enable proxying of FTP sessions for
a particular virtual host. By default <code>mod_proxy</code> is disabled for
both the main server and all configured virtual hosts.

<p>
<hr>
<h3><a name="ProxyForwardEnabled">ProxyForwardEnabled</a></h3>
<strong>Syntax:</strong> ProxyForwardEnabled <em>on|off</em><br>
<strong>Default:</strong> None<br>
<strong>Context:</strong> <code>&lt;Class&gt;</code><br>
<strong>Module:</strong> mod_proxy<br>
<strong>Compatibility:</strong> 1.3.6rc2 and later

<p>
The <code>ProxyForwardEnabled</code> directive determines whether a client
can use <code>mod_proxy</code> for forward proxying, based on that client's
<a href="http://www.proftpd.org/docs/howto/Classes.html">class</a>.

<p>
By default, <code>mod_proxy</code> rejects any forward proxy request from
<b>any</b> client, with the exception of clients connecting from
<a href="http://www.faqs.org/rfcs/rfc1918.html">RFC 1918</a> addresses:
<pre>
  192.168.0.0/16
  172.16.0.0/12
  10.0.0.0/8
</pre>
This is done as a security measure: <b>open/unrestricted proxy servers are
dangerous both to your network and to the Internet at large</b>.  Thus to make
it possible for clients to use your server for forward proxying, they <b>must
be explicitly</b> enabled to do so.

<p>
Example:
<pre>
  &lt;Class forward-proxy&gt;
    From 1.2.3.4/12

    # Allow clients from this class to use FTP forward proxying
    ProxyForwardEnabled on
  &lt;/Class&gt;
</pre>

<p>
See also: <a href="#ProxyForwardTo"><code>ProxyForwardTo</code></a>

<p>
<hr>
<h3><a name="ProxyForwardMethod">ProxyForwardMethod</a></h3>
<strong>Syntax:</strong> ProxyForwardMethod <em>method</em><br>
<strong>Default:</strong> None<br>
<strong>Context:</strong> server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code><br>
<strong>Module:</strong> mod_proxy<br>
<strong>Compatibility:</strong> 1.3.6rc1 and later

<p>
The <code>ProxyForwardMethod</code> directive configures the <em>method</em>
that clients can use for requesting forward proxying.  Some methods require
that the client authenticate <em>to the proxy first</em>, and then separately
authenticate to the destination server; these methods differ on just when
the client specifies the destination server.  Other methods do not require
proxy authentication.  There are many variations on a theme with these methods.

<p>
The currently supported methods are:
<ul>
  <li><code>proxyuser,user@host</code>
    <p>
    This method indicates that proxy authentication is <b>required</b>.  The
    client first authenticates to the proxy via <code>USER/PASS</code> commands:
<pre>
  USER <em>proxy-user</em>
  PASS <em>proxy-passwd</em>
</pre>
    Then the client authenticates <i>again</i>, this time including the
    address (and optionally port) of the destination server as part of the
    second <code>USER</code> command:
<pre>
  USER <em>real-user</em>@ftp.example.com
  PASS <em>real-passwd</em>
</pre>
    The <code>mod_proxy</code> module will remove the destination address
    portion of the second <code>USER</code> command before proxying it to
    the destination server.
  </li>

  <p>
  <li><code>proxyuser@host,user</code>
    <p>
    This method indicates that proxy authentication is <b>required</b>.  The
    client first authenticates to the proxy via <code>USER/PASS</code> commands;
    note that the destination address (and optionally port) is included as part
    of the first <code>USER</code> command:
<pre>
  USER <em>proxy-user</em>@ftp.example.com
  PASS <em>proxy-passwd</em>
</pre>
    Then the client authenticates <i>again</i>, this time sending the
    <code>USER/PASS</code> commands to authenticate to the destination server:
<pre>
  USER <em>real-user</em>
  PASS <em>real-passwd</em>
</pre>
  </li>

  <p>
  <li><code>user@host</code>
    <p>
    This methods indicates that <i>no proxy authentication</i> is used.  The
    client indicates the destination address (and optionally port) of the
    server as part of the <code>USER</code> command:
<pre>
  USER <em>real-user</em>@ftp.example.com
  PASS <em>real-passwd</em>
</pre>
    The <code>mod_proxy</code> module will remove the destination address
    portion of the <code>USER</code> command before proxying it to the
    destination server.
  </li>
</ul>

<p>
Configuring the FTP client's proxy settings to match the above methods varies
greatly, depending on the FTP client.

<p>
<hr>
<h3><a name="ProxyForwardTo">ProxyForwardTo</a></h3>
<strong>Syntax:</strong> ProxyForwardTo <em>[!]pattern [flags]</em><br>
<strong>Default:</strong> None<br>
<strong>Context:</strong> server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code><br>
<strong>Module:</strong> mod_proxy<br>
<strong>Compatibility:</strong> 1.3.6rc1 and later

<p>
The <code>ProxyForwardTo</code> directive is used to restrict which
hosts/domains can be requested for forward proxying.  The destination host/port
for forward proxying <b>must</b> match the configured <em>pattern</em>
regular expression, or the forward proxying request will fail.

<p>
The optional <em>flags</em> parameter, if present, modifies how the given
<em>pattern</em> will be evaludated.  The supported flags are:
<ul>
  <li><b>nocase|NC</b> (<b>n</b>o <b>c</b>ase)<br>
      This makes the <em>pattern</em> case-insensitive, <i>i.e.</i> there is
      no difference between 'A-Z' and 'a-z' when <em>pattern</em> is matched
      against the path
  </li>
</ul>

<p>
<code>ProxyForwardTo</code> limits the destination hosts <b>to</b> which
clients can request forward proxying; by contrast,
<a href="#ProxyForwardEnabled"><code>ProxyForwardEnabled</code></a> controls
forward proxying based on where clients connect <b>from</b>.

<p>
<hr>
<h3><a name="ProxyLog">ProxyLog</a></h3>
<strong>Syntax:</strong> ProxyLog <em>path|"none"</em><br>
<strong>Default:</strong> None<br>
<strong>Context:</strong> server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code><br>
<strong>Module:</strong> mod_proxy<br>
<strong>Compatibility:</strong> 1.3.6rc1 and later

<p>
The <code>ProxyLog</code> directive is used to specify a log file for
<code>mod_proxy</code>'s reporting on a per-server basis.  The <em>path</em>
parameter given must be the full path to the file to use for logging.

<p>
Note that this path must <b>not</b> be to a world-writable directory and,
unless <code>AllowLogSymlinks</code> is explicitly set to <em>on</em>
(generally a bad idea), the path must <b>not</b> be a symbolic link.

<p>
<hr>
<h3><a name="ProxyOptions">ProxyOptions</a></h3>
<strong>Syntax:</strong> ProxyOptions <em>opt1 ...</em><br>
<strong>Default:</strong> None<br>
<strong>Context:</strong> server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code><br>
<strong>Module:</strong> mod_proxy<br>
<strong>Compatibility:</strong> 1.3.6rc1 and later

<p>
The <code>ProxyOptions</code> directive is used to configure various optional
behavior of <code>mod_proxy</code>.  For example:
<pre>
  ProxyOptions UseProxyProtocol
</pre>

<p>
The currently implemented options are:
<ul>
  <li><code>ShowFeatures</code><br>
    <p>
    When reverse proxing, <code>mod_proxy</code> defaults to not responding to
    the FTP <code>FEAT</code> command, which is used to determine the supported
    features/capabilities of the FTP server; this is done to prevent leaking
    of information about internal FTP servers to the outside world.  However,
    some clients rely on the <code>FEAT</code> data.  For such clients/use
    cases, use this option to tell <code>mod_proxy</code> to proxy the
    <code>FEAT</code> command/response to the backend server.
  </li>

  <p>
  <li><code>UseDirectDataTransfers</code><br>
    <p>
    The <code>mod_proxy</code> module will, by default, proxy all data transfers
    through the proxy server.  Some sites may wish to have the FTP data
    transfers occur directly between the frontend client and the backend server,
    to avoid the latency/overhead of the proxying.  Use this option to
    enable these direct data transfers (akin to <b>D</b>irect <b>S</b>erver
    <b>R</b>eturn, or DSR), for both forward and reverse proxy roles:
    <pre>
  # Enable data transfers directly from frontend client to/from backend server
  ProxyOptions UseDirectDataTransfers
    </pre>
  </li>

  <p>
  <li><code>UseProxyProtocol</code><br>
    <p>
    When <code>mod_proxy</code> connects to the backend/destination server,
    use the <a href="http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt"><code>PROXY</code></a> protocol, sending the human-readable <code>PROXY</code>
    command to the destination server.  This allows backend servers to implement
    access controls/logging, based on the IP address of the connecting client.
    The <a href="https://github.com/Castaglia/proftpd-mod_proxy_protocol"><code>mod_proxy_protocol</code></a>
    ProFTPD module can be used to handle the <code>PROXY</code> command on
    the receiving side, <i>i.e.</i> when using <code>proftpd</code> as the
    backend/destination server.

    <p>
    <b>Note</b>: do <b>not</b> use this option unless the backend server
    <em>does</em> support the <code>PROXY</code> protocol.  Otherwise, the
    <code>PROXY</code> protocol message will only confuse the backend server,
    possibly leading to connection/login failures.
  </li>

  <p>
  <li><code>UseReverseProxyAuth</code><br>
    <p>
    When reverse proxying, <code>mod_proxy</code> delegates user authentication
    to the selected backend server.  However, there are some sites which need
    to centralize user authentication in the proxy; use this option to require
    proxy authentication for such cases.  <b>Note</b> that this option
    <b>only</b> pertains to reverse proxy connections; proxy authentication
    when forward proxying is determined by the <code>ProxyForwardMethod</code>
    directive.
  </li>
</ul>

<p>
<hr>
<h3><a name="ProxyRetryCount">ProxyRetryCount</a></h3>
<strong>Syntax:</strong> ProxyRetryCount <em>count</em><br>
<strong>Default:</strong> ProxyRetryCount 5<br>
<strong>Context:</strong> server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code><br>
<strong>Module:</strong> mod_proxy<br>
<strong>Compatibility:</strong> 1.3.6rc1 and later

<p>
The <code>ProxyRetryCount</code> directive configures the number of times
<code>mod_proxy</code> will attempt to connect to the backend/destination
server.  The default is <em>5</em> attempts.

<p>
<hr>
<h3><a name="ProxyReverseConnectPolicy">ProxyReverseConnectPolicy</a></h3>
<strong>Syntax:</strong> ProxyReverseConnectPolicy <em>policy</em><br>
<strong>Default:</strong> None<br>
<strong>Context:</strong> server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code><br>
<strong>Module:</strong> mod_proxy<br>
<strong>Compatibility:</strong> 1.3.6rc1 and later

<p>
The <code>ProxyReverseConnectPolicy</code> directive configures the
<em>policy</em> that <code>mod_proxy</code> will use for selecting the backend
server when reverse proxying.

<p>
The currently supported policies are:
<ul>
  <li><code>LeastConns</code>
    <p>
    Select the backend server with the lowest number of proxied connections.
  </li>

  <p>
  <li><code>LeastResponseTime</code>
    <p>
    Select the backend server with the least response time; this is determined
    based on the connect time to the backend server, and its number of
    current connections.
  </li>

  <p>
  <li><code>PerGroup</code>
    <p>
    Select a backend server based on the primary group of the authenticated
    <code>USER</code> name used by the connecting client; any future
    connections using that same <code>USER</code> name will be routed to the
    same backend server.

    <p>
    <b>Note</b>: use of this <code>ProxyReverseConnectPolicy</code> also
    <b>requires</b> use of the <code>UseReverseProxyAuth</code>
    <code>ProxyOption</code>, as authenticating the given <code>USER</code>
    name is required for discovering the primary group of that user.
  </li>

  <p>
  <li><code>PerHost</code>
    <p>
    Select a backend server based on the IP address of the connecting client;
    any future connections from that IP address will be routed to the same
    backend server.
  </li>

  <p>
  <li><code>PerUser</code>
    <p>
    Select a backend server based on the <code>USER</code> name used by the
    connecting client; any future connections using that same <code>USER</code>
    name will be routed to the same backend server.
  </li>

  <p>
  <li><code>Random</code>
    <p>
    Randomly select any of the backend servers.
  </li>

  <p>
  <li><code>RoundRobin</code>
    <p>
    Select the next backend server in the list.
  </li>

  <p>
  <li><code>Shuffle</code>
    <p>
    Similar to the <code>Random</code> policy, except the selection happens
    from the not-yet-chosed backend servers.  This means that <b>all</b>
    backend servers will eventually be used evenly, just in a random order.
  </li>
</ul>

<p>
<hr>
<h3><a name="ProxyReverseServers">ProxyReverseServers</a></h3>
<strong>Syntax:</strong> ProxyReverseServers <em>servers</em><br>
<strong>Default:</strong> None<br>
<strong>Context:</strong> server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code><br>
<strong>Module:</strong> mod_proxy<br>
<strong>Compatibility:</strong> 1.3.6rc1 and later

<p>
The <code>ProxyReverseServers</code> directive configures the list of servers
to be used as the backend servers for reverse proxying.

<p>
Each server <b>must</b> be configured as a <i>URL</i>.  Only the "ftp" scheme
is currently supported.  If not specified, the port will be 21.  IPv6 addresses
<b>must</b> be enclosed within square brackets.  Thus, for example, the
following are all valid URLs:
<pre>
  ftp://<em>ftp1.example.com:2121</em>
  ftp://<em>1.2.3.4</em>
  ftp://<em>[::ffff:6.7.8.9]:2121</em>
</pre>
And using them all in the configuration would look like:
<pre>
  ProxyReverseServers ftp://ftp1.example.com:2121 ftp://1.2.3.4 ftp://[::ffff:6.7.8.9]:2121
</pre>

<p>
The backend servers can <i>also</i> be contained in a list in a JSON file,
<i>e.g.</i>:
<pre>
[
  "ftp://ftp1.example.com:2121",
  "ftp://[::ffff:6.7.8.9]:2121"
]
</pre>
You then only need to configure the path to that JSON file:
<pre>
  ProxyReverseServers file:/path/to/backends.json
</pre>

<p>
The backend servers can <i>also</i> be provided from an external SQL database,
queried by <code>mod_proxy</code> via <a href="http://www.proftpd.org/docs/contrib/mod_sql.html#SQLNamedQuery"><code>SQLNamedQuery</code></a>.  For example,
<i>assuming</i> a schema such as this:
<pre>
  CREATE TABLE proxy_user_servers (
    user_name TEXT,
    url TEXT
  );

  CREATE INDEX proxy_user_servers_name_idx ON proxy_user_servers (user_name);
</pre>
where <em>url</em> contains URLs, <i>e.g.</i> "ftp://1.2.3.4:21".  Then you
would configure <code>mod_proxy</code> to query for those per-user backend URLs
using <code>ProxyReverseServers</code> like this:
<pre>
  &lt;IfModule mod_sql.c&gt;
    ...
    SQLNamedQuery get-user-servers SELECT "url FROM proxy_user_servers WHERE user_name = %{0}"
  &lt;/IfModule&gt;

  ProxyRole reverse
  ProxyReverseConnectPolicy PerUser
  ProxyReverseServers sql:/get-user-servers
</pre>

<p>
Given that <code>mod_proxy</code> uses SQLite, does that mean that the table
used for storing these per-user URLs <b>must</b> be SQLite?  <b>No</b>.  The
use of <code>SQLNamedQuery</code> means that <b>any database</b>, supported
by <code>mod_sql</code>, can be used.

<p>
<hr>
<h3><a name="ProxyRole">ProxyRole</a></h3>
<strong>Syntax:</strong> ProxyRole <em>role</em><br>
<strong>Default:</strong> None<br>
<strong>Context:</strong> server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code><br>
<strong>Module:</strong> mod_proxy<br>
<strong>Compatibility:</strong> 1.3.6rc1 and later

<p>
The <code>ProxyRole</code> directive configures whether <code>mod_proxy</code>
will perform forward or reverse proxying.  The list of supported <em>roles</em>
are thus:
<ul>
  <li><code>forward</code>
    <p>
    Perform forward proxying.
  </li>

  <p>
  <li><code>reverse</code>
    <p>
    Perform reverse proxying.
  </li>
</ul>

<p>
<b>Note</b> that the <code>ProxyRole</code> directive is <b>required</b>
for <code>mod_proxy</code> to function.  If this directive is not configured,
connections to <code>mod_proxy</code> will fail.

<p>
<hr>
<h3><a name="ProxySourceAddress">ProxySourceAddress</a></h3>
<strong>Syntax:</strong> ProxySourceAddress <em>address</em><br>
<strong>Default:</strong> None<br>
<strong>Context:</strong> server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code><br>
<strong>Module:</strong> mod_proxy<br>
<strong>Compatibility:</strong> 1.3.6rc1 and later

<p>
The <code>ProxySourceAddress</code> directive configures the <em>address</em>
(or <em>device name</em>) of a network interface on the host machine, to
be used when connecting to the backend/destination server.  This directive
is most useful on a multi-homed (or DMZ) host; frontend connections can
be received on one network interface, and the backend connections can use
a different network interface.  Imagine <i>e.g.</i> separate WAN/LAN interfaces
on a proxying host.

<p>
<hr>
<h3><a name="ProxyTables">ProxyTables</a></h3>
<strong>Syntax:</strong> ProxyTables <em>table-info</em><br>
<strong>Default:</strong> None<br>
<strong>Context:</strong> server config<br>
<strong>Module:</strong> mod_proxy<br>
<strong>Compatibility:</strong> 1.3.6rc1 and later

<p>
The <code>ProxyTables</code> directive is used to specify a directory that
<code>mod_proxy</code> will use for storing its database files; these files
are used for tracking the various load balancing/healthcheck statistics used
for proxying.

<p>
<b>Note</b> that the <code>ProxyTables</code> directive is <b>required</b>
for <code>mod_proxy</code> to function.  If this directive is not configured,
connections to <code>mod_proxy</code> will fail.

<p>
<hr>
<h3><a name="ProxyTimeoutConnect">ProxyTimeoutConnect</a></h3>
<strong>Syntax:</strong> ProxyTimeoutConnect <em>timeout</em><br>
<strong>Default:</strong> ProxyTimeoutConnect 5sec<br>
<strong>Context:</strong> server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code><br>
<strong>Module:</strong> mod_proxy<br>
<strong>Compatibility:</strong> 1.3.6rc1 and later

<p>
The <code>ProxyTimeoutConnect</code> directive configures the amount of time
that <code>mod_proxy</code> will wait for the backend/destination server to
accept a TCP connection, before giving up.

<p>
Note that if there are many different backend/destination servers to try
(due to <i>e.g.</i> <code>ProxyRetryCount</code>), <i>and</i> if those
backend servers are slow, the connecting client might itself see connection
timeouts to <code>mod_proxy</code>.  To guard against such slow backend
servers, a more aggressively short timeout can be used:
<pre>
  ProxyTimeoutConnect 1sec
</pre>

<p>
<hr>
<h3><a name="ProxyTimeoutLinger">ProxyTimeoutLinger</a></h3>
<strong>Syntax:</strong> ProxyTimeoutLinger <em>timeout</em><br>
<strong>Default:</strong> ProxyTimeoutLinger 3sec<br>
<strong>Context:</strong> server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code><br>
<strong>Module:</strong> mod_proxy<br>
<strong>Compatibility:</strong> 1.3.6rc1 and later

<p>
The <code>ProxyTimeoutLinger</code> directive configures the amount of time
that <code>mod_proxy</code> will wait (<em>lingering</em>), after receiving
all of the data on the data transfer connection to the backend server, for the
explicit "end of transfer" response from the backend server, before giving up.

<p>
<hr>
<h3><a name="ProxyTLSCACertificateFile">ProxyTLSCACertificateFile</a></h3>
<strong>Syntax:</strong> ProxyTLSCACertificateFile <em>path</em><br>
<strong>Default:</strong> None<br>
<strong>Context:</strong> server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code><br>
<strong>Module:</strong> mod_proxy<br>
<strong>Compatibility:</strong> 1.3.6rc2 and later

<p>
The <code>ProxyTLSCACertificateFile</code> directive configures one file where
you can assemble the certificates of Certification Authorities (CA) which will
be used to verify the servers' certificates.  Such a file is merely the
concatenation of the various PEM-encoded CA certificates.  This directive can
be used in addition to, or as an alternative for,
<code>ProxyTLSCACertificatePath</code>.

<p>
Example:
<pre>
  ProxyTLSCACertificateFile /etc/ftpd/cacerts.pem
</pre>

<p>
<b>Note</b> that the location of CA certificates is <b>required</b> for
<code>mod_proxy</code>'s TLS support; verification of server certificates
is required for secure connections to backend/destination servers.  For
this reason, <code>mod_proxy</code> ships with its own default
<code>ProxyTLSCACertificateFile</code>, which is generated using <code>libcurl</code>'s <code>mk-ca-bundle.pl</code> script:
<pre>
  $ lib/mk-ca-bundle.pl -u cacerts.pem
</pre>

<p>
<hr>
<h3><a name="ProxyTLSCACertificatePath">ProxyTLSCACertificatePath</a></h3>
<strong>Syntax:</strong> ProxyTLSCACertificatePath <em>directory</em><br>
<strong>Default:</strong> None<br>
<strong>Context:</strong> server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code><br>
<strong>Module:</strong> mod_proxy<br>
<strong>Compatibility:</strong> 1.3.6rc2 and later

<p>
The <code>ProxyTLSCACertificatePath</code> directive sets the directory for the
certificates of Certification Authorities (CAs); these are used to verify the
server certificates presented.  This directive may be used in addition to, or
as alternative for, <code>ProxyTLSCACertificateFile</code>.

<p>
The files in the configured directory have to be PEM-encoded, and are accessed
through hash filenames.  This means one cannot simply place the CA certificates
there: one also has to create symbolic links named <i>hash-value</i>.N.  The
<code>c_rehash</code> utility that comes with OpenSSL can be used to create
the necessary symlinks.

<p>
Example:
<pre>
  ProxyTLSCACertificatePath /etc/ftpd/cacerts/
</pre>

<p>
<hr>
<h3><a name="ProxyTLSCARevocationFile">ProxyTLSCARevocationFile</a></h3>
<strong>Syntax:</strong> ProxyTLSCACertificateFile <em>path</em><br>
<strong>Default:</strong> None<br>
<strong>Context:</strong> server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code><br>
<strong>Module:</strong> mod_proxy<br>
<strong>Compatibility:</strong> 1.3.6rc2 and later

<p>
The <code>ProxyTLSCARevocationFile</code> directive configures one file that can
contain the Certificate Revocation Lists (CRL) of Certification Authorities
(CA); these CRLs are used during the verification of server certificates. Such
a file is merely the concatenation of the various PEM-encoded CRL files.  This
directive can be used in addition to, or as an alternative for,
<code>ProxyTLSCARevocationPath</code>.

<p>
Example:
<pre>
  ProxyTLSCARevocationFile /etc/ftpd/cacrls.pem
</pre>

<p>
<hr>
<h3><a name="ProxyTLSCARevocationPath">ProxyTLSCARevocationPath</a></h3>
<strong>Syntax:</strong> ProxyTLSCARevocationPath <em>directory</em><br>
<strong>Default:</strong> None<br>
<strong>Context:</strong> server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code><br>
<strong>Module:</strong> mod_proxy<br>
<strong>Compatibility:</strong> 1.3.6rc2 and later

<p>
The <code>ProxyTLSCARevocationPath</code> directive sets the directory for the
Certificate Revocation Lists (CRL) of Certification Authorities (CAs); these
are used during the verification of server certificates.  This directive may
be used in addition to, or as alternative for,
<code>ProxyTLSCARevocationFile</code>.

<p>
The files in the configured directory have to be PEM-encoded, and are accessed
through hash filenames.  This means one cannot simply place the CRLs there:
one also has to create symbolic links named <i>hash-value</i>.N.  The
<code>c_rehash</code> utility that comes with OpenSSL can be used to create
the necessary symlinks.

<p>
Example:
<pre>
  ProxyTLSCARevocationPath /etc/ftpd/cacrls/
</pre>

<p>
<hr>
<h3><a name="ProxyTLSCertificateFile">ProxyTLSCertificateFile</a></h3>
<strong>Syntax:</strong> ProxyTLSCertificateFile <em>path</em><br>
<strong>Default:</strong> None<br>
<strong>Context:</strong> server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code><br>
<strong>Module:</strong> mod_proxy<br>
<strong>Compatibility:</strong> 1.3.6rc2 and later

<p>
The <code>ProxyTLSCertificateFile</code> directive points to the PEM-encoded
file containing the <em>client</em> certificate file, and optionally also
the corresponding private key.  <em>Note</em> that this directive is only
needed for backend/target FTPS servers which require client authentication.

<p>
Example:
<pre>
  ProxyTLSCertificateFile /etc/ftpd/client-cert.pem
</pre>

<p>
<hr>
<h3><a name="ProxyTLSCertificateKeyFile">ProxyTLSCertificateKeyFile</a></h3>
<strong>Syntax:</strong> ProxyTLSCertificateKeyFile <em>path</em><br>
<strong>Default:</strong> None<br>
<strong>Context:</strong> server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code><br>
<strong>Module:</strong> mod_proxy<br>
<strong>Compatibility:</strong> 1.3.6rc2 and later

<p>
The <code>ProxyTLSCertificateKeyFile</code> directive points to the PEM-encoded
file containing the <em>client</em> certificate file, and optionally also

<p>
The <code>ProxyTLSCertificateKeyFile</code> directive points to the PEM-encoded
private key file for the client certificate indicated by
<code>ProxyTLSCertificateFile</code>. If the private key is not combined with
the certificate in the <code>ProxyTLSCertificateFile</code>, use this additional
directive to point to the file with the standalone private key.  When
<code>ProxyTLSCertificateFile</code> is used and the file contains both the
certificate and the private key, this directive need not be used.  <b>However,
this practice is strongly discouraged</b>.  Instead we recommend you to separate
the certificate and the private key.

<p>
<hr>
<h3><a name="ProxyTLSCipherSuite">ProxyTLSCipherSuite</a></h3>
<strong>Syntax:</strong> ProxyTLSCipherSuite <em>cipher-list</em><br>
<strong>Default:</strong> ProxyTLSCipherSuite DEFAULT:!ADH:!EXPORT:!DES<br>
<strong>Context:</strong> server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code><br>
<strong>Module:</strong> mod_proxy<br>
<strong>Compatibility:</strong> 1.3.6rc2 and later

<p>
The <code>ProxyTLSCipherSuite</code> directive configures the list of
acceptable SSL/TLS ciphersuites to use for backend SSL/TLS connections.  The
syntax is that of the OpenSSL <code>ciphers</code> command, <i>e.g.</i>:
<pre>
  $ openssl ciphers -v <em>&lt;cipher-list&gt;</em>
</pre>
may be used to list all of the ciphers and the order described by a specific
<em>&lt;cipher-list&gt;</em>.

<p>
<hr>
<h3><a name="ProxyTLSEngine">ProxyTLSEngine</a></h3>
<strong>Syntax:</strong> ProxyTLSEngine <em>on|off|auto</em><br>
<strong>Default:</strong> ProxyTLSEngine auto<br>
<strong>Context:</strong> server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code><br>
<strong>Module:</strong> mod_proxy<br>
<strong>Compatibility:</strong> 1.3.6rc2 and later

<p>
The <code>ProxyTLSEngine</code> directive configures the use of SSL/TLS for
<em>backend</em> FTP connections.  The supported values are:
<ul>
  <li><em>on</em>
    <p> 
    Use of SSL/TLS is <b>required</b>; backend servers which do not support
    SSL/TLS <b>or</b> which fail the SSL/TLS handshake will cause the proxied
    session to be closed.
  </li>

  <p>
  <li><em>off</em>
    <p> 
    Use of SSL/TLS is <b>disabled</b>; backend servers which do support SSL/TLS
    will be ignored, and only FTP will be used.
  </li>

  <p>
  <li><em>auto</em>
    <p>
    Use of SSL/TLS will be <b>automatically</b> used if the backend server
    supports SSL/TLS (via <code>AUTH TLS</code> in its <code>FEAT</code>
    response).  If the SSL/TLS handshake fails, the backend connection will
    proceed using plain FTP.

    <p>
    <b>Note</b>: this is the default behavior in <code>mod_proxy</code>.
  </li>
</ul>

<p>
<hr>
<h3><a name="ProxyTLSOptions">ProxyTLSOptions</a></h3>
<strong>Syntax:</strong> ProxyTLSOptions <em>options</em><br>
<strong>Default:</strong> None<br>
<strong>Context:</strong> server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code><br>
<strong>Module:</strong> mod_proxy<br>
<strong>Compatibility:</strong> 1.3.6rc2 and later

<p>
The <code>ProxyTLSOptions</code> directive is used to configure various
optional SSL/TLS behavior of <code>mod_proxy</code>.

<p>
Example:
<pre>
  ProxyTLSOptions EnableDiags
</pre>

<p>
The currently implemented options are:
<ul>
  <li><code>EnableDiags</code>
    <p>
    Sets callbacks in the OpenSSL library such that <b>a lot</b> of
    SSL/TLS protcol information is logged to the
    <a href="#ProxyLog"><code>ProxyLog</code></a> file.  This option is
    <b>very</b> useful when debugging strange interactions with FTPS servers.
  </li>

  <p>
  <li><code>NoSessionCache</code>
    <p>
    By default, when using SSL/TLS, <code>mod_proxy</code> will <em>cache</em>
    the negotiated SSL sessions in its local database, for reuse in enabling
    SSL session resumption in future connections to those hosts.  Use this
    option to <b>disable</b> use of session caching if/when needed.
  </li>

  <p>
  <li><code>NoSessionTickets</code>
    <p>
    By default, when using SSL/TLS, <code>mod_proxy</code> will <em>cache</em>
    any <a href="http://www.faqs.org/rfcs/rfc5077.html">session tickets</a>
    offered by the server in its local database, for reuse in enabling
    SSL session resumption in future connections to those hosts.  Use this
    option to <b>disable</b> use of session tickets if/when needed.
  </li>
</ul>

<p>
<hr>
<h3><a name="ProxyTLSPreSharedKey">ProxyTLSPreSharedKey</a></h3>
<strong>Syntax:</strong> ProxyTLSPreSharedKey <em>identity key-info</em><br>
<strong>Default:</strong> None<br>
<strong>Context:</strong> server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code><br>
<strong>Module:</strong> mod_proxy<br>
<strong>Compatibility:</strong> 1.3.6rc2 and later

<p>
The <code>ProxyTLSPreSharedKey</code> directive is used to configure a
<em>pre-shared key</em> (PSK), for use in
<a href="http://en.wikipedia.org/wiki/TLS-PSK">TLS-PSK</a> ciphersuites.  Each
PSK has an <em>identity</em> (a string/name used by clients to request the use
of that PSK), and the actual key data.  The key data may be encoded in different
ways; the <code>ProxyTLSPreSharedKey</code> directive requires that the data be
hex-encoded, as indicated in the <em>key-info</em> parameter.

<p>
The <em>key-info</em> parameter is comprised of the type of encoding used for
the key data, and the full path to the key file.  Only "hex" encoding is
supported right now.  Thus an example <code>ProxyTLSPreSharedKey</code>
directive would be:
<pre>
  ProxyTLSPreSharedKey MyPSK hex:/path/to/psk.key
</pre>
The configured file <b>cannot be world-readable or world-writable</b>; the
<code>mod_proxy</code> module will skip/ignore such insecure permissions.

<p>
To generate this shared key (which is just a randomly generated bit of data),
you can use:
<pre>
  $ openssl rand 160 -out /path/to/identity.key -hex
</pre>
Note that <code>ProxyTLSPreSharedKey</code> requires at least 20 bytes of key
data.  Having generated the random key data, tell <code>mod_proxy</code> to use
it via:
<pre>
  ProxyTLSPreSharedKey identity hex:/path/to/identity.key
</pre>

<p>
<hr>
<h3><a name="ProxyTLSProtocol">ProxyTLSProtocol</a></h3>
<strong>Syntax:</strong> ProxyTLSProtocol <em>protocols</em><br>
<strong>Default:</strong> ProxyTLSProtocol TLSv1 TLSv1.1 TLSv1.2<br>
<strong>Context:</strong> server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code><br>
<strong>Module:</strong> mod_proxy<br>
<strong>Compatibility:</strong> 1.3.6rc2 and later

<p>
The <code>ProxyTLSProtocol</code> directive is used to configure the SSL/TLS
protocol versions that <code>mod_proxy</code> should use when establishing
SSL/TLS sessions to backend servers.

<p>
The allowed protocols are:
<p>
<table>
  <tr>
    <td><code>SSLv3</code></td>
    <td>Use only SSLv3</td>
  </tr>

  <tr>
    <td><code>TLSv1</code></td>
    <td>Use only TLSv1</td>
  </tr>

  <tr>
    <td><code>TLSv1.1</code></td>
    <td>Use only TLSv1.1</td>
  </tr>

  <tr>
    <td><code>TLSv1.2</code></td>
    <td>Use only TLSv1.2</td>
  </tr>

</table>

<p>
To support both SSLv3 and TLSv1, simply list both parameters for the
<code>ProxyTLSProtocol</code> directive, <i>e.g.</i>:
<pre>
  ProxyTLSProtocol SSLv3 TLSv1
</pre>

<p>
The <code>ProxyTLSProtocol</code> directive can also be used in a different
manner, to <em>add</em> or <em>subtract</em> protocol support.  For example,
to enable all protocols <b>except</b> SSLv3, you can use:
<pre>
  ProxyTLSProtocol ALL -SSLv3
</pre>
Using the directive in this manner requires that "ALL" be the <b>first</b>
parameter, <i>and</i> that all protocols have either a <code>+</code>
(<em>add</em>) or <code>-</code> (<em>subtract</em>) prefix.  "ALL" will
always be expanded to all of the supported SSL/TLS protocols known by
<code>mod_proxy</code> and supported by <code>OpenSSL</code>.

<p>
<hr>
<h3><a name="ProxyTLSTimeoutHandshake">ProxyTLSTimeoutHandshake</a></h3>
<strong>Syntax:</strong> ProxyTLSTimeoutHandshake <em>timeout</em><br>
<strong>Default:</strong> ProxyTLSTimeoutHandshake 30sec<br>
<strong>Context:</strong> server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code><br>
<strong>Module:</strong> mod_proxy<br>
<strong>Compatibility:</strong> 1.3.6rc2 and later

<p>
The <code>ProxyTLSTimeoutHandshake</code> directive configures the maximum
number of seconds for <code>mod_proxy</code> to complete an SSL/TLS handshake.
If set to zero, <code>mod_proxy</code> will wait forever for a handshake to
complete.  The default is 30 seconds.

<p>
<hr>
<h3><a name="ProxyTLSTransferProtectionPolicy">ProxyTLSTransferProtectionPolicy</a></h3>
<strong>Syntax:</strong> ProxyTLSTransferProtectionPolicy <em>client|required|clear</em><br>
<strong>Default:</strong> ProxyTLSTransferProtectionPolicy required<br>
<strong>Context:</strong> server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code><br>
<strong>Module:</strong> mod_proxy<br>
<strong>Compatibility:</strong> 1.3.6rc1 and later

<p>
The <code>ProxyTLSTransferProtectionPolicy</code> directive configures the data
transfer protection <em>policy</em>, when using SSL/TLS, that
<code>mod_proxy</code> uses when performing data transfers (<i>e.g.</i> file
uploads/downloads, directory listings) with the backend/destination server.

<p>
The currently supported policies are:
<ul>
  <li><code>client</code>
    <p>
    This policy indicates that <code>mod_proxy</code> will use whatever
    the connected client uses.  Thus if the client sends <code>PROT C</code>,
    <code>mod_proxy</code> will send <code>PROT C</code> to the
    backend/destination server.
  </li>

  <p>
  <li><code>required</code>
    <p>
    Regardless of the commands sent by the client, <code>mod_proxy</code>
    will use only <em>protected</em> TLS data transfers (<i>i.e.</i> using
    <code>PROT P</code> commands) with the backend/destination server.

    <p>
    This is the <em>recommended policy</em> in most cases.
  </li>

  <p>
  <li><code>clear</code>
    <p>
    Regardless of the commands sent by the client, <code>mod_proxy</code>
    will use only <em>clear</em> (<i>i.e.</i> <em>unprotected</em>) data
    transfers (<i>i.e.</i> using <code>PROT C</code> commands) with the
    backend/destination server.
  </li>
</ul>

<p>
<hr>
<h3><a name="ProxyTLSVerifyServer">ProxyTLSVerifyServer</a></h3>
<strong>Syntax:</strong> ProxyTLSVerifyServer <em>on|off</em><br>
<strong>Default:</strong> ProxyTLSVerifyServer on<br>
<strong>Context:</strong> server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code><br>
<strong>Module:</strong> mod_proxy<br>
<strong>Compatibility:</strong> 1.3.6rc2 and later

<p>
The <code>ProxyTLSVerifyServer</code> directive configures how
<code>mod_proxy</code> handles certificates presented by servers.  If
<em>off</em>, the module will accept <b>any</b> server certificate and
establish an SSL/TLS session, but will <b>not</b> verify the certificate.  If
<em>on</em>, the module will verify a server's certificate and, furthermore,
will fail all SSL handshake attempts <b>unless</b> the server presents a valid
certificate.

<p>
<hr>
<h2><a name="Usage">Usage</a></h2>

<p>
<b>Benefits of Proxying</b><br>
The benefits of using a module like <code>mod_proxy</code> depend mostly
on the type of proxying, forward or reverse, that <code>mod_proxy</code>
is configured to perform.  There are some benefit, however, that the module
can bring, regardless of the type of proxying:
<ul>
  <li>Add ProFTPD's FTPS support (via <code>mod_tls</code>) for FTP <em>servers</em> which do not support FTPS
  <li>Add ProFTPD's FTPS support for FTP <em>clients</em> which do not support FTPS
  <li>Add ProFTPD's IPv6 support for FTP clients/servers which do not support it
  <li>Add ProFTPD's logging power (<code>TransferLog</code>, <code>ExtendedLog</code>, <i>etc</i>) for FTP servers which do not provide such versatile logging
  <li>Use ProFTPD's monitoring capabilities (<i>e.g.</i> <code>mod_snmp</code>) for FTP servers which do not have such features
</ul>

<p>
When using <code>mod_proxy</code> for proxying, <b>all</b> data transfers
(<i>e.g.</i> file uploads/downloads, directory listings, etc) pass through
<code>mod_proxy</code>; data transfers do <b>not</b> occur directly between
the "frontend" clients and the "backend" servers.  This happens so that
clients are <b>completely</b> unaware of the network structure for the
backend servers; this is especially important when reverse proxying, where
it means that the client sees <code>mod_proxy</code> <em>as the real</em> FTP
server.

<p>
<i>Forward Proxying</i><br>
One of the most common benefits of a forward proxy is having controlled access,
by clients within an internal LAN, to outside servers.  FTP makes this sort
of thing notoriously difficult for firewalls/routers due to its multi-TCP
connection nature; this, in turn, makes proxying of FTP more difficult.  But
<code>mod_proxy</code> makes this possible; it understands FTP, and thus
provides the access control needed for such use cases.

<p>
When using <code>mod_proxy</code> as a forward proxy, FTP clients which can
only perform active data transfers can use <code>mod_proxy</code> as a way
to use passive data transfers with the destination FTP server.

<p>
Similarly, FTP clients which do not support IPv6 can proxy through
<code>mod_proxy</code> to reach a destination FTP server with an IPv6 address;
<code>mod_proxy</code> handles IPv4 and IPv6 addresses transparently.

<p>
<i>Reverse Proxying</i><br>
Just as <code>mod_proxy</code> can aid naive/legacy FTP clients via forward
proxying, <code>mod_proxy</code> can similarly front legacy FTP servers.
For example, <code>mod_proxy</code> can sit in front of FTP servers which
do not handle IPv6 addresses, and provide this functionality transparently
to IPv6-capable FTP clients.

<p>
When performing reverse proxying, <code>mod_proxy</code> can also perform
load balancing in various ways.  The common methods of "round robin" and
"least connections" are implemented; <code>mod_proxy</code> also provides
"sticky session" load balancing of clients as well.

<p>
<b>Handling of Proxied Sessions</b><br>
Once a proxied session has authenticated with the backend/destination server,
the <code>mod_proxy</code> module automatically chroots itself to a
subdirectory of the <a href="#ProxyTables"><code>ProxyTables</code></a>
directory, after which all root privileges are permanently dropped.

<p>
<b>Forward Proxy Configuration</b><br>
Before discussing example forward proxy configurations for
<code>mod_proxy</code>, it is very important to understand the consequences
of providing forward proxy capabilities.

<p>
<b>Important Security Considerations</b><br>
A forward proxy can be used by <b>any</b> client to have <em>the proxy</em>
connect to <b>any</b> arbitrary host, while hiding the client's true identity.
Malicious behavior, hacking or denial-of-service attempts, <i>etc</i> will
appear to be coming from <em>your proxy</em>; this is dangerous for your
network, and for the Internet at large.  Think of the damage that has been
done, <em>and continues to happen</em>, due to open/unrestricted proxies/relays
such as open DNS or SMTP/email proxies.

<p>
This is the reason that <code>mod_proxy</code> does not allow just <b>any</b>
client to use its forward proxy capabilities by default; instead, only
clients connecting from the LAN are allowed by default.  Allowing trusted
outside clients is done using the
<a href="#ProxyForwardEnabled"><code>ProxyForwardEnabled</code></a> directive.
Even allowing internal clients to use your forward proxy can be troublesome,
depending on the destination hosts selected by the clients.  To ensure that
your clients are using the forward proxy to connect only to the hosts allowed,
you can use the <a href="#ProxyForwardTo"><code>ProxyForwardTo</code></a>
directive to configure a regular expression-based whitelist of allowed
destination/target hosts; <b>this is strongly recommended</b>.

<p>
With all that said, here's an example <code>mod_proxy</code> configuration
for supporting forward proxying:
<pre>
  &lt;IfModule mod_proxy.c&gt;
    ProxyEngine on
    ProxyLog /path/to/proxy.log
    ProxyTables /var/ftp/proxy

    ProxyRole forward
    ProxyForwardMethod user@host
    ProxyForwardTo ^ftp\.example\.com [NC]
  &lt;/IfModule&gt;
</pre>

<p>
<b>Reverse Proxy Configuration</b><br>
Reverse proxies (also known as "gateways") are often used to provide access
to FTP resources, located with internal networks, to the outside world.  The
reverse proxy can perform load balancing, provide functionality that the
internal servers may not be able to do, and even perform things like caching.

<p>
Access control for reverse proxies is less critical than for forward proxies
because clients can only reach, via the reverse proxy, the backend servers
that the reverse proxy has been configured to use; the clients do <b>not</b>
get to choose arbitrary hosts for the reverse proxy to use.

<p>
Here's an example <code>mod_proxy</code> configuration for supporting reverse
proxying:
<pre>
  &lt;IfModule mod_proxy.c&gt;
    ProxyEngine on
    ProxyLog /path/to/proxy.log
    ProxyTables /var/ftp/proxy

    ProxyRole reverse
    ProxyReverseConnectPolicy RoundRobin
    ProxyReverseServers ftp://ftp-backend1.example.com:2121 ftp://ftp-backend2.example.com:2121 ...
  &lt;/IfModule&gt;
</pre>

<p>
Here's an example <code>mod_proxy</code> configuration for reverse proxying,
with lookup of per-user backend servers:
<pre>
  &lt;IfModule mod_proxy.c&gt;
    ProxyEngine on
    ProxyLog /path/to/proxy.log
    ProxyTables /var/ftp/proxy

    ProxyRole reverse
    ProxyReverseConnectPolicy PerUser

    # We need to provide a pool of backend servers as a fallback
    ProxyReverseServers ftp://ftp-backend1.example.com:2121 ftp://ftp-backend2.example.com:2121 ...

    # Look up per-user backend servers from user-specific JSON files
    ProxyReverseServers file:/var/ftp/proxy/backends/%U.json
  &lt;/IfModule&gt;
</pre>

Similarly, you can use a <i>per-group</i> lookup for the backend servers when
reverse proxying:
<pre>
  &lt;IfModule mod_proxy.c&gt;
    ProxyEngine on
    ProxyLog /path/to/proxy.log
    ProxyTables /var/ftp/proxy

    ProxyRole reverse
    ProxyReverseConnectPolicy PerGroup
    ProxyOptions UseReverseProxyAuth

    # We need to provide a pool of backend servers as a fallback
    ProxyReverseServers ftp://ftp-backend1.example.com:2121 ftp://ftp-backend2.example.com:2121 ...

    # Look up per-group backend servers from group-specific JSON files
    ProxyReverseServers file:/var/ftp/proxy/backends/%g.json
  &lt;/IfModule&gt;
</pre>

<p>
In order to support FTP over SSL/TLS (FTPS) connections from <em>clients</em>
when reverse proxying, simply include your normal <code>mod_tls</code>
configuration with the same <code>&lt;VirtualHost&gt;</code> configuration
with your <code>mod_proxy</code> configuration.

<p>
For FTPS support to the backend <em>servers</em>, your reverse proxy
configuration would look something like this:
<pre>
  &lt;IfModule mod_proxy.c&gt;
    ProxyEngine on
    ProxyLog /path/to/proxy.log
    ProxyTables /var/ftp/proxy

    ProxyRole reverse
    ProxyReverseConnectPolicy RoundRobin
    ProxyReverseServers ftp://ftp-backend1.example.com:2121 ftp://ftp-backend2.example.com:2121 ...

    # Use FTPS when supported/available by the backend server
    ProxyTLSEngine auto

    # List of trusted root CAs
    ProxyTLSCACertificateFile /etc/ftpd/cacerts.pem
  &lt;/IfModule&gt;
</pre>
In fact, <code>mod_proxy</code> comes with a default
<code>ProxyTLSCACertificateFile</code> (comprised of the root CAs that most
browsers use/trust), <b>and</b> the default <code>ProxyTLSEngine</code>
value is <em>auto</em>.  This means that, by default, <code>mod_proxy</code>
will try to use FTPS for backend connections automatically (assuming that
ProFTPD is built with OpenSSL support using the <code>--enable-openssl</code>
configure option).

<p>
<b>Load Balancing versus Session Stickiness</b><br>
For reverse proxy configurations, there is a choice between
<em>load balancing</em> and <em>sticky session</em>
<code>ProxyReverseConnectPolicy</code> parameters; these parameters determine
the selection of the backend server that will handle the incoming connection.

<p>
Which should you use, and why?

<p>
All of the <em>balancing</em> policies are able to select the backend server
<em>when the FTP client connects to the proxy, before sending any commands</em>.
Most of the "sticky" policies, on the other hand, require more knowledge about
the user (<i>e.g.</i> <code>USER</code> name, <code>HOST</code> name, SSL
session ID) <em>before the backend server can be determined</em>, thus backend
server selection is delayed until that information is obtained.

<p>
<em>Balancing</em> is best when all of your backend severs are identical with
regard to the content they have, <b>and</b> when it does not matter which
server handles a particular client.  Maybe all of your backend servers use a
shared filesystem via NFS or similar, thus directory listings will be the same
for a user no matter which backend server is used, and uploading files to one
server means that those files can be downloaded/seen by the other servers.
Balancing policies are also best when all of your backend servers have similar
processing power (memory, CPU, network, disk), so that all backend servers
are equally capable of providing the same service to the connecting client.

<p>
The <em>balancing</em> policies are:
<ul>
  <li><code>LeastConns</code>
  <li><code>Random</code>
  <li><code>RoundRobin</code>
  <li><code>Shuffle</code>
</ul>

<p>
<em>Stickiness</em> is best when your backend servers are <b>not</b> identical,
and some users/clients <em>should only ever go to the same set of backend
servers</em>.  Thus the user/client needs to be "sticky" to a given backend
server.

<p>
The <em>sticky</em> policies are:
<ul>
  <li><code>PerGroup</code>
  <li><code>PerHost</code>
  <li><code>PerUser</code>
</ul>

<p>
<b>SFTP/SCP Support</b><br>
The <code>mod_proxy</code> module only works for FTP/FTPS sessions; it does
<b>not</b> currently support/handle SFTP/SCP sessions.

<p>
<b>Logging</b><br>
The <code>mod_proxy</code> module supports different forms of logging.  The
main module logging is done via the
<a href="#ProxyLog"><code>ProxyLog</code></a> directive.  For debugging
purposes, the module also uses <a href="http://www.proftpd.org/docs/howto/Tracing.html">trace logging</a>, via the module-specific channels:
<ul>
  <li>proxy
  <li>proxy.conn
  <li>proxy.db
  <li>proxy.forward
  <li>proxy.ftp.conn
  <li>proxy.ftp.ctrl
  <li>proxy.ftp.data
  <li>proxy.ftp.msg
  <li>proxy.ftp.sess
  <li>proxy.ftp.xfer
  <li>proxy.inet
  <li>proxy.netio
  <li>proxy.reverse
  <li>proxy.reverse.db
  <li>proxy.reverse.redis
  <li>proxy.session
  <li>proxy.tls
  <li>proxy.tls.db
  <li>proxy.tls.redis
  <li>proxy.uri
</ul>

<p>
Thus for trace logging, to aid in debugging, you would use the following in
your <code>proftpd.conf</code>:
<pre>
  TraceLog /path/to/proxy-trace.log
  Trace proxy:20
</pre>
This trace logging can generate large files; it is intended for debugging
use only, and should be removed from any production configuration.

<p><a name="Wishlist"></a>
<b>Suggested Future Features</b><br>
The following lists the features I hope to add to <code>mod_proxy</code>,
according to need, demand, inclination, and time:
<ul>
  <li><code>MODE Z</code> support
  <li>Directory format translation (<i>e.g.</i> <code>LIST</code> to <code>MLSD</code>)
  <li>SFTP/SCP support
</ul>

<p>
See the GitHub <a href="https://github.com/Castaglia/proftpd-mod_proxy/issues">issues</a> page for current bugs and feature requests, and to report issues.

<p><a name="FAQ"></a>
<b>Frequently Asked Questions</b><br>

<p><a name="ProxyRoundRobinVsLeastConns"></a>
<font color=red>Question</font>: I have heard a lot about both "round robin"
and "least conns" for load balancing.  Which is better for FTP connections?<br>
<font color=blue>Answer</font>:  There is not an easy answer to this, because
it really comes down to the type of traffic that your FTP servers will see.

<p>
<b><i>If</i></b> your FTP sessions tend to be long-lived (<i>e.g.</i> on the
order of minutes to hours), then using <code>ProxyReverseConnectPolicy
LeastConns</code> will tend to provide the best distribution of those sessions
across your pool of backend servers.  The assumption here is that <b>new</b>
connections arrive infrequently <em>relative to the number of existing
connections</em>.

<p>
On the other hand, <b><i>if</i></b> your FTP sessions tend to be shorter
(<i>e.g.</i> minutes at most), then using <code>ProxyReverseConnectPolicy
RoundRobin</code> might provide a more even distribution of connections
across your pool of backend servers.

<p><a name="ProxyPerHostBackendServers"></a>
<font color=red>Question</font>: I am using:
<pre>
  ProxyReverseConnectPolicy PerHost
</pre>
and would like to configure different pools of backend servers for different
incoming clients.  How do I do this?<br>
<font color=blue>Answer</font>:  The best way to achieve this would be
to use <a href="http://www.proftpd.org/docs/howto/Classes.html">classes</a>
and <code>mod_ifsession</code>'s <code>&lt;IfClass&gt;</code> sections.  For
example:
<pre>
  &lt;Class proxied-clients&gt;
  &lt;/Class&gt;

  ProxyRole reverse
  ProxyReverseConnectPolicy PerHost

  &lt;IfClass proxied-clients&gt;
    ProxyReverseServers ftp://ftp-special1.example.com:2121 ftp://ftp-special2.example.com:2121 ...
  &lt;/IfClass&gt;

  # Don't forget to configure the backend server pool for clients coming
  # from other networks!
  &lt;IfClass !proxied-clients&gt;
    ProxyReverseServers ftp://ftp-backend1.example.com:2121 ftp://ftp-backend2.example.com:2121 ...
  &lt;/IfClass&gt;
</pre>

<p><a name="ProxyFTPSSupport"></a>
<font color=red>Question</font>: Does <code>mod_proxy</code> support SSL/TLS
connections, <i>i.e.</i> FTPS?<br>
<font color=blue>Answer</font>:  Short answer: yes.

<p>
The long answer is the <code>mod_proxy</code> supports FTPS connections
<b>both</b> on the <em>frontend</em>, from connecting clients, <b>and</b> on
the <em>backend</em>, to backend servers.  This means that all of the following
flows are supported:
<pre>
  <em>client</em> --- FTPS ---> <em>proxy</em> --- FTP ---> <em>server</em>
  <em>client</em> --- FTP ---> <em>proxy</em> --- FTPS ---> <em>server</em>
  <em>client</em> --- FTPS ---> <em>proxy</em> --- FTPS ---> <em>server</em>
</pre>

<p>
Thus <code>mod_proxy</code>'s FTPS support is suited for reverse proxy
configurations, where <code>mod_proxy</code> can be used to provide SSL/TLS
capabilities to old/legacy FTP servers which do not implement it.   The
<code>mod_proxy</code> module is <em>also</em> suited for forward proxy
configurations, where the FTPS support can be used to provide SSL/TLS
capabilities to old/legacy FTP clients which do not implement it.

<p><a name="ProxyReverseProxyCredentials"></a>
<font color=red>Question</font>: I want to use <code>mod_proxy</code> for
reverse proxying.  I want to centralize all of my user authentication in
<code>mod_proxy</code>, <b>and</b> I want to use <em>different</em> user
credentials when logging in to the backend servers.  Can <code>mod_proxy</code>
do all of this?<br>
<font color=blue>Answer</font>: Yes.

<p>
There are a couple of key parts of your <code>mod_proxy</code> configuration
to pay attention to, for achieving the above.
<pre>
  &lt;IfModule mod_proxy.c&gt;
    ProxyEngine on
    ProxyLog /path/to/proxy.log
    ProxyTables /var/ftp/proxy

    ProxyRole reverse

    <b># Make sure to authenticate in the proxy itself
    ProxyOptions UseReverseProxyAuth</b>

    ProxyReverseConnectPolicy ...

    <b># Include the username/passwords to use for the backend servers
    # <em>in the URLs</em>.</b>
    ProxyReverseServers ftp://<b>user1:password1@</b>ftp-backend1.example.com:2121 ftp://<b>user2:password2@</b>ftp-backend2.example.com:2121 ...
  &lt;/IfModule&gt;
</pre>
When a URL uses the "username:password" syntax for including the credentials
to use for that connection, <code>mod_proxy</code> will use those URI
credentials when logging in to that backend server.

<p><a name="ProxyLimitByGroup"></a>
<font color=red>Question</font>: I have configured <code>mod_proxy</code> to
block the <code>LIST</code> command for one group of users, like so:
<pre>
  &lt;Limit LIST&gt;
    DenyGroup somegroup
  &lt;/Limit&gt;
</pre>
But this <code>&lt;Limit&gt;</code> is not working.  Is this a bug?<br>
<font color=blue>Answer</font>:  No, it is not a bug.  It is, unfortunately,
expected behavior.

<p>
The <code>&lt;Limit&gt;</code> mechanism works on the <b>authenticated</b>
user/group names.  And in many cases, it is <b>not</b> <code>mod_proxy</code>
which authenticates the user, it is the backend server.  Thus it is the
backend server which knows the groups to which the authenticated user belongs;
<code>mod_proxy</code> only knows that the <code>USER</code> name was
successfully authenticated by the backend user.  Thus <em>group</em>-based
limits cannot be honored.

<p>
However, <b>if</b> proxy auth <b>is</b> enabled, then group-based limits will
work.  This means using either the following when forward proxying:
<pre>
  ProxyRole forward

  # Either of these two methods result in proxy auth
  ProxyForwardMethod proxyuser,user@host
  ProxyForwardMethod proxyuser@host,user
</pre>
or this, when reverse proxying:
<pre>
  ProxyRole reverse
  ProxyOptions UseReverseProxyAuth
</pre>

<p><a name="ProxyReverseSelectionByCert"></a>
<font color=red>Question</font>: Can <code>mod_proxy</code> be configured
as a reverse proxy, and to select the backend server based on the <em>client
certificate</em> used by the frontend FTPS client?<br>
<font color=blue>Answer</font>: Yes, but it requires the use of a custom SQL
query.

<p>
The idea here is to define a SQL query which looks up the backend server to
use, based on information in the frontend FTPS client certificate.  Since the
<code>mod_proxy</code> module already uses SQLite, you <i>should</i>
be able to use the <code>mod_sql_sqlite</code> module if needed.  The SQL
table schema might look like:
<pre>
  CREATE TABLE proxy_backends (
    common_name TEXT PRIMARY KEY,
    url TEXT
  );
</pre>

<pre>
  &lt;IfModule mod_tls.c&gt;
    ...
    # Tell mod_tls to export environment variables containing various
    # certificate fields, for use by e.g. mod_sql.
    TLSOptions StdEnvVars
    ...
  &lt;/IfModule&gt;

  &lt;IfModule mod_sql.c&gt;
    ...
    # Use the TLS_CLIENT_S_DN_CN environment variable (for the CommonName of
    # the Subject section of the frontend FTPS client certificate) provided
    # by mod_tls in our selection.
    SQLNamedQuery get-user-servers SELECT "url FROM proxy_backends WHERE common_name = '%{env:TLS_CLIENT_S_DN_CN}'"
    ...
  &lt;/IfModule&gt;

  &lt;IfModule mod_proxy.c&gt;
    ...
    ProxyRole reverse
    ProxyReverseConnectPolicy PerUser

    # Use a named SQL query to lookup the backend server to use.  Note that
    # the name used here is the name of our SQLNamedQuery defined above.
    ProxyReverseServers sql:/get-user-servers
    ...
  &lt;/IfModule&gt;
</pre>
Note that the <code>mod_tls</code> module provides many other environment
variables for other fields of the certificate; using a field other than
CommonName is also quite doable, depending on your needs.

<p>
<hr>
<h2><a name="Installation">Installation</a></h2>
To install <code>mod_proxy</code>, go to the third-party module area in
the proftpd source code and unpack the <code>mod_proxy</code> source tarball:
<pre>
  $ cd <i>proftpd-dir</i>/contrib/
  $ tar zxvf /path/to/mod_proxy-<i>version</i>.tar.gz
</pre>
after unpacking the latest proftpd-1.3.<i>x</i> source code.  For including
<code>mod_proxy</code> as a staticly linked module:
<pre>
  $ ./configure --with-modules=mod_proxy:...
</pre>
To build <code>mod_proxy</code> as a DSO module:
<pre>
  $ ./configure --enable-dso --with-shared=mod_proxy:...
</pre>
Then follow the usual steps:
<pre>
  $ make
  $ make install
</pre>
<b>Note</b>: <code>mod_proxy</code> uses the
<a href="http://www.sqlite.org"><code>SQLite</code></a> library; thus the
<code>sqlite3</code> development library/headers <b>must</b> be installed for
building <code>mod_proxy</code>.

<p>
It is <b>highly recommended</b> that SQLite 3.8.5 or later be used.  Problems
have been reported with <code>mod_proxy</code> when SQLite 3.6.20 is used;
these problems disappeared once SQLite was upgraded to a newer version.

<p>
<hr>

<font size=2><b><i>
&copy; Copyright 2015-2017 TJ Saunders<br>
 All Rights Reserved<br>
</i></b></font>

<hr>
</body>
</html>