Re: FTP load balancing?

From: Willy Tarreau <w#1wt.eu>
Date: Thu, 22 May 2008 10:35:11 +0200


Hi Alberto,

On Wed, May 21, 2008 at 08:58:20PM +0200, Alberto Giménez wrote:
> Hi,
>
> I've found a problem trying to balance FTP servers (well, really just
> use an FTP server and a backup one through the haproxy box). I'm
> currently using a kernel patched with cttproxy (2.0.6) to provide
> transparent proxy support and haproxy 1.3.14.
>
> FTP sessions hang when a data connection must be opened. This is true
> for active mode, and I guess the problem is because of the FTP
> protocol itself:
>
> client (control connection) ---> haproxy ----> backend FTP server
> client (data connection) (port X) -----> haproxy (port 20)
> haproxy (port Y) -----> backend FTP server (port 20)
> haproxy (port Y) <------ backend FTP server (port 20)
>
> And then haproxy doesn't forward "port Y" to "port X" on the client,
> so data connection is lost on haproxy box and the client "hangs"
> waiting for a response.

Yes, that's one of the problems with FTP.

> Using passive mode works, because backend server tells the client
> directly what port to use (and his real IP, not the balanced one!).

This will not work for most clients (particularly those behind firewalls), as the destination address of the data connection will not be the same as for the control connection.

> I'm not sure if telling the customers to "force passive mode on their
> FTP clients" is a very polite option but... I wonder if anyone had the
> same problem and found a solution for it. I have not found anything
> about haproxy + ftp balancing on the net. Some references to other
> load balancers but no real clue.

I got active FTP load balancing to work in a very simple manner using transparent proxy:

Client C connects to the service address V on haproxy port 21. haproxy forwards the connection to server S1 port 21, using C as the source address. When the client sends "PORT C,X", the server tries to connect to C through the machine running haproxy. You simply have to add a source NAT rule on this machine, which translates S1 source port 20 to V source port 20. The client will then receive a connection from V, which is where it established the control connection.

Regards,
Willy

Received on 2008/05/22 10:35
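The source NAT rule described in the reply above, written out as an added example (not part of the original e-mail and not haproxy project code). It assumes the haproxy machine runs Linux netfilter/iptables; the function names `is_ipv4` and `ftp_snat_rules` are hypothetical, and the addresses 192.0.2.10 (V), 10.0.0.11 (S1) and 10.0.0.12 (backup server) are constructed.

```shell
#!/bin/sh
# Added example: prints (does not apply) one SNAT rule per backend FTP server,
# so that active-mode data connections reach the client from V port 20.

is_ipv4() {
    # Reject anything but digits and dots, and leading/trailing dots,
    # before splitting (this also rules out glob characters).
    case $1 in
        ''|*[!0-9.]*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        # Empty octet ("1..2.3") or value above 255 is invalid.
        [ -n "$octet" ] || return 1
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

ftp_snat_rules() {
    # $1 = service address V; remaining arguments = backend servers (S1, ...).
    vip=$1; shift
    is_ipv4 "$vip" || { echo "bad service address: $vip" >&2; return 1; }
    for srv in "$@"; do
        is_ipv4 "$srv" || { echo "bad server address: $srv" >&2; return 1; }
        # The server opens the data connection from its port 20 towards C.
        # Rewrite the source so C sees V:20, the address it used for control.
        echo "iptables -t nat -A POSTROUTING -p tcp -s $srv --sport 20 -j SNAT --to-source $vip:20"
    done
}

# Dry run with constructed addresses; review the output before running it as root.
ftp_snat_rules 192.0.2.10 10.0.0.11 10.0.0.12
```

Once the rules are loaded, the packet counters in `iptables -t nat -L POSTROUTING -n -v` show whether data connections are matching them.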
