OPNsense Forum » Archive » 17.7 Legacy Series

Topic: FTP reverse proxy TLS?  (Read 4213 times)

Nacho
FTP reverse proxy TLS?
« on: August 12, 2017, 01:25:16 pm »
Hi,

I've set up a FileZilla FTP server on Windows, set up TLS authentication and tested this on the local network; all is working fine.
Then I configured the OPNsense (17.7) proxy-ftp module according to the tutorial here: https://forum.opnsense.org/index.php?topic=3868.0 and tested from outside the local network. I can connect and I receive the welcome banner, but then I get the following error:
Code:
Command: AUTH TLS
Response: 234 Using authentication type TLS
Status:      Initializing TLS...
Error:        GnuTLS error -110: The TLS connection was non-properly terminated.
Status:      Server did not properly shut down TLS connection
Error:        Could not connect to server

When I disable TLS on the server I can connect fine through the proxy but somehow the TLS authentication fails. Am I missing something in my configuration, or would this not be supported?

Some more detailed logging from the client:
Code:
Trace:        CFtpLogonOpData::ParseResponse() in state 1
Trace:        CControlSocket::SendNextCommand()
Trace:        CFtpLogonOpData::Send() in state 2
Command: AUTH TLS
Trace:        CFtpControlSocket::OnReceive()
Response: 234 Using authentication type TLS
Trace:        CFtpLogonOpData::ParseResponse() in state 2
Status:      Initializing TLS...
Trace:        CTlsSocketImpl::Handshake()
Trace:        CTlsSocketImpl::ContinueHandshake()
Trace:        TLS handshake: About to send CLIENT HELLO
Trace:        TLS handshake: Sent CLIENT HELLO
Trace:        CTlsSocketImpl::OnSend()
Trace:        CTlsSocketImpl::OnRead()
Trace:        CTlsSocketImpl::ContinueHandshake()
Trace:        CTlsSocketImpl::Failure(-110)
Error:        GnuTLS error -110: The TLS connection was non-properly terminated.
Status:      Server did not properly shut down TLS connection
Trace:        CRealControlSocket::OnClose(53)
Trace:        CRealControlSocket::DoClose(66)
Trace:        CControlSocket::DoClose(66)
Trace:        CFtpControlSocket::ResetOperation(66)
Trace:        CControlSocket::ResetOperation(66)
Error:        Could not connect to server
Trace:        CFileZillaEnginePrivate::ResetOperation(66)

« Last Edit: August 12, 2017, 01:44:58 pm by Nacho »

fabian
Re: FTP reverse proxy TLS?
« Reply #1 on: August 12, 2017, 03:04:02 pm »
Long story short: the plugin has no idea which port should be opened for the data connection, and the connection is attempted against a closed port.

Nacho
Re: FTP reverse proxy TLS?
« Reply #2 on: August 12, 2017, 03:57:24 pm »
Hi Fabian,

Thanks for your reply.
Is there any workaround to make this work? Or will this never work through NAT?

fabian
Re: FTP reverse proxy TLS?
« Reply #3 on: August 12, 2017, 05:50:12 pm »
It will never work through NAT as long as the server does not terminate TLS so the port numbers can be read.

What you can eventually do is limit the FTP server to a port range and forward this port range to the server, for example forward 100 ports to the FTP server.

vsftpd has the settings pasv_max_port and pasv_min_port [1]. So you may use 10000 up to 10100. Note that this is bad security practice, as it does not check if these connections belong to an FTP control connection, which means that the server can open any port and everything is allowed.

[1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/3/html/Reference_Guide/s1-ftp-vsftpd-conf.html
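As an added example (not code from OPNsense, vsftpd, or this thread), the following Python script parses the 227 PASV and 229 EPSV replies an FTP server sends on the control channel and checks the announced data port against the static forwarded range from the reply above. It illustrates two points from this thread: an FTP-aware proxy has to read these replies in cleartext to know which data port to open, which it cannot do once AUTH TLS encrypts the control channel; and a static port-range forward only answers "is the port inside the range", not "did a control connection actually ask for it". The port range, the server address and the session transcript are constructed for the example.

```python
import re

# Constructed: the passive range suggested in the reply above, assumed to be
# configured in vsftpd (pasv_min_port / pasv_max_port) and forwarded 1:1 on
# the firewall.
PASV_MIN_PORT = 10000
PASV_MAX_PORT = 10100

# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)."
PASV_RE = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
# RFC 2428 EPSV reply: "229 Entering Extended Passive Mode (|||port|)"
EPSV_RE = re.compile(r"\(\|\|\|(\d+)\|\)")


def parse_passive_reply(line):
    """Return (host, port) announced by a 227 PASV or 229 EPSV reply.

    This is exactly the information an FTP-aware proxy or firewall helper
    needs in order to open the data port.  With AUTH TLS the control
    channel is encrypted, so a proxy that is not the TLS endpoint never
    sees this line.  Raises ValueError for anything that is not a passive
    reply; host is None for EPSV, which announces only the port.
    """
    if line.startswith("227 "):
        m = PASV_RE.search(line)
        if not m:
            raise ValueError("malformed PASV reply: " + line)
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
            raise ValueError("octet out of range in PASV reply: " + line)
        return f"{h1}.{h2}.{h3}.{h4}", (p1 << 8) | p2
    if line.startswith("229 "):
        m = EPSV_RE.search(line)
        if not m:
            raise ValueError("malformed EPSV reply: " + line)
        return None, int(m.group(1))
    raise ValueError("not a passive-mode reply: " + line)


def port_in_forwarded_range(port, lo=PASV_MIN_PORT, hi=PASV_MAX_PORT):
    """The only check a static port-range forward performs: range membership.

    It does not know whether any control connection requested this port,
    which is the weakness noted in the reply above.
    """
    return lo <= port <= hi


def check_passive_reply(line, lo=PASV_MIN_PORT, hi=PASV_MAX_PORT):
    """Parse one passive reply and say whether its data port is forwarded."""
    host, port = parse_passive_reply(line)
    return {"host": host, "port": port, "forwarded": port_in_forwarded_range(port, lo, hi)}


def audit_transcript(text, lo=PASV_MIN_PORT, hi=PASV_MAX_PORT):
    """Walk a cleartext control-channel transcript and report every announced
    data port as (port, forwarded).  A port outside the range is what a
    client behind the NAT would see as 'Could not connect' / 425."""
    results = []
    for line in text.splitlines():
        if line.startswith(("227 ", "229 ")):
            r = check_passive_reply(line, lo, hi)
            results.append((r["port"], r["forwarded"]))
    return results


# Constructed sample transcript (server replies only).  39*256+18 = 10002 and
# 195*256+80 = 50000; only the first falls inside the forwarded range.
SAMPLE_TRANSCRIPT = """\
220 FTP server ready
230 Login successful.
227 Entering Passive Mode (192,168,1,20,39,18).
150 Opening data connection.
226 Transfer complete.
227 Entering Passive Mode (192,168,1,20,195,80).
425 Can't open data connection.
229 Entering Extended Passive Mode (|||10050|)
"""

if __name__ == "__main__":
    for port, ok in audit_transcript(SAMPLE_TRANSCRIPT):
        print(f"data port {port}: {'forwarded' if ok else 'NOT forwarded'}")
```

Run against a cleartext transcript (for example a FileZilla log with TLS disabled), the audit tells you whether the server's passive range matches what the firewall forwards; on a TLS-protected control channel there is no such transcript to inspect, which is the whole reason the proxy fails.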

Nacho
Re: FTP reverse proxy TLS?
« Reply #4 on: August 12, 2017, 11:51:40 pm »
That makes sense. I guess I'll have to find other options to provide secure access.

Thanks!

fabian
Re: FTP reverse proxy TLS?
« Reply #5 on: August 13, 2017, 09:10:37 am »
SFTP / SCP (both use SSH) could be an option, as well as something web-based (like Nextcloud).

EDIT: If it has to be FTP, you can still also provide a web ftp server to access your FTP server via HTTPS.
« Last Edit: August 13, 2017, 09:12:09 am by fabian »