FTP reverse proxy TLS?

Started by Nacho, August 12, 2017, 01:25:16 PM

August 12, 2017, 01:25:16 PM Last Edit: August 12, 2017, 01:44:58 PM by Nacho
Hi,

I've set up a FileZilla FTP server on Windows, set up TLS authentication and tested this on the local network; all is working fine.
Then I configured the OPNsense (17.7) proxy-ftp module according to the tutorial here: https://forum.opnsense.org/index.php?topic=3868.0 and tested from outside the local network. I can connect and I receive the welcome banner, but then I get the following error:

Command: AUTH TLS
Response: 234 Using authentication type TLS
Status:      Initializing TLS...
Error:        GnuTLS error -110: The TLS connection was non-properly terminated.
Status:      Server did not properly shut down TLS connection
Error:        Could not connect to server


When I disable TLS on the server I can connect fine through the proxy but somehow the TLS authentication fails. Am I missing something in my configuration, or would this not be supported?

A bit more detailed logging from the client:

Trace:        CFtpLogonOpData::ParseResponse() in state 1
Trace:        CControlSocket::SendNextCommand()
Trace:        CFtpLogonOpData::Send() in state 2
Command: AUTH TLS
Trace:        CFtpControlSocket::OnReceive()
Response: 234 Using authentication type TLS
Trace:        CFtpLogonOpData::ParseResponse() in state 2
Status:      Initializing TLS...
Trace:        CTlsSocketImpl::Handshake()
Trace:        CTlsSocketImpl::ContinueHandshake()
Trace:        TLS handshake: About to send CLIENT HELLO
Trace:        TLS handshake: Sent CLIENT HELLO
Trace:        CTlsSocketImpl::OnSend()
Trace:        CTlsSocketImpl::OnRead()
Trace:        CTlsSocketImpl::ContinueHandshake()
Trace:        CTlsSocketImpl::Failure(-110)
Error:        GnuTLS error -110: The TLS connection was non-properly terminated.
Status:      Server did not properly shut down TLS connection
Trace:        CRealControlSocket::OnClose(53)
Trace:        CRealControlSocket::DoClose(66)
Trace:        CControlSocket::DoClose(66)
Trace:        CFtpControlSocket::ResetOperation(66)
Trace:        CControlSocket::ResetOperation(66)
Error:        Could not connect to server
Trace:        CFileZillaEnginePrivate::ResetOperation(66)



Long story short: the plugin has no idea which port should be opened for the data connection, and the connection is attempted against a closed port.

Hi Fabian,

Thanks for your reply.
Is there any workaround to make this work, or will this never work through NAT?

It will never work through NAT as long as the server does not terminate TLS so the port numbers can be read.

What you can eventually do is limit the FTP server to a port range and forward this port range to the server, for example forward 100 ports to the FTP server.

vsftpd has the settings pasv_max_port and pasv_min_port [1], so you may use 10000 up to 10100. Note that this is bad security practice as it does not check if these connections belong to an FTP control connection, which means that the server can open any port and everything is allowed.

[1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/3/html/Reference_Guide/s1-ftp-vsftpd-conf.html
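To make the mechanism behind fabian's explanation concrete, here is an added example that is not code from the thread, from OPNsense or from vsftpd. It models a hypothetical FTP-aware NAT/proxy helper: it can pin-hole exactly the data port announced in a plaintext PASV reply, but once the control channel is wrapped in TLS after AUTH TLS it only sees opaque records and cannot learn the port. The TLS-record check (content type 0x17) is a simplification, and all sample traffic is constructed, not captured. The last function quantifies the cost of the static port-range workaround: every port in the range is reachable regardless of whether any control connection exists.

```python
"""Why an FTP-aware proxy/NAT helper needs a readable control channel.

Hypothetical helper logic written for illustration; not OPNsense's proxy-ftp code.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional, Tuple

# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(
    rb"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)

# Simplified marker for a TLS application-data record (content type 0x17, major version 3).
TLS_APPDATA_PREFIX = b"\x17\x03"


@dataclass(frozen=True)
class PassiveEndpoint:
    host: str
    port: int


def parse_pasv(reply: bytes) -> Optional[PassiveEndpoint]:
    """Decode a plaintext PASV reply into the data endpoint the server chose."""
    m = PASV_RE.match(reply)
    if m is None:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None  # malformed: every field must fit in one octet
    h1, h2, h3, h4, p1, p2 = fields
    return PassiveEndpoint(f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)


def helper_decision(control_bytes: bytes) -> Tuple[str, Optional[PassiveEndpoint]]:
    """What the helper can do with one server->client chunk of the control channel.

    ("open", endpoint): open exactly the announced data port for this control session.
    ("pass", None):     readable reply that needs no firewall action.
    ("opaque", None):   a TLS record; the helper cannot read it, so no port can be opened.
    """
    if control_bytes.startswith(TLS_APPDATA_PREFIX):
        return ("opaque", None)
    endpoint = parse_pasv(control_bytes)
    if endpoint is not None:
        return ("open", endpoint)
    return ("pass", None)


def static_range_exposure(pasv_min: int, pasv_max: int) -> int:
    """Ports left reachable by a static forward, with no tie to any control connection."""
    if pasv_min > pasv_max:
        raise ValueError("pasv_min must not exceed pasv_max")
    return pasv_max - pasv_min + 1


# Constructed sample traffic (not taken from the poster's setup).
PLAINTEXT_PASV = b"227 Entering Passive Mode (192,168,1,20,39,16)\r\n"  # 39*256+16 = 10000
PLAINTEXT_OTHER = b"230 Login successful.\r\n"
# After AUTH TLS the same reply travels inside a TLS application-data record;
# the payload bytes here are arbitrary stand-ins for ciphertext.
TLS_RECORD = b"\x17\x03\x03\x00\x20" + bytes(range(0x20))

if __name__ == "__main__":
    for chunk in (PLAINTEXT_OTHER, PLAINTEXT_PASV, TLS_RECORD):
        print(helper_decision(chunk))
    print("ports exposed by a static forward of 10000-10100:",
          static_range_exposure(10000, 10100))
```

Run stand-alone, the plaintext PASV reply yields a single port to open, the login reply yields no action, and the TLS record yields "opaque", which is exactly the state the proxy is in after the client's AUTH TLS succeeds. The static forward of 10000 to 10100 exposes 101 ports at all times, which is the trade-off the reply above describes.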

That makes sense. I guess I'll have to find other options to provide secure access.

Thanks!

August 13, 2017, 09:10:37 AM #5 Last Edit: August 13, 2017, 09:12:09 AM by fabian
SFTP / SCP (both use SSH) could be an option, as well as something web-based (like Nextcloud).

EDIT: If it has to be FTP, you can still also provide a web ftp server to access your FTP server via HTTPS.