Castaglia/proftpd-mod_proxy

How to troubleshoot?

MarcoInnocenti opened this issue · 5 comments

Hi,
I'm trying to use this module against a public ftp server.

LoadModule mod_tls.c
LoadModule mod_proxy.c

ProxyEngine on
ProxyLog /var/log/proftpd/proxy.log
ProxyTables /var/lib/proftpd/proxy

ProxyRole reverse
ProxyRetryCount 1
ProxyReverseServers ftps://test.rebex.net:990

ProxyTLSEngine on

Whenever I try to connect to the proxy I get errors in proxy.log.
It seems to be a configuration error as it tells "Argument not valid". Tcpdump shows no connections to test.rebex.net so the proxy doesn't even try to reach it.

mod_proxy/0.7[556913]: selected backend server 'ftps://test.rebex.net:990'
mod_proxy/0.7[556913]: error starting connect to 195.144.107.198#990: Argomento non valido
mod_proxy/0.7[556913]: ProxyRetryCount 1 reached with no successful connection, failing

How can I find which parameter I should change?

This one is a bit subtle, I fear. To get more detailed information, I recommend using trace logging, specifically adding the following to your configuration:

TraceLog /var/log/proftpd/proxy.log
Trace netio:20 \
  proxy:20 \
  proxy.conn:20 \
  proxy.ftp.conn:20 \
  proxy.ftp.ctrl:20 \
  proxy.ftp.data:20 \
  proxy.ftp.msg:20 \
  proxy.ftp.sess:20 \
  proxy.netio:20 \
  proxy.tls:20 \
  tls:20

I do know that mod_proxy can successfully proxy FTP sessions to Rebex's implicit FTPS (port 990) port; it is one of the mod_proxy integration tests.

I'm hoping that the above detailed logging can reveal what some of the usual causes are...

Could you also provide the ProFTPD version, and mod_proxy version, that you are running? Thanks!

Thank you. My server was using IPv6 to reach an IPv4 address.

@MarcoInnocenti I'm glad to hear that you found the issue; what were the log messages that you saw, to help you identify the cause? How did you address it?

I ask because I'm wondering if there are code changes I could make to mod_proxy, to make it detect/handle this situation better. Thanks!

The problem arose because I tested the proxy using "ftp localhost". The proxy selected the same interface to contact the destination so I solved the issue with the "ProxySourceAddress" parameter.

TraceLog was very clear.

<proxy.conn:4>: error converting IPv6 local address ::1 to IPv4 address: Operazione non permessa
<proxy.conn:14>: ::1 is a loopback address, and unable to reach 195.144.107.198; using 127.0.1.1 instead
<proxy.conn:12>: connecting to backend address 195.144.107.198#990 from 127.0.1.1#0
mod_proxy/0.7[3894]: error starting connect to 195.144.107.198#990: Argomento non valido
mod_proxy/0.7[3894]: ProxyRetryCount 1 reached with no successful connection, failing

I'm absolutely satisfied and I thank you for all you did, and I don't think you can do many things to have mod_proxy become a better product.

I only had another minor issue with it and it was a documentation one.

mod_tls.c is required to use ftps. In retrospect it is obvious but it took me some time to realize.
I've seen that others stumbled on this problem (https://githubhot.com/repo/Castaglia/proftpd-mod_proxy/issues/208) so maybe mentioning it in the documentation could be of help to someone.

@MarcoInnocenti Thanks for the feedback.

For the "argument not valid" configuration scenario, I'm thinking to add some ProxyLog log message, when an error occurs, that checks both source and destination addresses to ensure that both are publicly routable (i.e. not RFC 1918 private addresses) -- if either one is a private address, then I'll log a message suggesting the use of ProxySourceAddress, as a hint/guide for the same fix that you found.

For the mod_tls.c requirement, any suggestions on where, in the mod_proxy docs, to note this? Think that mentioning it in the ProxyTLSEngine docs would suffice?
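
A sketch of the post-error address check proposed in the comment above, as an added example that is not mod_proxy's code or part of the original thread. All function and enum names are hypothetical, and treating loopback (127.0.0.0/8, ::1) and IPv6 unique-local addresses like RFC 1918 ranges is an assumption made here because the source address in the trace log was 127.0.1.1.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names throughout; none of this is mod_proxy's API. */
enum addr_class { ADDR_INVALID, ADDR_LOOPBACK, ADDR_PRIVATE, ADDR_PUBLIC };

/* Classify a textual IPv4/IPv6 address. Link-local and other special
 * ranges are not handled and fall through to ADDR_PUBLIC. */
enum addr_class classify_addr(const char *text) {
  struct in_addr v4;
  struct in6_addr v6;

  if (inet_pton(AF_INET, text, &v4) == 1) {
    uint32_t ip = ntohl(v4.s_addr);
    if ((ip >> 24) == 127) return ADDR_LOOPBACK;    /* 127.0.0.0/8 */
    if ((ip >> 24) == 10) return ADDR_PRIVATE;      /* 10.0.0.0/8 */
    if ((ip >> 20) == 0xAC1) return ADDR_PRIVATE;   /* 172.16.0.0/12 */
    if ((ip >> 16) == 0xC0A8) return ADDR_PRIVATE;  /* 192.168.0.0/16 */
    return ADDR_PUBLIC;
  }
  if (inet_pton(AF_INET6, text, &v6) == 1) {
    if (IN6_IS_ADDR_LOOPBACK(&v6)) return ADDR_LOOPBACK;      /* ::1 */
    if ((v6.s6_addr[0] & 0xfe) == 0xfc) return ADDR_PRIVATE;  /* fc00::/7 */
    return ADDR_PUBLIC;
  }
  return ADDR_INVALID;
}

/* Call only after connect() has failed. Returns a hint string, or NULL
 * when both ends look publicly routable or an address does not parse. */
const char *connect_error_hint(const char *src, const char *dst) {
  enum addr_class s = classify_addr(src), d = classify_addr(dst);
  if (s == ADDR_INVALID || d == ADDR_INVALID) return NULL;
  if (s == ADDR_PUBLIC && d == ADDR_PUBLIC) return NULL;
  return "source or destination is loopback/private; consider ProxySourceAddress";
}

int main(void) {
  /* Address pair taken from the trace log in this thread. */
  const char *hint = connect_error_hint("127.0.1.1", "195.144.107.198");
  printf("%s\n", hint ? hint : "no hint");
  return 0;
}
```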