Load balancing

Passive FTP

In passive mode File Transfer Protocol (FTP), the client initiates all connections to the server, making it compatible with intermediary proxies and firewalls. In contrast, active mode FTP has the server initiate connections to the client, and this is often blocked. For this reason, passive FTP is recommended over active FTP.

The passive configuration documented on this page supports not only FTP but also FTPS. It does not support SFTP.

Configure FTP servers

Perform these steps on the FTP servers. Consult the documentation for your FTP server.

  1. Configure your FTP server to use passive mode. It should return the IP address of the load balancer as the advertised address of the FTP service. Later, we will configure the load balancer to listen at this address.

    For example, on a vsftpd FTP server, set the pasv_address variable to the IP address of the FTP service configured on the load balancer:

    # IP of ftp.example.com
    pasv_address=192.168.0.100
  2. Configure the passive FTP port range on the FTP server. For example, you might use the port range 50000-50010, or you can use a larger range. Be careful to limit the port range to prevent file descriptor exhaustion.

Configure the load balancer

  1. Update your frontend section in the following ways:

    • In the bind directives, set the IP addresses to match the advertised FTP site IP (the pasv_address on the FTP server).
    • In the second bind directive, enter the port range your FTP servers use for data connections (for example, 50000-50010).

    frontend ftp_fe
      mode tcp
      option tcplog
      log global
      bind 192.168.0.100:21 name ftp-control
      bind 192.168.0.100:50000-50010 name ftp-data
      default_backend ftp_servers
  2. Update your backend section in the following ways:

    • Configure the server directives to use the FTP servers’ IP addresses. Below, we use the FTP servers at 192.168.1.10 and 192.168.1.11.
    • Add stick-table and stick on directives to enable session persistence. This will route a client to the same server for both control and data. It also provides support for FTPS. See Session persistence.

    backend ftp_servers
      mode tcp
      balance leastconn
      stick-table type ip size 100k expire 1h
      stick on src
      server ftp-server1 192.168.1.10 check port 21
      server ftp-server2 192.168.1.11 check port 21
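
To verify the finished setup, the following added example (not part of the original page or of HAProxy) parses the 227/229 passive replies a client receives and checks that the advertised address and data port match the load balancer configuration above. The address and port range are this page's example values; the function names and sample replies are constructed for illustration.

```python
import ipaddress
import re

# Assumed values, taken from this page's example configuration.
ADVERTISED_IP = "192.168.0.100"   # pasv_address and the frontend bind IP
DATA_PORTS = range(50000, 50011)  # bind 192.168.0.100:50000-50010

PASV_RE = re.compile(r"^227 .*?\(" + ",".join([r"(\d{1,3})"] * 6) + r"\)")
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d{1,5})\|\)")


def parse_passive_reply(line, control_ip):
    """Return the (ip, port) a client will open its data connection to.
    227 (PASV) carries h1,h2,h3,h4,p1,p2 with port = p1 * 256 + p2.
    229 (EPSV) carries only a port; the client reuses the control address.
    """
    m = PASV_RE.match(line)
    if m:
        nums = [int(g) for g in m.groups()]
        if max(nums) > 255:
            raise ValueError("octet out of range in 227 reply")
        return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]
    m = EPSV_RE.match(line)
    if m:
        return control_ip, int(m.group(1))
    raise ValueError("not a 227/229 passive reply")


def check_reply(line, control_ip=ADVERTISED_IP):
    """Return a list of problems; an empty list means the reply fits the config."""
    ip, port = parse_passive_reply(line, control_ip)
    problems = []
    if ipaddress.ip_address(ip) != ipaddress.ip_address(ADVERTISED_IP):
        problems.append(f"advertised {ip}, expected load balancer {ADVERTISED_IP}")
    if port not in DATA_PORTS:
        problems.append(f"port {port} outside {DATA_PORTS[0]}-{DATA_PORTS[-1]}")
    return problems


# Constructed sample replies, not captured from a real server.
SAMPLES = [
    "227 Entering Passive Mode (192,168,0,100,195,80).",  # port 50000
    "227 Entering Passive Mode (192,168,1,10,195,85).",   # backend IP leaked
    "227 Entering Passive Mode (192,168,0,100,234,96).",  # port 60000
    "229 Entering Extended Passive Mode (|||50010|)",     # EPSV, port only
]

if __name__ == "__main__":
    for reply in SAMPLES:
        print(reply, "->", check_reply(reply) or "OK")
```

Feed it the 227 or 229 lines from an FTP client's debug output; with FTPS the control channel is encrypted, so these replies are only visible at the client or on the FTP server itself.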
