Analysis of the FTP proxying process - using ftp.proxy

xiaoxiao2021-02-27  149

Contents

    ftp.proxy
    Installation
    Proxying process analysis
    Preparation
    Packet capture analysis

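Compared with HTTP proxying, FTP proxying is a much more special case, because FTP transfers data over random ports. The port number is determined at run time and sent over the control connection (the control connection carries FTP commands and responses, the data connection carries file contents), so the proxy server has to parse the responses or requests on the control connection and rewrite them.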

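HTTP proxying is much simpler: the client talks to the proxy and sets the Host header to the real server's address, and the proxy simply forwards the whole TCP message body. In other words, an HTTP proxy can be a layer-4 proxy or a layer-3 proxy (port forwarding), but FTP can only use a layer-4 proxy, because the FTP client parses the FTP server reply to obtain the data connection address. With a layer-3 proxy, only the control connection goes through the proxy and the data connection still connects directly to the real server.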

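An FTP proxy is very limited. If it is transparent to the client (that is, the client only has to change ip:host to connect to either the proxy or the real server), one group of FTP proxy instances can proxy only one FTP server, because the proxy has no way of knowing the address of the real server the client wants to reach (an HTTP proxy learns the real server's address from the Host header).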

ftp.proxy

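Among the commonly used open-source proxy software, both Apache and Squid support FTP proxying, but neither is an FTP proxy in the true sense. See the official documentation for details: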

    Apache Module mod_proxy_ftp
    squid-cache wiki - Feature: Native FTP proxying

ftp.proxy is not well known and not widely used, but its functionality meets the needs of an FTP proxy server.

Installation

    yum install ctags
    tar -xzf ftpproxy-1.2.3.tgz && \
    cd ftpproxy-1.2.3 && \
    sed -i 's/\/usr\/local\/man\/man1/\/usr\/local\/share\/man\/man1/g' Makefile && \
    make && make install

The installation is quite minimal: it only installs one executable and the man pages:

    cd src; strip ftp.proxy && cp ftp.proxy /usr/local/sbin
    cd doc; cp *.1 /usr/local/share/man/man1

Proxying process analysis

Preparation

    FTP client: 10.105.44.6
    FTP proxy: 10.105.51.240:2121
    FTP server: 10.105.87.168:21

    ftp.proxy -D 2121 10.105.87.168:21
    starting ftp.proxy 1.2.3 in daemon mode ...

Packet capture analysis

Steps performed:

    ftp -d
    ftp> open 10.105.51.240 2121
    Connected to 10.105.51.240 (10.105.51.240).
    220 server ready - login please
    Name (10.105.51.240:root): xxx
    ---> USER 1251429439
    331 password required
    Password:
    ---> PASS XXXX
    230 login accepted
    ---> SYST
    215 UNIX Type: L8
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> put /tmp/test.txt /0/test.txt
    local: /tmp/test.txt remote: /0/test.txt
    ---> TYPE I
    200 Switching to Binary mode.
    ---> PASV
    227 Entering Passive Mode (10,105,51,240,211,175)
    ---> STOR /0/test.txt
    150 Ok to send data.
    226 Transfer complete.
    5 bytes sent in 3.5e-05 secs (142.86 Kbytes/sec)
    ftp> delete /0/test.txt
    ---> DELE /0/test.txt
    250 Delete operation successful.
    ftp> quit
    ---> QUIT
    221 goodbye

Packet capture:

    client -> proxy: connect
    proxy -> client: 220 server ready - login please\r\n
    client -> proxy: USER xxx\r\n
    proxy -> client: 331 password required\r\n
    client -> proxy: PASS xxx\r\n
    proxy -> server: connect
    server -> proxy: 220 (vsFTPd 3.0.2)\r\n
    proxy -> server: USER xxx\r\n
    server -> proxy: 331 Please specify the password.\r\n
    proxy -> server: PASS xxx\r\n
    server -> proxy: 230 Login successful.\r\n
    proxy -> client: 230 login accepted\r\n
    client -> proxy: SYST\r\n
    proxy -> server: SYST\r\n
    server -> proxy: 215 UNIX Type: L8\r\n
    proxy -> client: 215 UNIX Type: L8\r\n
    client -> proxy: TYPE I\r\n
    proxy -> server: TYPE I\r\n
    server -> proxy: 200 Switching to Binary mode.\r\n
    proxy -> client: 200 Switching to Binary mode.\r\n
    client -> proxy: PASV\r\n
    proxy -> server: PASV\r\n
    server -> proxy: 227 Entering Passive Mode (10,105,87,168,224,171).\r\n
    proxy -> client: 227 Entering Passive Mode (10,105,51,240,211,175)\r\n
    client -> proxy: connect to port 54191(211*256+175)
    client -> proxy: STOR /0/test.txt\r\n
    proxy -> server: STOR /0/test.txt\r\n
    proxy -> server: connect to port 57515(224*256+171)
    server -> proxy: 150 Ok to send data.\r\n
    proxy -> client: 150 Ok to send data.\r\n
    client -> proxy: send file content
    proxy -> server: send file content
    client -> proxy: close data connection
    proxy -> server: close data connection
    server -> proxy: 226 Transfer complete.\r\n
    proxy -> client: 226 Transfer complete.\r\n
    client -> proxy: DELE /0/test.txt\r\n
    proxy -> server: DELE /0/test.txt\r\n
    server -> proxy: 250 Delete operation successful.\r\n
    proxy -> client: 250 Delete operation successful.\r\n
    client -> proxy: QUIT\r\n
    proxy -> server: QUIT\r\n
    server -> proxy: 221 Goodbye.\r\n
    proxy -> client: 221 goodbye\r\n
    server -> proxy: close command connection
    proxy -> client: close command connection

The following two lines show that the proxy replaces the data transfer address:

    server -> proxy: 227 Entering Passive Mode (10,105,87,168,224,171).\r\n
    proxy -> client: 227 Entering Passive Mode (10,105,51,240,211,175)\r\n
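
The 227 rewrite seen in these two lines, as an added Python example (not part of the original article and not ftp.proxy's own code). The function names, the proxy_port parameter and the check that the advertised address belongs to the control-connection server are assumptions made for illustration.

```python
import re

# Parenthesised form "227 ... (h1,h2,h3,h4,p1,p2)" as sent by the server in the capture.
PASV_RE = re.compile(r"^227 [^(\r\n]*\((\d{1,3}(?:,\d{1,3}){5})\)")


def parse_pasv(reply):
    """Return the (ip, port) a 227 reply advertises; raise ValueError if malformed."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError("not a parenthesised 227 reply")
    nums = [int(n) for n in m.group(1).split(",")]
    if any(n > 255 for n in nums):
        raise ValueError("address or port byte out of range")
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def format_pasv(ip, port):
    """Build the 227 line announcing ip:port (port split into high and low byte)."""
    return "227 Entering Passive Mode (%s,%d,%d)\r\n" % (
        ip.replace(".", ","), port >> 8, port & 0xFF)


def rewrite_pasv(reply, server_ip, proxy_ip, proxy_port):
    """Return (upstream data endpoint, reply to send to the client).

    proxy_port is the port the proxy is already listening on for the client's
    data connection (hypothetical parameter; a real proxy binds a socket first).
    """
    ip, port = parse_pasv(reply)
    # Assumed hardening check: only relay data to the server that owns the
    # control connection, never to an arbitrary address named in the reply.
    if ip != server_ip:
        raise ValueError("227 advertises %s, expected %s" % (ip, server_ip))
    return (ip, port), format_pasv(proxy_ip, proxy_port)


if __name__ == "__main__":
    # Values taken from the capture above.
    upstream, to_client = rewrite_pasv(
        "227 Entering Passive Mode (10,105,87,168,224,171).\r\n",
        server_ip="10.105.87.168", proxy_ip="10.105.51.240", proxy_port=54191)
    print(upstream)
    print(repr(to_client))
```

The proxy connects to the returned upstream endpoint itself and relays the bytes it receives on its own listening port, so the client never learns the real server's data address.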