mod_proxy.html

<!DOCTYPE html>
<html>
<head>
<title>ProFTPD module mod_proxy</title>
</head>

<body bgcolor=white>

<hr>
<center>
<h2><b>ProFTPD module <code>mod_proxy</code></b></h2>
</center>
<hr><br>

<p>
The purpose of the <code>mod_proxy</code> module is to provide FTP proxying
capabilities in <code>proftpd</code>, both <em>reverse</em> (or "gateway")
proxying and <em>forward</em> proxying.

<p>
Installation instructions are discussed <a href="#Installation">here</a>.
<b>Note</b> that <code>mod_proxy</code> requires ProFTPD 1.3.6rc2 or later.
Detailed notes on best practices for using this module are
<a href="#Usage">here</a>.

<p>
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).

<p>
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com).

<p>
The most current version of <code>mod_proxy</code> can be found at:
<pre>
  <a href="https://github.com/Castaglia/proftpd-mod_proxy.git">https://github.com/Castaglia/proftpd-mod_proxy.git</a>
</pre>

<h2>Author</h2>
<p>
Please contact TJ Saunders &lt;tj <i>at</i> castaglia.org&gt; with any
questions, concerns, or suggestions regarding this module.

<h2>Thanks</h2>
<p>
<i>2015-08-24</i>: Thanks to Michael Toth &lt;mtoth <i>at</i> queldor.net&gt;
for helping test multiple iterations of <code>mod_proxy</code> with IIS
servers.

<h2>Directives</h2>
<ul>
  <li><a href="#ProxyDataTransferPolicy">ProxyDataTransferPolicy</a>
  <li><a href="#ProxyDatastore">ProxyDatastore</a>
  <li><a href="#ProxyDirectoryListPolicy">ProxyDirectoryListPolicy</a>
  <li><a href="#ProxyEngine">ProxyEngine</a>
  <li><a href="#ProxyForwardEnabled">ProxyForwardEnabled</a>
  <li><a href="#ProxyForwardMethod">ProxyForwardMethod</a>
  <li><a href="#ProxyForwardTo">ProxyForwardTo</a>
  <li><a href="#ProxyLog">ProxyLog</a>
  <li><a href="#ProxyOptions">ProxyOptions</a>
  <li><a href="#ProxyReverseConnectPolicy">ProxyReverseConnectPolicy</a>
  <li><a href="#ProxyReverseServers">ProxyReverseServers</a>
  <li><a href="#ProxyRetryCount">ProxyRetryCount</a>
  <li><a href="#ProxyRole">ProxyRole</a>
  <li><a href="#ProxySFTPCiphers">ProxySFTPCiphers</a>
  <li><a href="#ProxySFTPCompression">ProxySFTPCompression</a>
  <li><a href="#ProxySFTPDigests">ProxySFTPDigests</a>
  <li><a href="#ProxySFTPHostKey">ProxySFTPHostKey</a>
  <li><a href="#ProxySFTPKeyExchanges">ProxySFTPKeyExchanges</a>
  <li><a href="#ProxySFTPOptions">ProxySFTPOptions</a>
  <li><a href="#ProxySFTPPassPhraseProvider">ProxySFTPPassPhraseProvider</a>
  <li><a href="#ProxySFTPServerAlive">ProxySFTPServerAlive</a>
  <li><a href="#ProxySFTPServerMatch">ProxySFTPServerMatch</a>
  <li><a href="#ProxySFTPVerifyServer">ProxySFTPVerifyServer</a>
  <li><a href="#ProxySourceAddress">ProxySourceAddress</a>
  <li><a href="#ProxyTables">ProxyTables</a>
  <li><a href="#ProxyTimeoutConnect">ProxyTimeoutConnect</a>
  <li><a href="#ProxyTimeoutLinger">ProxyTimeoutLinger</a>
  <li><a href="#ProxyTLSCACertificateFile">ProxyTLSCACertificateFile</a>
  <li><a href="#ProxyTLSCACertificatePath">ProxyTLSCACertificatePath</a>
  <li><a href="#ProxyTLSCARevocationFile">ProxyTLSCARevocationFile</a>
  <li><a href="#ProxyTLSCARevocationPath">ProxyTLSCARevocationPath</a>
  <li><a href="#ProxyTLSCertificateFile">ProxyTLSCertificateFile</a>
  <li><a href="#ProxyTLSCertificateKeyFile">ProxyTLSCertificateKeyFile</a>
  <li><a href="#ProxyTLSCipherSuite">ProxyTLSCipherSuite</a>
  <li><a href="#ProxyTLSEngine">ProxyTLSEngine</a>
  <li><a href="#ProxyTLSOptions">ProxyTLSOptions</a>
  <li><a href="#ProxyTLSPreSharedKey">ProxyTLSPreSharedKey</a>
  <li><a href="#ProxyTLSProtocol">ProxyTLSProtocol</a>
  <li><a href="#ProxyTLSTimeoutHandshake">ProxyTLSTimeoutHandshake</a>
  <li><a href="#ProxyTLSTransferProtectionPolicy">ProxyTLSTransferProtectionPolicy</a>
  <li><a href="#ProxyTLSVerifyServer">ProxyTLSVerifyServer</a>
</ul>

<p>
<hr>
<h3><a name="ProxyDataTransferPolicy">ProxyDataTransferPolicy</a></h3>
<strong>Syntax:</strong> ProxyDataTransferPolicy <em>client|active|passive|pasv|epsv|port|eprt</em><br>
<strong>Default:</strong> ProxyDataTransferPolicy client<br>
<strong>Context:</strong> server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code><br>
<strong>Module:</strong> mod_proxy<br>
<strong>Compatibility:</strong> 1.3.6rc1 and later

<p>
The <code>ProxyDataTransferPolicy</code> directive configures the data
transfer <em>policy</em> that <code>mod_proxy</code> uses when performing
data transfers (<i>e.g.</i> file uploads/downloads, directory listings) with
the backend/destination server.

<p>
The currently supported policies are:
<ul>
  <li><code>client</code>
    <p>
    This policy indicates that <code>mod_proxy</code> will use whatever
    the connected client uses.  Thus if the client sends <code>PORT</code>,
    <code>mod_proxy</code> will send <code>PORT</code> to the
    backend/destination server.

    <p>
    This is the <em>recommended policy</em> in most cases.
  </li>

  <p>
  <li><code>active</code>
    <p>
    Regardless of the commands sent by the client, <code>mod_proxy</code>
    will use only <em>active</em> data transfers (<i>i.e.</i> using
    <code>PORT</code> commands) with the backend/destination server.
  </li>

  <p>
  <li><code>passive</code>
    <p>
    Regardless of the commands sent by the client, <code>mod_proxy</code>
    will use only <em>passive</em> data transfers (<i>i.e.</i> using
    <code>PASV</code> commands) with the backend/destination server.
  </li>

  <p>
  <li><code>PASV</code>
    <p>
    Regardless of the commands sent by the client, <code>mod_proxy</code>
    will use only <code>PASV</code> commands with the backend/destination
    server.
  </li>

  <p>
  <li><code>PORT</code>
    <p>
    Regardless of the commands sent by the client, <code>mod_proxy</code>
    will use only <code>PORT</code> commands with the backend/destination
    server.
  </li>

  <p>
  <li><code>EPSV</code>
    <p>
    Regardless of the commands sent by the client, <code>mod_proxy</code>
    will use only <code>EPSV</code> commands with the backend/destination
    server.
  </li>

  <p>
  <li><code>EPRT</code>
    <p>
    Regardless of the commands sent by the client, <code>mod_proxy</code>
    will use only <code>EPRT</code> commands with the backend/destination
    server.
  </li>
</ul>

<p>
<hr>
<h3><a name="ProxyDatastore">ProxyDatastore</a></h3>
<strong>Syntax:</strong> ProxyDatastore <em>type [info]</em><br>
<strong>Default:</strong> ProxyDatastore SQLite<br>
<strong>Context:</strong> server config<br>
<strong>Module:</strong> mod_proxy<br>
<strong>Compatibility:</strong> 1.3.6rc1 and later

<p>
The <code>ProxyDatastore</code> directive configures the <em>type</em> of
datastore that <code>mod_proxy</code> uses for persistence.  The currently
supported datastore <em>types</em> are:
<ul>
  <li>Redis
  <li>SQLite
</ul>

<p>
<b>Note</b> that the Redis <em>type</em> also requires the <em>info</em>
parameter, namely a prefix for all of the Redis keys.  This prefix <b>must</b>
be different/unique among all of your <code>mod_proxy</code> servers using
that Redis server/cluster; the prefix is used to keep all of the data
<i>for this server</i> separate from all other servers.  For example:
<pre>
  &lt;IfModule mod_proxy.c&gt;

    ...
    &lt;IfModule mod_redis.c&gt;
      # Use our IP address as our prefix
      ProxyDatastore Redis 1.2.3.4.
    &lt;/IfModule&gt;
  &lt;/IfModule&gt;
</pre>

<p>
<hr>
<h3><a name="ProxyDirectoryListPolicy">ProxyDirectoryListPolicy</a></h3>
<strong>Syntax:</strong> ProxyDirectoryListPolicy <em>client|"LIST" [opt1 ...]</em><br>
<strong>Default:</strong> ProxyDirectoryListPolicy client<br>
<strong>Context:</strong> server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code><br>
<strong>Module:</strong> mod_proxy<br>
<strong>Compatibility:</strong> 1.3.6rc1 and later

<p>
The <code>ProxyDirectoryListPolicy</code> directive configures the directory
list <em>policy</em> that <code>mod_proxy</code> uses when performing
directory lists with the backend/destination server.

<p>
The currently supported policies are:
<ul>
  <li><code>client</code>
    <p>
    This policy indicates that <code>mod_proxy</code> will use whatever
    the connected client uses.  Thus if the client sends <code>MLSD</code>,
    <code>mod_proxy</code> will send <code>MLSD</code> to the
    backend/destination server.

    <p>
    This is the <em>recommended policy</em> in most cases.
  </li>

  <p>
  <li><code>LIST</code>
    <p>
    This policy instructs <code>mod_proxy</code> to use the <code>LIST</code>
    command with the backend/destination server, regardless of the command
    used by the client.  The <code>mod_proxy</code> module then handles any
    reformatting of the <code>LIST</code> response into the response needed
    by the client.  For example, if the client sends <code>MLSD</code> but the
    backend/destination server does not support this command,
    <code>mod_proxy</code> will send <code>LIST</code> instead, and translate
    the backend format into the client-requested format.

    <p>
    The current implementation of this policy handles <code>LIST-&lt;MLSD</code>
    translations only.
  </li>
</ul>

You may also provide <em>options</em>; the currently implemented
<em>options</em> are:
<ul>
  <li><code>UseSlink</code><br>
    <p>
    Use this option to have <code>mod_proxy</code> use the <i>broken</i>
    "OS.unix=slink" syntax, preferred by FTP clients such as FileZilla, for
    indicating symlinks, rather than the more correct "OS.unix=symlink"
    syntax.  See
    <a href="http://bugs.proftpd.org/show_bug.cgi?id=3318">Bug#3318</a> for
    a more detailed discussion.
  </li>
</ul>

<p>
<hr>
<h3><a name="ProxyEngine">ProxyEngine</a></h3>
<strong>Syntax:</strong> ProxyEngine <em>on|off</em><br>
<strong>Default:</strong> None<br>
<strong>Context:</strong> server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code><br>
<strong>Module:</strong> mod_proxy<br>
<strong>Compatibility:</strong> 1.3.6rc1 and later

<p>
The <code>ProxyEngine</code> directive toggles the support for proxying by
<code>mod_proxy</code>.  This is usually used inside a
<code>&lt;VirtualHost&gt;</code> section to enable proxying of FTP sessions for
a particular virtual host. By default <code>mod_proxy</code> is disabled for
both the main server and all configured virtual hosts.

<p>
<hr>
<h3><a name="ProxyForwardEnabled">ProxyForwardEnabled</a></h3>
<strong>Syntax:</strong> ProxyForwardEnabled <em>on|off</em><br>
<strong>Default:</strong> None<br>
<strong>Context:</strong> <code>&lt;Class&gt;</code><br>
<strong>Module:</strong> mod_proxy<br>
<strong>Compatibility:</strong> 1.3.6rc2 and later

<p>
The <code>ProxyForwardEnabled</code> directive determines whether a client
can use <code>mod_proxy</code> for forward proxying, based on that client's
<a href="http://www.proftpd.org/docs/howto/Classes.html">class</a>.

<p>
By default, <code>mod_proxy</code> rejects any forward proxy request from
<b>any</b> client, with the exception of clients connecting from
<a href="http://www.faqs.org/rfcs/rfc1918.html">RFC 1918</a> addresses:
<pre>
  192.168.0.0/16
  172.16.0.0/12
  10.0.0.0/8
</pre>
This is done as a security measure: <b>open/unrestricted proxy servers are
dangerous both to your network and to the Internet at large</b>.  Thus to make
it possible for clients to use your server for forward proxying, they <b>must
be explicitly</b> enabled to do so.

<p>
Example:
<pre>
  &lt;Class forward-proxy&gt;
    From 1.2.3.4/12

    # Allow clients from this class to use FTP forward proxying
    ProxyForwardEnabled on
  &lt;/Class&gt;
</pre>

<p>
See also: <a href="#ProxyForwardTo"><code>ProxyForwardTo</code></a>

<p>
<hr>
<h3><a name="ProxyForwardMethod">ProxyForwardMethod</a></h3>
<strong>Syntax:</strong> ProxyForwardMethod <em>method</em><br>
<strong>Default:</strong> None<br>
<strong>Context:</strong> server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code><br>
<strong>Module:</strong> mod_proxy<br>
<strong>Compatibility:</strong> 1.3.6rc1 and later

<p>
The <code>ProxyForwardMethod</code> directive configures the <em>method</em>
that clients can use for requesting forward proxying.  Some methods require
that the client authenticate <em>to the proxy first</em>, and then separately
authenticate to the destination server; these methods differ on just when
the client specifies the destination server.  Other methods do not require
proxy authentication.  There are many variations on a theme with these methods.

<p>
The currently supported methods are:
<ul>
  <li><code>proxyuser,user@host</code>
    <p>
    This method indicates that proxy authentication is <b>required</b>.  The
    client first authenticates to the proxy via <code>USER/PASS</code> commands:
<pre>
  USER <em>proxy-user</em>
  PASS <em>proxy-passwd</em>
</pre>
    Then the client authenticates <i>again</i>, this time including the
    address (and optionally port) of the destination server as part of the
    second <code>USER</code> command:
<pre>
  USER <em>real-user</em>@ftp.example.com
  PASS <em>real-passwd</em>
</pre>
    The <code>mod_proxy</code> module will remove the destination address
    portion of the second <code>USER</code> command before proxying it to
    the destination server.
  </li>

  <p>
  <li><code>proxyuser@host,user</code>
    <p>
    This method indicates that proxy authentication is <b>required</b>.  The
    client first authenticates to the proxy via <code>USER/PASS</code> commands;
    note that the destination address (and optionally port) is included as part
    of the first <code>USER</code> command:
<pre>
  USER <em>proxy-user</em>@ftp.example.com
  PASS <em>proxy-passwd</em>
</pre>
    Then the client authenticates <i>again</i>, this time sending the
    <code>USER/PASS</code> commands to authenticate to the destination server:
<pre>
  USER <em>real-user</em>
  PASS <em>real-passwd</em>
</pre>
  </li>

  <p>
  <li><code>user@host</code>
    <p>
    This methods indicates that <i>no proxy authentication</i> is used.  The
    client indicates the destination address (and optionally port) of the
    server as part of the <code>USER</code> command:
<pre>
  USER <em>real-user</em>@ftp.example.com
  PASS <em>real-passwd</em>
</pre>
    The <code>mod_proxy</code> module will remove the destination address
    portion of the <code>USER</code> command before proxying it to the
    destination server.
  </li>

  <p>
  <li><code>user@sni</code>
    <p>
    This methods indicates that <i>no proxy authentication</i> is used.  The
    client indicates the destination address (and optionally port) of the
    server as part of a TLS SNI (Server Name Indication) portion of a TLS
    session:
<pre>
  AUTH TLS <em>handshake with SNI</em>
  USER <em>real-user</em>
  PASS <em>real-passwd</em>
</pre>
  </li>
</ul>

<p>
Configuring the FTP client's proxy settings to match the above methods varies
greatly, depending on the FTP client.

<p>
<hr>
<h3><a name="ProxyForwardTo">ProxyForwardTo</a></h3>
<strong>Syntax:</strong> ProxyForwardTo <em>[!]pattern [flags]</em><br>
<strong>Default:</strong> None<br>
<strong>Context:</strong> server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code><br>
<strong>Module:</strong> mod_proxy<br>
<strong>Compatibility:</strong> 1.3.6rc1 and later

<p>
The <code>ProxyForwardTo</code> directive is used to restrict which
hosts/domains can be requested for forward proxying.  The destination host/port
for forward proxying <b>must</b> match the configured <em>pattern</em>
regular expression, or the forward proxying request will fail.

<p>
The optional <em>flags</em> parameter, if present, modifies how the given
<em>pattern</em> will be evaludated.  The supported flags are:
<ul>
  <li><b>nocase|NC</b> (<b>n</b>o <b>c</b>ase)<br>
      This makes the <em>pattern</em> case-insensitive, <i>i.e.</i> there is
      no difference between 'A-Z' and 'a-z' when <em>pattern</em> is matched
      against the path
  </li>
</ul>

<p>
<code>ProxyForwardTo</code> limits the destination hosts <b>to</b> which
clients can request forward proxying; by contrast,
<a href="#ProxyForwardEnabled"><code>ProxyForwardEnabled</code></a> controls
forward proxying based on where clients connect <b>from</b>.

<p>
Example:
<pre>
  # Limit forward proxying to specific host and port
  ProxyForwardTo ^ftp.example.com:21$
</pre>

<p>
<hr>
<h3><a name="ProxyLog">ProxyLog</a></h3>
<strong>Syntax:</strong> ProxyLog <em>path|"none"</em><br>
<strong>Default:</strong> None<br>
<strong>Context:</strong> server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code><br>
<strong>Module:</strong> mod_proxy<br>
<strong>Compatibility:</strong> 1.3.6rc1 and later

<p>
The <code>ProxyLog</code> directive is used to specify a log file for
<code>mod_proxy</code>'s reporting on a per-server basis.  The <em>path</em>
parameter given must be the full path to the file to use for logging.

<p>
Note that this path must <b>not</b> be to a world-writable directory and,
unless <code>AllowLogSymlinks</code> is explicitly set to <em>on</em>
(generally a bad idea), the path must <b>not</b> be a symbolic link.

<p>
<hr>
<h3><a name="ProxyOptions">ProxyOptions</a></h3>
<strong>Syntax:</strong> ProxyOptions <em>opt1 ...</em><br>
<strong>Default:</strong> None<br>
<strong>Context:</strong> server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code><br>
<strong>Module:</strong> mod_proxy<br>
<strong>Compatibility:</strong> 1.3.6rc1 and later

<p>
The <code>ProxyOptions</code> directive is used to configure various optional
behavior of <code>mod_proxy</code>.  For example:
<pre>
  ProxyOptions UseProxyProtocolV1
</pre>

<p>
The currently implemented options are:
<ul>
  <li><code>AllowForeignAddress</code><br>
    <p>
    The <a href="http://www.proftpd.org/docs/modules/mod_core.html#AllowForeignAddress"><code>AllowForeignAddress</code></a> directive controls the policy for
    <i>frontend</i> data transfer requests from clients connecting to the proxy
    server; it does <b>not</b> apply to <i>backend</i> data transfer requests.
    For those, you will want to use this <code>AllowForeignAddress</code>
    option:
    <pre>
  # Allow for cases where the backend server tells us to use a different IP
  # address for data transfers than the IP address to which mod_proxy connected.
  ProxyOptions AllowForeignAddress
    </pre>
  </li>

  <p>
  <li><code>ShowFeatures</code><br>
    <p>
    When reverse proxying, <code>mod_proxy</code> defaults to not responding to
    the FTP <code>FEAT</code> command, which is used to determine the supported
    features/capabilities of the FTP server; this is done to prevent leaking
    of information about internal FTP servers to the outside world.  However,
    some clients rely on the <code>FEAT</code> data.  For such clients/use
    cases, use this option to tell <code>mod_proxy</code> to proxy the
    <code>FEAT</code> command/response to the backend server.
  </li>

  <p>
  <li><code>UseDirectDataTransfers</code><br>
    <p>
    The <code>mod_proxy</code> module will, by default, proxy all data transfers
    through the proxy server.  Some sites may wish to have the FTP data
    transfers occur directly between the frontend client and the backend server,
    to avoid the latency/overhead of the proxying.  Use this option to
    enable these direct data transfers (akin to <b>D</b>irect <b>S</b>erver
    <b>R</b>eturn, or DSR), for both forward and reverse proxy roles:
    <pre>
  # Enable data transfers directly from frontend client to/from backend server
  ProxyOptions UseDirectDataTransfers
    </pre>
  </li>

  <p>
  <li><code>UseProxyProtocolV1</code><br>
    <p>
    When <code>mod_proxy</code> connects to the backend/destination server,
    use the <a href="http://www.haproxy.org/download/1.8/doc/proxy-protocol.txt"><code>PROXY</code></a> V1 protocol, sending the human-readable <code>PROXY</code>
    command to the destination server.  This allows backend servers to implement
    access controls/logging, based on the IP address of the connecting client.
    The <a href="https://github.com/Castaglia/proftpd-mod_proxy_protocol"><code>mod_proxy_protocol</code></a>
    ProFTPD module can be used to handle the <code>PROXY</code> command on
    the receiving side, <i>i.e.</i> when using <code>proftpd</code> as the
    backend/destination server.

    <p>
    <b>Note</b>: do <b>not</b> use this option unless the backend server
    <em>does</em> support the <code>PROXY</code> V1 protocol.  Otherwise, the
    <code>PROXY</code> protocol message will only confuse the backend server,
    possibly leading to connection/login failures.
  </li>

  <p>
  <li><code>UseProxyProtocolV2</code><br>
    <p>
    When <code>mod_proxy</code> connects to the backend/destination server,
    use the <a href="http://www.haproxy.org/download/1.8/doc/proxy-protocol.txt"><code>PROXY</code></a> V2 protocol, sending a binary-encoded "PROXY" command
    to the destination server.  This allows backend servers to implement
    access controls/logging, based on the IP address of the connecting client.
    The <a href="https://github.com/Castaglia/proftpd-mod_proxy_protocol"><code>mod_proxy_protocol</code></a>
    ProFTPD module can be used to handle the "PROXY" command on the receiving
    side, <i>i.e.</i> when using <code>proftpd</code> as the
    backend/destination server.

    <p>
    <b>Note</b>: do <b>not</b> use this option unless the backend server
    <em>does</em> support the <code>PROXY</code> V2 protocol.  Otherwise, the
    "PROXY" protocol message will only confuse the backend server, possibly
    leading to connection/login failures.
  </li>

  <p>
  <li><code>UseProxyProtocolV2TLVs</code><br>
    <p>
    When <code>mod_proxy</code> is configured to use the PROXY protocol V2,
    via the <code>UseProxyProtocolV2</code> option, this option tells
    <code>mod_proxy</code> to send additional data as Type/Length/Value (TLV).
    These TLVs include:
    <ul>
      <li>ALPN (Application Layer Protocol Negotiation)
      <li>Authority (Hostname provided by client)
      <li>SSL/TLS (whether SSL/TLS is in use at the time of the PROXY protocol)
      <li>SSL/TLS protocol version
      <li>SSL/TLS cipher
      <li>Unique ID (when <a href="http://www.proftpd.org/docs/contrib/mod_unique_id.html"><code>mod_unique_id</code></a> is present/used)
    </ul>

    <p>
    <b>Note</b>: use of the <code>UseProxyProtocolV2</code> option is also
    required for the TLVs to be sent.
  </li>

  <p>
  <li><code>UseReverseProxyAuth</code><br>
    <p>
    When reverse proxying, <code>mod_proxy</code> delegates user authentication
    to the selected backend server.  However, there are some sites which need
    to centralize user authentication in the proxy; use this option to require
    proxy authentication for such cases.  <b>Note</b> that this option
    <b>only</b> pertains to reverse proxy connections; proxy authentication
    when forward proxying is determined by the <code>ProxyForwardMethod</code>
    directive.
  </li>
</ul>

<p>
<hr>
<h3><a name="ProxyRetryCount">ProxyRetryCount</a></h3>
<strong>Syntax:</strong> ProxyRetryCount <em>count</em><br>
<strong>Default:</strong> ProxyRetryCount 5<br>
<strong>Context:</strong> server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code><br>
<strong>Module:</strong> mod_proxy<br>
<strong>Compatibility:</strong> 1.3.6rc1 and later

<p>
The <code>ProxyRetryCount</code> directive configures the number of times
<code>mod_proxy</code> will attempt to connect to the backend/destination
server.  The default is <em>5</em> attempts.

<p>
<hr>
<h3><a name="ProxyReverseConnectPolicy">ProxyReverseConnectPolicy</a></h3>
<strong>Syntax:</strong> ProxyReverseConnectPolicy <em>policy</em><br>
<strong>Default:</strong> RoundRobin<br>
<strong>Context:</strong> server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code><br>
<strong>Module:</strong> mod_proxy<br>
<strong>Compatibility:</strong> 1.3.6rc1 and later

<p>
The <code>ProxyReverseConnectPolicy</code> directive configures the
<em>policy</em> that <code>mod_proxy</code> will use for selecting the backend
server when reverse proxying.

<p>
The currently supported policies are:
<ul>
  <li><code>LeastConns</code>
    <p>
    Select the backend server with the lowest number of proxied connections.
  </li>

  <p>
  <li><code>LeastResponseTime</code>
    <p>
    Select the backend server with the least response time; this is determined
    based on the connect time to the backend server, and its number of
    current connections.
  </li>

  <p>
  <li><code>PerGroup</code>
    <p>
    Select a backend server based on the primary group of the authenticated
    <code>USER</code> name used by the connecting client; any future
    connections using that same <code>USER</code> name will be routed to the
    same backend server.

    <p>
    <b>Note</b>: use of this <code>ProxyReverseConnectPolicy</code> also
    <b>requires</b> use of the <code>UseReverseProxyAuth</code>
    <code>ProxyOption</code>, as authenticating the given <code>USER</code>
    name is required for discovering the primary group of that user.
  </li>

  <p>
  <li><code>PerHost</code>
    <p>
    Select a backend server based on the IP address of the connecting client;
    any future connections from that IP address will be routed to the same
    backend server.
  </li>

  <p>
  <li><code>PerUser</code>
    <p>
    Select a backend server based on the <code>USER</code> name used by the
    connecting client; any future connections using that same <code>USER</code>
    name will be routed to the same backend server.
  </li>

  <p>
  <li><code>Random</code>
    <p>
    Randomly select any of the backend servers.
  </li>

  <p>
  <li><code>RoundRobin</code>
    <p>
    Select the next backend server in the list.
  </li>

  <p>
  <li><code>Shuffle</code>
    <p>
    Similar to the <code>Random</code> policy, except the selection happens
    from the not-yet-chosen backend servers.  This means that <b>all</b>
    backend servers will eventually be used evenly, just in a random order.
  </li>
</ul>

<p>
<hr>
<h3><a name="ProxyReverseServers">ProxyReverseServers</a></h3>
<strong>Syntax:</strong> ProxyReverseServers <em>servers</em><br>
<strong>Default:</strong> None<br>
<strong>Context:</strong> server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code><br>
<strong>Module:</strong> mod_proxy<br>
<strong>Compatibility:</strong> 1.3.6rc1 and later

<p>
The <code>ProxyReverseServers</code> directive configures the list of servers
to be used as the backend servers for reverse proxying.

<p>
Each server <b>must</b> be configured as a <i>URL</i>.  Only the "ftp" and
"ftps" schemes are currently supported.  If not specified, the port will be
21.  IPv6 addresses <b>must</b> be enclosed within square brackets.  Thus, for
example, the following are all valid URLs:
<pre>
  ftp://<em>ftp1.example.com:2121</em>
  ftp://<em>1.2.3.4</em>
  ftp://<em>[::ffff:6.7.8.9]:2121</em>
  ftps://<em>ftp2.example.com</em>
  ftps://<em>ftp3.example.com:990</em>
</pre>
And using them all in the configuration would look like:
<pre>
  ProxyReverseServers ftp://ftp1.example.com:2121 ftps://1.2.3.4 ftp://[::ffff:6.7.8.9]:2121
</pre>

<p>
The backend servers can also be discovered via DNS <code>SRV</code> or <code>TXT</code> records, using <code>SRV/TXT</code> URL scheme variants, <i>e.g.</i>:
<pre>
  # Discover backend addresses via DNS SRV records
  ftp+srv://_ftp._tcp.castaglia.org

  # Discover backend addresses via DNS TXT records (which must be an FTP URL)
  ftp+txt://castaglia.org
</pre>
These <code>SRV/TXT</code> URL scheme variations also apply to FTPS URLs.
<b>Note</b> that any explicit port numbers provided in URLs using these
<code>SRV/TXT</code> scheme variants <i>will be ignored</i>; the actual port
numbers to use will be discovered from the <code>SRV</code> and <code>TXT</code>
DNS records.

<p>
The backend servers can <i>also</i> be contained in a list in a JSON file,
<i>e.g.</i>:
<pre>
[
  "ftp://ftp1.example.com:2121",
  "ftp://[::ffff:6.7.8.9]:2121"
]
</pre>
You then only need to configure the path to that JSON file:
<pre>
  ProxyReverseServers file:/path/to/backends.json
</pre>

<p>
<b>Note</b> that <code>mod_proxy</code> has strict requirements for the
permissions on <code>ProxyReverseServers</code> files.  The configured file
<em>must not be world-writable</em>, since that would allow <i>any user</i>
on the system to modify the file, directing proxied connections anywhere else.
If a world-writable <code>ProxyReverseServers</code> file is found, you will
see the following error message logged:
<pre>
  unable to use world-writable ProxyReverseServers '/opt/proxy/reverse.json' (perms 0666): Operation not permitted
</pre>
In addition, the <i>directory</i> containing the
<code>ProxyReverseServers</code> file cannot be world-writable, either.  Even
if the file itself is not world-writable, being in a world-writable directory
means that <i>any user</i> on the system can delete that file, and write a new
file.  When a world-writable directory is found, the following error is logged:
<pre>
  unable to use ProxyReverseServers '/opt/proxy/reverse.json' from world-writable directory '/opt/proxy' (perms 0777): Operation not permitted
</pre>

<p>
The backend servers can <i>also</i> be provided from an external SQL database,
queried by <code>mod_proxy</code> via <a href="http://www.proftpd.org/docs/contrib/mod_sql.html#SQLNamedQuery"><code>SQLNamedQuery</code></a>.  For example,
<i>assuming</i> a schema such as this:
<pre>
  CREATE TABLE proxy_user_servers (
    user_name TEXT,
    url TEXT
  );

  CREATE INDEX proxy_user_servers_name_idx ON proxy_user_servers (user_name);
</pre>
where <em>url</em> contains URLs, <i>e.g.</i> "ftp://1.2.3.4:21".  Then you
would configure <code>mod_proxy</code> to query for those per-user backend URLs
using <code>ProxyReverseServers</code> like this:
<pre>
  &lt;IfModule mod_sql.c&gt;
    ...
    SQLNamedQuery get-user-servers SELECT "url FROM proxy_user_servers WHERE user_name = %{0}"
  &lt;/IfModule&gt;

  ProxyRole reverse
  ProxyReverseConnectPolicy PerUser
  ProxyReverseServers sql:/get-user-servers
</pre>

<p>
Given that <code>mod_proxy</code> uses SQLite, does that mean that the table
used for storing these per-user URLs <b>must</b> be SQLite?  <b>No</b>.  The
use of <code>SQLNamedQuery</code> means that <b>any database</b>, supported
by <code>mod_sql</code>, can be used.

<p>
<hr>
<h3><a name="ProxyRole">ProxyRole</a></h3>
<strong>Syntax:</strong> ProxyRole <em>role</em><br>
<strong>Default:</strong> None<br>
<strong>Context:</strong> server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code><br>
<strong>Module:</strong> mod_proxy<br>
<strong>Compatibility:</strong> 1.3.6rc1 and later

<p>
The <code>ProxyRole</code> directive configures whether <code>mod_proxy</code>
will perform forward or reverse proxying.  The list of supported <em>roles</em>
are thus:
<ul>
  <li><code>forward</code>
    <p>
    Perform forward proxying.
  </li>

  <p>
  <li><code>reverse</code>
    <p>
    Perform reverse proxying.
  </li>
</ul>

<p>
<b>Note</b> that the <code>ProxyRole</code> directive is <b>required</b>
for <code>mod_proxy</code> to function.  If this directive is not configured,
connections to <code>mod_proxy</code> will fail.

<p>
<hr>
<h3><a name="ProxySFTPCiphers">ProxySFTPCiphers</a></h3>
<strong>Syntax:</strong> ProxySFTPCiphers <em>algo1 ...</em><br>
<strong>Default:</strong> None<br>
<strong>Context:</strong> server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code><br>
<strong>Module:</strong> mod_proxy<br>
<strong>Compatibility:</strong> 1.3.8rc3 and later

<p>
The <code>ProxySFTPCiphers</code> directive is used to specify the list of
cipher algorithms that <code>mod_proxy</code> should use when connecting to
backend SSH servers.  The current list of supported cipher algorithms is, in
the default order of preference:
<ul>
  <li>aes256-ctr
  <li>aes192-ctr
  <li>aes128-ctr
  <li>aes256-gcm@openssh.com
  <li>aes128-gcm@openssh.com
  <li>aes256-cbc
  <li>aes192-cbc
  <li>aes128-cbc
  <li>cast128-cbc
  <li>3des-ctr
  <li>3des-cbc
</ul>
By default, all of the above cipher algorithms are presented to the server,
in the above order, during the key exchange.

<p>
The "none" cipher (<i>i.e.</i> no encryption) will <b>not</b> be presented to
the server by default; any sites which wish to use "none" will have to
explicitly configure it via <code>ProxySFTPCiphers</code>.

<p>
Note that CTR mode ciphers (<i>e.g.</i> the <code>aes128-ctr</code>,
<code>aes192-ctr</code>, and <code>aes256-ctr</code> ciphers) are recommended.
Any CBC mode cipher allows for the possibility of an attack which causes
several bits of plaintext to be leaked; the attack is described
<a href="http://www.cpni.gov.uk/Docs/Vulnerability_Advisory_SSH.txt">here</a>.
This attack is on the SSH2 protocol design itself; any SSH2 implementation
which conforms to the RFCs will have this weakness.

<p>
In general, there is no need to use this directive unless only one specific
cipher must be used.

<p>
<hr>
<h3><a name="ProxySFTPCompression">ProxySFTPCompression</a></h3>
<strong>Syntax:</strong> ProxySFTPCompression <em>on|off|delayed</em><br>
<strong>Default:</strong> None<br>
<strong>Context:</strong> server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code><br>
<strong>Module:</strong> mod_proxy<br>
<strong>Compatibility:</strong> 1.3.8rc3 and later

<p>
The <code>ProxySFTPCompression</code> directive enables the use of zlib
compression of the payload of SSH2 packets.  This can make for smaller packets,
but require more CPU time to compress/uncompress the data.

<p>
The <em>delayed</em> parameter tells <code>mod_proxy</code> to support a custom
extension used by OpenSSH, where compression is not actually enabled until
after the client has successfully authenticated.

<p>
<hr>
<h3><a name="ProxySFTPDigests">ProxySFTPDigests</a></h3>
<strong>Syntax:</strong> ProxySFTPDigests <em>algo1 ...</em><br>
<strong>Default:</strong> None<br>
<strong>Context:</strong> server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code><br>
<strong>Module:</strong> mod_proxy<br>
<strong>Compatibility:</strong> 1.3.8rc3 and later

<p>
The <code>ProxySFTPDigests</code> directive is used to specify the list of
MAC digest algorithms that <code>mod_proxy</code> should use when connecting to
backend SSH servers.  The current list of supported MAC algorithms is:
<ul>
  <li>hmac-sha2-256
  <li>hmac-sha2-256-etm@openssh.com
  <li>hmac-sha2-512
  <li>hmac-sha2-512-etm@openssh.com
  <li>hmac-sha1
  <li>hmac-sha1-etm@openssh.com
  <li>hmac-sha1-96
  <li>hmac-sha1-96-etm@openssh.com
  <li>umac-64@openssh.com
  <li>umac-64-etm@openssh.com
  <li>umac-128@openssh.com
  <li>umac-128-etm@openssh.com
</ul>
By default, all of the above MAC algorithms are presented to the server,
in the above order, during the key exchange.  <b>Note</b> that some algorithms
(<i>e.g.</i> the SHA256 and SHA512 algorithms) may not be supported by
the version of OpenSSL used; this will be automatically detected.

<p>
The following list of algorithms are <em>supported</em>, but <b>not</b>
presented to servers by default.  These algorithms must be <em>explicitly</em>
configured via <code>ProxySFTPDigests</code> to be available for use by servers:
<ul>
  <li>hmac-md5
  <li>hmac-md5-etm@openssh.com
  <li>hmac-md5-96
  <li>hmac-md5-96-etm@openssh.com
  <li>hmac-ripemd160
</ul>

<p>
The "none" MAC (<i>i.e.</i> no MAC) will <b>not</b> be presented to the server
by default; any sites which wish to use "none" will have to explicitly
configure it via <code>ProxySFTPDigests</code>.

<p>
In general, there is no need to use this directive unless only one specific
MAC algorithm must be used.

<p>
<hr>
<h3><a name="ProxySFTPHostKey">ProxySFTPHostKey</a></h3>
<strong>Syntax:</strong> ProxySFTPHostKey <em>file</em>|agent:<em>/path</em><br>
<strong>Default:</strong> None<br>
<strong>Context:</strong> server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code><br>
<strong>Module:</strong> mod_proxy<br>
<strong>Compatibility:</strong> 1.3.8rc3 and later

<p>
The <code>ProxySFTPHostKey</code> directive configures the path to a host key
file.  The <code>mod_proxy</code> module uses the keys thus configured for
&quot;hostbased&quot; user authentication to backend SSH servers.

<p>
You can use either an RSA key, a DSA key, and/or ECDSA keys.  These <i>could</i>
be the exact same host key files as used by your SSH server, <i>e.g.</i>:
<pre>
  &lt;IfModule mod_sftp.c&gt;
    ...
    SFTPHostKey /etc/ssh_host_dsa_key
    SFTPHostKey /etc/ssh_host_rsa_key
    SFTPHostKey /etc/ssh_host_ecdsa_key
    SFTPHostKey /etc/ssh_host_ed25519_key
  &lt;/IfModule&gt;

  &lt;IfModule mod_proxy.c&gt;
    ProxyEngine on
    ..
    ProxySFTPHostKey /etc/ssh_host_dsa_key
    ProxySFTPHostKey /etc/ssh_host_rsa_key
    ProxySFTPHostKey /etc/ssh_host_ecdsa_key
    ProxySFTPHostKey /etc/ssh_host_ed25519_key
  &lt;/IfModule&gt;
</pre>

<p>
The <code>ProxySFTPHostKey</code> directive can also be used to load host keys
from an SSH agent such as OpenSSH's <code>ssh-agent</code>.  For example:
<pre>
  # Load all of the keys from the ssh-agent configured for proxy use
  ProxySFTPHostKey agent:%{env:SSH_AUTH_SOCK}
</pre>
Using an SSH agent for storing host keys allows for configurations where
the host keys are not stored on files on the server system, <i>e.g.</i>
the keys can be loaded into the SSH agent from a PKCS#11 token.

<p>
<hr>
<h3><a name="ProxySFTPKeyExchanges">ProxySFTPKeyExchanges</a></h3>
<strong>Syntax:</strong> ProxySFTPKeyExchanges <em>algo1 ...</em><br>
<strong>Default:</strong> None<br>
<strong>Context:</strong> server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code><br>
<strong>Module:</strong> mod_proxy<br>
<strong>Compatibility:</strong> 1.3.8rc3 and later

<p>
The <code>ProxySFTPKeyExchanges</code> directive is used to specify the list of
key exchange algorithms that <code>mod_proxy</code> should use when connecting
to backend SSH servers.  The current list of supported key exchange algorithms
is:
<ul>
  <li>curve448-sha512
  <li>curve25519-sha256
  <li>ecdh-sha2-nistp521
  <li>ecdh-sha2-nistp384
  <li>ecdh-sha2-nistp256
  <li>diffie-hellman-group18-sha512
  <li>diffie-hellman-group16-sha512
  <li>diffie-hellman-group14-sha256
  <li>diffie-hellman-group-exchange-sha256
  <li>diffie-hellman-group-exchange-sha1
  <li>diffie-hellman-group14-sha1
  <li>diffie-hellman-group1-sha1
  <li>rsa1024-sha1
</ul>
By default, all of the above key exchange algorithms <i>except
<code>diffie-hellman-group1-sha1</code></i> are presented to the server, in
the above order, during the key exchange.

<p>
<b>Note</b> that the <code>diffie-hellman-group1-sha1</code> key exchange
algorithm uses a weak hardcoded Diffie-Hellman group, and thus is <b>not</b>
enabled by default.  To enable this key exchange algorithm, you must
configure the <code>ProxySFTPKeyExchanges</code> list to <b>explicitly</b>
include this algorithm, <i>or</i> use the following in your configuration:
<pre>
  ProxySFTPOptions AllowWeakDH
</pre>

<p>
In general, there is no need to use this directive unless only one specific
key exchange algorithm must be used.

<p>
<hr>
<h3><a name="ProxySFTPOptions">ProxySFTPOptions</a></h3>
<strong>Syntax:</strong> ProxySFTPOptions <em>opt1 ...</em><br>
<strong>Default:</strong> None<br>
<strong>Context:</strong> server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code><br>
<strong>Module:</strong> mod_proxy<br>
<strong>Compatibility:</strong> 1.3.8rc3 and later

<p>
The <code>ProxySFTPOptions</code> directive is used to configure various
optional SSH-specific behavior of <code>mod_proxy</code>.

<p>
For example:
<pre>
  ProxySFTPOptions AllowWeakDH
</pre>

<p>
The currently implemented options are:
<ul>
  <p>
  <li><code>AllowWeakDH</code><br>
    <p>
    The <code>mod_proxy</code> module will not use Diffie-Hellman groups of less
    than 2048 bits, due to <a href="https://www.weakdh.org">weaknesses</a>
    that can downgrade the security of an SSH session.  If for any reason
    your SFTP/SCP servers <b>require</b> smaller Diffie-Hellman groups, then
    use this option.
  </li>

  <p>
  <li><code>NoExtensionNegotiation</code><br>
    <p>
    By default, <code>mod_proxy</code> will offer/support the SSH extension
    negotiation, defined by
    <a href="https://tools.ietf.org/html/rfc8308">RFC 8308</a>.  Use this
    option to disable support for extension negotiations.
  </li>

  <p>
  <li><code>NoHostkeyRotation</code><br>
    <p>
    By default, <code>mod_proxy</code> will offer/support the OpenSSH
    hostkey rotation extensions, "hostkeys-00@openssh.com" and
    "hostkeys-prove-00@openssh.com".  Use this option to disable support for
    these custom OpenSSH extensions.
  </li>

  <p>
  <li><code>NoStrictKex</code><br>
    <p>
    By default, <code>mod_proxy</code> will honor/support the OpenSSH
    "strict KEX" mode extension, "kex-strict-c-v00@openssh.com" and
    "kex-strict-s-v00@openssh.com".  Use this option to disable support for
    these custom OpenSSH extensions.
  </li>

  <p>
  <li><code>OldProtocolCompat</code><br>
    <p>
    Older servers identity their protocol versions as "1.99", rather than as
    "2.0".  By default, <code>mod_proxy</code> will refuse to handle connections
    to such servers.  To enable compatibility with these servers (which
    tend to be derived from ssh.com/Tectia code), use this option.

    <p>
    Note that this option automatically enables the
    <code>PessimisticKexinit</code> ProxySFTPOption as well.
  </li>

  <p>
  <li><code>PessimisticKexinit</code><br>
    <p>
    As described <a href="http://www.proftpd.org/docs/contrib/mod_sftp.html#SFTPTelnetBanner">here</a>, the <code>mod_proxy</code>
    module tries to reduce the connection latency by optimistically sending
    the <code>KEXINIT</code> key exchange message.  However, some SSH servers
    cannot handle this behavior.  Use this option to disable the optimistic
    sending of the <code>KEXINIT</code> message.
  </li>
</ul>

<p>
<hr>
<h3><a name="ProxySFTPPassPhraseProvider">ProxySFTPPassPhraseProvider</a></h3>
<strong>Syntax:</strong> ProxySFTPPassPhraseProvider <em>path</em><br>
<strong>Default:</strong> None<br>
<strong>Context:</strong> server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code><br>
<strong>Module:</strong> mod_proxy<br>
<strong>Compatibility:</strong> 1.3.8rc3 and later

<p>
The <code>ProxySFTPPassPhraseProvider</code> directive is used to specify an
external program which will be called, when <code>mod_proxy</code> starts up,
for each encrypted <code>ProxySFTPHostKey</code> file.  The program will be
invoked with two command-line arguments, passed on <code>stdin</code> to the
program:
<pre>
  <em>servername</em>:<em>portnumber</em> <em>file</em>
</pre>
where <code><em>servername</em>:<em>portnumber</em></code> indicates the
server using that encrypted certificate key, and <em>file</em> indicates the
host key file in question. The program then must print the corresponding
passphrase for the key to <code>stdout</code>.

<p>
The intent is that this external program can perform any security checks
necessary, to make sure that the system is not compromised by an attacker,
and only when these checks pass successfully will the passphrase be provided.
These security checks, and the way the passphrase is determined, can be as
complex as you like.

<p>
Example:
<pre>
  ProxySFTPPassPhraseProvider /etc/ftpd/proxy/get-ssh-passphrase
</pre>

<p>
<hr>
<h3><a name="ProxySFTPServerAlive">ProxySFTPServerAlive</a></h3>
<strong>Syntax:</strong> ProxySFTPServerAlive <em>count interval</em><br>
<strong>Default:</strong> None<br>
<strong>Context:</strong> server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code><br>
<strong>Module:</strong> mod_proxy<br>
<strong>Compatibility:</strong> 1.3.8rc3 and later

<p>
The <code>ProxySFTPServerAlive</code> directive configures
<code>mod_proxy</code> to send messages to a server, through the encrypted
channel, to request a response from the server.  If <em>count</em> server alive
messages are sent without receiving any response messages from the server, the
client will disconnect.  The <em>interval</em> indicates how much time, in
seconds, that <code>mod_proxy</code> waits for data from the server before
sending a server alive message.

<p>
For example, using:
<pre>
  ProxySFTPServerAlive 3 15
</pre>
will cause an unresponsive server to be disconnected after approximately 45
seconds.

<p>
<hr>
<h3><a name="ProxySFTPServerMatch">ProxySFTPServerMatch</a></h3>
<strong>Syntax:</strong> ProxySFTPServerMatch <em>pattern key1 val1 ...</em><br>
<strong>Default:</strong> None<br>
<strong>Context:</strong> server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code><br>
<strong>Module:</strong> mod_proxy<br>
<strong>Compatibility:</strong> 1.3.8rc3 and later

<p>
The <code>ProxySFTPServerMatch</code> directive is used to tune some of the
SSH2/SFTP values based on the connected server, for better interoperability
with those servers.  The <em>pattern</em> parameter specifies a POSIX regular
expression which will be matched against the connected server's SSH version
banner.  If the server's banner version matches <em>pattern</em>, then
the configured keys/values are used for that session.

<p>
The currently supported SSH2/SFTP keys which can be tuned via
<code>ProxySFTPServerMatch</code> are:
<ul>
  <li>pessimisticNewkeys<br>
</ul>

<p>
<hr>
<h3><a name="ProxySFTPVerifyServer">ProxySFTPVerifyServer</a></h3>
<strong>Syntax:</strong> ProxySFTPVerifyServer <em>on|off</em><br>
<strong>Default:</strong> ProxySFTPVerifyServer off<br>
<strong>Context:</strong> server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code><br>
<strong>Module:</strong> mod_proxy<br>
<strong>Compatibility:</strong> 1.3.8rc3 and later

<p>
The <code>ProxySFTPVerifyServer</code> directive tells <code>mod_proxy</code>
whether to verify whether the host keys presented by backend SSH servers have
changed.

<p>
When <code>mod_proxy</code> connects to a backend SSH server for the very first
time, its hostkey will be recorded.  The next time <code>mod_proxy</code>
connects, the hostkey presented will be compared to the previously recorded
hostkey.  When <code>ProxySFTPVerifyServer</code> is <em>on</em>, any hostkey
mismatches will be logged.

<p>
<hr>
<h3><a name="ProxySourceAddress">ProxySourceAddress</a></h3>
<strong>Syntax:</strong> ProxySourceAddress <em>address</em><br>
<strong>Default:</strong> None<br>
<strong>Context:</strong> server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code><br>
<strong>Module:</strong> mod_proxy<br>
<strong>Compatibility:</strong> 1.3.6rc1 and later

<p>
The <code>ProxySourceAddress</code> directive configures the <em>address</em>
(or <em>device name</em>) of a network interface on the host machine, to
be used when connecting to the backend/destination server.  This directive
is most useful on a multi-homed (or DMZ) host; frontend connections can
be received on one network interface, and the backend connections can use
a different network interface.  Imagine <i>e.g.</i> separate WAN/LAN interfaces
on a proxying host.

<p>
<hr>
<h3><a name="ProxyTables">ProxyTables</a></h3>
<strong>Syntax:</strong> ProxyTables <em>table-info</em><br>
<strong>Default:</strong> None<br>
<strong>Context:</strong> server config<br>
<strong>Module:</strong> mod_proxy<br>
<strong>Compatibility:</strong> 1.3.6rc1 and later

<p>
The <code>ProxyTables</code> directive is used to specify a directory that
<code>mod_proxy</code> will use for storing its database files; these files
are used for tracking the various load balancing/healthcheck statistics used
for proxying.

<p>
<b>Note</b> that the <code>ProxyTables</code> directive is <b>required</b>
for <code>mod_proxy</code> to function.  If this directive is not configured,
connections to <code>mod_proxy</code> will fail.

<p>
<hr>
<h3><a name="ProxyTimeoutConnect">ProxyTimeoutConnect</a></h3>
<strong>Syntax:</strong> ProxyTimeoutConnect <em>timeout</em><br>
<strong>Default:</strong> ProxyTimeoutConnect 5sec<br>
<strong>Context:</strong> server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code><br>
<strong>Module:</strong> mod_proxy<br>
<strong>Compatibility:</strong> 1.3.6rc1 and later

<p>
The <code>ProxyTimeoutConnect</code> directive configures the amount of time
that <code>mod_proxy</code> will wait for the backend/destination server to
accept a TCP connection, before giving up.

<p>
Note that if there are many different backend/destination servers to try
(due to <i>e.g.</i> <code>ProxyRetryCount</code>), <i>and</i> if those
backend servers are slow, the connecting client might itself see connection
timeouts to <code>mod_proxy</code>.  To guard against such slow backend
servers, a more aggressively short timeout can be used:
<pre>
  ProxyTimeoutConnect 1sec
</pre>

<p>
<hr>
<h3><a name="ProxyTimeoutLinger">ProxyTimeoutLinger</a></h3>
<strong>Syntax:</strong> ProxyTimeoutLinger <em>timeout</em><br>
<strong>Default:</strong> ProxyTimeoutLinger 3sec<br>
<strong>Context:</strong> server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code><br>
<strong>Module:</strong> mod_proxy<br>
<strong>Compatibility:</strong> 1.3.6rc1 and later

<p>
The <code>ProxyTimeoutLinger</code> directive configures the amount of time
that <code>mod_proxy</code> will wait (<em>lingering</em>), after receiving
all of the data on the data transfer connection to the backend server, for the
explicit "end of transfer" response from the backend server, before giving up.

<p>
<hr>
<h3><a name="ProxyTLSCACertificateFile">ProxyTLSCACertificateFile</a></h3>
<strong>Syntax:</strong> ProxyTLSCACertificateFile <em>path</em><br>
<strong>Default:</strong> None<br>
<strong>Context:</strong> server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code><br>
<strong>Module:</strong> mod_proxy<br>
<strong>Compatibility:</strong> 1.3.6rc2 and later

<p>
The <code>ProxyTLSCACertificateFile</code> directive configures one file where
you can assemble the certificates of Certification Authorities (CA) which will
be used to verify the servers' certificates.  Such a file is merely the
concatenation of the various PEM-encoded CA certificates.  This directive can
be used in addition to, or as an alternative for,
<code>ProxyTLSCACertificatePath</code>.

<p>
Example:
<pre>
  ProxyTLSCACertificateFile /etc/ftpd/cacerts.pem
</pre>

<p>
<b>Note</b> that the location of CA certificates is <b>required</b> for
<code>mod_proxy</code>'s TLS support; verification of server certificates
is required for secure connections to backend/destination servers.  For
this reason, <code>mod_proxy</code> ships with its own default
<code>ProxyTLSCACertificateFile</code>, which is generated using <code>libcurl</code>'s <code>mk-ca-bundle.pl</code> script:
<pre>
  $ lib/mk-ca-bundle.pl -u cacerts.pem
</pre>

<p>
<hr>
<h3><a name="ProxyTLSCACertificatePath">ProxyTLSCACertificatePath</a></h3>
<strong>Syntax:</strong> ProxyTLSCACertificatePath <em>directory</em><br>
<strong>Default:</strong> None<br>
<strong>Context:</strong> server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code><br>
<strong>Module:</strong> mod_proxy<br>
<strong>Compatibility:</strong> 1.3.6rc2 and later

<p>
The <code>ProxyTLSCACertificatePath</code> directive sets the directory for the
certificates of Certification Authorities (CAs); these are used to verify the
server certificates presented.  This directive may be used in addition to, or
as alternative for, <code>ProxyTLSCACertificateFile</code>.

<p>
The files in the configured directory have to be PEM-encoded, and are accessed
through hash filenames.  This means one cannot simply place the CA certificates
there: one also has to create symbolic links named <i>hash-value</i>.N.  The
<code>c_rehash</code> utility that comes with OpenSSL can be used to create
the necessary symlinks.

<p>
Example:
<pre>
  ProxyTLSCACertificatePath /etc/ftpd/cacerts/
</pre>

<p>
<hr>
<h3><a name="ProxyTLSCARevocationFile">ProxyTLSCARevocationFile</a></h3>
<strong>Syntax:</strong> ProxyTLSCACertificateFile <em>path</em><br>
<strong>Default:</strong> None<br>
<strong>Context:</strong> server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code><br>
<strong>Module:</strong> mod_proxy<br>
<strong>Compatibility:</strong> 1.3.6rc2 and later

<p>
The <code>ProxyTLSCARevocationFile</code> directive configures one file that can
contain the Certificate Revocation Lists (CRL) of Certification Authorities
(CA); these CRLs are used during the verification of server certificates. Such
a file is merely the concatenation of the various PEM-encoded CRL files.  This
directive can be used in addition to, or as an alternative for,
<code>ProxyTLSCARevocationPath</code>.

<p>
Example:
<pre>
  ProxyTLSCARevocationFile /etc/ftpd/cacrls.pem
</pre>

<p>
<hr>
<h3><a name="ProxyTLSCARevocationPath">ProxyTLSCARevocationPath</a></h3>
<strong>Syntax:</strong> ProxyTLSCARevocationPath <em>directory</em><br>
<strong>Default:</strong> None<br>
<strong>Context:</strong> server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code><br>
<strong>Module:</strong> mod_proxy<br>
<strong>Compatibility:</strong> 1.3.6rc2 and later

<p>
The <code>ProxyTLSCARevocationPath</code> directive sets the directory for the
Certificate Revocation Lists (CRL) of Certification Authorities (CAs); these
are used during the verification of server certificates.  This directive may
be used in addition to, or as alternative for,
<code>ProxyTLSCARevocationFile</code>.

<p>
The files in the configured directory have to be PEM-encoded, and are accessed
through hash filenames.  This means one cannot simply place the CRLs there:
one also has to create symbolic links named <i>hash-value</i>.N.  The
<code>c_rehash</code> utility that comes with OpenSSL can be used to create
the necessary symlinks.

<p>
Example:
<pre>
  ProxyTLSCARevocationPath /etc/ftpd/cacrls/
</pre>

<p>
<hr>
<h3><a name="ProxyTLSCertificateFile">ProxyTLSCertificateFile</a></h3>
<strong>Syntax:</strong> ProxyTLSCertificateFile <em>path</em><br>
<strong>Default:</strong> None<br>
<strong>Context:</strong> server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code><br>
<strong>Module:</strong> mod_proxy<br>
<strong>Compatibility:</strong> 1.3.6rc2 and later

<p>
The <code>ProxyTLSCertificateFile</code> directive points to the PEM-encoded
file containing the <em>client</em> certificate file, and optionally also
the corresponding private key.  <em>Note</em> that this directive is only
needed for backend/target FTPS servers which require client authentication.

<p>
Example:
<pre>
  ProxyTLSCertificateFile /etc/ftpd/client-cert.pem
</pre>

<p>
<hr>
<h3><a name="ProxyTLSCertificateKeyFile">ProxyTLSCertificateKeyFile</a></h3>
<strong>Syntax:</strong> ProxyTLSCertificateKeyFile <em>path</em><br>
<strong>Default:</strong> None<br>
<strong>Context:</strong> server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code><br>
<strong>Module:</strong> mod_proxy<br>
<strong>Compatibility:</strong> 1.3.6rc2 and later

<p>
The <code>ProxyTLSCertificateKeyFile</code> directive points to the PEM-encoded
file containing the <em>client</em> certificate file, and optionally also

<p>
The <code>ProxyTLSCertificateKeyFile</code> directive points to the PEM-encoded
private key file for the client certificate indicated by
<code>ProxyTLSCertificateFile</code>. If the private key is not combined with
the certificate in the <code>ProxyTLSCertificateFile</code>, use this additional
directive to point to the file with the standalone private key.  When
<code>ProxyTLSCertificateFile</code> is used and the file contains both the
certificate and the private key, this directive need not be used.  <b>However,
this practice is strongly discouraged</b>.  Instead we recommend you to separate
the certificate and the private key.

<p>
<hr>
<h3><a name="ProxyTLSCipherSuite">ProxyTLSCipherSuite</a></h3>
<strong>Syntax:</strong> ProxyTLSCipherSuite <em>[protocol] cipher-list</em><br>
<strong>Default:</strong> ProxyTLSCipherSuite DEFAULT:!ADH:!EXPORT:!DES<br>
<strong>Context:</strong> server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code><br>
<strong>Module:</strong> mod_proxy<br>
<strong>Compatibility:</strong> 1.3.6rc2 and later

<p>
The <code>ProxyTLSCipherSuite</code> directive configures the list of
acceptable SSL/TLS ciphersuites to use for backend SSL/TLS connections.  The
syntax is that of the OpenSSL <code>ciphers</code> command, <i>e.g.</i>:
<pre>
  $ openssl ciphers -v <em>&lt;cipher-list&gt;</em>
</pre>
may be used to list all of the ciphers and the order described by a specific
<em>&lt;cipher-list&gt;</em>.

<p>
If the SSL library supports TLSv1.3 (<i>e.g.</i> OpenSSL-1.1.1 and later), the
<em>protocol specifier</em> "TLSv1.3" can be used to configure the cipher
suites for that protocol:
<pre>
  # Configure TLSv1.3 ciphersuites
  ProxyTLSCipherSuite TLSv1.3 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
</pre>

<p>
<hr>
<h3><a name="ProxyTLSEngine">ProxyTLSEngine</a></h3>
<strong>Syntax:</strong> ProxyTLSEngine <em>on|off|auto|MatchClient</em><br>
<strong>Default:</strong> ProxyTLSEngine auto<br>
<strong>Context:</strong> server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code><br>
<strong>Module:</strong> mod_proxy<br>
<strong>Compatibility:</strong> 1.3.6rc2 and later

<p>
The <code>ProxyTLSEngine</code> directive configures the use of SSL/TLS for
<em>backend</em> FTP connections.  <b>Note</b> that SSL/TLS support
<b>requires</b> the presence/use of the <code>mod_tls</code> ProFTPD module.

<p>
The supported values are:
<ul>
  <li><em>on</em>
    <p> 
    Use of SSL/TLS is <b>required</b>; backend servers which do not support
    SSL/TLS <b>or</b> which fail the SSL/TLS handshake will cause the proxied
    session to be closed.
  </li>

  <p>
  <li><em>off</em>
    <p> 
    Use of SSL/TLS is <b>disabled</b>; backend servers which do support SSL/TLS
    will be ignored, and only FTP will be used.
  </li>

  <p>
  <li><em>auto</em>
    <p>
    Use of SSL/TLS will be <b>automatically</b> used if the backend server
    supports SSL/TLS (via <code>AUTH TLS</code> in its <code>FEAT</code>
    response).  If the SSL/TLS handshake fails, the backend connection will
    proceed using plain FTP.

    <p>
    <b>Note</b>: this is the default behavior in <code>mod_proxy</code>.
  </li>

  <p>
  <li>
    <p>
    Use of SSL/TLS to the backend server will attempt to <em>match</em> the
    SSL/TLS usage of the frontend client.  Thus if the frontend client uses
    explicit FTPS, then explicit FTPS will be attempted with the backend;
    similarly for implicit FTPS.  And if the frontent client does not use
    FTPS, then SSL/TLS will not be used for the backend connection.
  </li>
</ul>

<p>
<hr>
<h3><a name="ProxyTLSOptions">ProxyTLSOptions</a></h3>
<strong>Syntax:</strong> ProxyTLSOptions <em>options</em><br>
<strong>Default:</strong> None<br>
<strong>Context:</strong> server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code><br>
<strong>Module:</strong> mod_proxy<br>
<strong>Compatibility:</strong> 1.3.6rc2 and later

<p>
The <code>ProxyTLSOptions</code> directive is used to configure various
optional SSL/TLS behavior of <code>mod_proxy</code>.

<p>
Example:
<pre>
  ProxyTLSOptions EnableDiags
</pre>

<p>
The currently implemented options are:
<ul>
  <li><code>AllowWeakSecurity</code>
    <p>
    Sets the cryptographic security level to "zero", meaning that any/all
    ciphers and key sizes are permitted.  This option allows for the best
    interoperability with <i>any</i> FTPS server, but is
    <b>not recommended</b>.  Use only when necessary.
  </li>

  <p>
  <li><code>EnableDiags</code>
    <p>
    Sets callbacks in the OpenSSL library such that <b>a lot</b> of
    SSL/TLS protcol information is logged to the
    <a href="#ProxyLog"><code>ProxyLog</code></a> file.  This option is
    <b>very</b> useful when debugging strange interactions with FTPS servers.
  </li>

  <p>
  <li><code>NoSessionCache</code>
    <p>
    By default, when using SSL/TLS, <code>mod_proxy</code> will <em>cache</em>
    the negotiated SSL sessions in its local database, for reuse in enabling
    SSL session resumption in future connections to those hosts.  Use this
    option to <b>disable</b> use of session caching if/when needed.
  </li>

  <p>
  <li><code>NoSessionTickets</code>
    <p>
    By default, when using SSL/TLS, <code>mod_proxy</code> will <em>cache</em>
    any <a href="http://www.faqs.org/rfcs/rfc5077.html">session tickets</a>
    offered by the server in its local database, for reuse in enabling
    SSL session resumption in future connections to those hosts.  Use this
    option to <b>disable</b> use of session tickets if/when needed.
  </li>
</ul>

<p>
<hr>
<h3><a name="ProxyTLSPreSharedKey">ProxyTLSPreSharedKey</a></h3>
<strong>Syntax:</strong> ProxyTLSPreSharedKey <em>identity key-info</em><br>
<strong>Default:</strong> None<br>
<strong>Context:</strong> server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code><br>
<strong>Module:</strong> mod_proxy<br>
<strong>Compatibility:</strong> 1.3.6rc2 and later

<p>
The <code>ProxyTLSPreSharedKey</code> directive is used to configure a
<em>pre-shared key</em> (PSK), for use in
<a href="http://en.wikipedia.org/wiki/TLS-PSK">TLS-PSK</a> ciphersuites.  Each
PSK has an <em>identity</em> (a string/name used by clients to request the use
of that PSK), and the actual key data.  The key data may be encoded in different
ways; the <code>ProxyTLSPreSharedKey</code> directive requires that the data be
hex-encoded, as indicated in the <em>key-info</em> parameter.

<p>
The <em>key-info</em> parameter is comprised of the type of encoding used for
the key data, and the full path to the key file.  Only "hex" encoding is
supported right now.  Thus an example <code>ProxyTLSPreSharedKey</code>
directive would be:
<pre>
  ProxyTLSPreSharedKey MyPSK hex:/path/to/psk.key
</pre>
The configured file <b>cannot be world-readable or world-writable</b>; the
<code>mod_proxy</code> module will skip/ignore such insecure permissions.

<p>
To generate this shared key (which is just a randomly generated bit of data),
you can use:
<pre>
  $ openssl rand 160 -out /path/to/identity.key -hex
</pre>
Note that <code>ProxyTLSPreSharedKey</code> requires at least 20 bytes of key
data.  Having generated the random key data, tell <code>mod_proxy</code> to use
it via:
<pre>
  ProxyTLSPreSharedKey identity hex:/path/to/identity.key
</pre>

<p>
<hr>
<h3><a name="ProxyTLSProtocol">ProxyTLSProtocol</a></h3>
<strong>Syntax:</strong> ProxyTLSProtocol <em>protocols</em><br>
<strong>Default:</strong> ProxyTLSProtocol TLSv1 TLSv1.1 TLSv1.2<br>
<strong>Context:</strong> server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code><br>
<strong>Module:</strong> mod_proxy<br>
<strong>Compatibility:</strong> 1.3.6rc2 and later

<p>
The <code>ProxyTLSProtocol</code> directive is used to configure the SSL/TLS
protocol versions that <code>mod_proxy</code> should use when establishing
SSL/TLS sessions to backend servers.

<p>
The allowed protocols are:
<p>
<table>
  <tr>
    <td><code>SSLv3</code></td>
    <td>Use only SSLv3</td>
  </tr>

  <tr>
    <td><code>TLSv1</code></td>
    <td>Use only TLSv1</td>
  </tr>

  <tr>
    <td><code>TLSv1.1</code></td>
    <td>Use only TLSv1.1</td>
  </tr>

  <tr>
    <td><code>TLSv1.2</code></td>
    <td>Use only TLSv1.2</td>
  </tr>

</table>

<p>
To support both SSLv3 and TLSv1, simply list both parameters for the
<code>ProxyTLSProtocol</code> directive, <i>e.g.</i>:
<pre>
  ProxyTLSProtocol SSLv3 TLSv1
</pre>

<p>
The <code>ProxyTLSProtocol</code> directive can also be used in a different
manner, to <em>add</em> or <em>subtract</em> protocol support.  For example,
to enable all protocols <b>except</b> SSLv3, you can use:
<pre>
  ProxyTLSProtocol ALL -SSLv3
</pre>
Using the directive in this manner requires that "ALL" be the <b>first</b>
parameter, <i>and</i> that all protocols have either a <code>+</code>
(<em>add</em>) or <code>-</code> (<em>subtract</em>) prefix.  "ALL" will
always be expanded to all of the supported SSL/TLS protocols known by
<code>mod_proxy</code> and supported by <code>OpenSSL</code>.

<p>
<hr>
<h3><a name="ProxyTLSTimeoutHandshake">ProxyTLSTimeoutHandshake</a></h3>
<strong>Syntax:</strong> ProxyTLSTimeoutHandshake <em>timeout</em><br>
<strong>Default:</strong> ProxyTLSTimeoutHandshake 30sec<br>
<strong>Context:</strong> server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code><br>
<strong>Module:</strong> mod_proxy<br>
<strong>Compatibility:</strong> 1.3.6rc2 and later

<p>
The <code>ProxyTLSTimeoutHandshake</code> directive configures the maximum
number of seconds for <code>mod_proxy</code> to complete an SSL/TLS handshake.
If set to zero, <code>mod_proxy</code> will wait forever for a handshake to
complete.  The default is 30 seconds.

<p>
<hr>
<h3><a name="ProxyTLSTransferProtectionPolicy">ProxyTLSTransferProtectionPolicy</a></h3>
<strong>Syntax:</strong> ProxyTLSTransferProtectionPolicy <em>client|required|clear</em><br>
<strong>Default:</strong> ProxyTLSTransferProtectionPolicy required<br>
<strong>Context:</strong> server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code><br>
<strong>Module:</strong> mod_proxy<br>
<strong>Compatibility:</strong> 1.3.6rc1 and later

<p>
The <code>ProxyTLSTransferProtectionPolicy</code> directive configures the data
transfer protection <em>policy</em>, when using SSL/TLS, that
<code>mod_proxy</code> uses when performing data transfers (<i>e.g.</i> file
uploads/downloads, directory listings) with the backend/destination server.

<p>
The currently supported policies are:
<ul>
  <li><code>client</code>
    <p>
    This policy indicates that <code>mod_proxy</code> will use whatever
    the connected client uses.  Thus if the client sends <code>PROT C</code>,
    <code>mod_proxy</code> will send <code>PROT C</code> to the
    backend/destination server.
  </li>

  <p>
  <li><code>required</code>
    <p>
    Regardless of the commands sent by the client, <code>mod_proxy</code>
    will use only <em>protected</em> TLS data transfers (<i>i.e.</i> using
    <code>PROT P</code> commands) with the backend/destination server.

    <p>
    This is the <em>recommended policy</em> in most cases.
  </li>

  <p>
  <li><code>clear</code>
    <p>
    Regardless of the commands sent by the client, <code>mod_proxy</code>
    will use only <em>clear</em> (<i>i.e.</i> <em>unprotected</em>) data
    transfers (<i>i.e.</i> using <code>PROT C</code> commands) with the
    backend/destination server.
  </li>
</ul>

<p>
<hr>
<h3><a name="ProxyTLSVerifyServer">ProxyTLSVerifyServer</a></h3>
<strong>Syntax:</strong> ProxyTLSVerifyServer <em>on|off</em><br>
<strong>Default:</strong> ProxyTLSVerifyServer on<br>
<strong>Context:</strong> server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code><br>
<strong>Module:</strong> mod_proxy<br>
<strong>Compatibility:</strong> 1.3.6rc2 and later

<p>
The <code>ProxyTLSVerifyServer</code> directive configures how
<code>mod_proxy</code> handles certificates presented by servers.  If
<em>off</em>, the module will accept <b>any</b> server certificate and
establish an SSL/TLS session, but will <b>not</b> verify the certificate.  If
<em>on</em>, the module will verify a server's certificate and, furthermore,
will fail all SSL handshake attempts <b>unless</b> the server presents a valid
certificate.

<p>
<hr>
<h2><a name="Usage">Usage</a></h2>

<p>
<b>Benefits of Proxying</b><br>
The benefits of using a module like <code>mod_proxy</code> depend mostly
on the type of proxying, forward or reverse, that <code>mod_proxy</code>
is configured to perform.  There are some benefit, however, that the module
can bring, regardless of the type of proxying:
<ul>
  <li>Add ProFTPD's FTPS support (via <code>mod_tls</code>) for FTP <em>servers</em> which do not support FTPS
  <li>Add ProFTPD's FTPS support for FTP <em>clients</em> which do not support FTPS
  <li>Add ProFTPD's IPv6 support for FTP clients/servers which do not support it
  <li>Add ProFTPD's logging power (<code>TransferLog</code>, <code>ExtendedLog</code>, <i>etc</i>) for FTP servers which do not provide such versatile logging
  <li>Use ProFTPD's monitoring capabilities (<i>e.g.</i> <code>mod_snmp</code>) for FTP servers which do not have such features
</ul>

<p>
When using <code>mod_proxy</code> for proxying, <b>all</b> data transfers
(<i>e.g.</i> file uploads/downloads, directory listings, etc) pass through
<code>mod_proxy</code>; data transfers do <b>not</b> occur directly between
the "frontend" clients and the "backend" servers.  This happens so that
clients are <b>completely</b> unaware of the network structure for the
backend servers; this is especially important when reverse proxying, where
it means that the client sees <code>mod_proxy</code> <em>as the real</em> FTP
server.

<p>
<i>Forward Proxying</i><br>
One of the most common benefits of a forward proxy is having controlled access,
by clients within an internal LAN, to outside servers.  FTP makes this sort
of thing notoriously difficult for firewalls/routers due to its multi-TCP
connection nature; this, in turn, makes proxying of FTP more difficult.  But
<code>mod_proxy</code> makes this possible; it understands FTP, and thus
provides the access control needed for such use cases.

<p>
When using <code>mod_proxy</code> as a forward proxy, FTP clients which can
only perform active data transfers can use <code>mod_proxy</code> as a way
to use passive data transfers with the destination FTP server.

<p>
Similarly, FTP clients which do not support IPv6 can proxy through
<code>mod_proxy</code> to reach a destination FTP server with an IPv6 address;
<code>mod_proxy</code> handles IPv4 and IPv6 addresses transparently.

<p>
<i>Reverse Proxying</i><br>
Just as <code>mod_proxy</code> can aid naive/legacy FTP clients via forward
proxying, <code>mod_proxy</code> can similarly front legacy FTP servers.
For example, <code>mod_proxy</code> can sit in front of FTP servers which
do not handle IPv6 addresses, and provide this functionality transparently
to IPv6-capable FTP clients.

<p>
When performing reverse proxying, <code>mod_proxy</code> can also perform
load balancing in various ways.  The common methods of "round robin" and
"least connections" are implemented; <code>mod_proxy</code> also provides
"sticky session" load balancing of clients as well.

<p>
<b>Handling of Proxied Sessions</b><br>
Once a proxied session has authenticated with the backend/destination server,
the <code>mod_proxy</code> module automatically chroots itself to a
subdirectory of the <a href="#ProxyTables"><code>ProxyTables</code></a>
directory, after which all root privileges are permanently dropped.

<p>
<b>Forward Proxy Configuration</b><br>
Before discussing example forward proxy configurations for
<code>mod_proxy</code>, it is very important to understand the consequences
of providing forward proxy capabilities.

<p>
<b>Important Security Considerations</b><br>
A forward proxy can be used by <b>any</b> client to have <em>the proxy</em>
connect to <b>any</b> arbitrary host, while hiding the client's true identity.
Malicious behavior, hacking or denial-of-service attempts, <i>etc</i> will
appear to be coming from <em>your proxy</em>; this is dangerous for your
network, and for the Internet at large.  Think of the damage that has been
done, <em>and continues to happen</em>, due to open/unrestricted proxies/relays
such as open DNS or SMTP/email proxies.

<p>
This is the reason that <code>mod_proxy</code> does not allow just <b>any</b>
client to use its forward proxy capabilities by default; instead, only
clients connecting from the LAN are allowed by default.  Allowing trusted
outside clients is done using the
<a href="#ProxyForwardEnabled"><code>ProxyForwardEnabled</code></a> directive.
Even allowing internal clients to use your forward proxy can be troublesome,
depending on the destination hosts selected by the clients.  To ensure that
your clients are using the forward proxy to connect only to the hosts allowed,
you can use the <a href="#ProxyForwardTo"><code>ProxyForwardTo</code></a>
directive to configure a regular expression-based whitelist of allowed
destination/target hosts; <b>this is strongly recommended</b>.

<p>
With all that said, here's an example <code>mod_proxy</code> configuration
for supporting forward proxying:
<pre>
  &lt;IfModule mod_proxy.c&gt;
    ProxyEngine on
    ProxyLog /path/to/proxy.log
    ProxyTables /var/ftp/proxy

    ProxyRole forward
    ProxyForwardMethod user@host
    ProxyForwardTo ^ftp\.example\.com\:21$ [NC]
  &lt;/IfModule&gt;
</pre>
If the configured <code>ProxyForwardTo</code> pattern is <em>not</em> met,
the following will be logged in the <code>ProxyLog</code>:
<pre>
mod_proxy/0.7[16151]: host/port 'server.example.org:2121' did not match ProxyForwardTo ^ftp\.example\.com\:21$, rejecting
</pre>

<p>
<b>Reverse Proxy Configuration</b><br>
Reverse proxies (also known as "gateways") are often used to provide access
to FTP resources, located with internal networks, to the outside world.  The
reverse proxy can perform load balancing, provide functionality that the
internal servers may not be able to do, and even perform things like caching.

<p>
Access control for reverse proxies is less critical than for forward proxies
because clients can only reach, via the reverse proxy, the backend servers
that the reverse proxy has been configured to use; the clients do <b>not</b>
get to choose arbitrary hosts for the reverse proxy to use.

<p>
Here's an example <code>mod_proxy</code> configuration for supporting reverse
proxying:
<pre>
  &lt;IfModule mod_proxy.c&gt;
    ProxyEngine on
    ProxyLog /path/to/proxy.log
    ProxyTables /var/ftp/proxy

    ProxyRole reverse
    ProxyReverseConnectPolicy RoundRobin
    ProxyReverseServers ftp://ftp-backend1.example.com:2121 ftp://ftp-backend2.example.com:2121 ...
  &lt;/IfModule&gt;
</pre>

<p>
Here's an example <code>mod_proxy</code> configuration for reverse proxying,
with lookup of per-user backend servers:
<pre>
  &lt;IfModule mod_proxy.c&gt;
    ProxyEngine on
    ProxyLog /path/to/proxy.log
    ProxyTables /var/ftp/proxy

    ProxyRole reverse
    ProxyReverseConnectPolicy PerUser

    # We need to provide a pool of backend servers as a fallback
    ProxyReverseServers ftp://ftp-backend1.example.com:2121 ftp://ftp-backend2.example.com:2121 ...

    # Look up per-user backend servers from user-specific JSON files
    ProxyReverseServers file:/var/ftp/proxy/backends/%U.json
  &lt;/IfModule&gt;
</pre>

Similarly, you can use a <i>per-group</i> lookup for the backend servers when
reverse proxying:
<pre>
  &lt;IfModule mod_proxy.c&gt;
    ProxyEngine on
    ProxyLog /path/to/proxy.log
    ProxyTables /var/ftp/proxy

    ProxyRole reverse
    ProxyReverseConnectPolicy PerGroup
    ProxyOptions UseReverseProxyAuth

    # We need to provide a pool of backend servers as a fallback
    ProxyReverseServers ftp://ftp-backend1.example.com:2121 ftp://ftp-backend2.example.com:2121 ...

    # Look up per-group backend servers from group-specific JSON files
    ProxyReverseServers file:/var/ftp/proxy/backends/%g.json
  &lt;/IfModule&gt;
</pre>

<p>
In order to support FTP over SSL/TLS (FTPS) connections from <em>clients</em>
when reverse proxying, simply include your normal <code>mod_tls</code>
configuration with the same <code>&lt;VirtualHost&gt;</code> configuration
with your <code>mod_proxy</code> configuration.

<p>
For FTPS support to the backend <em>servers</em>, your reverse proxy
configuration would look something like this:
<pre>
  &lt;IfModule mod_proxy.c&gt;
    ProxyEngine on
    ProxyLog /path/to/proxy.log
    ProxyTables /var/ftp/proxy

    ProxyRole reverse
    ProxyReverseConnectPolicy RoundRobin
    ProxyReverseServers ftp://ftp-backend1.example.com:2121 ftp://ftp-backend2.example.com:2121 ...

    # Use FTPS when supported/available by the backend server
    ProxyTLSEngine auto

    # List of trusted root CAs
    ProxyTLSCACertificateFile /etc/ftpd/cacerts.pem
  &lt;/IfModule&gt;
</pre>
In fact, <code>mod_proxy</code> comes with a default
<code>ProxyTLSCACertificateFile</code> (comprised of the root CAs that most
browsers use/trust), <b>and</b> the default <code>ProxyTLSEngine</code>
value is <em>auto</em>.  This means that, by default, <code>mod_proxy</code>
will try to use FTPS for backend connections automatically (assuming that
ProFTPD is built with OpenSSL support using the <code>--enable-openssl</code>
configure option).

<p>
<b>Load Balancing versus Session Stickiness</b><br>
For reverse proxy configurations, there is a choice between
<em>load balancing</em> and <em>sticky session</em>
<code>ProxyReverseConnectPolicy</code> parameters; these parameters determine
the selection of the backend server that will handle the incoming connection.

<p>
Which should you use, and why?

<p>
All of the <em>balancing</em> policies are able to select the backend server
<em>when the FTP client connects to the proxy, before sending any commands</em>.
Most of the "sticky" policies, on the other hand, require more knowledge about
the user (<i>e.g.</i> <code>USER</code> name, <code>HOST</code> name, SSL
session ID) <em>before the backend server can be determined</em>, thus backend
server selection is delayed until that information is obtained.

<p>
<em>Balancing</em> is best when all of your backend severs are identical with
regard to the content they have, <b>and</b> when it does not matter which
server handles a particular client.  Maybe all of your backend servers use a
shared filesystem via NFS or similar, thus directory listings will be the same
for a user no matter which backend server is used, and uploading files to one
server means that those files can be downloaded/seen by the other servers.
Balancing policies are also best when all of your backend servers have similar
processing power (memory, CPU, network, disk), so that all backend servers
are equally capable of providing the same service to the connecting client.

<p>
The <em>balancing</em> policies are:
<ul>
  <li><code>LeastConns</code>
  <li><code>Random</code>
  <li><code>RoundRobin</code>
  <li><code>Shuffle</code>
</ul>

<p>
<em>Stickiness</em> is best when your backend servers are <b>not</b> identical,
and some users/clients <em>should only ever go to the same set of backend
servers</em>.  Thus the user/client needs to be "sticky" to a given backend
server.

<p>
The <em>sticky</em> policies are:
<ul>
  <li><code>PerGroup</code>
  <li><code>PerHost</code>
  <li><code>PerUser</code>
</ul>

<p>
<b>Implicit FTPS Support</b><br>
The <code>mod_proxy</code> module includes support for using <a href="https://en.wikipedia.org/wiki/FTPS#Implicit">implicit FTPS</a> with backend servers,
both when forward and reverse proxying.  <b>Note</b> that implicit FTPS support
<b>requires</b> the presence/use of the <code>mod_tls</code> ProFTPD module.

<p>
In order to use implicit FTPS for a reverse proxy server, the URI syntax
must be used in a <code>ProxyReverseServers</code> directive; the scheme
<b>must</b> be "ftps" <i>and</i> the port must be explicitly specified as 990,
thus:
<code>
  ProxyReverseServers ftps://ftp.example.com:990
</code>

<p>
When forward proxying, the client must request the destination server <i>and</i>
specify a port of 990, <i>e.g.</i>:
<code>
  USER user@ftp.example.com:990
</code>

<p>
Note that there is an additional wrinkle/caveat for implicit FTPS support when
your <code>mod_proxy</code> installation uses shared/DSO modules.  You must
ensure, in a list of <code>LoadModule</code> directives, that
<code>mod_proxy</code> appears <i>before</i> <code>mod_tls</code>:
<pre>
  # Make sure that mod_tls appears after mod_proxy in the list of loaded
  # modules
  LoadModule mod_proxy.c
  LoadModule mod_tls.c
</pre>
Why does this matter?

<p>
A lot of things happen when a client connects, via TCP, to the server (in this
case, to a server configured to be a proxy). ProFTPD publishes this "on connect"
event to all of the modules, in "module load order". The <em>last</em> module
loaded will be the <em>first</em> module to receive this event; this means
"module loader order" is the <em>reverse</em> order of your
<code>LoadModule</code> directives.

<p>
What we want is for the <code>mod_tls</code> module to handle the "on connect"
event first, so that it handles the implicit TLS handshake.  In doing so, the
<code>mod_tls</code> module will record some internal session state showing
that a TLS handshake occurred.  The <code>mod_proxy</code> module looks for the
internal session state that <code>mod_tls</code> sets, and will Do The Right
Thing if it sees that a TLS session is in effect.

<p>
On the other hand, if <code>mod_proxy</code> appears after <code>mod_tls</code>
in the <code>LoadModule</code> list, then it is the <code>mod_proxy</code>
module which handles the "on connect" event before <code>mod_tls</code> does.
<code>mod_proxy</code> looks for the session state to see if a TLS session is
in effect, does not find the session state, and then attempts to proxy things
like the backend banner to the client.  The frontend client is expecting TLS
handshake bytes, not plaintext text bytes from the banner, and thus the frontend
client will see a TLS error.

<p>
<b>SFTP/SCP Support</b><br>
The <code>mod_proxy</code> module now supports <em>reverse</em> proxying (but
<b>not</b> <em>forward</em> proxying) of SFTP/SCP sessions.

<p>
To support a reverse proxy configuration for SFTP/SCP sessions, specify
the <code>sftp</code> scheme in your <code>ProxyReverseServers</code> URIs,
like so:
<pre>
  &lt;IfModule mod_proxy.c&gt;
    ProxyEngine on
    ProxyLog /path/to/proxy.log
    ProxyTables /var/ftp/proxy

    ProxyRole reverse
    ProxyReverseConnectPolicy RoundRobin
    ProxyReverseServers sftp://ssh-backend1.example.com:2222 sftp://ssh-backend2.example.com ...
  &lt;/IfModule&gt;
</pre>

<p>
When proxying SSH connections like this, there will be <em>two</em> separate
SSH sessions:
<pre>
  frontend client --- (SSH session #1) --> proxy --- (SSH session #2) --> backend server
</pre>
Each SSH session creates a unique session ID, as a hash of client- and
server-provided values known as <code>H</code>.  This is important for some
types of authentication, as we see later.

<p>
Proxying of SSH connections is more complex than proxying of FTP/FTPS
connections, <i>especially</i> when it comes to authentication.  FTP supports
simple password-based authentication, whereas SSH supports multiple different
authentication mechanisms.  And two authentication mechanisms, in particular,
require a slightly more sophisticated <code>mod_proxy</code> configuration:
&quot;hostbased&quot; and &quot;publickey&quot;.

<p>
When the frontend SSH client requests the &quot;keyboard-interactive&quot;
or &quot;password&quot; authentication mechanisms, then <code>mod_proxy</code>
can handle the client using the above configuration as-is. For the
&quot;hostbased&quot; and &quot;publickey&quot; authentication mechanisms,
<code>mod_proxy</code> needs to do a little more work -- and it requires
support on the backend servers for &quot;hostbased&quot; authentication.

<p>
Let's consider the common &quot;publickey&quot; use case (the frontend
&quot;hostbased&quot; case is quite similar).  The frontend client has a
public/private key pair; <code>mod_proxy</code> has no knowledge or access to
that frontend private key (by design).  The frontend client performs the
&quot;publickey&quot; authentication by hashing several types of data, then
encrypts that hash with its private key; the server (<code>mod_proxy</code> in
this case) then hashes the same data, and decrypts the client-sent value with
the client's public key.  The complication is that one of the types of data
included in these hashes is the unique session ID known as <code>H</code>
mentioned above.  The <code>H</code> values for the SSH connections (from the
frontend client to the proxy, and separately from the proxy to the backend
server) <b>will be different</b>.  And since <code>mod_proxy</code> has no
access to the frontend private key, it cannot forge or change <code>H</code>
(and this is a good thing).  But it does mean that <code>mod_proxy</code>
cannot simply proxy the &quot;publickey&quot; authentication request as is,
from frontend client to backend server.

<p>
Instead, for these authentication mechanisms, <code>mod_proxy</code> will
use a different authentication mechanism, specifically &quot;hostbased&quot;
authentication, to the backend server.  This makes sense, right?  The backend
server trusts that the proxy is doing proper handling of <b>all</b> frontend
clients, thus backend server can trust the entire proxy host, not just
individual clients proxied by that host.  In order support these backend
&quot;hostbased&quot; authentication requests, <code>mod_proxy</code> will
need to know its private key to use for such things, via
<a href="#ProxySFTPHostKey"><code>ProxySFTPHostKey</code></a>; this can
actually the same private key used by the <code>SFTPHostKey</code> directive
(or be a different private key, depending on your needs).  It also requires
that the backend servers be configured to trust the corresponding public key;
for <code>mod_sftp</code>, this would be done using its
<code>SFTPAuthorizedHostKeys</code> directive.

<p>
The SFTP/SCP support in <code>mod_proxy</code> also properly supports the
<code>PerUser</code>, <code>PerGroup</code>
<a href="#ProxyReverseConnectPolicy"><code>ProxyReverseConnectPolicy</code></a>
values, subject the same caveats.  This means that <code>mod_proxy</code>
can proxy different frontend SSH users to different backend servers (and
even rewrite/change the user name via the <a href="http://www.proftpd.org/docs/contrib/mod_rewrite.html"><code>mod_rewrite</code></a> module); just like for
FTP/FTPS sessions, you can configure the per-user lookup of backend servers
using SQL queries, JSON files, <i>etc</i>.

<p>
<b>Logging</b><br>
The <code>mod_proxy</code> module supports different forms of logging.  The
main module logging is done via the
<a href="#ProxyLog"><code>ProxyLog</code></a> directive.  For debugging
purposes, the module also uses <a href="http://www.proftpd.org/docs/howto/Tracing.html">trace logging</a>, via the module-specific channels:
<ul>
  <li>proxy
  <li>proxy.conn
  <li>proxy.db
  <li>proxy.dns
  <li>proxy.forward
  <li>proxy.ftp.conn
  <li>proxy.ftp.ctrl
  <li>proxy.ftp.data
  <li>proxy.ftp.dirlist
  <li>proxy.ftp.facts
  <li>proxy.ftp.msg
  <li>proxy.ftp.sess
  <li>proxy.ftp.xfer
  <li>proxy.inet
  <li>proxy.netio
  <li>proxy.random
  <li>proxy.reverse
  <li>proxy.reverse.db
  <li>proxy.reverse.redis
  <li>proxy.session
  <li>proxy.ssh.agent
  <li>proxy.ssh.auth
  <li>proxy.ssh.bcrypt
  <li>proxy.ssh.cipher
  <li>proxy.ssh.compress
  <li>proxy.ssh.crypto
  <li>proxy.ssh.db
  <li>proxy.ssh.disconnect
  <li>proxy.ssh.interop
  <li>proxy.ssh.kex
  <li>proxy.ssh.keys
  <li>proxy.ssh.msg
  <li>proxy.ssh.packet
  <li>proxy.ssh.service
  <li>proxy.ssh.utf8
  <li>proxy.tls
  <li>proxy.tls.db
  <li>proxy.tls.redis
  <li>proxy.uri
</ul>

<p>
Thus for trace logging, to aid in debugging, you would use the following in
your <code>proftpd.conf</code>:
<pre>
  TraceLog /path/to/proxy-trace.log
  Trace proxy:20
</pre>
This trace logging can generate large files; it is intended for debugging
use only, and should be removed from any production configuration.

<p><a name="Notes"></a>
<b>Logging Notes</b><br>
The following is a list of <em>notes</em>, logging variables that can be used in
custom <code>LogFormats</code> and/or custom SQL statements:
<ul>
  <li><code>%{note:mod_proxy.backend-ip}</code>: IP address of the backend/proxied server
  <li><code>%{note:mod_proxy.backend-port}</code>: Port of the backend/proxied server
  <li><code>%{note:mod_proxy.backend-url}</code>: URL to the backend/proxied server
</ul>

<p><a name="SELinux"></a>
<b>SELinux</b><br>
If using the <code>mod_proxy</code> module on an SELinux-enabled system, you
may need the following to allow for proper operations of proxying.  For example,
using the following <code>mod_proxy</code> configuration:
<pre>
  ProxyTables /var/ftp/proxy
</pre>
may require that you run:
<pre>
  $ semanage fcontext --add --type public_content_rw_t '/var/ftp/proxy(/.*)?'
  $ setsebool -P ftpd_anon_write=1
  $ setsebool -P nis_enabled=1
</pre>

<p><a name="Wishlist"></a>
<b>Suggested Future Features</b><br>
The following lists the features I hope to add to <code>mod_proxy</code>,
according to need, demand, inclination, and time:
<ul>
  <li><code>MODE Z</code> support
</ul>

<p>
See the GitHub <a href="https://github.com/Castaglia/proftpd-mod_proxy/issues">issues</a> page for current bugs and feature requests, and to report issues.

<p><a name="FAQ"></a>
<b>Frequently Asked Questions</b><br>

<p><a name="ProxyRoundRobinVsLeastConns"></a>
<font color=red>Question</font>: I have heard a lot about both "round robin"
and "least conns" for load balancing.  Which is better for FTP connections?<br>
<font color=blue>Answer</font>:  There is not an easy answer to this, because
it really comes down to the type of traffic that your FTP servers will see.

<p>
<b><i>If</i></b> your FTP sessions tend to be long-lived (<i>e.g.</i> on the
order of minutes to hours), then using <code>ProxyReverseConnectPolicy
LeastConns</code> will tend to provide the best distribution of those sessions
across your pool of backend servers.  The assumption here is that <b>new</b>
connections arrive infrequently <em>relative to the number of existing
connections</em>.

<p>
On the other hand, <b><i>if</i></b> your FTP sessions tend to be shorter
(<i>e.g.</i> minutes at most), then using <code>ProxyReverseConnectPolicy
RoundRobin</code> might provide a more even distribution of connections
across your pool of backend servers.

<p><a name="ProxyPerHostBackendServers"></a>
<font color=red>Question</font>: I am using:
<pre>
  ProxyReverseConnectPolicy PerHost
</pre>
and would like to configure different pools of backend servers for different
incoming clients.  How do I do this?<br>
<font color=blue>Answer</font>:  The best way to achieve this would be
to use <a href="http://www.proftpd.org/docs/howto/Classes.html">classes</a>
and <code>mod_ifsession</code>'s <code>&lt;IfClass&gt;</code> sections.  For
example:
<pre>
  &lt;Class proxied-clients&gt;
  &lt;/Class&gt;

  ProxyRole reverse
  ProxyReverseConnectPolicy PerHost

  &lt;IfClass proxied-clients&gt;
    ProxyReverseServers ftp://ftp-special1.example.com:2121 ftp://ftp-special2.example.com:2121 ...
  &lt;/IfClass&gt;

  # Don't forget to configure the backend server pool for clients coming
  # from other networks!
  &lt;IfClass !proxied-clients&gt;
    ProxyReverseServers ftp://ftp-backend1.example.com:2121 ftp://ftp-backend2.example.com:2121 ...
  &lt;/IfClass&gt;
</pre>

<p><a name="ProxyFTPSSupport"></a>
<font color=red>Question</font>: Does <code>mod_proxy</code> support SSL/TLS
connections, <i>i.e.</i> FTPS?<br>
<font color=blue>Answer</font>:  Short answer: yes.

<p>
The long answer is the <code>mod_proxy</code> supports FTPS connections
<b>both</b> on the <em>frontend</em>, from connecting clients, <b>and</b> on
the <em>backend</em>, to backend servers.  This means that all of the following
flows are supported:
<pre>
  <em>client</em> --- FTPS ---> <em>proxy</em> --- FTP ---> <em>server</em>
  <em>client</em> --- FTP ---> <em>proxy</em> --- FTPS ---> <em>server</em>
  <em>client</em> --- FTPS ---> <em>proxy</em> --- FTPS ---> <em>server</em>
</pre>

<p>
Thus <code>mod_proxy</code>'s FTPS support is suited for reverse proxy
configurations, where <code>mod_proxy</code> can be used to provide SSL/TLS
capabilities to old/legacy FTP servers which do not implement it.   The
<code>mod_proxy</code> module is <em>also</em> suited for forward proxy
configurations, where the FTPS support can be used to provide SSL/TLS
capabilities to old/legacy FTP clients which do not implement it.

<p><a name="ProxyReverseProxyCredentials"></a>
<font color=red>Question</font>: I want to use <code>mod_proxy</code> for
reverse proxying.  I want to centralize all of my user authentication in
<code>mod_proxy</code>, <b>and</b> I want to use <em>different</em> user
credentials when logging in to the backend servers.  Can <code>mod_proxy</code>
do all of this?<br>
<font color=blue>Answer</font>: Yes.

<p>
There are a couple of key parts of your <code>mod_proxy</code> configuration
to pay attention to, for achieving the above.
<pre>
  &lt;IfModule mod_proxy.c&gt;
    ProxyEngine on
    ProxyLog /path/to/proxy.log
    ProxyTables /var/ftp/proxy

    ProxyRole reverse

    <b># Make sure to authenticate in the proxy itself
    ProxyOptions UseReverseProxyAuth</b>

    ProxyReverseConnectPolicy ...

    <b># Include the username/passwords to use for the backend servers
    # <em>in the URLs</em>.</b>
    ProxyReverseServers ftp://<b>user1:password1@</b>ftp-backend1.example.com:2121 ftp://<b>user2:password2@</b>ftp-backend2.example.com:2121 ...
  &lt;/IfModule&gt;
</pre>
When a URL uses the "username:password" syntax for including the credentials
to use for that connection, <code>mod_proxy</code> will use those URI
credentials when logging in to that backend server.

<p><a name="ProxyLimitByGroup"></a>
<font color=red>Question</font>: I have configured <code>mod_proxy</code> to
block the <code>LIST</code> command for one group of users, like so:
<pre>
  &lt;Limit LIST&gt;
    DenyGroup somegroup
  &lt;/Limit&gt;
</pre>
But this <code>&lt;Limit&gt;</code> is not working.  Is this a bug?<br>
<font color=blue>Answer</font>:  No, it is not a bug.  It is, unfortunately,
expected behavior.

<p>
The <code>&lt;Limit&gt;</code> mechanism works on the <b>authenticated</b>
user/group names.  And in many cases, it is <b>not</b> <code>mod_proxy</code>
which authenticates the user, it is the backend server.  Thus it is the
backend server which knows the groups to which the authenticated user belongs;
<code>mod_proxy</code> only knows that the <code>USER</code> name was
successfully authenticated by the backend user.  Thus <em>group</em>-based
limits cannot be honored.

<p>
However, <b>if</b> proxy auth <b>is</b> enabled, then group-based limits will
work.  This means using either the following when forward proxying:
<pre>
  ProxyRole forward

  # Either of these two methods result in proxy auth
  ProxyForwardMethod proxyuser,user@host
  ProxyForwardMethod proxyuser@host,user
</pre>
or this, when reverse proxying:
<pre>
  ProxyRole reverse
  ProxyOptions UseReverseProxyAuth
</pre>

<p><a name="ProxyReverseSelectionByCert"></a>
<font color=red>Question</font>: Can <code>mod_proxy</code> be configured
as a reverse proxy, and to select the backend server based on the <em>client
certificate</em> used by the frontend FTPS client?<br>
<font color=blue>Answer</font>: Yes, but it requires the use of a custom SQL
query.

<p>
The idea here is to define a SQL query which looks up the backend server to
use, based on information in the frontend FTPS client certificate.  Since the
<code>mod_proxy</code> module already uses SQLite, you <i>should</i>
be able to use the <code>mod_sql_sqlite</code> module if needed.  The SQL
table schema might look like:
<pre>
  CREATE TABLE proxy_backends (
    common_name TEXT PRIMARY KEY,
    url TEXT
  );
</pre>

<pre>
  &lt;IfModule mod_tls.c&gt;
    ...
    # Tell mod_tls to export environment variables containing various
    # certificate fields, for use by e.g. mod_sql.
    TLSOptions StdEnvVars
    ...
  &lt;/IfModule&gt;

  &lt;IfModule mod_sql.c&gt;
    ...
    # Use the TLS_CLIENT_S_DN_CN environment variable (for the CommonName of
    # the Subject section of the frontend FTPS client certificate) provided
    # by mod_tls in our selection.
    SQLNamedQuery get-user-servers SELECT "url FROM proxy_backends WHERE common_name = '%{env:TLS_CLIENT_S_DN_CN}'"
    ...
  &lt;/IfModule&gt;

  &lt;IfModule mod_proxy.c&gt;
    ...
    ProxyRole reverse
    ProxyReverseConnectPolicy PerUser

    # Use a named SQL query to lookup the backend server to use.  Note that
    # the name used here is the name of our SQLNamedQuery defined above.
    ProxyReverseServers sql:/get-user-servers
    ...
  &lt;/IfModule&gt;
</pre>
Note that the <code>mod_tls</code> module provides many other environment
variables for other fields of the certificate; using a field other than
CommonName is also quite doable, depending on your needs.

<p>
<hr>
<h2><a name="Installation">Installation</a></h2>
To install <code>mod_proxy</code>, go to the third-party module area in
the proftpd source code and unpack the <code>mod_proxy</code> source tarball:
<pre>
  $ cd <i>proftpd-dir</i>/contrib/
  $ tar zxvf /path/to/mod_proxy-<i>version</i>.tar.gz
</pre>
after unpacking the latest proftpd-1.3.<i>x</i> source code.  For including
<code>mod_proxy</code> as a statically linked module:
<pre>
  $ ./configure --with-modules=mod_proxy:...
</pre>
To build <code>mod_proxy</code> as a DSO module:
<pre>
  $ ./configure --enable-dso --with-shared=mod_proxy:...
</pre>
Then follow the usual steps:
<pre>
  $ make
  $ make install
</pre>
<b>Note</b>: <code>mod_proxy</code> uses the
<a href="http://www.sqlite.org"><code>SQLite</code></a> library; thus the
<code>sqlite3</code> development library/headers <b>must</b> be installed for
building <code>mod_proxy</code>.

<p>
It is <b>highly recommended</b> that SQLite 3.8.5 or later be used.  Problems
have been reported with <code>mod_proxy</code> when SQLite 3.6.20 is used;
these problems disappeared once SQLite was upgraded to a newer version.

<b>Note</b>: <code>mod_proxy</code> uses the OpenSSL library, so its
development library/header files <b>must</b> be installed for building
<code>mod_proxy</code>.

<p>
<hr>

<font size=2><b><i>
&copy; Copyright 2015-2024 TJ Saunders<br>
 All Rights Reserved<br>
</i></b></font>

<hr>
</body>
</html>