FTP Proxy , user based forwarding with iRule
I'm looking into using a VS as an FTP proxy towards my backend webserver. Currently it already works for one webserver behind the VS.
I'm now trying to write an iRule to forward traffic to the right server based on the username the FTP connection is initiated with. Secondly, I need to rewrite the username and remove the web parameter.
Example:
USER1 connects with the following credential: USER1@WEB1
@WEB1 is removed from the credential and the connection is forwarded towards pool WEB1
Does anybody have any ideas how to do this last part?
- Andy_McGrath (Cumulonimbus)
Just working on a similar project extracting user credentials from SMTPS requests.
First, nothing in the FTP iRule commands can do this for you, so you need to read the TCP payload to locate and extract the data you need.
To do this you need to work out a flow where you enable collection of the next clientside and/or serverside payload using TCP::collect (or SSL::collect if you are using SSL offload), then identify the payload with the TCP::payload details and do some manipulation with TCP::payload replace and TCP::release.
Best is to look at the following code share examples, which you can hopefully use as a base:
So currently I can redirect traffic to the right server based on username.
But the username gets modified somehow when the F5 sends it to the server. I use the following to change the TCP::payload:

    TCP::payload replace 0 [TCP::payload length] ""
    set packetdata "USER $user"
    TCP::payload replace 0 0 $packetdata

Serverside we see the following:

    [pid 31210] FTP command: Client "::ffff:10.1.1.1", "USER usernameSYST"

When I log TCP::payload on the F5 I see "USER username", so I have no idea where the SYST part comes from.
- Andy_McGrath (Cumulonimbus)
Can you share the value you're setting the user variable to in your iRule?
It's the following.

    log local0. [TCP::payload]

This gives username@ftp1.

    regexp "USER (\[a-zA-Z0-9_-]+)" [TCP::payload] all user
    log local0. "$user"

This gives username.
- Andy_McGrath (Cumulonimbus)
Try this:

    TCP::payload replace 0 [TCP::payload length] ""
    TCP::payload replace 0 0 "USER $user\r\n"

The \r\n I think is needed as the end of the FTP command.
Thanks, that's correct!
Username is correct now on the serverside.
- Andy_McGrath (Cumulonimbus)
Good glad it worked for you :D
Any idea on how to read out the password? I only have success connecting if I place the password in the TCP::payload:

    set packetdata "USER $user\r\nPASS test123\r\n"

I could set up a data group with all users and passwords on the F5, but that is something I would like to avoid.
- Andy_McGrath (Cumulonimbus)
From what I have seen, the FTP PASS command is sent separately following a 331 request from the FTP server.
This is from an example PCAP file I found online:
    < 220-
    < 220 6bone.informatik.uni-leipzig.de FTP server (NetBSD-ftpd 20041119) ready.
    > USER anonymous
    < 331 Guest login ok, type your name as password.
    > PASS IEUser@
    < 230 Guest login ok, access restrictions apply.
    > opts utf8 on
    < 502 Unknown command 'utf8'.
    > syst
    < 215 UNIX Type: L8 Version: NetBSD-ftpd 20041119
    > site help
    < 214-
If this is the case for your client and server, I would expect the F5 can simply pass the password through in the next payload.
It is possible that different authentication methods are available (I hit this issue when writing an extraction iRule for SMTP authentication), so you would need to check, as I do not know FTP in that much detail.
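The logic the thread converges on (strip "@WEB1" from the USER command, pick the pool from the suffix, terminate the rewritten command with CRLF, and let PASS flow through untouched) is easier to reason about outside the iRule. The following is an added example, not code from the thread or from F5: a Python model of the client-to-server control stream that buffers raw TCP chunks up to each CRLF before rewriting, so a command split across two segments, or two commands in one segment (the "USER usernameSYST" case above), are handled correctly. Pool naming (prefix plus upper-cased suffix), the allowed characters in usernames and suffixes, and all the sample commands are assumptions constructed for the example.

```python
import re
from typing import Optional

# Matches the client's USER command as the thread describes it: "USER name@WEB1".
# The "@suffix" part is optional so a plain "USER name" still parses.
# Assumed character classes; tighten them to your real naming rules.
USER_RE = re.compile(
    rb"^USER[ \t]+([A-Za-z0-9_.-]+)(?:@([A-Za-z0-9_-]+))?[ \t]*$", re.IGNORECASE
)


class FtpUserRewriter:
    """Rewrites the client->server FTP control stream one CRLF-terminated
    command at a time.

    feed() takes raw TCP payload chunks (a chunk may hold part of a command
    or several commands) and returns the bytes to forward to the server.
    The first USER command selects the pool from its "@suffix" and is
    forwarded with the suffix removed; everything else, PASS included, is
    passed through unchanged, so no password is ever stored on the proxy.
    """

    def __init__(self, default_pool: str, pool_prefix: str = "") -> None:
        self.default_pool = default_pool   # used when USER carries no @suffix
        self.pool_prefix = pool_prefix     # assumption: pool name = prefix + SUFFIX
        self.buf = b""                     # bytes received but not yet CRLF-terminated
        self.pool: Optional[str] = None    # chosen pool, None until USER is seen
        self.user: Optional[bytes] = None  # username as forwarded to the server

    def feed(self, chunk: bytes) -> bytes:
        """Buffer a chunk and return every complete (possibly rewritten) command."""
        self.buf += chunk
        out = bytearray()
        while True:
            end = self.buf.find(b"\r\n")
            if end < 0:
                break                      # partial command: wait for the rest
            line, self.buf = self.buf[:end], self.buf[end + 2:]
            # The CRLF is re-attached to every command here; leaving it off
            # is what glued "USER username" onto the following "SYST".
            out += self._rewrite(line) + b"\r\n"
        return bytes(out)

    def _rewrite(self, line: bytes) -> bytes:
        m = USER_RE.match(line)
        if m is None:
            return line                    # PASS, SYST, ...: forwarded as-is
        user, suffix = m.group(1), m.group(2)
        if self.pool is None:
            # Only the first USER can choose the pool: after that the
            # server-side connection exists and cannot be re-routed.
            if suffix is None:
                self.pool = self.default_pool
            else:
                self.pool = self.pool_prefix + suffix.decode("ascii").upper()
        self.user = user
        return b"USER " + user             # the backend never sees "@WEB1"


if __name__ == "__main__":
    # Constructed client traffic, deliberately split mid-command across chunks.
    rw = FtpUserRewriter(default_pool="WEB_DEFAULT")
    for chunk in (b"USER us", b"er1@web1\r\nPASS te", b"st123\r\nSYST\r\n"):
        fwd = rw.feed(chunk)
        print(f"chunk={chunk!r:28} pool={rw.pool!s:12} forward={fwd!r}")
```

The model keeps no per-user data: the password only ever passes through as the next command, which is why a data group of credentials is unnecessary as long as the client sends PASS after the server's 331.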