I have a problem with HAProxy and FTP(S) that I don't understand.
listen FTPVIP
    bind *:21 ssl crt /etc/haproxy/git-03.test.local.crt ssl-min-ver TLSv1.2
    bind *:60000-65535 ssl crt /etc/haproxy/git-03.test.local.crt ssl-min-ver TLSv1.2
    mode tcp
    option tcplog
    option tcpka
    # balance leastconn
    # stick on src
    # stick-table type ip size 10240k expire 30m
    # server WinFTPServer2016FTP1 172.16.34.63:2121 check port 2121 ssl verify none check send-proxy-v2
    server WinFTPServer2016FTP1 172.16.34.63:2121 check port 2121 ssl verify none
Testing with curl over FTP fails because no communication takes place.
curl -vv --user test:test --ftp-ssl --ftp-ssl-reqd --ftp-pasv ftp://git-03.test.local:21/upload/
But with curl over https on port 21, at least the SSL/TLS key exchange takes place.
curl -vv --user test:Serrig54455 https://git-03.test.local:21
* Trying 172.16.34.63:21...
* Connected to git-03.feltengroup.local (172.16.34.63) port 21 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
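A similar problem occurs with unencrypted FTP: no communication with port 21 is established. It seems the FTP protocol already has a general problem with the listener.
Thank you for your help.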