Hello, I am trying to create an orchestration for my organization but when defining a route for my TCP (ftp) traffic, Trafik does nothing, I have already purged the logs and I have no information about what is happening.
.ENV
PROJECT_NAME=c_server_project
PROJECT_BASE_URL=server.docker.localhost
PROJECT_PORT_FTP=21
TRAEFIK_TAG=v2.10
In the docker-compose.yml I have multiples services, a website, a ftp.
services:
traefik:
image: traefik:$TRAEFIK_TAG
container_name: "${PROJECT_NAME}_traefik"
ports:
- "8080:8080" # Dashboard
- "${PROJECT_PORT}:80"
- "${PROJECT_PORT_SSL}:443"
- "${PROJECT_PORT_FTP}:21"
command:
- --log.level=DEBUG
- --api.insecure=true
- --providers.docker=true
- --providers.docker.network=internal
- --entrypoints.web.address=:80
- --entrypoints.websecure.address=:443
- --entrypoints.ftp.address=:21
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
ftp-server:
image: lhauspie/vsftpd-alpine
container_name: "${PROJECT_NAME}_website_ftp"
environment:
- FTP_USER=user
- FTP_PASS=pass
ports:
- 20-22:20-22
- 21100-21110:21100-21110
- 990:990
volumes:
- ./Apps/website/website:/home/vsftpd/website
labels:
- "traefik.enable=true"
- "traefik.tcp.routers.${PROJECT_NAME}_website_ftp.rule=HostSNI(`ftp.${PROJECT_BASE_URL}`)"
- "traefik.tcp.routers.${PROJECT_NAME}_website_ftp.entrypoints=ftp"
- "traefik.tcp.services.${PROJECT_NAME}_website_ftp.loadbalancer.server.port=21"
I am trying with the command ftp and with the localhost it works but with the host defined it does not connect
The localhost:21 works, because the port 21 is mapped with 21 of the container, but a want to use traefik.
ftp -p localhost 21
Not work with the host
ftp -p ftp.server.docker.localhost 21
And the next question is how to do this but with TLS, everything is very confusing.
FTP is kind of obsolete, in general I would recommend to use a different protocol (like scp), that does not require a lot of open ports.
You are mixing to expose ports to Traefik and your FTP server, not sure if that is desirable.
Sidenote: I think when using FTP with command passive, it is only using the main connection, no additional TCP ports.
Papina
December 14, 2023, 3:52am
3
TCP requests like ftp can't use redirect rules, thats only for HTTP type requests, they use .rule=HostSNI(*) and just rely on the port being available
traefik-docker-compose.yml
version: "3.7"
services:
traefik:
image: traefik:latest
container_name: "traefik"
volumes:
# Traefik requires access to docker.sock to read docker labels
- /var/run/docker.sock:/var/run/docker.sock:ro # Access to Docker
ports:
- "${PROJECT_PORT}:80"
- "${PROJECT_PORT_SSL}:443"
- "${PROJECT_PORT_FTP}:21"
command:
# Traefik settings to get a Dashboard and log settings
- "--api.dashboard=true"
- "--api=true"
- "--api.insecure=true"
- "--log.filePath=/logs/traefik.json"
- "--log.format=json"
- "--log.level=INFO"
# EntryPoints web ports
- "--entryPoints.web.address=:${PROJECT_PORT}"
- "--entryPoints.websecure.address=:${PROJECT_PORT_SSL}"
# Redirect http to https
- "--entryPoints.web.http.redirections.entryPoint.to=websecure"
- "--entryPoints.web.http.redirections.entryPoint.scheme=https"
# EntryPoints for TCP/UDP Traffic
- "--entryPoints.tcp-ftp.address=:${PROJECT_PORT_FTP}" # Expose FTP Port
# Setup the docker provider, and basic rules to grab the docker service name as the host name
- "--providers.docker=true"
- "--providers.docker.endpoint=unix:///var/run/docker.sock"
- "--providers.docker.exposedByDefault=true"
- "--providers.docker.defaultRule=HostRegexp(`{{ index .Labels \"com.docker.compose.service\" }}.{anydomain:.*}`)"
# Setup the file provider so we can add dynamic rules as YAML files, eg OAUTH middleware chains
- "--providers.file.directory=/rules"
- "--providers.file.watch=true"
labels:
- "traefik.http.routers.traefik-rtr.service=api@internal"
ftp-docker-compose.yml
version: "3.7"
services:
ftp-server:
image: lhauspie/vsftpd-alpine
environment:
- FTP_USER=user
- FTP_PASS=pass
volumes:
- ./Apps/website/website:/home/vsftpd/website
labels:
- "traefik.tcp.services.ftp-server-svc.loadbalancer.server.port=21"
- "traefik.tcp.routers.ftp-server.entrypoints=tcp-ftp"
- "traefik.tcp.routers.ftp-server.rule=HostSNI(`*`)"
- "traefik.tcp.routers.ftp-server.tls=false"
test the ftp process:
C:\>ftp -d <ftp ip address, eg 127.0.0.1>
Connected to 127.0.0.1.
220 Welcome to FTP Server
---> OPTS UTF8 ON
200 Always in UTF8 mode.
User (127.0.0.1:(none)): user
---> USER user
331 Please specify the password.
Password:
---> PASS pass
230 Login successful.
ftp>