FTP(S) Implicit with Traefik

Greetings. Some time ago I opened a post here, "ftp in traefik v2.10", asking about FTP with Traefik. Now I have to activate TLS, since the network we work in forces us to encrypt all traffic, but I can't manage to activate implicit FTPS and route the traffic with Traefik.

Ports 20-22 are no longer needed, and TLS works if I don't use Traefik, but I would like to centralize it. Is there any way?

traefik:
    image: traefik:${TRAEFIK_TAG}
    container_name: "${PROJECT_NAME}_traefik"
    ports:
      - ...
      - "${PROJECT_PORT}:80"
      - "${PROJECT_PORT_SSL}:443"
      # - 20-21:20-21
      - 990:990
      - 21100-21110:21100-21110

# I have overwritten the ftp container image to have the same certificate.
ftp-server:
    container_name: "${PROJECT_NAME}_ftp-server"
    image: lhauspie/vsftpd-alpine
    # ports:
    #  # - 20-21:20-21
    #   - 990:990
    #   - 21100-21110:21100-21110
    environment:
      - FTP_USER=${PROJECT_FTPS_USER}
      - FTP_PASS=${PROJECT_FTPS_PASS}
      - FTP_MODE=ftps_implicit
    networks:
      - proxy
    labels:
      - traefik.tcp.routers.${PROJECT_NAME}_ftp-server.rule=HostSNI(`*`)
      - traefik.tcp.routers.${PROJECT_NAME}_ftp-server.entrypoints=ftps,ftp-pasv0,ftp-pasv1,ftp-pasv2,ftp-pasv3,ftp-pasv4,ftp-pasv5,ftp-pasv6,ftp-pasv7,ftp-pasv8,ftp-pasv9,ftp-pasv10
    volumes:
      - ./App/folder/user:/home/vsftpd/user
      - ./config/certs/cert-comb.pem:/etc/vsftpd/vsftpd.pem:ro

static.yml

entryPoints:
  ftps:
    address: ":990"
  ftp-pasv0:
    address: ":21100"
  ftp-pasv1:
    address: ":21101"
  ftp-pasv2:
    address: ":21102"
  ftp-pasv3:
    address: ":21103"
  ftp-pasv4:
    address: ":21104"
  ftp-pasv5:
    address: ":21105"
  ftp-pasv6:
    address: ":21106"
  ftp-pasv7:
    address: ":21107"
  ftp-pasv8:
    address: ":21108"
  ftp-pasv9:
    address: ":21109"
  ftp-pasv10:
    address: ":21110"

I modified the dynamic.yml file to define every rule and entrypoint.

# tcp:
#   routers:
#     ftp-server:
#       rule: HostSNI(`*`)
#       tls: true
#       entryPoints:
#         - "ftps"
#         - "ftp-pasv0"
#         - "ftp-pasv1"
#         - "ftp-pasv2"
#         - "ftp-pasv3"
#         - "ftp-pasv4"
#         - "ftp-pasv5"
#         - "ftp-pasv6"
#         - "ftp-pasv7"
#         - "ftp-pasv8"
#         - "ftp-pasv9"
#         - "ftp-pasv10"
#       service: "ftp-server@docker"
...

Thanks for your support.

You seriously run a 3-year-old image? Great to use TLS for security when your target service has gathered unfixed security issues for such a long time.

If you can use FTPS without Traefik, does that mean the target service creates its own (custom) TLS certificate?

Actually, we don't use the lhauspie/vsftpd-alpine image; I put it there as an example. I modified the image by adding configuration and updating the base Alpine image.

I also removed the ports that are not needed; there is also no certificate generation with openssl, etc.

  ftp-server:
    container_name: "${PROJECT_NAME}-ftp-server"
    build:
      context: ./Apps/vsftpd/
      dockerfile: Dockerfile

I have put it as an example so that it can be replicated quickly and as an example.

To pass the certificate I use a volume; with this I pass the certificate in Traefik to the FTPS container. I doubt it's good practice, but it's the only thing that worked.