Currently working on an FTP proxy with ProFTPD.

Our setup is pretty much still the same as in this issue.

However, we struggle to make use of the username. As we want to hide/transport the target server in the username, we do a rewrite on the username to get it cleaned up.

So far so good, we can use the clean username to do an LDAP authentication.

However, we are still in need of the target server string that was in the username before the rewrite.

Any information on how to:

  • save the original username to an environment variable before it is rewritten (and prevent the env variable from being rewritten as well)
  • use the ProFTPD notes (read about it but somehow failed to find any docs on it)
  • access the original username (not the rewritten one)
  • any other information on how to accomplish hiding username and target server in the connection and using it

are very welcome.

Maybe there is some kind of technique that we use in the wrong way, or a technique that we failed to use so far.

Edit:

Regarding @Castaglia

As said, we have 2 infos in the original username: ADuser@RemoteServer.

With the ADuser we want to establish an LDAP authentication. With the RemoteServer info we want to connect to a remote server with credentials we queried from MySQL.

What we struggle with right now is making use of both infos. With the rewrite we get a clean user but lose the server.

So what we are looking for is some sort of option to save the original string to a var and rewrite it 2 times: one time into a user string to authenticate and one time into a server name to know which server the user wants to connect to.

2 Answers

For interested parties, this is how we (Daniel and I) solved it.

<IfModule mod_rewrite.c>
  RewriteEngine on
  RewriteCondition %m USER
  RewriteRule ^(.*#)?([0-9A-Za-z]+)(@)?(.*)? $2
</IfModule>

<IfModule mod_ldap.c>
  LDAPServer ...
  ...
</IfModule>

<IfModule mod_sql.c>
  SQLBackend mysql
  SQLConnectInfo ...
  SQLLog USER server_token
  SQLNamedQuery server_token UPDATE "buffer_token='%{note:mod_rewrite.$4}' WHERE username = '%U'" users
  SQLAuthenticate off
  SQLNamedQuery get-url  SELECT "concat('ftp://',ftp_username, ':', ftp_password, '@', ftp_servername) FROM users inner join server_user on users.id = user_id inner join servers on servers.id = server_id WHERE username = '%U' and token = buffer_token"
</IfModule>

<IfModule mod_proxy.c>
  ...
  ProxyReverseServers sql:/get-url
</IfModule>

answered 2017-08-04T09:02:28.373

I think that to achieve what you want, you could try the following.

First, modify the RewriteRule slightly so that it captures the second part of the USER command (e.g. "RemoteServer"), thus:

<IfModule mod_rewrite.c>
  RewriteEngine on
  RewriteCondition %m USER
  RewriteRule ^(.*#)?([0-9A-Za-z]+)(@)?(.*)? $2
</IfModule>

Next, in your SQL query configuration, use a note reference to retrieve that regex group:

<IfModule mod_sql.c>
  ...
  SQLConnectInfo ... PERCONNECTION
  ...
  SQLNamedQuery get-url SELECT "concat('ftp://',ftp_username, ':', ftp_password, '@', ftp_servername) FROM users ... WHERE concat(username, '@', token) = '%{note:mod_rewrite.$4}'"
  ...
</IfModule>

The %{note:mod_rewrite.$4} notation means "insert the value of the session note stored under the key 'mod_rewrite.$4'". mod_rewrite stores/records the matched groups in these session notes; RewriteRule uses 1-based indexing for $N, so $1 is the first group, $2 the second group (which in your example USER command would be the "ADuser" value), $3 the third group, and so on.

I have updated my answer to include the use of the "PERCONNECTION" SQLConnectInfo policy. Why? This tells mod_sql to connect to the SQL database when the client connects, rather than waiting until the client has provided all the necessary credentials. This is necessary because of the way mod_rewrite stores the notes about the captured regex groups: these notes are only kept for the duration of that command (in your case, only the USER command). Thus we want the configured SQL statement to be used while the USER command is being processed, since that is when the %{note:mod_rewrite.$4} reference is valid.

Hope this helps!

answered 2017-08-03T06:44:15.313
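As an added illustration (not part of either answer), the Python script below applies the same RewriteRule regex from both answers to constructed USER arguments and shows what mod_rewrite would record as $2 (the login name) and $4 (the server token). It also adds a stricter, hypothetical check that a proxy operator might use, because the `[0-9A-Za-z]+` class silently truncates usernames containing `.`, `-` or `_` and shifts the remainder into the server token.

```python
import re

# Pattern from the RewriteRule in the answers above. $2 becomes the rewritten
# login name, $4 the part after '@' that the SQL query looks up as the token.
USER_RULE = re.compile(r"^(.*#)?([0-9A-Za-z]+)(@)?(.*)?")

# Hypothetical stricter pattern (my addition): the whole argument must be
# <alnum user>@<hostname-ish server>, with nothing left over.
STRICT_RULE = re.compile(r"^([0-9A-Za-z]+)@([0-9A-Za-z.-]+)$")


def split_user(user_arg):
    """Simulate the rewrite: return ($2, $4) as mod_rewrite would capture them,
    or None when the rule does not match at all. Groups that did not
    participate are reported as empty strings (an empty note)."""
    m = USER_RULE.match(user_arg)
    if m is None:
        return None
    return (m.group(2) or "", m.group(4) or "")


def is_clean_split(user_arg):
    """True only if the argument is exactly user@server with no characters
    that the rewrite would misplace into the server token."""
    return STRICT_RULE.match(user_arg) is not None


if __name__ == "__main__":
    # Constructed sample USER arguments, not taken from any real deployment.
    samples = [
        "ADuser@RemoteServer",       # the intended shape
        "sess#ADuser@RemoteServer",  # optional 'prefix#' form from group 1
        "john.doe@RemoteServer",     # '.' is outside [0-9A-Za-z]: truncated
        "ADuser",                    # no server given: empty token
        "@RemoteServer",             # no user at all: rule does not match
    ]
    for arg in samples:
        print(f"{arg!r:28} -> {split_user(arg)!r}  clean={is_clean_split(arg)}")
```

Running the script shows that "john.doe@RemoteServer" is rewritten to the user "john" with the token ".doe@RemoteServer", which the SQL lookup will never match; a failed-login spike of this kind is worth watching for after deploying the rule.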