[lug] Making an HTTPS tunnel to an FTP server

Chris Riddoch riddochc at gmail.com
Tue Dec 20 19:48:55 MST 2011


On Tue, Dec 20, 2011 at 12:13 PM, Glenn Murray <glenn.murray at gmail.com> wrote:
> I have a ProFTPD server running on port 21 behind a
> firewall.  I'd like to create an HTTPS tunnel through the firewall to
> ProFTPD so that users outside the firewall can connect to ProFTPD
> using the same ProFTPD credentials as inside the firewall.  I
> understand that another set of credentials is necessary to set up the
> tunnel.  The odd thing here is that (at this point) it has to be
> HTTPS, and not FTPS, SFTP, etc.

If you want ProFTPD to be answering the request, the request needs to
be something that ProFTPD knows what to do with - namely, FTP.

So, if you want to provide an HTTPS interface to talk *to* ProFTPD, it
sounds like you want to be effectively driving an FTP client on a web
server from a browser outside the network - there'd be sort of a
file-browser web application that's a front-end for talking to the
ProFTPD server.  Do I understand the problem right?

If that's the case, I just googled for: ftp "file browser" web, and
found a variety of web applications that might suffice, but I haven't
used any of them myself.  You can set up the SSL requirement on
whatever web server is offering the ftp "front-end."

Most of these "file browsers" look like the user is asked to specify
the FTP server to connect to, and it seems unwise to allow users to
choose any arbitrary FTP server (or provide credentials through the
web interfaces for whatever arbitrary FTP server someone wants to
connect to, thus encouraging users to trust their passwords to
whatever server is hosting the web interface...)

These things might be customizable, but I haven't looked at the
specific applications to find out how easy that is.  I'm a little
discouraged that most of the options seem to be implemented in PHP;
I've developed a bit of a knee-jerk expectation that anything written
in PHP is fundamentally insecure.  If it were me, I'd probably
consider implementing it myself, get partway through doing so, and
then decide that there really must be a better way of accomplishing
all this.

I cite: http://xkcd.com/949/

*sigh*

-- 
Chris Riddoch
http://www.syntacticsugar.org/
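
Added example, not part of the original message: a sketch of the server-side handler for the kind of HTTPS front-end discussed above, with the FTP backend pinned in configuration so that a browser can never choose the server its credentials are sent to. The host name, the form field names and the helper names are assumptions made for illustration.

```python
import ftplib
import posixpath

# Assumed values: the internal ProFTPD address lives in server-side
# configuration and is never taken from the browser.
FTP_HOST = "ftp.internal.example"
FTP_PORT = 21
ALLOWED_FIELDS = {"username", "password", "path"}  # hypothetical form fields


class BadRequest(ValueError):
    pass


def parse_request(form):
    """Validate the fields posted to the HTTPS front-end."""
    extra = set(form) - ALLOWED_FIELDS
    if extra:
        # A host/port/url field is an attempt to steer the backend connection.
        raise BadRequest("unexpected fields: " + ", ".join(sorted(extra)))
    user, password = form.get("username", ""), form.get("password", "")
    raw_path = form.get("path", "")
    if not user or not password:
        raise BadRequest("missing credentials")
    if any(c in user + password + raw_path for c in "\r\n"):
        # CR/LF would smuggle extra commands onto the FTP control channel.
        raise BadRequest("control characters in input")
    # Collapse ".." segments; ProFTPD's own access rules still apply.
    return user, password, posixpath.normpath("/" + raw_path.lstrip("/"))


def list_directory(form, ftp_factory=ftplib.FTP):
    """List one directory on the pinned server using the user's own login."""
    user, password, path = parse_request(form)
    ftp = ftp_factory()
    ftp.connect(FTP_HOST, FTP_PORT, timeout=10)
    try:
        ftp.login(user, password)  # ProFTPD decides whether the login is valid
        return ftp.nlst(path)
    finally:
        ftp.close()
```

The `ftp_factory` parameter exists only so the handler can be exercised without a live FTP server.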