implicit FTPS reverse proxy using caddy-l4

[mati1210]

i've been enjoying using copyparty, however some programs i'd like to use it with (vlc mostly) don't support webdav, so my next best option is FTPS. caddy handles HTTPS encryption for me, and to avoid copying certificates around the file system¹ i've figured out a way to use it as a (implicit only²) FTPS reverse proxy, and i figured i might as well share it

assuming you're using the systemd service, installed from a package manager, and have the caddy-l4 extension installed:

Step 1: set up a network namespace for copyparty

copyparty won't be able to bind to the ports required for ftp if caddy has already bound to them, so we'll have to run copyparty in a separate network namespace. as a bonus this will disable internet access to copyparty, if you're particularly paranoid

this script will add a copyparty-netns.service that runs before copyparty.service and sets up a new network namespace for copyparty to run in

#!/bin/sh -e
tee /etc/systemd/system/copyparty-netns.service <<-"EOF"
	[Unit]
	Description=setup copyparty ns

	[Service]
	Type=oneshot
	Environment=IF=copyparty NS=copyparty IFPFX=10.99.112

	ExecStartPre=-/sbin/ip netns add ${NS}
	ExecStartPre=-/sbin/ip link add ${IF} type veth peer ${IF} netns ${NS}

	ExecStart=ip addr replace ${IFPFX}.1/24 dev ${IF}
	ExecStart=ip -n ${NS} addr replace ${IFPFX}.2/24 dev ${IF}

	ExecStart=ip link set ${IF} up
	ExecStart=ip -n ${NS} link set ${IF} up
	ExecStart=ip -n ${NS} link set lo up
EOF

systemctl edit --drop-in=namespace --stdin copyparty.service <<- "EOF"
	[Unit]
	After=copyparty-netns.service
	Wants=copyparty-netns.service

	[Service]
	NetworkNamespacePath=/var/run/netns/copyparty
EOF

Step 2: caddy configuration

unfortunately caddy-l4 as of writing does not support dynamic ports required for ftp passive, so you'll have to do it in a verbose way

(ftps) {
  :{args[0]} {
    route {
      tls {
        connection_policy {
          alpn ftp
        }
      }
      proxy 10.99.112.2:{args[0]}
    }
  }
}

{
  layer4 {
    import ftps 990

    import ftps 65500
    import ftps 65501
    import ftps 65502
    # etc ..
  }
}

Step 3: copyparty configuration

set copyparty to run on your namespace ip address along to whatever else you're using, and ftp/ftp-pr according to the ports set on the caddy configuration

[global]
  i: 10.99.112.2,unix:770:caddy:/run/copyparty/sock
  ftp: 990
  ftp-pr: 65500-65520

Step 4: pretending to be a FTPS server

this still won't work, because FTPS requires some commands that the regular FTP handler doesn't recognize, so we'll have to patch it a bit to make it work

this script adds it as a separate file (copyparty-ftpspatch), and sets copyparty.service to run it as default

#!/bin/sh
scriptpath="/usr/local/bin/copyparty-FTPSpatch"

tee "$scriptpath" <<-"EOF"
#!/usr/bin/env python
from copyparty.__main__ import main
from copyparty.ftpd import FtpHandler

def ftp_PBSZ(self, line):
    self.respond("200 PBSZ=0")


def ftp_PROT(self, line):
    if line.upper() != "P":
        self.respond("534 unencrypted data channel unsupported")
    else:
        self.respond("200 yeah")


for cmd in ["PBSZ", "PROT"]:
    FtpHandler.proto_cmds.update(
        {cmd: {"perm": None, "auth": False, "arg": True, "help": cmd}}
    )
    setattr(FtpHandler, f"ftp_{cmd}", locals()[f"ftp_{cmd}"])

main()
EOF
chmod +x "$scriptpath"

systemctl edit --drop-in=exec --stdin copyparty.service <<- EOF
	[Service]
	ExecStart=
	ExecStart=$scriptpath -c /etc/copyparty.d/init
EOF

Footnotes

1. also because the ftps handler wasnt working out for me and also because it was fun ↩

2. i couldn't figure out how to make it match against a packet with empty payload without writing a custom matcher and i have never used go. one day maybe ↩