Java FTP Proxy Server

This program will help you if you are behind a firewall and do not have FTP access to the internet, but you have access to a machine that does. It then works as a proxy server and in that way lets you connect to FTP servers outside the firewall. It is also possible to do it the other way around, i.e. gain FTP access from the internet to machines behind the firewall (make sure this won't constitute a security hazard).

The proxy is extremely small and light-weight and can be run by almost anyone. Originally I wrote the program because I was behind a firewall that did not allow FTP, but I did have shell access to a machine inside the firewall but with full internet access.

Getting started

The proxy machine should have Java 1.1 or better installed. You start the program with java FtpProxy. The default port is 8089. Before you start the program, you might want to restrict access to the server, so that it won't constitute a security hazard in your firewall. Use the allow_from and/or the bind_address directives in the configuration file. A sample configuration file is included in the download. The file itself contains a lot of explanation of the various options. Currently no further documentation of the configuration file exists.

As of version 1.3.0 the configuration variables may also be specified on the command line, e.g. java FtpProxy --bind_port=1234. In addition to those variables listed in the sample configuration file, --config_file=myconfig.conf may also be specified in order to use a different configuration file than the default, ftproxy.conf. In earlier versions (≤ 1.2.4) only the port number could be specified on the command line: java FtpProxy 1234.

If your FTP client supports proxying of the type "USERID=user@site", just enter the proxy computer's name and the preferred port number in your client, and you should be up and running. If your FTP client does not support that, you will have to connect to the proxy machine on the predefined port using user@site[:port] as login, where user is your username for the remote FTP host, site is the name of that host and port is the port number on which the FTP server is running (if omitted, the standard port, 21, is assumed).

Configuring CuteFTP

In the menu FTP, Settings, Options, Firewall you enter the host name of the machine that runs the Java proxy and the port number you are using (the standard port number is 8089). Select the type USER user@site, and check Enable firewall access. Do not enter User ID or password here.

Now connect to the FTP site as normal, except that you check the Use firewall option on the Advanced tab in the Connection dialog.

Configuring UltraEdit

UltraEdit has the ability to open files via FTP. Click on Accounts in the Open from FTP/Save As to FTP dialog. Simply check Use proxy and enter the host name of the proxy server and the port number you are using (the standard port number is 8089).

Using a web browser

To use the proxy with web browsers that support FTP, you can use the URL ftp://user*site[*port]@proxy:port/ or you can supply the password in the URL like this: ftp://user*site[*port]:password@proxy:port/. Remember that your password will then be visible in the browser history etc.

Do not enter anything under FTP Proxy Settings in the browser settings.

In order to use this feature, the configuration variable enable_url_syntax should be set to 1 (this is the default).
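
The two login forms described above (user@site[:port] from Getting started and user*site[*port] for browsers) can be split as in the following added example, which is not the proxy's own code. The class and method names are hypothetical, and splitting at the last separator so that a user name may itself contain @ or * is an assumption.

```java
import java.util.Arrays;

// Added example: splits a proxy login into remote user, site and port.
public class ProxyLogin {
    static final int DEFAULT_FTP_PORT = 21; // standard port when none is given

    // Returns {user, site, port}; throws IllegalArgumentException on malformed input.
    static String[] parse(String login) {
        // The '@' form is used when an '@' is present; otherwise the '*' form.
        char sep = login.indexOf('@') >= 0 ? '@' : '*';
        char portSep = (sep == '@') ? ':' : '*';
        String rest = login;
        int port = DEFAULT_FTP_PORT;

        // Optional trailing port: only treated as one if it is all digits.
        int p = rest.lastIndexOf(portSep);
        if (p >= 0 && rest.substring(p + 1).matches("[0-9]{1,5}")) {
            port = Integer.parseInt(rest.substring(p + 1));
            rest = rest.substring(0, p);
        }
        // Assumption: split at the LAST separator so the user name may contain it.
        int s = rest.lastIndexOf(sep);
        if (s <= 0 || s == rest.length() - 1)
            throw new IllegalArgumentException("expected user" + sep + "site");
        String user = rest.substring(0, s);
        String site = rest.substring(s + 1);

        // Only connect onward to something that looks like a host name or address.
        if (!site.matches("[A-Za-z0-9.-]+"))
            throw new IllegalArgumentException("bad site: " + site);
        if (port < 1 || port > 65535)
            throw new IllegalArgumentException("bad port: " + port);
        return new String[] { user, site, String.valueOf(port) };
    }

    public static void main(String[] args) {
        // Constructed sample logins, not taken from the original page.
        String[] samples = { "alice@ftp.example.org", "alice@ftp.example.org:2121",
                             "alice*ftp.example.org*2121", "alice@example.com@ftp.example.org",
                             "alice", "alice@ftp.example.org:99999" };
        for (String login : samples) {
            try {
                System.out.println(login + " -> " + Arrays.toString(parse(login)));
            } catch (IllegalArgumentException e) {
                System.out.println(login + " -> rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

The last two samples are rejected: one has no site part and the other has a port outside 1-65535.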

If you have access to a Squid proxy server with FTP support, you may prefer to use that instead of the Java FTP Proxy Server. However, Squid will only work with web browsers and not (most) regular FTP clients.

Download

The source code is available on GitHub.

Bugs

The proxy does not use default ports as specified in the RFC. A workaround is to do an explicit PASV or PORT command before any command that uses a data connection (most clients do this anyway).

Changelog

2014/02/20 Added support for EPSV and fixed a bug when username contains @ or * (thanks to Ingo Zenz).
2006/02/13 Fixed a typo in masquerade_host in the sample configuration file on this site (the configuration file included in the ZIP file did not have this typo)
2003/07/09 version 1.3.0: Race condition fixed, validate_data_connection configuration variable and other sanity/security checks added (thanks to Kenneth Golomb). Ability to specify configuration variables on the command line added.
2003/02/23 version 1.2.4: More robust parsing of IP numbers (thanks to Peter Seidenberg).
2002/06/13 version 1.2.3: Added support for masquerading of IP address in response to PASV command (contributed by Rasjid Wilcox)
2002/06/06 version 1.2.2: Bug-fix: the proxy would hang when the configuration option only_auto=1 is used (thanks to Tom W)
2002/04/18 version 1.2.1: Some minor error messages are now only output in debug mode.
2002/02/14 version 1.2: Rewrite and restructuring. The proxy can now also communicate with the server in passive mode. It is now possible to specify which ports the proxy should choose for the data connection.
2001/05/21 version 1.1.1: A bug related to multi-line replies has been fixed. The problem occurred when connecting to ftp.microsoft.com.
2000/10/01 Version 1.1 has been released. This version includes several new features such as IP-based access control based on both origin and destination, and the ability to act as a transparent proxy for a host, e.g. on an internal network.
2000/09/23 Made a change to make the proxy work on certain machines with two network interfaces.
2000/02/15 It is now also possible to connect to a server on other ports than the standard port (21).
2000/02/15 Major bug fix. A rather embarrassing error had remained in the code until now. The proxy sent its IP address "backwards"! It wasn't supposed to work at all (but for some reason it did anyway under certain conditions) ... Further investigation has shown that I was confused by a broken implementation of the class InetAddress in the Java installation I was using.
1999/10/19 The login user*site is now also supported in addition to user@site. The former is assumed only if the login contains no @. This makes it possible to use the proxy from certain web browsers. The alternative syntax is used because @ is a reserved character in an ftp:// URL.
1999/04/20 The program is now released under the GNU General Public License which basically means that you are allowed to copy, modify and distribute it as long as you obey the conditions mentioned in the license.
1999/02/24 All println(x) were replaced by print(x + "\r\n") followed by flush() to force output of CR LF on all platforms.
1998/05/14 Some files received were too long. Problem corrected.

License

The program is released under the GNU General Public License.

A note on Squid

Squid is a well-known web proxy with some FTP capabilities. However, some people tend to misunderstand the concept of Squid. Squid is an HTTP proxy, i.e. you can only use it with a browser, not your regular FTP client.

Comments

Feel free to contact me with comments, bug reports and suggestions regarding the proxy. If you want to contribute a patch, you may send a pull request on GitHub. Please do not mail me with general questions regarding Java programming, FTP or FTP proxies.

You might also want to try one of these programs that offer similar functionality.