The logic for making passive connections through the FTP proxy is correctly implemented in Apache, i.e. first try to use EPSV -> if that fails, try PASV -> if that fails, try PORT. However, only error codes 500 ("Syntax error, command unrecognized"), 501 ("Syntax error in parameters or arguments") and 502 ("Command not implemented") are accepted for the decision to try PASV if EPSV fails. For all other error codes, the connection is reset. RFC 2428 states that if the server doesn't support EPSV it MUST return error message 522 ("Protocol not supported"). I think Apache should be changed so that PASV is tried when receiving message 522 as well. Also, some firewall vendors (at least Checkpoint) seem to have adopted the choice of returning error message 505 ("Command Blocked") if the firewall doesn't allow EPSV to be passed. Thus, Apache should also try PASV when receiving message 505.
Created attachment 15344: Patch to fix bug 35280
Added patch which makes ftp_proxy try to use PASV if message 522 ("Protocol not supported") or 505 ("Command blocked") is received when trying to use EPSV.
Some servers, like download.fedora.redhat.com ("220 Fedora FTP server ready. All transfers are logged. [no EPSV]"), return "550 Permission denied." to EPSV and accept the PASV command. The Apache FTP proxy should fall back to PASV when receiving 550 too.
Created attachment 20730: Updating to mod_proxy_ftp.c, includes the codes requested in comments, and is more lenient

Updating to the new mod_proxy_ftp.c file. This patch checks only whether the return code to EPSV is of the 5XX variety as the condition for falling back to PASV. This is smaller and faster than checking for multiple int values too.
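A self-contained model of the EPSV-to-PASV fallback decision described in this report, added here as an illustration; it is not the attached patch or httpd's own mod_proxy_ftp code. It contrasts the three rules discussed (the original 500/501/502 check, the first patch's 522/505 additions, and the second patch's any-5xx rule) and parses the data port from a successful 229 reply; the policy names and the '|' delimiter in the 229 reply are assumptions.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Fallback policies discussed in this report (hypothetical names): the original
 * 500/501/502 check, the first patch (adds 522 and 505), and any 5xx reply. */
enum policy { STRICT_50X, WITH_522_505, ANY_5XX };

/* 3-digit code at the start of an FTP reply line, or -1 if malformed. */
int ftp_reply_code(const char *line)
{
    if (!line || strlen(line) < 3) return -1;
    for (int i = 0; i < 3; i++)
        if (!isdigit((unsigned char)line[i])) return -1;
    if (line[3] != ' ' && line[3] != '-' && line[3] != '\0') return -1; /* '-' = multi-line */
    return (line[0] - '0') * 100 + (line[1] - '0') * 10 + (line[2] - '0');
}

/* Should a failed EPSV (reply `code`) fall back to PASV under policy `p`? */
int epsv_fallback_to_pasv(int code, enum policy p)
{
    switch (p) {
    case STRICT_50X:   return code == 500 || code == 501 || code == 502;
    case WITH_522_505: return code == 500 || code == 501 || code == 502 ||
                              code == 522 || code == 505;
    case ANY_5XX:      return code >= 500 && code <= 599;
    }
    return 0;
}

/* Data port from "229 Entering Extended Passive Mode (|||6446|)" (assumes the
 * '|' delimiter); -1 if malformed or out of range. */
int parse_epsv_port(const char *reply)
{
    const char *p = strchr(reply, '(');
    char *end; long port;
    if (!p || strncmp(p, "(|||", 4) != 0) return -1;
    port = strtol(p + 4, &end, 10);
    if (end == p + 4 || end[0] != '|' || end[1] != ')') return -1;
    return (port >= 1 && port <= 65535) ? (int)port : -1;
}

/* One EPSV step: data port on 229, 0 = fall back to PASV, -1 = drop connection. */
int epsv_step(const char *epsv_reply, enum policy p)
{
    int code = ftp_reply_code(epsv_reply);
    if (code == 229) return parse_epsv_port(epsv_reply);
    return epsv_fallback_to_pasv(code, p) ? 0 : -1;
}
```

Under STRICT_50X the Fedora server's "550 Permission denied." drops the connection, while ANY_5XX falls back to PASV as the later comment requests.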
Some old firewalls seem not to even understand the EPSV command, but rather pass it through intact. This of course prevents the data connection from being properly established. It would be nice if either (1) a failure to establish the data connection would cause a fallback to PASV, or (2) an option were provided in the configuration to not use EPSV at all. #2 is preferable, of course, because it eliminates the delay while waiting for the data connection to time out.
Undo spam change
Please help us to refine our list of open and current defects; this is a mass update of old and inactive Bugzilla reports which reflect user error, already resolved defects, and still-existing defects in httpd. As repeatedly announced, the Apache HTTP Server Project has discontinued all development and patch review of the 2.2.x series of releases. The final release 2.2.34 was published in July 2017, and no further evaluation of bug reports or security risks will be considered or published for 2.2.x releases. All reports older than 2.4.x have been updated to status RESOLVED/LATER; no further action is expected unless the report still applies to a current version of httpd. If your report represented a question or confusion about how to use an httpd feature, an unexpected server behavior, problems building or installing httpd, or working with an external component (a third party module, browser etc.) we ask you to start by bringing your question to the User Support and Discussion mailing list, see [https://httpd.apache.org/lists.html#http-users] for details. Include a link to this Bugzilla report for completeness with your question. If your report was clearly a defect in httpd or a feature request, we ask that you retest using a modern httpd release (2.4.33 or later) released in the past year. If it can be reproduced, please reopen this bug and change the Version field above to the httpd version you have reconfirmed with. Your help in identifying defects or enhancements still applicable to the current httpd server software release is greatly appreciated.