Error EElFTPSUnacceptedReplyError: Unaccepted server reply code 425 to command LIST

[AlvaroAguilarAlhama]

I am trying to deploy your image within K8s and I have seen this error:

Opening FTP connection to XXX.XXX.XXX.XXX
FTP login with username XXXXXX
<<<  220 Welcome to FTPS Server
>>>  AUTH TLS
<<<  234 Proceed with negotiation.
The FTPS server certificate is unknown.
Showing user prompt...
User chose to trust the TLS certificate.
>>>  USER XXXXXX
<<<  331 Please specify the password.
>>>  PASS XXXXXXXXXXX
<<<  230 Login successful.
>>>  PBSZ 0
<<<  200 PBSZ set to 0.
>>>  PROT P
<<<  200 PROT now Private.
>>>  FEAT
<<<  211-Features:
 AUTH TLS
 EPRT
 EPSV
 MDTM
 PASV
 PBSZ
 PROT
 REST STREAM
 SIZE
 TVFS
 UTF8
211 End
>>>  CWD .
<<<  250 Directory successfully changed.
>>>  PWD
<<<  257 "/" is the current directory
>>>  CWD /
<<<  250 Directory successfully changed.
>>>  PWD
<<<  257 "/" is the current directory
Opening directory /...
>>>  PWD
<<<  257 "/" is the current directory
>>>  CWD /
<<<  250 Directory successfully changed.
>>>  TYPE A
<<<  200 Switching to ASCII mode.
>>>  PASV
<<<  227 Entering Passive Mode (10,42,10,140,73,18).
>>>  LIST
<<<  425 Security: Bad IP connecting.
>>>  CWD /
<<<  250 Directory successfully changed.
Error EElFTPSUnacceptedReplyError: Unaccepted server reply code 425 to command LIST

Looking at the configuration file, I see that nothing is specified within pasv_address=

# external ip here
# if you are in a private network and expect to be visited by the outside

pasv_address=

pasv_enable=YES
pasv_min_port=18700
pasv_max_port=18710
port_enable=YES

# ref: https://www.benscobie.com/fixing-500-oops-vsftpd-refusing-to-run-with-writable-root-inside-chroot/
allow_writeable_chroot=YES

# ref: https://github.com/microsoft/WSL/issues/5412#issuecomment-644330450
seccomp_sandbox=NO
isolate_network=NO

# ref: https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/4/html/reference_guide/s2-ftp-vsftpd-conf-opt-log
#
# When enabled, all FTP requests and responses are logged, providing the
# option xferlog_std_format is not enabled. Useful for debugging.
log_ftp_protocol=NO
#
# The target log file can be vsftpd_log_file or xferlog_file.
# This depends on setting xferlog_std_format parameter
xferlog_enable=NO

I'm adding the env vars:

env:
            - name: BF_FTPS_VSFTPD_WELCOME
              value: "Welcome to FTPS Server"
            - name: BF_FTPS_EXTERNAL_URI
              value: "XXXXXXXXXXXX.com"
            - name: "BF_FTPS_VSFTPD_USER"
              valueFrom:
                secretKeyRef:
                  name: ftps-connection
                  key: username
            - name: "BF_FTPS_VSFTPD_PASS"
              valueFrom:
                secretKeyRef:
                  name: ftps-connection
                  key: password

[bfren]

Thank you - it looks like a helper executable bf-env-check is broken, I'll investigate.

[AlvaroAguilarAlhama]

Yes, my solution was to change the file template so that it always took the BF_FTPS_EXTERNAL_URI environment variable. On the other hand, when exposing it behind a load balancer, the connection was not very stable, so I had to add another configuration: pasv_promiscuous=YES.
For future versions, an extra environment variable could be added to indicate vsftpd configurations that are not defined.
Thank you for your help, and for creating and publishing this image.

[bfren]

The latest version should fix this now - let me know!

[bfren]

OK I have added an environment option for enabling pasv_promiscuous - BF_FTPS_VSFTPD_ENABLE_PASV_PROMISCUOUS (apologies for the horrifically long name!! Conventions don't always end up with snappy things.

On my test server, all this is working now, so I will close this and the duplicate #139.

[CheeseL0ver]

@AlvaroAguilarAlhama Did you ever get this working for a k8s deployment? I had partial success but nothing near the level needed to actually use it in a production environment.

[AlvaroAguilarAlhama]

@AlvaroAguilarAlhama Did you ever get this working for a k8s deployment? I had partial success but nothing near the level needed to actually use it in a production environment.

I have achieved this by deploying in a statefulset with the specified variables and pasv_promiscuous enabled, exposing port 22 and the passive ports.

Thank you, @bfren , for the changes.

[CheeseL0ver]

@AlvaroAguilarAlhama Did you ever get this working for a k8s deployment? I had partial success but nothing near the level needed to actually use it in a production environment.

I have achieved this by deploying in a statefulset with the specified variables and pasv_promiscuous enabled, exposing port 22 and the passive ports.

Thank you, @bfren , for the changes.

Oh I see, I was unable to get a successful deployment but I was trying to have multiple instances served by different hostnames but existing in the same cluster so think of a "multi-tenant" design. I still might leverage this project in the future but for routing complexity I took a different path for now. Thanks for sharing!

[bfren]

Thanks @CheeseL0ver - you're right, hostname routing is not supported like that I'm afraid. The only way you could do that would be using /path aliases, all on the same host.