Accessing pure ftpd from host or container network (pick one, you can't do both) #149

Open
Warfront1 opened this issue Nov 24, 2020 · 7 comments

Comments

@Warfront1

Warfront1 commented Nov 24, 2020

Same exact issue as this: #76 re-opening here.

The bug is that you can seemingly only configure ftpd one of two ways:

  1. It is only accessible from within internal docker network (non host network) [Demonstrated below]
  2. It is only accessible from the host, and not the internal docker network.

Here is how to reproduce:

```yaml
version: '3.1'

services:
  ftps_server:
    image: stilliard/pure-ftpd:buster-latest@sha256:80ce2a218c58972f7c428b9bb112b32b5bd57ecd7dde458f22f8977e8db8ad5b
    ports:
      - "30000-30009:30000-30009"
      - "21:21"
    environment:
      - "PUBLICHOST=ftps_server"
      - "ADDED_FLAGS=-d -d -b --tls 2"
      - "TLS_CN=ftps_server"
      - "TLS_ORG=Demo"
      - "TLS_C=UK"
      - "TLS_USE_DSAPRAM=true"
      - "FTP_USER_NAME=bob"
      - "FTP_USER_PASS=12345"
      - "FTP_USER_HOME=/home/ftpusers/bob"
    hostname: ftps_server
    volumes:
      - ftp_tls:/etc/ssl/private/
  ftps_client:
    image: jlesage/filezilla:v1.28.0@sha256:d9286b92bc1cc98d0802e621fc2a4b806dd4512d8eca18970d7ba486aea8e750
    ports:
      - "5800:5800"
    links:
      - ftps_server
volumes:
  ftp_tls:
```

Steps:

  1. Docker-compose up
  2. On host machine in your web browser of choice navigate to: http://localhost:5800/
  3. On the quick connect section fill out the following details:
    a) Host: ftps_server
    b) Username: bob
    c) Password: 12345
    d) You can leave the port blank
  4. Press the "Quickconnect" button, and accept all unknown certificate errors/pop ups that occur.
  5. Congratulations you are now connected, and can upload/download/delete/create anything you want on the ftps_server
    -- STEPS 1 through 5 demonstrate how we can successfully access the ftp from within the compose network.
    -- The next series of steps will show you how we are NOT able to connect via the host

-- Now go to the host machine
Use your favorite ftp client (I'm on windows using filezilla)

  1. On the quick connect section fill out the following details:
    a) Host: ftps_server
    b) Username: bob
    c) Password: 12345
    d) You can leave the port blank
    -- Does not work (obviously)
  2. On the quick connect section fill out the following details:
    a) Host: localhost
    b) Username: bob
    c) Password: 12345
    d) You can leave the port blank
    -- You are prompted for a certificate unknown, but get this error: "500 I won't open a connection to ::1%3666957829 (only to 172.19.0.1)"
  3. On the quick connect section fill out the following details:
    a) Host: Put your host machine's local IP address here (host.docker.internal on my dev machine)
    b) Username: bob
    c) Password: 12345
    d) You can leave the port blank
    -- You hang at "Retrieving directory listing..."

Other Notes:
Just as the original bug report suggests, switching the PUBLICHOST env variable to the host machine's local IP address (host.docker.internal on my dev machine) will invert the test results. Simply put, you will then not be able to access the ftps server from within the compose network, but will be able to access it from your host machine.

Originally posted by @Warfront1 in #76 (comment)

@stilliard
Owner

Hi @Warfront1, sorry for the delayed reply.
Thanks for sending this in and the detailed flow. I've not had a chance to go through the steps yet but will try to find time over the weekend.
One thing that popped to mind when reading this quickly though was what you added in the other notes section about PUBLICHOST: this needs to be the end IP the connection uses, and that sounds like it fixes it from the host or external access. When connecting to it from inside the containers, could you also specify the same IP?
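
What the PUBLICHOST mismatch discussed in this thread looks like on the wire, as an added example that is not part of the original issue or the project's code: in passive mode the server's RFC 959 `227` reply carries the address and port the client must open its data connection to, and the check below compares that with the address the control connection used and with the `30000-30009` range published in the compose file. The reply strings are constructed samples built from addresses that appear in the thread; `parse_pasv` and `check_pasv` are hypothetical helper names.

```python
import ipaddress
import re

# Passive port range published in the compose file on this page.
PASV_PORTS = range(30000, 30010)

# Constructed sample replies (not captured from a real server).
REPLY_CONTAINER_IP = "227 Entering Passive Mode (172,28,0,2,117,48)"
REPLY_HOST_IP = "227 Entering Passive Mode (192,168,1,30,117,53)"
REPLY_BAD_PORT = "227 Entering Passive Mode (192,168,1,30,195,80)"

_PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply):
    """Return (IPv4Address, port) from a '227 ... (h1,h2,h3,h4,p1,p2)' reply."""
    m = _PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError(f"field out of range in {reply!r}")
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    port = nums[4] * 256 + nums[5]  # port is sent as two bytes, high byte first
    return ip, port


def check_pasv(reply, control_ip, ports=PASV_PORTS):
    """List reasons the data connection may fail for a client that reached
    the control port at control_ip."""
    ip, port = parse_pasv(reply)
    problems = []
    if ip != ipaddress.IPv4Address(control_ip):
        problems.append(f"advertised {ip} but control connection used {control_ip}")
    if port not in ports:
        problems.append(
            f"port {port} is outside published range {ports.start}-{ports.stop - 1}"
        )
    return problems


if __name__ == "__main__":
    # Host client connected to the host's LAN address from the thread.
    for reply in (REPLY_CONTAINER_IP, REPLY_HOST_IP, REPLY_BAD_PORT):
        print(reply, "->", check_pasv(reply, "192.168.1.30") or "ok")
```
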

@Max-Pol

Max-Pol commented Dec 21, 2020

@Warfront1 with Ubuntu, I don't have any problem connecting from the host with HOST: localhost, or HOST: IP of the container. Try to connect using the IP of your docker container. To retrieve the IP of your container:

```
docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' name_or_id_of_your_container
```

@Warfront1
Author

Warfront1 commented Dec 22, 2020

@Max-Pol
Using the configuration exactly as posted in my original post.
Name of container pureftptestbed_ftps_server_1
docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' pureftptestbed_ftps_server_1
Gives me 172.28.0.2

First test case:
Within the compose network via the ftps_client:
On the quick connect section fill out the following details:
a) Host: 172.28.0.2
b) Username: bob
c) Password: 12345
d) You can leave the port blank
Congratulations you are now connected, and can upload/download/delete/create anything you want on the ftps_server

Second test case:
On the host machine using filezilla
a) Host: 172.28.0.2
b) Username: bob
c) Password: 12345
d) You can leave the port blank

Error:	Connection timed out after 20 seconds of inactivity
Error:	Could not connect to server
Status:	Waiting to retry...

I know the networking for docker for windows/mac/linux all have slightly different setups:
https://docs.docker.com/docker-for-windows/networking/
https://docs.docker.com/docker-for-mac/networking/

Perhaps this is why it works for you in Ubuntu. I was able to verify this on two Windows 10 development machines of mine.
The last tests I did above were on Docker Desktop version 2.5.0.1.

Worth noting, I do not have this issue with any other container/images I try to run. For example, here is another test SFTP container I often use:

```yaml
version: '3.1'

services:
  sftp_server:
    image: atmoz/sftp
    command: foo:pass:::uploads
    ports:
      - "2222:22"
  ftps_client:
    image: jlesage/filezilla:v1.28.0@sha256:d9286b92bc1cc98d0802e621fc2a4b806dd4512d8eca18970d7ba486aea8e750
    ports:
      - "5800:5800"
    links:
      - sftp_server
```

I am able to access this atmoz/sftp in this example via the host and the compose network without any issue (from the host I typically use localhost as the address, and within the compose network I use the hostname sftp_server).

@DerZade

DerZade commented May 27, 2021

I'm using windows and have to connect to the container from my host. I'm just too dumb to get it working. I guess I'm encountering the same issue as described in the first post. I already tried to set PUBLICHOST to host.docker.internal and connect with the same host name but still get the same 500 error.

Did anyone get this working on windows? 😅

@Warfront1
Author

Warfront1 commented Jun 1, 2021

> I'm using windows and have to connect to the container from my host. I'm just too dumb to get it working. I guess I'm encountering the same issue as described in the first post. I already tried to set PUBLICHOST to host.docker.internal and connect with the same host name but still get the same 500 error.
>
> Did anyone get this working on windows? 😅

@DerZade
On the host machine open cmd and run the following: ping host.docker.internal
image
Take that ip (this will be specific to your dev machine.... above is mine 192.168.1.30 boxed in red), and set that as your PUBLICHOST.
Then in your favorite FTP client on the host machine connect to that same IP (for me 192.168.1.30).

Note: As this issue mentions you will not be able to access it via the compose network then. Which perhaps may be sufficient for your use case.

@Warfront1
Author

Warfront1 commented Mar 10, 2023

I have just retested this issue on the latest version of Buster, and I have confirmed that it has still not been rectified.
stilliard/pure-ftpd:buster-latest@sha256:6109069c2e432ef117418d6bdbbe56275492c94af1594574b03891ae044eee53
I am also now testing on a new system running Windows 11 (Version 10.0.22621 Build 22621) with Docker Desktop (Version 4.17.0).

@stilliard, Have you had the chance to take a look at this issue?

@Warfront1
Author

Warfront1 commented Mar 11, 2023

I have found a partial workaround for the time being.

```yaml
version: '3.1'

services:
  ftps_server:
    image: stilliard/pure-ftpd:buster-latest@sha256:80ce2a218c58972f7c428b9bb112b32b5bd57ecd7dde458f22f8977e8db8ad5b
    ports:
      - "30000-30009:30000-30009"
      - "21:21"
    environment:
      - "ADDED_FLAGS=-d -d -b -4 -S 0.0.0.0,21 -c 100 -C 100 -y 100:100 --tls 2"
      - "TLS_CN=ftps_server"
      - "TLS_ORG=Demo"
      - "TLS_C=UK"
      - "TLS_USE_DSAPRAM=true"
      - "FTP_USER_NAME=bob"
      - "FTP_USER_PASS=12345"
      - "FTP_USER_HOME=/home/ftpusers/bob"
    hostname: ftps_server
    volumes:
      - ftp_tls:/etc/ssl/private/
  ftps_client:
    image: jlesage/filezilla:latest@sha256:15b7eb68b5df6a53681c298f00c3f3a5f9fdc61d61b74cffe137d9ccdbe9a145
    ports:
      - "5800:5800"
    links:
      - ftps_server
volumes:
  ftp_tls:
```

This will allow you to connect in active mode via the filezilla client within the compose network.
This will allow you to connect in passive mode via a filezilla client on the host machine.
The host machine will only be able to connect if you use the local IP address of the host machine.
On Windows you can get this IP address by running `ipconfig | findstr /C:Address` in Command Prompt.
