Apache HTTP Server Version 2.4
The File Transfer Protocol (FTP) is a classic standard for transfer of files and records over a TCP/IP network. It was defined by Jon Postel and Joyce Reynolds in RFC 959, which was released in 1985. This means that FTP precedes the HTTP protocol that is usually associated with the Apache server by more than half a decade. The mod_ftp module brings support for FTP to the Apache server and includes several updates to the original protocol. Most notably, mod_ftp implements FTP over Transport Layer Security (TLS) as described in RFC 4217.
On this manual page, a brief technical overview of the FTP protocol is provided, followed by a discussion of the FTP implementation by mod_ftp.
See also
- RFC959 — FILE TRANSFER PROTOCOL (FTP)
- RFC1579 — Firewall-Friendly FTP
- RFC4217 — Securing FTP with TLS
- mod_ssl
- Authentication, Authorization and Access Control
Overview of the FTP Protocol
The File Transfer Protocol (FTP) is designed to facilitate bi-directional transfer of files and records between hosts on a TCP/IP network. Unlike HTTP, the FTP protocol is stateful: the client establishes a Control Connection for the duration of an FTP session that typically spans multiple data transfers.
FTP uses a separate TCP connection for data transfer. Commands are issued and acknowledged over the Control Connection, a TCP connection to well-known port 21. If the user issues a command that requires a response more elaborate than a one-line response code, a Data Connection is established between the client and the server. The response data—the contents of a file or a directory listing—is sent over that data connection.
Historically, the data connection was established from the server back to the client. The client would bind to an arbitrary port, and then transmit its IP address and the port number to the server using the PORT command. The server then set up a data connection to that port on the client host, whereupon the client issues the data transfer command. This approach is referred to as Active FTP (since the server acts to set up the data connection). Unfortunately, active FTP does not work well with firewalls and Network Address Translation (NAT) because incoming connections are often blocked. In the case of NAT, the client only instructs the server to connect to its internal, non-routable IP address. Some firewalls and NAT routers support the FTP protocol, but this support is not universal. In cases where FTP is supported, these devices can rewrite the PORT command and establish ad-hoc access rules for FTP data connections.
Because of these limitations, an alternative approach was developed in which the direction of the data connection is reversed. This is known as Passive FTP. Before starting a data transfer, the client issues a PASV command. The server binds to an arbitrary port number and transmits its IP address and that port number back to the client. The client then sets up a data connection to this address and port on the server, and issues the data transfer command. Passive FTP is more firewall-friendly than Active FTP, because client-side firewalls are typically more lenient on outgoing connections than inbound ones.
While it is possible for FTP to support unauthenticated sessions, in practice all sessions are authenticated. Typically, FTP servers authenticate against the user database of the server on which they run. To facilitate downloads by the general public, FTP servers generally support a special username (by convention "anonymous" or "ftp") to provide read-only access. Users are asked (but often not required) to provide their e-mail address as response to the Password prompt.
For more information on the basic functionality of the FTP protocol please refer to RFC 959 or Wikipedia.