mod_ban whitelisting does not work for connections using mod_proxy_protocol #32

@jb-boin

Description

I have connections coming in on a backend ProFTPD from another ProFTPD using mod_proxy as a reverse proxy, using the proxy protocol V2.
Both are running the same ProFTPD version from Debian 12 packages (1.3.8+dfsg-4+deb12u4); the backend only has a private IP address.

I'm using similar mod_ban rules on both servers and have whitelisted on both the IP of a client that should not be subjected to mod_ban rules.

The whitelist works on the front but does not seem to be applied on the backend.

Part of the configuration that is common on both and related to mod_proxy_protocol and mod_ban:

<Class expect-proxy-protocol>
    From 10.150.225.35
    From 10.150.225.62
</Class>
<IfModule mod_proxy_protocol.c>
    <IfClass expect-proxy-protocol>
        ProxyProtocolEngine on
        ProxyProtocolVersion haproxyV2
        AllowForeignAddress expect-proxy-protocol
    </IfClass>
</IfModule>
[...]
<IfModule mod_ban.c>
    <Class whitelist>
        From 185.200.5.161
        From 195.124.11.238
    </Class>
    <IfClass whitelist>
        BanEngine off
    </IfClass>
    <IfClass !whitelist>
        BanEngine on
        BanLog /var/log/proftpd/ban.log
        BanTable /dev/shm/proftpd-ban.tab
        BanOnEvent ClientConnectRate 20/00:01:00 00:01:30
    </IfClass>
</IfModule>

The LoadModule order is similar on both servers (but the front has mod_proxy_protocol commented out and the back has mod_proxy commented out):

LoadModule mod_ban.c
LoadModule mod_proxy.c
LoadModule mod_proxy_protocol.c
LoadModule mod_ifsession.c

Then after 20 connections from 195.124.11.238 through the reverse proxy, the backend triggers the ban:

added ClientConnectRate-triggered autoban for host '195.124.11.238'

Meanwhile, the whitelist works as expected on the reverse proxy: the IP only gets banned if I comment it out of the whitelist Class.

I found a way to avoid the ban by replacing <IfClass whitelist> with <IfClass AND !whitelist !expect-proxy-protocol>, but in that case any connection coming through the reverse proxy will be whitelisted, not only those originating from whitelisted IPs.
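The behaviour described in this report hinges on which address a `From`-based class is matched against: the TCP peer (here the reverse proxy's private address, which is never in `whitelist`) or the client address carried in the PROXY protocol v2 header. The following is an added illustration, not ProFTPD or mod_ban code, and the two evaluation orders it models ("class checked before the header is consumed" versus "after") are an assumption used to show why a whitelist can match on the front and miss on the back. The header parser follows the PROXY protocol v2 wire format (12-byte signature, version/command byte, family/protocol byte, 16-bit length, then source and destination address and port); the IP addresses are the ones from the report, and the header bytes are constructed inline.

```python
"""Model of class matching on a proxied connection (constructed example, not ProFTPD code).

A PROXY protocol v2 header is parsed to recover the real client address, and a
`From`-style class list is evaluated against either the socket peer or that
recovered address, depending on the (assumed) evaluation order.
"""
import ipaddress
import struct

# PROXY protocol v2 constants (from the haproxy PROXY protocol specification).
PROXY_V2_SIG = b"\r\n\r\n\x00\r\nQUIT\n"
CMD_LOCAL, CMD_PROXY = 0x0, 0x1
AF_INET, AF_INET6 = 0x1, 0x2
PROTO_STREAM = 0x1

# `From` entries of the whitelist class in the report (single hosts; CIDR also accepted).
WHITELIST = ["185.200.5.161", "195.124.11.238"]


def build_proxy_v2(src_ip, src_port, dst_ip, dst_port):
    """Construct a PROXY v2 header for a TCP4 or TCP6 connection (test input only)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src.version != dst.version:
        raise ValueError("source and destination families differ")
    family = AF_INET if src.version == 4 else AF_INET6
    body = src.packed + dst.packed + struct.pack("!HH", src_port, dst_port)
    head = struct.pack("!BBH", (2 << 4) | CMD_PROXY, (family << 4) | PROTO_STREAM, len(body))
    return PROXY_V2_SIG + head + body


def parse_proxy_v2(data):
    """Return (src_ip, src_port, dst_ip, dst_port) from a PROXY v2 header.

    Returns None for a LOCAL command (no address information, e.g. a health
    check), in which case the socket peer address is the only one available.
    """
    if len(data) < 16 or data[:12] != PROXY_V2_SIG:
        raise ValueError("not a PROXY protocol v2 header")
    ver_cmd, fam_proto, addr_len = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("unsupported PROXY protocol version")
    if len(data) < 16 + addr_len:
        raise ValueError("truncated PROXY protocol header")
    cmd, family = ver_cmd & 0x0F, fam_proto >> 4
    if cmd == CMD_LOCAL:
        return None
    if cmd != CMD_PROXY:
        raise ValueError("unknown PROXY protocol command")
    body = data[16:16 + addr_len]
    if family == AF_INET and addr_len >= 12:
        src, dst, sp, dp = struct.unpack("!4s4sHH", body[:12])
        return str(ipaddress.IPv4Address(src)), sp, str(ipaddress.IPv4Address(dst)), dp
    if family == AF_INET6 and addr_len >= 36:
        src, dst, sp, dp = struct.unpack("!16s16sHH", body[:36])
        return str(ipaddress.IPv6Address(src)), sp, str(ipaddress.IPv6Address(dst)), dp
    raise ValueError("unsupported address family or short address block")


def in_class(from_entries, ip):
    """Match an address against `From` entries the way a Class list would (hosts or CIDRs)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in from_entries)


def effective_client(peer_ip, header, header_applied):
    """Address a class sees: the socket peer, or the PROXY-reported client once applied."""
    if not header_applied:
        return peer_ip
    parsed = parse_proxy_v2(header)
    return peer_ip if parsed is None else parsed[0]


def ban_exempt(peer_ip, header, header_applied, whitelist=WHITELIST):
    """True when the connection would fall into the whitelist class (BanEngine off)."""
    return in_class(whitelist, effective_client(peer_ip, header, header_applied))


if __name__ == "__main__":
    # Constructed: the front proxy (10.150.225.35) forwards a client 195.124.11.238.
    hdr = build_proxy_v2("195.124.11.238", 51000, "10.150.225.10", 21)
    for applied in (False, True):
        seen = effective_client("10.150.225.35", hdr, applied)
        print(f"header applied={applied}: class sees {seen}, exempt={ban_exempt('10.150.225.35', hdr, applied)}")
```

Run stand-alone, the script shows the same whitelist exempting the client only when the class is evaluated against the PROXY-reported address; against the proxy's own peer address the whitelist never matches, which is the symptom reported above. The `AND !whitelist !expect-proxy-protocol` workaround from the report corresponds to matching the peer address against the proxy class instead, which is why it exempts every proxied connection rather than only whitelisted clients.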
