2 # Fichier de configuration de ProFTPd pour AlternC
3 # WARNING: Do not edit this file, edit the one in /etc/alternc/templates and launch alternc.install again.
6 # Includes required DSO modules. This is mandatory in proftpd 1.3
8 Include /etc/proftpd/modules.conf
10 ServerName "%%hosting%%"
11 ServerIdent on "FTP Server Ready"
29 DisplayLogin /etc/welcome.msg
31 #DisplayChdir .message
42 # Use the IANA registered ephemeral port range
43 # If you have a firewall, you should open this port range
45 # since ip_conntrack_ftp cannot decrypt the TLS session (and so cannot see which passive port was negotiated on the control connection).
46 PassivePorts 50000 60000
52 <Directory %%ALTERNC_HTML%%>
61 MaxClientsPerHost 8 "Sorry, no more than 8 simultaneous connections"
62 AccessGrantMsg "Welcome on AlternC, %u"
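64 # database@host:port login password (once the template is expanded this line holds the database password in clear text, so the generated file should not be readable by unprivileged users)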
65 SQLConnectInfo %%dbname%%@%%dbhost%%:3306 %%dbuser%% %%dbpwd%%
67 SQLUserInfo ftpusers name encrypted_password uid uid homedir NULL
69 # Use the MySQL PASSWORD() function (an unsalted double SHA-1 hash; PASSWORD() was removed in MySQL 8.0)
71 # Only mysql authentication enabled
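75 # What this SQL query does:
76 # - check whether there is an IP limitation for this account. If there isn't, allow everyone (by returning TRUE; in the query below that result is the value of the 'auth_ip_ftp_default_yes' variable)
77 # - if there is some limitation:
78 # - convert the IP to an integer (if the conversion is impossible, it's an IPv6 address. MySQL 6 will have IPv6 functions; for MySQL 5, AlternC creates some functions)
79 # - calculate the last IP of the subnet. If the subnet is 32, return the original IP
80 # - check that the user's IP is in an allowed range (NOTE(review): the query reads the client from %h, which mod_sql documents as the client DNS name, so the comparison relies on reverse DNS lookups being off; %a is the address variable - confirm)
81 # - add the IP ranges that are defined as "always from everyone" (uid=0. Not uid=2000, because we could want to have some limitation for the root account)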
82 SQLUserWhereClause " \
85 select if(count(*)>0,false,(select value from variable where name='auth_ip_ftp_default_yes')) \
86 from authorised_ip_affected aia, ftpusers f \
87 where cast(aia.parameters as signed integer)=f.id and f.name='%U'\
90 ifnull(inet_aton('%h'),inet_aton6('%h')) \
91 between ifnull(inet_aton(ip),inet_aton6(ip)) \
92 and ifnull( inet_aton(ip) + if(subnet=32,0,conv( lpad('',(32-subnet),'1'), 2 , 10)) , inet_aton6(ip) + conv( lpad('',(128-subnet),'1'), 2 , 10) ) \
93 from authorised_ip ai, authorised_ip_affected aia, ftpusers f \
94 where f.name='%U' and cast(aia.parameters as signed integer)=f.id and ai.id=aia.authorised_ip_id and aia.protocol='ftp' \
97 ifnull(inet_aton('%h'),inet_aton6('%h')) \
98 between ifnull(inet_aton(ip),inet_aton6(ip)) \
99 and ifnull( inet_aton(ip) + if(subnet=32,0,conv( lpad('',(32-subnet),'1'), 2 , 10)) , inet_aton6(ip) + conv( lpad('',(128-subnet),'1'), 2 , 10) ) \
100 from authorised_ip ai \
105 # Uncomment this line if you want to debug Proftpd's SQL
106 #SQLLogFile /var/log/proftpd/sql.log
108 # Default : www-data.www-data
111 # Minimum ID allowed to log in. Other users should use SFTP
114 # We don't use Unix rights management on AlternC, so let's hide the real owner/group/rights
115 DirFakeGroup on alternc
118 # Log file by default
119 SystemLog /var/log/proftpd/proftpd.log
120 TransferLog /var/log/proftpd/xferlog
121 # allow /lib or /etc /usr in chroots:
126 TLSLog /var/log/proftpd/tls.log
127 # TLSv1.3 has bugs before ProFTPd 1.3.6d and 1.3.7
128 #TLSProtocol TLSv1.2 TLSv1.3
131 #TLSProtocol TLSv1 TLSv1.1 TLSv1.2
133 # Are clients required to use FTP over TLS when talking to this server?
136 # Server's certificate
137 TLSRSACertificateFile /etc/ssl/certs/alternc-proftpd.pem
138 TLSRSACertificateKeyFile /etc/ssl/private/alternc-proftpd.key
140 # CA the server trusts
141 # TLSCACertificateFile /etc/ftpd/root.cert.pem
143 # Authenticate clients that want to use FTP over TLS?
146 # Allow SSL/TLS renegotiations when the client requests them, but
147 # do not force the renegotiations. Some clients do not support
148 # SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
149 # clients will close the data connection, or there will be a timeout
150 # on an idle data connection.
151 TLSRenegotiate required off
153 # As of ProFTPD 1.3.3rc1, mod_tls only accepts SSL/TLS data connections that reuse
154 # the SSL session of the control connection, as a security measure.
155 # Unfortunately, there are some clients (e.g. curl) which do not reuse SSL sessions.
156 # To relax the requirement that the SSL session from the control connection
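157 # be reused for data connections, use the following. With this option set, mod_tls no longer checks that a TLS data connection belongs to the client that authenticated on the control connection.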
158 TLSOptions NoSessionReuseRequired