latest/html/proftpd_8conf_source.html

#

# Fichier de configuration de ProFTPd pour AlternC

# WARNING: Do not edit this file, edit the one in /etc/alternc/templates and launch alternc.install again.


#

# Includes required DSO modules. This is mandatory in proftpd 1.3

#

Include /etc/proftpd/modules.conf


ServerName                      "%%hosting%%"

ServerIdent                     on "FTP Server Ready"

ServerType                      standalone

DeferWelcome                    on


ShowSymlinks                    on

MultilineRFC2228                on

DefaultServer                   on

AllowOverwrite                  on

AllowStoreRestart               on

DefaultRoot                     ~

UseReverseDNS                   off

IdentLookups                    off

UseIPv6        off


TimeoutNoTransfer               600

TimeoutStalled                  600

TimeoutIdle                     1200


DisplayLogin                    /etc/welcome.msg

# lenny-only

#DisplayChdir                    .message


ListOptions                     "-al"


DenyFilter                      \*.*/

Port                            21

MaxInstances                    30

User                            nobody

Group                           nogroup

RequireValidShell    off


# Use the IANA registered ephemeral port range

# If you have a firewall, you should open this portrange

# (or change it)

# since ip_conntrack_ftp cannot decrypt TLS session.

PassivePorts 50000 60000


<Directory /*>

        DenyAll

</Directory>


<Directory %%ALTERNC_HTML%%>

  Umask                         022  022

  AllowOverwrite                on

  AllowAll

  <Limit SITE_CHMOD>

    AllowAll

  </Limit>

</Directory>


MaxClientsPerHost 8 "Sorry, no more than 8 simultaneous connections"

AccessGrantMsg  "Welcome on AlternC, %u"


# database@host:port login password

SQLConnectInfo                  %%dbname%%@%%dbhost%%:3306 %%dbuser%% %%dbpwd%%

# Table :

SQLUserInfo ftpusers name encrypted_password uid uid homedir NULL


# Use mysql PASSWORD function

SQLAuthTypes                    Crypt

# Only mysql authentication enabled

SQLAuthenticate users

AuthPAM                         off


# What this SQL query do :

# - check if there is IP limitation for this account. If there isn't, allow everyone (by returning a TRUE)

# - if there is some limitation :

#    - convert ip to integer (if convert impossible, it's an ipv6. Mysql6 will have ipv6 function, for mysql5 alternc create some function)

#    - calculate the last IP of the subnet. If the subnet is 32, return the original IP

#    - check that the user's ip is in an allowed range

# - add the IP range who are defined as "always from everyone" (uid=0. Not uid=2000, because we could want to have some limitation for the root account)

SQLUserWhereClause " \

enabled = true and \

true in ( \

select if(count(*)>0,false,(select value from variable where name='auth_ip_ftp_default_yes')) \

from authorised_ip_affected aia, ftpusers f \

where cast(aia.parameters as signed integer)=f.id and f.name='%U'\

UNION \

select \

  ifnull(inet_aton('%h'),inet_aton6('%h')) \

    between ifnull(inet_aton(ip),inet_aton6(ip)) \

    and  ifnull( inet_aton(ip) + if(subnet=32,0,conv( lpad('',(32-subnet),'1'), 2 , 10)) ,   inet_aton6(ip) + conv( lpad('',(128-subnet),'1'), 2 , 10)  ) \

from authorised_ip ai, authorised_ip_affected aia, ftpusers f \

where f.name='%U' and cast(aia.parameters as signed integer)=f.id  and ai.id=aia.authorised_ip_id and aia.protocol='ftp' \

UNION \

select \

  ifnull(inet_aton('%h'),inet_aton6('%h')) \

    between ifnull(inet_aton(ip),inet_aton6(ip)) \

    and  ifnull( inet_aton(ip) + if(subnet=32,0,conv( lpad('',(32-subnet),'1'), 2 , 10)) ,   inet_aton6(ip) + conv( lpad('',(128-subnet),'1'), 2 , 10)  ) \

from authorised_ip ai \

where ai.uid=0 \

) \

"


# Uncomment this line if you want to debug Proftpd's SQL

#SQLLogFile /var/log/proftpd/sql.log


# Default : www-data.www-data

SQLDefaultGID                   33

SQLDefaultUID                   33

# Minimum ID allowed to log in. Other users should use SFTP

SQLMinID                        33


# We don't use Unix rights managment on AlternC, so let's hide real owner/group/rights

DirFakeGroup    on alternc

DirFakeUser     on ~


# Log file by default

SystemLog /var/log/proftpd/proftpd.log

TransferLog /var/log/proftpd/xferlog

# allow /lib or /etc /usr in chroots:

RLimitChroot off


<IfModule mod_tls.c>

       TLSEngine on

       TLSLog /var/log/proftpd/tls.log

       # TLSv1.3 has bugs before ProFTPd 1.3.6d and 1.3.7

       #TLSProtocol TLSv1.2 TLSv1.3

       TLSProtocol TLSv1.2

       # For old clients

       #TLSProtocol TLSv1 TLSv1.1 TLSv1.2


       # Are clients required to use FTP over TLS when talking to this server?

       TLSRequired off


       # Server's certificate

       TLSRSACertificateFile /etc/ssl/certs/alternc-proftpd.pem

       TLSRSACertificateKeyFile /etc/ssl/private/alternc-proftpd.key


       # CA the server trusts

       # TLSCACertificateFile /etc/ftpd/root.cert.pem


       # Authenticate clients that want to use FTP over TLS?

       TLSVerifyClient off


       # Allow SSL/TLS renegotiations when the client requests them, but

       # do not force the renegotations.  Some clients do not support

       # SSL/TLS renegotiations; when mod_tls forces a renegotiation, these

       # clients will close the data connection, or there will be a timeout

       # on an idle data connection.

       TLSRenegotiate required off


       #  As of ProFTPD 1.3.3rc1, mod_tls only accepts SSL/TLS data connections that reuse

       # the SSL session of the control connection, as a security measure.

       # Unfortunately, there are some clients (e.g. curl) which do not reuse SSL sessions.

       #  To relax the requirement that the SSL session from the control connection

       # be reused for data connections, use the following

       TLSOptions NoSessionReuseRequired


</IfModule>