FTP Access

This service will install and configure ProFTPD and manage virtual users.


Nowadays, FTP is not required for your daily work anymore. Please use SSH/SCP which is already in place by default. See SSH for details.


  • adds a FTP User

  • password: crypt password as used in /etc/passwd

  • uid: Linux system user id of desired user. Lookup on server before adding.

  • gid: Linux system group id of desired group. Lookup on server before adding.

  • home: access is restricted to this directory

Configure the ftp::users hash within the Custom JSON Server Level Configuration:

  "ftp::users": {
    "alice": {
      "password": "$6$1sLLOf5.$GAZDHYXEjs0MpR5uHBAR5eD00MpUasTgbyIP27PZ8WprL98XeU01N502ogYn1JKrgqEiTXn1/lkFBNZ46zZHY/",
      "uid": "1005",
      "gid": "1005",
      "home": "/home/examplenet/www/webcam/"


The password has to be encrypted. Use the following command to encrypt your desired password: mkpasswd -m sha-512


Use the “id” command to determine the appropriate uid/gid


Configure the ftp::directories hash within the Custom JSON Server Level Configuration:

  "ftp::directories": {
    "/home/examplenet/tmp/": {
      "limit": {
        "WRITE": {
          "DenyAll": null,
          "AllowUser": "alice"

will led to this ProFTPD configuration:

<Directory /home/examplenet/tmp/>
    <Limit WRITE>
        DenyAll undef
        AllowUser alice

TLS Certificates

  • TLS is enabled and required by default


You can disable the TLS requirement by setting the ftp::wrapper::proftpd::tlsrequired string to off. As the FTP connection is not encrypted anymore, this option is strongly not recommended. Please contact us to find another solution.

Default Certificate

If not configured otherwise (see below), a self signed certificate bearing the hostname of the server will be created and used for ProFTPD.

Own Certificate

Specify your own certificate with the tls_key and tls_crt options.

Configure the ftp::wrapper::proftpd::tls_crt and ftp::wrapper::proftpd::tls_key strings within the Custom JSON Server Level Configuration:

  "ftp::wrapper::proftpd::tls_crt": "-----BEGIN CERTIFICATE-----\nMY-TLS-CERTIFICATE\n",
  "ftp::wrapper::proftpd::tls_key": "-----BEGIN PRIVATE KEY-----\nMY-TLS-KEY"

Own Certificate from File

Another option is to use existing certificates already in place on this server, for example one thats used with nginx already.

Configure the locations with the ftp::wrapper::proftpd::tls_crt_file and ftp::wrapper::proftpd::tls_key_file strings within the Custom JSON Server Level Configuration:

  "ftp::wrapper::proftpd::tls_crt_file": "/etc/nginx/ssl/<websitename>.crt",
  "ftp::wrapper::proftpd::tls_key_file": "/etc/nginx/ssl/<websitename>.key"


With this option, you can also use certificates issued through nginx by Let’s Encrypt.

Default Firewall Rule

By default, firewall rules to allow incoming ports 21 (FTP) and 49152-49162 (FTP data) will be added. To disable those default rules, set ftp::wrapper::proftpd::nftables to false within the Custom JSON Server Level Configuration:

  "ftp::wrapper::proftpd::nftables": false


Please make sure to allow access for our internal monitoring system manually (IPv4:, IPv6: 2a04:503:0:1008::112)