FTP
This service will install and configure ProFTPD and manage virtual users.
Warning
For your daily project work, FTP is not required. Access through SSH/SCP is far more superior and secure (see SSH). Use FTP only to transfer files from and to certain directories if the other side does not support SCP.
Users
adds a FTP User
password: crypt password as used in /etc/passwd
uid: Linux system user id of desired user. Lookup on server before adding.
gid: Linux system group id of desired group. Lookup on server before adding.
home: access is restricted to this directory
Configure the ftp::users
hash within the Custom JSON Server Level Configuration:
{
"ftp::users": {
"alice": {
"password": "$6$1sLLOf5.$GAZDHYXEjs0MpR5uHBAR5eD00MpUasTgbyIP27PZ8WprL98XeU01N502ogYn1JKrgqEiTXn1/lkFBNZ46zZHY/",
"uid": "1005",
"gid": "1005",
"home": "/home/examplenet/www/webcam/"
}
}
}
Tip
The password has to be encrypted. Use the following command to encrypt your desired password: mkpasswd -m sha-512
Tip
Use the “id” command to determine the appropriate uid/gid
Directories
add custom per directory options
see ProFTPD Documentation for Details: http://www.proftpd.org/docs/
Configure the ftp::directories
hash within the Custom JSON Server Level Configuration:
{
"ftp::directories": {
"/home/examplenet/tmp/": {
"limit": {
"WRITE": {
"DenyAll": null,
"AllowUser": "alice"
}
}
}
}
}
will led to this ProFTPD configuration:
<Directory /home/examplenet/tmp/>
<Limit WRITE>
DenyAll undef
AllowUser alice
</Limit>
</Directory>
TLS Certificates
TLS is enabled and required by default
Warning
You can disable the TLS requirement by setting the ftp::wrapper::proftpd::tlsrequired
string to off
.
As the FTP connection is not encrypted anymore, this option is strongly not recommended.
Please contact us to find another solution.
Default Certificate
If not configured otherwise (see below), a self signed certificate bearing the hostname of the server will be created and used for ProFTPD.
Own Certificate
Specify your own certificate with the tls_key
and tls_crt
options.
Configure the ftp::wrapper::proftpd::tls_crt
and ftp::wrapper::proftpd::tls_key
strings within the Custom JSON Server Level Configuration:
{
"ftp::wrapper::proftpd::tls_crt": "-----BEGIN CERTIFICATE-----\nMY-TLS-CERTIFICATE\n",
"ftp::wrapper::proftpd::tls_key": "-----BEGIN PRIVATE KEY-----\nMY-TLS-KEY"
}
Own Certificate from File
Another option is to use existing certificates already in place on this server,
for example one thats used with apache already.
Configure the locations with the ftp::wrapper::proftpd::tls_crt_file
and ftp::wrapper::proftpd::tls_key_file
strings within the Custom JSON Server Level Configuration.
For own certificates, you can use the following paths:
{
"ftp::wrapper::proftpd::tls_crt_file": "/etc/apache2/certs/<websitename>.crt",
"ftp::wrapper::proftpd::tls_key_file": "/etc/apache2/certs/<websitename>.key"
}
For Let’s Encrypt certificates, you can use the following paths:
{
"ftp::wrapper::proftpd::tls_crt_file": "/etc/apache2/md/domains/<domain>/pubcert.pem",
"ftp::wrapper::proftpd::tls_key_file": "/etc/apache2/md/domains/<domain>/privkey.pem"
}
Default Firewall Rule
By default, firewall rules to allow incoming ports 21 (FTP) and 49152-49162 (FTP data) will be added.
To disable those default rules, set ftp::wrapper::proftpd::nftables
to false
within the Custom JSON Server Level Configuration:
{
"ftp::wrapper::proftpd::nftables": false
}
Note
Please make sure to allow access for our internal monitoring system manually
(IPv4: 185.17.70.112
, IPv6: 2a04:503:0:1008::112
)