Created
March 27, 2018 18:08
# ProFTPD main server context: a standalone daemon listening for FTP on port 21.
# NOTE(review): "fqdn" looks like a redacted placeholder for the real host name.
ServerName "fqdn" | |
ServerType standalone | |
# Keep the server software identification out of the greeting banner.
ServerIdent off | |
DefaultServer on | |
# Accept data-connection addresses that differ from the control connection's
# peer (site-to-site transfers). ProFTPD refuses these by default because the
# technique has been used for FTP bounce abuse, so leave this on only if
# site-to-site transfers are really required.
AllowForeignAddress on | |
UseReverseDNS off | |
PidFile /var/run/mc-proftpd.pid | |
SystemLog /var/log/proftpd/proftpd.log | |
# DebugLevel 1 is needed, otherwise successful login events won't be logged.
DebugLevel 1 | |
ScoreboardFile /var/lib/proftpd/proftpd.scr | |
# Per-user connection limits and a cap of two login attempts per connection.
MaxHostsPerUser 2 | |
MaxClientsPerUser 10 | |
MaxLoginAttempts 2 | |
TimeoutStalled 60 | |
# Port 21 is the standard FTP port. | |
Port 21 | |
# Umask 022 is a good standard umask to prevent new dirs and files | |
# from being group and world writable. | |
Umask 022 | |
# Upper bound on simultaneous server child processes.
MaxInstances 50 | |
# Set the user and group under which the server will run. | |
User proftpd | |
Group proftpd | |
# Runtime control interface (mod_ctrls): a local socket for administering the
# running daemon. Every ACL in this section, and the socket ownership, is
# limited to root, so only members of group root can issue control actions.
<IfModule mod_ctrls.c> | |
ControlsEngine on | |
ControlsACLs all allow group root | |
ControlsMaxClients 2 | |
ControlsLog /var/log/proftpd/controls.log | |
ControlsInterval 5 | |
ControlsSocket /var/lib/proftpd/ctrls.sock | |
ControlsSocketOwner root root | |
ControlsSocketACL allow group root | |
# Administrative control actions, again restricted to group root.
<IfModule mod_ctrls_admin.c> | |
AdminControlsEngine on | |
AdminControlsACLs all allow group root | |
</IfModule> | |
</IfModule> | |
# mod_ban: ban list kept in BanTable and managed through the control
# interface by group root.
# NOTE(review): no BanOnEvent rule appears in this file, so as written bans
# would presumably only be added manually - confirm whether automatic
# banning on repeated login failures was intended.
<IfModule mod_ban.c> | |
BanEngine on | |
BanLog /var/log/proftpd/proftpd-ban.log | |
BanTable /var/lib/proftpd/ban.table | |
BanControlsACLs all allow group root | |
</IfModule> | |
# FTP over TLS (mod_tls). TLS is offered to clients but not enforced.
<IfModule mod_tls.c> | |
TLSEngine on | |
# TLSLog /var/log/proftpd/tls.log | |
# Only TLS 1.0 is enabled here. TLS 1.0 has been formally deprecated
# (RFC 8996); a current deployment should list TLSv1.2 and newer instead.
TLSProtocol TLSv1 | |
# Are clients required to use FTP over TLS when talking to this server? | |
# With "off", clients may still log in and transfer data in cleartext, so
# passwords can cross the network unencrypted.
TLSRequired off | |
# Server's certificate | |
TLSRSACertificateFile /var/lib/monster/cert/store/active/main.crt | |
TLSRSACertificateKeyFile /var/lib/monster/cert/store/active/main.key | |
TLSCertificateChainFile /var/lib/monster/cert/store/active/main.intermediate.crt | |
# and dh | |
TLSDHParamFile /var/lib/monster/cert/mc/dhparams.pem | |
# Data connections are not required to reuse the control connection's TLS
# session. This helps clients that cannot reuse sessions, but it drops a
# check that ties each data connection to the authenticated control channel.
TLSOptions NoSessionReuseRequired | |
# Authenticate clients that want to use FTP over TLS? | |
TLSVerifyClient off | |
</IfModule> | |
# Address advertised to clients for passive-mode data connections, and the
# port range used for them. Firewall rules only need to admit this range for
# passive data traffic.
MasqueradeAddress fqdn | |
PassivePorts 50000 60000 | |
# Settings shared by the main server and every <VirtualHost>: SQL-backed
# virtual accounts, chroot, upload scanning and quotas.
<Global> | |
# Password verification (mod_sql_passwd): the per-user salt and the PBKDF2
# parameters (hash algorithm, iteration count, output length) are read from
# the database through the named queries defined further down.
<IfModule mod_sql_passwd.c> | |
SQLPasswordEngine on | |
SQLPasswordEncoding hex | |
SQLPasswordSaltEncoding hex | |
SQLPasswordUserSalt sql:/get-user-salt | |
SQLPasswordPBKDF2 sql:/get-user-pbkdf2 | |
</IfModule> | |
# Normally, we want files to be overwriteable. | |
AllowOverwrite on | |
TransferLog /var/log/proftpd/xfer.log | |
# The line below causes every FTP user to be "jailed" (chrooted) into their home directory.
DefaultRoot ~ | |
WtmpLog off | |
TimeoutLogin 15 | |
# Refuse to chroot into a home directory that is reached through a symlink.
AllowChrootSymlinks off | |
AllowStoreRestart on | |
# Per-directory .ftpaccess files are ignored.
AllowOverride off | |
# Accounts come from SQL only, so no check against /etc/shells is made.
RequireValidShell off | |
# Directory listings show the logged-in user as owner and group instead of
# the real file ownership.
DirFakeUser on "~" | |
DirFakeGroup on "~" | |
IdentLookups off | |
# Uploads are passed to a clamd instance on the loopback interface.
# NOTE(review): presumably files above ClamMaxSize are not scanned - confirm
# that a 5 Mb ceiling is acceptable for this service.
ClamAV on | |
ClamServer 127.0.0.1 | |
ClamPort 3310 | |
ClamMaxSize 5 Mb | |
# mod_sql is the only authentication source; system accounts cannot log in.
AuthOrder mod_sql.c | |
SQLBackend sqlite3 | |
SQLConnectInfo /var/lib/monster/ftp/db/ftp.sqlite | |
SQLAuthenticate users | |
SQLDefaultUID 65534 | |
SQLDefaultGID 65534 | |
# SQLLogFile /var/log/proftpd/sql.log | |
# pbkdf2 is tried first; a second type is accepted as well.
# NOTE(review): confirm the second type is still needed - presumably it is a
# legacy hash format kept for older accounts, and such accounts would not get
# the protection of the PBKDF2 settings above.
SQLAuthTypes pbkdf2 MysqlPassword | |
SQLUserInfo custom:/login | |
# SQLUserWhereClause " " | |
# Named queries. %U / %u (user name), %a (client address) and %{n} are
# substituted into the statement text by mod_sql.
# NOTE(review): the quoting relies on mod_sql escaping those values before
# substitution - confirm for the deployed version.
# NOTE(review): the get-user-pbkdf2 statement below has no closing double
# quote on this page; possibly a paste error - check the deployed file.
SQLNamedQuery get-user-pbkdf2 SELECT "fa_pbkdf2_hash_algo, fa_pbkdf2_iterations, fa_pbkdf2_output_length FROM ftpaccounts WHERE fa_username = '%{0}' | |
SQLNamedQuery get-user-salt SELECT "fa_salt FROM ftpaccounts WHERE fa_username = '%{0}'" | |
# Login lookup. Columns are returned in the order user name, password hash,
# UID (the fa_webhosting value), GID (fixed 65533), home directory
# (wh_storage followed by fa_subdir) and shell (the dummy value 'nope').
# A row is returned only when one of these holds for the account's hosting:
# public login is enabled; the client address equals the recorded last admin
# login address and that option is enabled; or the effective IP ACL is on and
# the client address appears, surrounded by spaces, in the whitelist string.
SQLNamedQuery login SELECT "fa_username, fa_password, fa_webhosting, 65533, wh_storage || fa_subdir, 'nope' \ | |
FROM ftpaccounts \ | |
LEFT JOIN webhostings ON webhostings.wh_webhosting = ftpaccounts.fa_webhosting \ | |
WHERE fa_username='%U' AND ((wh_public_login=1)OR(wh_last_admin_login_enabled=1 AND wh_last_admin_login_ip='%a')OR(wh_ip_acl_effective=1 AND wh_ip_acl_whitelist LIKE '%% %a %%')) " | |
# Quota limit: a hard per-user byte limit taken from wh_quota_b of the
# account's hosting; the remaining limit columns are zero.
SQLNamedQuery get-quota-limit SELECT "fa_username, 'user', 'false', 'hard', wh_quota_b, 0, 0, 0, 0, 0 \ | |
FROM ftpaccounts \ | |
LEFT JOIN webhostings ON webhostings.wh_webhosting = ftpaccounts.fa_webhosting \ | |
WHERE fa_username = '%{0}' AND 'user' = '%{1}'" | |
# Quota tally: usage is tracked per hosting (tallies.t_webhosting), so all FTP
# accounts of one hosting share the same t_tally_sum_b figure.
SQLNamedQuery get-quota-tally SELECT "fa_username, 'user', t_tally_sum_b, 0, 0, 0, 0, 0 \ | |
FROM ftpaccounts \ | |
LEFT JOIN tallies ON tallies.t_webhosting = ftpaccounts.fa_webhosting \ | |
WHERE fa_username = '%{0}' AND 'user' = '%{1}'" | |
SQLNamedQuery update-quota-tally FREEFORM "INSERT OR REPLACE INTO tallies (t_webhosting, t_tally_b, t_tally_sum_b, t_tally_updated) \ | |
SELECT fa_webhosting, t_tally_b + %{0}, t_tally_sum_b + %{0}, 1 \ | |
FROM ftpaccounts \ | |
LEFT JOIN tallies ON tallies.t_webhosting = ftpaccounts.fa_webhosting \ | |
WHERE fa_username = '%{6}' AND 'user' = '%{7}'" | |
SQLNamedQuery insert-quota-tally FREEFORM "INSERT OR REPLACE INTO tallies (t_webhosting, t_tally_b, t_tally_sum_b, t_tally_updated) \ | |
SELECT fa_webhosting, %{0}, %{0}, 1 \ | |
FROM ftpaccounts \ | |
LEFT JOIN tallies ON tallies.t_webhosting = ftpaccounts.fa_webhosting \ | |
WHERE fa_username = '%{0}' AND 'user' = '%{1}'" | |
QuotaLock /var/lib/proftpd/tally.lock | |
QuotaLimitTable sql:/get-quota-limit | |
QuotaTallyTable sql:/get-quota-tally/update-quota-tally/insert-quota-tally | |
QuotaDisplayUnits Mb | |
QuotaEngine on | |
QuotaShowQuotas on | |
# QuotaLog /var/log/proftpd/quota.log | |
# After a successful PASS the current tally, in MB, is shown to the client.
SQLNamedQuery count SELECT "ROUND(t_tally_sum_b/1024/1024) FROM ftpaccounts LEFT JOIN tallies ON tallies.t_webhosting = ftpaccounts.fa_webhosting WHERE fa_username='%u' " | |
SQLShowInfo PASS "230" "Current tally is: %{count} MB. Use SITE QUOTA for more info." | |
# we try avoiding update statements as much as possible, since it might lock the database | |
# On PASS, record the client address and time as the account's last login.
SQLLog PASS update_last_login | |
SQLNamedQuery update_last_login UPDATE "fa_last_login_ip='%a', fa_last_login_ts=datetime('now') WHERE fa_username='%u'" ftpaccounts | |
# In the home directory, hide entries the user cannot access and entries
# owned by root.
<Directory ~> | |
HideNoAccess on | |
HideUser root | |
</Directory> | |
<Directory ~/*> | |
HideFiles none | |
</Directory> | |
</Global> | |
# SFTP service (mod_sftp) on port 22. "ipaddress" looks like a redacted
# placeholder for the real listening address.
<IfModule mod_sftp.c> | |
<VirtualHost ipaddress> | |
SFTPEngine on | |
Port 22 | |
# it is just way too verbose, turning off: | |
#SFTPLog /var/log/proftpd/sftp.log | |
# Configure the RSA and ECDSA host keys (the two files listed below).
SFTPHostKey /var/lib/monster/cert/mc/ssh_rsa_key | |
SFTPHostKey /var/lib/monster/cert/mc/ssh_ecdsa_key | |
# Password is the only authentication method offered; public-key login is
# not available, so the login limits in this file are the main brake on
# password guessing.
SFTPAuthMethods password | |
# Compression is left off (delayed compression is currently broken).
SFTPCompression off | |
</VirtualHost> | |
</IfModule> | |
# Forward proxy (mod_proxy) listening on the loopback interface, port 2312.
LoadModule mod_proxy.c | |
ProxyTables /var/lib/proftpd/proxy.tables | |
<VirtualHost 127.0.0.1> | |
Port 2312 | |
ProxyEngine on | |
ProxyLog /var/log/proftpd/proxy.log | |
ProxyRole forward | |
# The destination is taken from the login name (user@host).
ProxyForwardMethod user@host | |
# Only destinations matching this case-insensitive pattern are allowed: a
# single label directly under domain.tld, followed by a colon. Keep the
# pattern anchored and this narrow so the proxy cannot be pointed at
# arbitrary hosts.
ProxyForwardTo ^[^.]+\.domain\.tld: [NC] | |
</VirtualHost> | |
# Forwarding is enabled only for clients in this class, i.e. the single
# address given in From ("ipaddress" looks like a redacted placeholder).
<Class forward-proxy> | |
From ipaddress/32 | |
ProxyForwardEnabled on | |
</Class> |