#
# ProFTPd configuration file for AlternC
# WARNING: Do not edit this file, edit the one in /etc/alternc/templates and launch alternc.install again.
# (The %%name%% tokens below are presumably filled in by alternc.install
# from the AlternC settings.)
#
# Includes required DSO modules. This is mandatory in proftpd 1.3
# The mod_sql / mod_sql_mysql and mod_tls directives further down need
# their modules to be loaded by this include.
#
Include /etc/proftpd/modules.conf
# Server identity. ServerIdent "on" with a fixed string replaces the default
# greeting, so the ProFTPD version is not advertised to unauthenticated clients.
ServerName "%%hosting%%"
ServerIdent on "FTP Server Ready"
ServerType standalone
DeferWelcome on
ShowSymlinks on
MultilineRFC2228 on
DefaultServer on
AllowOverwrite on
AllowStoreRestart on
# Chroot every user into their home directory (the homedir column
# returned by SQLUserInfo below).
DefaultRoot ~
# No reverse DNS and no ident lookups. NOTE(review): keep UseReverseDNS off -
# the SQLUserWhereClause below passes %h to inet_aton()/inet_aton6(), which
# only works while %h is the literal client IP and not a resolved hostname.
UseReverseDNS off
IdentLookups off
UseIPv6 off
# Timeouts (seconds). Dead or stalled sessions are dropped so they do not
# pin the MaxInstances / MaxClientsPerHost slots configured below.
TimeoutNoTransfer 600
TimeoutStalled 600
TimeoutIdle 1200
# Login banner file (DeferWelcome is on above, so nothing is shown before login).
DisplayLogin /etc/welcome.msg
# lenny-only (Debian lenny); left disabled on purpose.
#DisplayChdir .message
# Listings default to "-a -l": dotfiles are shown and the long format is used.
ListOptions "-al"
# Reject any command argument containing a "*" followed later by "/"
# (presumably to defuse expensive recursive glob expansions such as "*/../*").
DenyFilter \*.*/
Port 21
MaxInstances 30
# Unprivileged identity the daemon runs as after binding port 21.
User nobody
Group nogroup
# SQL-backed accounts have no Unix shell, so do not require one from /etc/shells.
RequireValidShell off
# Use the IANA registered ephemeral port range
# If you have a firewall, you should open this portrange
# (or change it)
# since ip_conntrack_ftp cannot decrypt TLS session.
PassivePorts 50000 60000
# Default-deny: nothing on the filesystem is reachable unless a more specific
# <Directory> block below explicitly re-allows it.
<Directory /*>
DenyAll
</Directory>
# The only tree users may touch: the web space under %%ALTERNC_HTML%%.
# This re-enables what the <Directory /*> DenyAll above removed; the homedirs
# returned by SQLUserInfo are presumably located under this path.
<Directory %%ALTERNC_HTML%%>
# New files are created 644 and new directories 755.
Umask 022 022
AllowOverwrite on
AllowAll
# Users may chmod their own files. NOTE(review): this also allows them to make
# files world-writable inside the web root; tighten this <Limit> if unwanted.
<Limit SITE_CHMOD>
AllowAll
</Limit>
</Directory>
2012-08-26 10:00:53 +00:00
# Per-source-IP connection cap (the string is the message sent when it is hit).
MaxClientsPerHost 8 "Sorry, no more than 8 simultaneous connections"
AccessGrantMsg "Welcome on AlternC, %u"
# database@host:port login password
# NOTE(review): the MySQL password is stored here in clear text; the generated
# proftpd.conf must stay readable by root only (e.g. 0640 root:root) - the
# daemon reads it while still root, before switching to "nobody".
SQLConnectInfo %%dbname%%@%%dbhost%%:3306 %%dbuser%% %%dbpwd%%
# Table : ftpusers
# Columns: login, password hash, uid (reused as gid), home directory, no shell column (NULL).
SQLUserInfo ftpusers name encrypted_password uid uid homedir NULL
# Password hash scheme. NOTE(review): "Crypt" selects crypt(3)-style hashes;
# MySQL's PASSWORD() scheme would be "SQLAuthTypes Backend" instead - confirm
# this matches what AlternC writes into encrypted_password.
SQLAuthTypes Crypt
# Only mysql authentication enabled
SQLAuthenticate users
AuthPAM off
# What this SQL query does (extra WHERE condition added to the user lookup):
# - the account must be enabled
# - check whether there is an IP restriction for this account. If there is none,
#   the result is the value of the 'auth_ip_ftp_default_yes' row of the variable
#   table, so unrestricted accounts are only accepted when that setting is true
# - if there is some restriction:
#   - convert the IP to an integer (if the conversion fails it is an IPv6 address;
#     MySQL 6 was expected to ship IPv6 functions, for MySQL 5 AlternC provides
#     its own inet_aton6())
#   - compute the last IP of the subnet. For a /32, keep the original IP
#   - check that the client's IP (%h) is within an allowed range
#   - also accept the ranges defined as "always allowed from everyone" (uid=0,
#     not uid=2000, because we may want restrictions on the root account too)
# NOTE(review): the range starts at inet_aton(ip) without masking the host
# bits, so the stored ip must be the network address (10.0.0.0/24, not
# 10.0.0.5/24) or the accepted range is shifted. %U (the login sent by the
# client) and %h are interpolated into SQL by mod_sql - confirm the MySQL
# backend escapes them before trusting this clause against attacker-chosen
# usernames.
SQLUserWhereClause " \
enabled = true and \
true in ( \
select if(count(*)>0,false,(select value from variable where name='auth_ip_ftp_default_yes')) \
from authorised_ip_affected aia, ftpusers f \
where cast(aia.parameters as signed integer)=f.id and f.name='%U'\
UNION \
select \
ifnull(inet_aton('%h'),inet_aton6('%h')) \
between ifnull(inet_aton(ip),inet_aton6(ip)) \
and ifnull( inet_aton(ip) + if(subnet=32,0,conv( lpad('',(32-subnet),'1'), 2 , 10)) , inet_aton6(ip) + conv( lpad('',(128-subnet),'1'), 2 , 10) ) \
from authorised_ip ai, authorised_ip_affected aia, ftpusers f \
where f.name='%U' and cast(aia.parameters as signed integer)=f.id and ai.id=aia.authorised_ip_id and aia.protocol='ftp' \
UNION \
select \
ifnull(inet_aton('%h'),inet_aton6('%h')) \
between ifnull(inet_aton(ip),inet_aton6(ip)) \
and ifnull( inet_aton(ip) + if(subnet=32,0,conv( lpad('',(32-subnet),'1'), 2 , 10)) , inet_aton6(ip) + conv( lpad('',(128-subnet),'1'), 2 , 10) ) \
from authorised_ip ai \
where ai.uid=0 \
) \
"
# Uncomment this line if you want to debug Proftpd's SQL
# (the log then records every query, including client-supplied login names).
#SQLLogFile /var/log/proftpd/sql.log
# Default : www-data.www-data (uid/gid 33), used when the SQL row gives no id.
SQLDefaultGID 33
SQLDefaultUID 33
# Minimum ID allowed to log in: rows with a uid below 33 (system accounts)
# are refused by mod_sql. Other users should use SFTP
SQLMinID 33
# We don't use Unix rights managment on AlternC, so let's hide real owner/group/rights
# (listings show the group "alternc" and the logged-in user as owner).
DirFakeGroup on alternc
DirFakeUser on ~
# Log file by default
SystemLog /var/log/proftpd/proftpd.log
TransferLog /var/log/proftpd/xferlog
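<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd/tls.log
# Only TLS 1.2 and 1.3. The previous value "TLSv1" pinned the server to
# TLS 1.0, which is deprecated (RFC 8996) and downgrade-prone.
# NOTE(review): older ProFTPD builds may reject the TLSv1.3 token at startup;
# on such a build drop the token rather than reverting to TLSv1.
TLSProtocol TLSv1.2 TLSv1.3
# Are clients required to use FTP over TLS when talking to this server?
# NOTE(review): "off" still accepts plain FTP logins, i.e. the account
# password crosses the network in clear; switch to "on" once all clients
# support explicit FTPS.
TLSRequired off
# Server's certificate
TLSRSACertificateFile /etc/ssl/certs/alternc-proftpd.pem
TLSRSACertificateKeyFile /etc/ssl/private/alternc-proftpd.key
# CA the server trusts (only needed when TLSVerifyClient is turned on)
# TLSCACertificateFile /etc/ftpd/root.cert.pem
# Authenticate clients that want to use FTP over TLS?
TLSVerifyClient off
# Allow SSL/TLS renegotiations when the client requests them, but
# do not force the renegotations. Some clients do not support
# SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
# clients will close the data connection, or there will be a timeout
# on an idle data connection.
TLSRenegotiate required off
# As of ProFTPD 1.3.3rc1, mod_tls only accepts SSL/TLS data connections that reuse
# the SSL session of the control connection, as a security measure.
# Unfortunately, there are some clients (e.g. curl) which do not reuse SSL sessions.
# To relax the requirement that the SSL session from the control connection
# be reused for data connections, use the following
# NOTE(review): relaxing it also drops the proof that a data connection belongs
# to the authenticated control session, i.e. the defence against a third party
# connecting to the passive data port; keep it only while such clients matter.
TLSOptions NoSessionReuseRequired
</IfModule>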