#
# Fichier de configuration de ProFTPd pour AlternC
# $Id: proftpd.conf,v 1.11 2006/01/17 12:04:14 benjamin Exp $
# 
# %%warning_message%%
# version ETCH

#
# Includes required DSO modules. This is mandatory in proftpd 1.3
#
Include /etc/proftpd/modules.conf

ServerName                      "%%hosting%%"
ServerIdent                     on "FTP Server Ready"
ServerType                      standalone
DeferWelcome                    on

ShowSymlinks                    on
MultilineRFC2228                on
DefaultServer                   on
AllowOverwrite                  on
AllowStoreRestart               on
DefaultRoot                     ~
UseReverseDNS                   off
IdentLookups                    off
UseIPv6 			off

TimeoutNoTransfer               600
TimeoutStalled                  600
TimeoutIdle                     1200

DisplayLogin                    /etc/welcome.msg
# lenny-only
#DisplayChdir                    .message

ListOptions                     "-al"

DenyFilter                      \*.*/
Port                            21
MaxInstances                    30
User                            nobody
Group                           nogroup
RequireValidShell		off

# Use the IANA registered ephemeral port range
# If you have a firewall, you should open this portrange 
# (or change it)
# since ip_conntrack_ftp cannot decrypt TLS session.
PassivePorts 49152 65534

<Directory /*>
        DenyAll
</Directory>

<Directory /var/alternc/html>
  Umask                         022  022
  AllowOverwrite                on
# Limit the allowed bandwith for each connexion, prevent ressource hold-up ;) 
TransferRate RETR 64
TransferRate APPE,STOR 64

  AllowAll
</Directory>

MaxClientsPerHost 6 "Sorry, no more than 6 simultaneous connections"
AccessGrantMsg  "Welcome on AlternC, %u"

# database@host:port login password
SQLConnectInfo                  %%dbname%%@%%dbhost%%:3306 %%dbuser%% %%dbpwd%%
# Table :
SQLUserInfo ftpusers name encrypted_password 33 uid homedir NULL

# Use mysql PASSWORD function
SQLAuthTypes                    Crypt
# Only mysql authentication enabled
SQLAuthenticate users
AuthPAM                         off

# What this SQL query do :
# - check if there is IP limitation for this account. If there isn't, allow everyone (by returning a TRUE)
# - if there is some limitation :
#    - convert ip to integer (if convert impossible, it's an ipv6. Mysql6 will have ipv6 function, for mysql5 alternc create some function)
#    - calculate the last IP of the subnet. If the subnet is 32, return the original IP
#    - check that the user's ip is in an allowed range
# - add the IP range who are defined as "always from everyone" (uid=0. Not uid=2000, because we could want to have some limitation for the root account)
SQLUserWhereClause " \
true in ( \
select if(count(*)>0,false,(select value from variable where name='auth_ip_ftp_default_yes')) \
from authorised_ip_affected aia, ftpusers f \
where cast(aia.parameters as signed integer)=f.id and f.name='%U'\
UNION \
select \
  ifnull(inet_aton('%h'),inet_aton6('%h')) \
    between ifnull(inet_aton(ip),inet_aton6(ip)) \
    and  ifnull( inet_aton(ip) + if(subnet=32,0,conv( lpad('',(32-subnet),'1'), 2 , 10)) ,   inet_aton6(ip) + conv( lpad('',(128-subnet),'1'), 2 , 10)  ) \
from authorised_ip ai, authorised_ip_affected aia, ftpusers f \
where f.name='%U' and cast(aia.parameters as signed integer)=f.id  and ai.id=aia.authorised_ip_id and aia.protocol='ftp' \
UNION \
select \
  ifnull(inet_aton('%h'),inet_aton6('%h')) \
    between ifnull(inet_aton(ip),inet_aton6(ip)) \
    and  ifnull( inet_aton(ip) + if(subnet=32,0,conv( lpad('',(32-subnet),'1'), 2 , 10)) ,   inet_aton6(ip) + conv( lpad('',(128-subnet),'1'), 2 , 10)  ) \
from authorised_ip ai \
where ai.uid=0 \
) \
"

# Uncomment this line if you want to debug Proftpd's SQL
#SQLLogFile /var/log/proftpd/sql.log

# Default : www-data.www-data
SQLDefaultGID                   33
SQLDefaultUID                   33
# Minimum ID allowed to log in. Other users should use SFTP
SQLMinID                        33

# We don't use Unix rights managment on AlternC, so let's hide real owner/group/rights
DirFakeGroup    on alternc
DirFakeMode     0640
DirFakeUser     on ~

# And chmod command is forbidden too : 
<Limit SITE_CHMOD>
        DenyAll
</Limit>

UseIPv6 off

# Log file by default
SystemLog /var/log/proftpd/proftpd.log
TransferLog /var/log/proftpd/xferlog

<IfModule mod_tls.c>
       TLSEngine on
       TLSLog /var/log/proftpd/tls.log
       TLSProtocol TLSv1

       # Are clients required to use FTP over TLS when talking to this server?
       TLSRequired off

       # Server's certificate
       TLSRSACertificateFile /etc/alternc/apache.pem
       # TLSRSACertificateKeyFile /etc/ftpd/server.key.pem

       # CA the server trusts
       # TLSCACertificateFile /etc/ftpd/root.cert.pem

       # Authenticate clients that want to use FTP over TLS?
       TLSVerifyClient off

       # Allow SSL/TLS renegotiations when the client requests them, but
       # do not force the renegotations.  Some clients do not support
       # SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
       # clients will close the data connection, or there will be a timeout
       # on an idle data connection.
       TLSRenegotiate required off
</IfModule>