
#
# ProFTPd configuration file for AlternC (this is the template the rendered
# /etc/proftpd/proftpd.conf is generated from).
# $Id: proftpd.conf,v 1.11 2006/01/17 12:04:14 benjamin Exp $
#
# %%warning_message%%
# version ETCH
#
# Comment convention: full-line "#" comments only; ProFTPd does not treat
# trailing text on a directive line as a comment.
# "%%name%%" tokens are presumably filled in by AlternC's template engine
# when the file is rendered — verify against the generator before editing.
#
# Includes required DSO modules. This is mandatory in proftpd 1.3
#
Include /etc/proftpd/modules.conf
ServerName "%%hosting%%"
# Replace the default greeting so the banner does not disclose the
# ProFTPd version string.
ServerIdent on "FTP Server Ready"
ServerType standalone
DeferWelcome on
ShowSymlinks on
MultilineRFC2228 on
DefaultServer on
AllowOverwrite on
AllowStoreRestart on
# Chroot every session to the user's home directory.
DefaultRoot ~
UseReverseDNS off
IdentLookups off
UseIPv6 off
# Timeouts are in seconds.
TimeoutNoTransfer 600
TimeoutStalled 600
TimeoutIdle 1200
DisplayLogin /etc/welcome.msg
# lenny-only
#DisplayChdir .message
ListOptions "-al"
# Regular expression matched against command arguments; a match is rejected.
DenyFilter \*.*/
Port 21
MaxInstances 30
# Unprivileged identity the daemon runs as.
User nobody
Group nogroup
# SQL-backed accounts have no login shell listed in /etc/shells.
RequireValidShell off
# Use the IANA registered ephemeral port range
# If you have a firewall, you should open this portrange
# (or change it)
# since ip_conntrack_ftp cannot decrypt TLS session.
PassivePorts 49152 65534
# Deny everything by default; access is opened only for the AlternC
# web root below.
<Directory /*>
DenyAll
</Directory>
<Directory /var/alternc/html>
# Umask for new files, then for new directories.
Umask 022 022
AllowOverwrite on
# Limit the allowed bandwidth for each connection, prevent resource hold-up ;)
# Rates are in KB/s, applied to downloads (RETR) and uploads (APPE, STOR).
TransferRate RETR 64
TransferRate APPE,STOR 64
AllowAll
</Directory>
MaxClientsPerHost 6 "Sorry, no more than 6 simultaneous connections"
# %u expands to the logged-in user name.
AccessGrantMsg "Welcome on AlternC, %u"
# database@host:port login password
# The rendered file carries the database password in clear text; keep it
# readable only by the account that starts proftpd.
SQLConnectInfo %%dbname%%@%%dbhost%%:3306 %%dbuser%% %%dbpwd%%
# Table : ftpusers — columns: user name, password hash, uid, gid (the uid
# column is reused as gid), home directory; no shell column (NULL).
SQLUserInfo ftpusers name encrypted_password uid uid homedir NULL
# Use mysql PASSWORD function
# NOTE(review): the comment above mentions MySQL PASSWORD(), but "Crypt"
# selects crypt(3)-style hashes — confirm which format encrypted_password
# actually holds before changing either line.
SQLAuthTypes Crypt
# Only mysql authentication enabled
SQLAuthenticate users
AuthPAM off
# What this SQL query does:
# - check whether there is an IP limitation for this account. If there isn't, allow everyone (by returning TRUE)
# - if there is some limitation:
#   - convert the IP to an integer (if conversion is impossible, it's an IPv6 address. MySQL 6 will have IPv6 functions; for MySQL 5 AlternC creates its own function)
#   - calculate the last IP of the subnet. If the subnet is /32, return the original IP
#   - check that the user's IP is in an allowed range
# - add the IP ranges that are defined as "always allowed for everyone" (uid=0. Not uid=2000, because we might want some limitation on the root account too)
# %U and %h are substituted by mod_sql (the login name and the client host);
# with UseReverseDNS off the host is presumably the raw IP address, which the
# inet_aton() calls below rely on — confirm on the target proftpd version.
# NOTE(review): %U is spliced into the query text; confirm that mod_sql
# escapes it for the MySQL backend before relying on this clause.
# The clause is one backslash-continued string: do not insert comment lines
# inside it.
SQLUserWhereClause " \
true in ( \
select if(count(*)>0,false,(select value from variable where name='auth_ip_ftp_default_yes')) \
from authorised_ip_affected aia, ftpusers f \
where cast(aia.parameters as signed integer)=f.id and f.name='%U'\
UNION \
select \
ifnull(inet_aton('%h'),inet_aton6('%h')) \
between ifnull(inet_aton(ip),inet_aton6(ip)) \
and ifnull( inet_aton(ip) + if(subnet=32,0,conv( lpad('',(32-subnet),'1'), 2 , 10)) , inet_aton6(ip) + conv( lpad('',(128-subnet),'1'), 2 , 10) ) \
from authorised_ip ai, authorised_ip_affected aia, ftpusers f \
where f.name='%U' and cast(aia.parameters as signed integer)=f.id and ai.id=aia.authorised_ip_id and aia.protocol='ftp' \
UNION \
select \
ifnull(inet_aton('%h'),inet_aton6('%h')) \
between ifnull(inet_aton(ip),inet_aton6(ip)) \
and ifnull( inet_aton(ip) + if(subnet=32,0,conv( lpad('',(32-subnet),'1'), 2 , 10)) , inet_aton6(ip) + conv( lpad('',(128-subnet),'1'), 2 , 10) ) \
from authorised_ip ai \
where ai.uid=0 \
) \
"
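# Uncomment this line if you want to debug Proftpd's SQL
#SQLLogFile /var/log/proftpd/sql.log
# Default : www-data.www-data
SQLDefaultGID 33
SQLDefaultUID 33
# Minimum ID allowed to log in. Other users should use SFTP
# (logins resolving to a uid/gid below this value are refused).
SQLMinID 33
# We don't use Unix rights management on AlternC, so let's hide real owner/group/rights
DirFakeGroup on alternc
DirFakeMode 0640
DirFakeUser on ~
# And chmod command is forbidden too :
<Limit SITE_CHMOD>
DenyAll
</Limit>
# (UseIPv6 is set once, near the top of this file; the duplicate that used
# to sit here was dropped.)
# Log file by default
SystemLog /var/log/proftpd/proftpd.log
TransferLog /var/log/proftpd/xferlog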
<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd/tls.log
# NOTE(review): TLSv1 (1.0) only — a legacy protocol that current clients
# reject and that fails present-day hardening baselines. Newer mod_tls
# accepts e.g. "TLSProtocol TLSv1.2 TLSv1.3"; keep TLSv1 only while the
# target proftpd build cannot parse the newer values.
TLSProtocol TLSv1
# Are clients required to use FTP over TLS when talking to this server?
# "off" means plain-text logins are still accepted, so the SQL-backed
# credentials can cross the network unencrypted; set to "on" once all
# clients support TLS.
TLSRequired off
# Server's certificate
# (judging by the path it is shared with Apache, so a key compromise affects
# both services; the private key is presumably bundled in the same .pem,
# since no TLSRSACertificateKeyFile is active below)
TLSRSACertificateFile /etc/alternc/apache.pem
# TLSRSACertificateKeyFile /etc/ftpd/server.key.pem
# CA the server trusts
# TLSCACertificateFile /etc/ftpd/root.cert.pem
# Authenticate clients that want to use FTP over TLS?
TLSVerifyClient off
# Allow SSL/TLS renegotiations when the client requests them, but
# do not force the renegotiations. Some clients do not support
# SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
# clients will close the data connection, or there will be a timeout
# on an idle data connection.
TLSRenegotiate required off
</IfModule>