diff --git a/README.md b/README.md
index fb87566..08ed294 100644
--- a/README.md
+++ b/README.md
@@ -35,24 +35,25 @@ The image is based on `ubuntu:24.04`, providing a stable and up-to-date environm
 The following environment variables can be used to customize the ProFTPD server:
-| Variable | Description | Default Value |
-|----------|-------------|---------------|
-| `FTP_DEBUG_LEVEL` | Sets the debug level for ProFTPD | 0 |
-| `FTP_LOG_LEVEL` | Sets the syslog level for ProFTPD | warn |
-| `FTP_MASQUERADE_ADDRESS` | IP address or hostname for passive mode connections | - |
-| `FTP_PASSIVE_PORT_RANGE_START` | Start of the passive port range | 60000 |
-| `FTP_PASSIVE_PORT_RANGE_END` | End of the passive port range | 60100 |
-| `FTP_SQL_USERS_TABLE` | MySQL table to authenticate users against | ftpusers |
-| `FTP_TLS_CERTIFICATE_FILE` | SSL certificate file | /etc/ssl/ftp/proftpd.crt |
-| `FTP_TLS_CERTIFICATE_KEY_FILE` | SSL certificate key file | /etc/ssl/ftp/proftpd.key |
-| `FTP_TLS_REQUIRED` | Require TLS | off |
-| `FTP_TLS_WAIT_FOR_CERTIFICATE` | Wait for the SSL certificate to be generated (helpful if you're using something like Let's Encrypt to generate the certificate) | false |
-| `FTP_TLS_WAIT_TIMEOUT` | Timeout for waiting for the SSL certificate to be generated | 60 |
-| `MYSQL_DATABASE` | MySQL database name | ftpdb |
-| `MYSQL_HOST` | MySQL host | mysql |
-| `MYSQL_PASSWORD` | MySQL password | ftppassword |
-| `MYSQL_PORT` | MySQL port | 3306 |
-| `MYSQL_USER` | MySQL user | ftpuser |
+| Variable | Description | Default Value |
+|----------|---------------------------------------------------------------------------------------------------------------------------------|--------------------------|
+| `FTP_DEBUG_LEVEL` | Sets the debug level for ProFTPD | 0 |
+| `FTP_LOG_LEVEL` | Sets the syslog level for ProFTPD | warn |
+| `FTP_MASQUERADE_ADDRESS` | IP address or hostname for passive mode connections | - |
+| `FTP_PASSIVE_PORT_RANGE_START` | Start of the passive port range | 60000 |
+| `FTP_PASSIVE_PORT_RANGE_END` | End of the passive port range | 60100 |
+| `FTP_SQL_USERS_TABLE` | MySQL table to authenticate users against | ftpusers |
+| `FTP_TLS_CERTIFICATE_FILE` | SSL certificate file | /etc/ssl/ftp/proftpd.crt |
+| `FTP_TLS_CERTIFICATE_KEY_FILE` | SSL certificate key file | /etc/ssl/ftp/proftpd.key |
+| `FTP_TLS_CERT_TYPE` | TLS certificate type (allowed: rsa, ec) | rsa |
+| `FTP_TLS_REQUIRED` | Require TLS | off |
+| `FTP_TLS_WAIT_FOR_CERTIFICATE` | Wait for the SSL certificate to be generated (helpful if you're using something like Let's Encrypt to generate the certificate) | false |
+| `FTP_TLS_WAIT_TIMEOUT` | Timeout for waiting for the SSL certificate to be generated | 60 |
+| `MYSQL_DATABASE` | MySQL database name | ftpdb |
+| `MYSQL_HOST` | MySQL host | mysql |
+| `MYSQL_PASSWORD` | MySQL password | ftppassword |
+| `MYSQL_PORT` | MySQL port | 3306 |
+| `MYSQL_USER` | MySQL user | ftpuser |
 ## Build Defaults
diff --git a/src/Dockerfile b/src/Dockerfile
index e275bda..bf72208 100644
--- a/src/Dockerfile
+++ b/src/Dockerfile
@@ -16,6 +16,7 @@ ENV DEBIAN_FRONTEND=noninteractive \
 FTP_SQL_USERS_TABLE=ftpusers \
 FTP_TLS_CERTIFICATE_FILE=/etc/ssl/ftp/proftpd.crt \
 FTP_TLS_CERTIFICATE_KEY_FILE=/etc/ssl/ftp/proftpd.key \
+ FTP_TLS_CERT_TYPE=rsa \
 FTP_TLS_REQUIRED=off \
 FTP_TLS_WAIT_FOR_CERTIFICATE=false \
 FTP_TLS_WAIT_TIMEOUT=60 \
@@ -41,6 +42,7 @@ RUN apt-get update && apt-get install -y \
 # Copy configuration files
 COPY proftpd.conf /etc/proftpd/proftpd.conf
+COPY conf.d/ /etc/proftpd/conf.d/
 # Create a user for ProFTPD
 RUN useradd -r -s /bin/false ${FTP_USER}
@@ -67,4 +69,4 @@ HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
 CMD pgrep proftpd || exit 1
 # Start ProFTPD
-CMD ["proftpd", "--nodaemon"]
\ No newline at end of file
+CMD ["proftpd", "--nodaemon"]
diff --git a/src/conf.d/tls-ec.conf b/src/conf.d/tls-ec.conf
new file mode 100644
index 0000000..c776dcb
--- /dev/null
+++ b/src/conf.d/tls-ec.conf
@@ -0,0 +1,2 @@
+TLSECCertificateFile %{env:FTP_TLS_CERTIFICATE_FILE}
+TLSECCertificateKeyFile %{env:FTP_TLS_CERTIFICATE_KEY_FILE}
diff --git a/src/conf.d/tls-rsa.conf b/src/conf.d/tls-rsa.conf
new file mode 100644
index 0000000..3f246ab
--- /dev/null
+++ b/src/conf.d/tls-rsa.conf
@@ -0,0 +1,2 @@
+TLSRSACertificateFile %{env:FTP_TLS_CERTIFICATE_FILE}
+TLSRSACertificateKeyFile %{env:FTP_TLS_CERTIFICATE_KEY_FILE}
diff --git a/src/proftpd.conf b/src/proftpd.conf
index 593317e..538260e 100644
--- a/src/proftpd.conf
+++ b/src/proftpd.conf
@@ -57,8 +57,8 @@ AllowOverwrite on
 TLSEngine on
 TLSLog /var/log/proftpd/tls.log
 TLSProtocol TLSv1.2 TLSv1.3
-TLSRSACertificateFile %{env:FTP_TLS_CERTIFICATE_FILE}
-TLSRSACertificateKeyFile %{env:FTP_TLS_CERTIFICATE_KEY_FILE}
+# Select RSA vs EC certs via FTP_TLS_CERT_TYPE (rsa|ec)
+Include /etc/proftpd/conf.d/tls-%{env:FTP_TLS_CERT_TYPE}.conf
 TLSRequired %{env:FTP_TLS_REQUIRED}
 # Logging
@@ -130,4 +130,4 @@ AuthPAM off
 # Control connection policy
 BanControlsACLs all allow user proftpd_user
 BanMessage "Host %a has been banned"
-
\ No newline at end of file
+
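Review bot: The new `Include /etc/proftpd/conf.d/tls-%{env:FTP_TLS_CERT_TYPE}.conf` line builds a file path from an environment value that nothing in this change validates; the comment above it promises `rsa|ec`, but a typo, an empty value or a stray path component yields an unexpected include path and, at best, a ProFTPD startup failure with an unhelpful parse error instead of a clear message. Because the image only sets a default (`FTP_TLS_CERT_TYPE=rsa` in the Dockerfile ENV hunk) and launches proftpd directly from CMD, the check has to live in a small entrypoint or start script that runs before proftpd, e.g. `case "${FTP_TLS_CERT_TYPE}" in rsa|ec) ;; *) echo "FTP_TLS_CERT_TYPE must be rsa or ec" >&2; exit 1 ;; esac`. The existing mod_tls directives already rely on `%{env:...}` expansion, so I assume the core parser expands Include arguments the same way; worth confirming against the ProFTPD version shipped in the image, since the removed lines only exercised that expansion on mod_tls directives.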