37 changes: 19 additions & 18 deletions README.md
Expand Up @@ -35,24 +35,25 @@ The image is based on `ubuntu:24.04`, providing a stable and up-to-date environm

The following environment variables can be used to customize the ProFTPD server:

| Variable | Description | Default Value |
|----------|-------------|---------------|
| `FTP_DEBUG_LEVEL` | Sets the debug level for ProFTPD | 0 |
| `FTP_LOG_LEVEL` | Sets the syslog level for ProFTPD | warn |
| `FTP_MASQUERADE_ADDRESS` | IP address or hostname for passive mode connections | - |
| `FTP_PASSIVE_PORT_RANGE_START` | Start of the passive port range | 60000 |
| `FTP_PASSIVE_PORT_RANGE_END` | End of the passive port range | 60100 |
| `FTP_SQL_USERS_TABLE` | MySQL table to authenticate users against | ftpusers |
| `FTP_TLS_CERTIFICATE_FILE` | SSL certificate file | /etc/ssl/ftp/proftpd.crt |
| `FTP_TLS_CERTIFICATE_KEY_FILE` | SSL certificate key file | /etc/ssl/ftp/proftpd.key |
| `FTP_TLS_REQUIRED` | Require TLS | off |
| `FTP_TLS_WAIT_FOR_CERTIFICATE` | Wait for the SSL certificate to be generated (helpful if you're using something like Let's Encrypt to generate the certificate) | false |
| `FTP_TLS_WAIT_TIMEOUT` | Timeout for waiting for the SSL certificate to be generated | 60 |
| `MYSQL_DATABASE` | MySQL database name | ftpdb |
| `MYSQL_HOST` | MySQL host | mysql |
| `MYSQL_PASSWORD` | MySQL password | ftppassword |
| `MYSQL_PORT` | MySQL port | 3306 |
| `MYSQL_USER` | MySQL user | ftpuser |
| Variable | Description | Default Value |
|----------|---------------------------------------------------------------------------------------------------------------------------------|--------------------------|
| `FTP_DEBUG_LEVEL` | Sets the debug level for ProFTPD | 0 |
| `FTP_LOG_LEVEL` | Sets the syslog level for ProFTPD | warn |
| `FTP_MASQUERADE_ADDRESS` | IP address or hostname for passive mode connections | - |
| `FTP_PASSIVE_PORT_RANGE_START` | Start of the passive port range | 60000 |
| `FTP_PASSIVE_PORT_RANGE_END` | End of the passive port range | 60100 |
| `FTP_SQL_USERS_TABLE` | MySQL table to authenticate users against | ftpusers |
| `FTP_TLS_CERTIFICATE_FILE` | SSL certificate file | /etc/ssl/ftp/proftpd.crt |
| `FTP_TLS_CERTIFICATE_KEY_FILE` | SSL certificate key file | /etc/ssl/ftp/proftpd.key |
| `FTP_TLS_CERT_TYPE` | TLS certificate type (allowed: rsa, ec) | rsa |
| `FTP_TLS_REQUIRED` | Require TLS | off |
| `FTP_TLS_WAIT_FOR_CERTIFICATE` | Wait for the SSL certificate to be generated (helpful if you're using something like Let's Encrypt to generate the certificate) | false |
| `FTP_TLS_WAIT_TIMEOUT` | Timeout for waiting for the SSL certificate to be generated | 60 |
| `MYSQL_DATABASE` | MySQL database name | ftpdb |
| `MYSQL_HOST` | MySQL host | mysql |
| `MYSQL_PASSWORD` | MySQL password | ftppassword |
| `MYSQL_PORT` | MySQL port | 3306 |
| `MYSQL_USER` | MySQL user | ftpuser |

## Build Defaults

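Review bot: the new `FTP_TLS_CERT_TYPE` row lists the allowed values (`rsa`, `ec`) but not what happens with anything else, and the value is used verbatim in the `Include` path added to src/proftpd.conf. Say in the description that it must be exactly lowercase `rsa` or `ec`, and that the files named by `FTP_TLS_CERTIFICATE_FILE` and `FTP_TLS_CERTIFICATE_KEY_FILE` must hold a certificate and key of that type. Re-padding every other row also turns a one-row addition into a 37-line change; leaving the column widths alone would let the added row stand out in review.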
4 changes: 3 additions & 1 deletion src/Dockerfile
Expand Up @@ -16,6 +16,7 @@ ENV DEBIAN_FRONTEND=noninteractive \
FTP_SQL_USERS_TABLE=ftpusers \
FTP_TLS_CERTIFICATE_FILE=/etc/ssl/ftp/proftpd.crt \
FTP_TLS_CERTIFICATE_KEY_FILE=/etc/ssl/ftp/proftpd.key \
FTP_TLS_CERT_TYPE=rsa \
FTP_TLS_REQUIRED=off \
FTP_TLS_WAIT_FOR_CERTIFICATE=false \
FTP_TLS_WAIT_TIMEOUT=60 \
Expand All @@ -41,6 +42,7 @@ RUN apt-get update && apt-get install -y \

# Copy configuration files
COPY proftpd.conf /etc/proftpd/proftpd.conf
COPY conf.d/ /etc/proftpd/conf.d/

# Create a user for ProFTPD
RUN useradd -r -s /bin/false ${FTP_USER}
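Review bot: `COPY conf.d/ /etc/proftpd/conf.d/` places both tls-rsa.conf and tls-ec.conf in a directory that is commonly included wholesale; if proftpd.conf or anything it includes has an `Include /etc/proftpd/conf.d/` line, both fragments load regardless of `FTP_TLS_CERT_TYPE`. Please confirm no such include exists, or copy the fragments to a directory used only by this selector. COPY also merges into an existing directory, so any files already present under /etc/proftpd/conf.d/ in the image stay next to the two new ones.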
Expand All @@ -67,4 +69,4 @@ HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
CMD pgrep proftpd || exit 1

# Start ProFTPD
CMD ["proftpd", "--nodaemon"]
CMD ["proftpd", "--nodaemon"]
2 changes: 2 additions & 0 deletions src/conf.d/tls-ec.conf
@@ -0,0 +1,2 @@
TLSECCertificateFile %{env:FTP_TLS_CERTIFICATE_FILE}
TLSECCertificateKeyFile %{env:FTP_TLS_CERTIFICATE_KEY_FILE}
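Review bot: both lines read the same `FTP_TLS_CERTIFICATE_FILE` and `FTP_TLS_CERTIFICATE_KEY_FILE` variables as tls-rsa.conf, so the key type is asserted only by `FTP_TLS_CERT_TYPE` and nothing checks that the mounted key is actually an EC key. Suggest a header comment in both fragments naming the selector variable that pulls them in, and a startup check that the key algorithm matches the selected type, which matters most when `FTP_TLS_WAIT_FOR_CERTIFICATE` is used and the certificate is produced by an external tool.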
2 changes: 2 additions & 0 deletions src/conf.d/tls-rsa.conf
@@ -0,0 +1,2 @@
TLSRSACertificateFile %{env:FTP_TLS_CERTIFICATE_FILE}
TLSRSACertificateKeyFile %{env:FTP_TLS_CERTIFICATE_KEY_FILE}
6 changes: 3 additions & 3 deletions src/proftpd.conf
Expand Up @@ -57,8 +57,8 @@ AllowOverwrite on
TLSEngine on
TLSLog /var/log/proftpd/tls.log
TLSProtocol TLSv1.2 TLSv1.3
TLSRSACertificateFile %{env:FTP_TLS_CERTIFICATE_FILE}
TLSRSACertificateKeyFile %{env:FTP_TLS_CERTIFICATE_KEY_FILE}
# Select RSA vs EC certs via FTP_TLS_CERT_TYPE (rsa|ec)
Include /etc/proftpd/conf.d/tls-%{env:FTP_TLS_CERT_TYPE}.conf
TLSRequired %{env:FTP_TLS_REQUIRED}

# Logging
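Review bot: on the `Include /etc/proftpd/conf.d/tls-%{env:FTP_TLS_CERT_TYPE}.conf` line the environment value becomes part of a file path with no validation. Any value other than `rsa` or `ec` (for example `RSA` or `ecdsa`) names a file this PR does not ship while `TLSEngine on` stays in effect, and a value containing `/` or `..` would resolve outside conf.d. Suggest checking the variable against the two allowed values at container start and exiting with a clear message otherwise. The comment above the Include could also name the two fragment files, conf.d/tls-rsa.conf and conf.d/tls-ec.conf, so a reader of proftpd.conf can find the certificate directives.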
Expand Down Expand Up @@ -130,4 +130,4 @@ AuthPAM off
# Control connection policy
BanControlsACLs all allow user proftpd_user
BanMessage "Host %a has been banned"
</IfModule>
</IfModule>