Initial release

Dockerfile

@@ -0,0 +1,13 @@
+FROM alpine:edge
+
+RUN  \
+    echo "http://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories && \
+    apk -U add proftpd proftpd-mod_tls proftpd-mod_auth_file proftpd-utils openssl && \
+    mkdir -p /var/run/proftpd
+
+COPY custom.conf /etc/proftpd/conf.d/custom.conf
+COPY run.sh /run.sh
+
+RUN chmod +x /run.sh
+ 
+ENTRYPOINT ["/run.sh"]

README.md

@@ -1,3 +1,42 @@
 # docker-ftps
 
-Simple container for FTP+TLS+authentication
+Simple container for FTP+TLS+authentication
+
+## build
+
+```bash
+docker build . -t my-ftps
+```
+
+## run
+
+```bash
+docker run -d --name my-ftps \
+  -p 21:21 -p 20:20 -p 50000-50500:50000-50500 \
+  -e "MASQUERADE=ftp.mydomain.com" \
+  -v "$PWD/auth:/auth" -v "$PWD/ftpdata:/home" \
+  -v "$PWD/certs:/certs" \
+  my-ftps
+```
+
+The *MASQUERADE* parameter is the only required one. You can use an IP address (which is discouraged) or a DNS name.
+You must provide valid certificates for TLS; if you use Lets'Encrypt, you can mofify like this:
+
+```bash
+docker run -d --name my-ftps \
+  -p 21:21 -p 20:20 -p 50000-50500:50000-50500 \
+  -e "MASQUERADE=ftp.mydomain.com" \
+  -v "$PWD/auth:/auth" -v "$PWD/ftpdata:/home" \
+  -v "/etc/letsencrypt/live/ftp.mydomain.com:/certs" \
+  my-ftps
+```
+
+## users management
+
+To change/set a password, do like this (replace "paolo" with the correct username):
+
+```bash
+docker exec -ti my-ftps ftpasswd --passwd --name=paolo --uid=1000 --home=/home/paolo --shell=/bin/false --file=/auth/passwd
+```
+
+You also have to create and chown the user's home folder.

custom.conf

@@ -0,0 +1,12 @@
+AuthOrder mod_auth_file.c
+AuthUserFile /auth/passwd
+RequireValidShell off
+ScoreBoardFile /run/proftpd/scoreboard
+PassivePorts 50000 50500
+AllowOverwrite  on
+WtmpLog off
+UseReverseDNS off
+DefaultRoot ~
+Maxclients 30
+MaxClientsPerHost 5
+

run.sh

@@ -0,0 +1,39 @@
+#!/bin/sh
+
+############ MASQUERADE
+
+MASQUERADE=${MASQUERADE:-127.0.0.1}
+echo "MasqueradeAddress ${MASQUERADE}" > /etc/proftpd/conf.d/masquerade.conf
+
+############ AUTH
+
+[ ! -f /auth/passwd ] && touch /auth/passwd
+
+chmod 0600 /auth/passwd
+chmod 0700 /auth
+
+############ TLS
+
+TLS_CERT=${TLS_CERT:-/certs/cert.pem}
+TLS_KEY=${TLS_KEY:-/certs/privkey.pem}
+TLS_CHAIN=${TLS_CHAIN:-/certs/chain.pem}
+
+cat <<EOF >/etc/proftpd/conf.d/tls.conf 
+<IfModule mod_tls.c>
+  TLSEngine                               on
+  TLSVerifyClient                         off
+  TLSRenegotiate                          none
+  TLSProtocol                             TLSv1.2
+  TLSRSACertificateFile                   $TLS_CERT
+  TLSRSACertificateKeyFile                $TLS_KEY
+  TLSCertificateChainFile                 $TLS_CHAIN
+  TLSCipherSuite                          "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-SHA:AES256-GCM-SHA384:AES256-SHA256:CAMELLIA256-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4" 
+  TLSOptions                              NoSessionReuseRequired AllowClientRenegotiations
+  TLSRequired                             on
+</IfModule>
+EOF
+
+
+############ START
+
+proftpd -n