paspo
/
docker-ftps
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Initial release

This commit is contained in:
Paolo Asperti 2019-05-18 00:41:50 +02:00
parent f8cfba8b9c
commit 6b93aae155
Signed by: paspo
GPG Key ID: 06D46905D19D5182
4 changed files with 104 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
Dockerfile Normal file
View File

@ -0,0 +1,13 @@
FROM alpine:edge
RUN \
echo "http://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories && \
apk -U add proftpd proftpd-mod_tls proftpd-mod_auth_file proftpd-utils openssl && \
mkdir -p /var/run/proftpd
COPY custom.conf /etc/proftpd/conf.d/custom.conf
COPY run.sh /run.sh
RUN chmod +x /run.sh
ENTRYPOINT ["/run.sh"]

41
README.md
View File

@ -1,3 +1,42 @@
# docker-ftps
Simple container for FTP+TLS+authentication
Simple container for FTP+TLS+authentication
## build
```bash
docker build . -t my-ftps
```
## run
```bash
docker run -d --name my-ftps \
-p 21:21 -p 20:20 -p 50000-50500:50000-50500 \
-e "MASQUERADE=ftp.mydomain.com" \
-v "$PWD/auth:/auth" -v "$PWD/ftpdata:/home" \
-v "$PWD/certs:/certs" \
my-ftps
```
The *MASQUERADE* parameter is the only required one. You can use an IP address (which is discouraged) or a DNS name.
You must provide valid certificates for TLS; if you use Lets'Encrypt, you can mofify like this:
```bash
docker run -d --name my-ftps \
-p 21:21 -p 20:20 -p 50000-50500:50000-50500 \
-e "MASQUERADE=ftp.mydomain.com" \
-v "$PWD/auth:/auth" -v "$PWD/ftpdata:/home" \
-v "/etc/letsencrypt/live/ftp.mydomain.com:/certs" \
my-ftps
```
## users management
To change/set a password, do like this (replace "paolo" with the correct username):
```bash
docker exec -ti my-ftps ftpasswd --passwd --name=paolo --uid=1000 --home=/home/paolo --shell=/bin/false --file=/auth/passwd
```
You also have to create and chown the user's home folder.

12
custom.conf Normal file
View File

@ -0,0 +1,12 @@
AuthOrder mod_auth_file.c
AuthUserFile /auth/passwd
RequireValidShell off
ScoreBoardFile /run/proftpd/scoreboard
PassivePorts 50000 50500
AllowOverwrite on
WtmpLog off
UseReverseDNS off
DefaultRoot ~
Maxclients 30
MaxClientsPerHost 5

39
run.sh Normal file
View File

@ -0,0 +1,39 @@
#!/bin/sh
############ MASQUERADE
MASQUERADE=${MASQUERADE:-127.0.0.1}
echo "MasqueradeAddress ${MASQUERADE}" > /etc/proftpd/conf.d/masquerade.conf
############ AUTH
[ ! -f /auth/passwd ] && touch /auth/passwd
chmod 0600 /auth/passwd
chmod 0700 /auth
############ TLS
TLS_CERT=${TLS_CERT:-/certs/cert.pem}
TLS_KEY=${TLS_KEY:-/certs/privkey.pem}
TLS_CHAIN=${TLS_CHAIN:-/certs/chain.pem}
cat <<EOF >/etc/proftpd/conf.d/tls.conf
<IfModule mod_tls.c>
TLSEngine on
TLSVerifyClient off
TLSRenegotiate none
TLSProtocol TLSv1.2
TLSRSACertificateFile $TLS_CERT
TLSRSACertificateKeyFile $TLS_KEY
TLSCertificateChainFile $TLS_CHAIN
TLSCipherSuite "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-SHA:AES256-GCM-SHA384:AES256-SHA256:CAMELLIA256-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
TLSOptions NoSessionReuseRequired AllowClientRenegotiations
TLSRequired on
</IfModule>
EOF
############ START
proftpd -n