diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..c502d52
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,13 @@
+FROM alpine:edge
+
+RUN \
+ echo "http://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories && \
+ apk -U add proftpd proftpd-mod_tls proftpd-mod_auth_file proftpd-utils openssl && \
+ mkdir -p /var/run/proftpd
+
+COPY custom.conf /etc/proftpd/conf.d/custom.conf
+COPY run.sh /run.sh
+
+RUN chmod +x /run.sh
+
+ENTRYPOINT ["/run.sh"]
diff --git a/README.md b/README.md
index 769264b..860c29a 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,42 @@
 # docker-ftps
-Simple container for FTP+TLS+authentication
+Simple container for FTP+TLS+authentication
+
+## build
+
+```bash
+docker build . -t my-ftps
+```
+
+## run
+
+```bash
+docker run -d --name my-ftps \
+ -p 21:21 -p 20:20 -p 50000-50500:50000-50500 \
+ -e "MASQUERADE=ftp.mydomain.com" \
+ -v "$PWD/auth:/auth" -v "$PWD/ftpdata:/home" \
+ -v "$PWD/certs:/certs" \
+ my-ftps
+```
+
+The *MASQUERADE* parameter is the only required one. You can use an IP address (which is discouraged) or a DNS name.
+You must provide valid certificates for TLS; if you use Lets'Encrypt, you can mofify like this:
+
+```bash
+docker run -d --name my-ftps \
+ -p 21:21 -p 20:20 -p 50000-50500:50000-50500 \
+ -e "MASQUERADE=ftp.mydomain.com" \
+ -v "$PWD/auth:/auth" -v "$PWD/ftpdata:/home" \
+ -v "/etc/letsencrypt/live/ftp.mydomain.com:/certs" \
+ my-ftps
+```
+
+## users management
+
+To change/set a password, do like this (replace "paolo" with the correct username):
+
+```bash
+docker exec -ti my-ftps ftpasswd --passwd --name=paolo --uid=1000 --home=/home/paolo --shell=/bin/false --file=/auth/passwd
+```
+
+You also have to create and chown the user's home folder.
diff --git a/custom.conf b/custom.conf
new file mode 100644
index 0000000..a2a91ab
--- /dev/null
+++ b/custom.conf
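Review bot: `FROM alpine:edge` together with appending the `edge/testing` repository and the unpinned `apk -U add proftpd ...` means every rebuild pulls whatever the rolling branch ships that day, so the version of the internet-facing FTP daemon can change silently between builds and is not traceable from the image; pin the base tag (or digest) and the packages, e.g. `apk add --no-cache proftpd=<version> proftpd-mod_tls=<version> ...`, which also keeps the apk index that `-U` fetches out of the layer. The `mkdir -p /var/run/proftpd` line creates a different path than the `ScoreBoardFile /run/proftpd/scoreboard` configured in custom.conf; on Alpine `/var/run` is normally a symlink to `/run`, so it likely works, but creating `/run/proftpd` directly removes the dependency on that. `RUN chmod +x /run.sh` can be folded into the copy as `COPY --chmod=755 run.sh /run.sh` under BuildKit, saving a layer. The image has no `USER`, so the entrypoint and daemon start as root; proftpd only drops privileges after binding port 21 if a `User`/`Group` pair is configured, and this diff does not show one.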
@@ -0,0 +1,12 @@
+AuthOrder mod_auth_file.c
+AuthUserFile /auth/passwd
+RequireValidShell off
+ScoreBoardFile /run/proftpd/scoreboard
+PassivePorts 50000 50500
+AllowOverwrite on
+WtmpLog off
+UseReverseDNS off
+DefaultRoot ~
+Maxclients 30
+MaxClientsPerHost 5
+
diff --git a/run.sh b/run.sh
new file mode 100644
index 0000000..d21d352
--- /dev/null
+++ b/run.sh
@@ -0,0 +1,39 @@
+#!/bin/sh
+
+############ MASQUERADE
+
+MASQUERADE=${MASQUERADE:-127.0.0.1}
+echo "MasqueradeAddress ${MASQUERADE}" > /etc/proftpd/conf.d/masquerade.conf
+
+############ AUTH
+
+[ ! -f /auth/passwd ] && touch /auth/passwd
+
+chmod 0600 /auth/passwd
+chmod 0700 /auth
+
+############ TLS
+
+TLS_CERT=${TLS_CERT:-/certs/cert.pem}
+TLS_KEY=${TLS_KEY:-/certs/privkey.pem}
+TLS_CHAIN=${TLS_CHAIN:-/certs/chain.pem}
+
+cat </etc/proftpd/conf.d/tls.conf
+
+ TLSEngine on
+ TLSVerifyClient off
+ TLSRenegotiate none
+ TLSProtocol TLSv1.2
+ TLSRSACertificateFile $TLS_CERT
+ TLSRSACertificateKeyFile $TLS_KEY
+ TLSCertificateChainFile $TLS_CHAIN
+ TLSCipherSuite "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-SHA:AES256-GCM-SHA384:AES256-SHA256:CAMELLIA256-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
+ TLSOptions NoSessionReuseRequired AllowClientRenegotiations
+ TLSRequired on
+
+EOF
+
+
+############ START
+
+proftpd -n
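Review bot: The drop-in configures authentication and the chroot but sets no bound on login abuse, so a password-guessing client is limited only by `MaxClientsPerHost 5` and by whatever the distro's default proftpd.conf provides (that file is not in the diff, so I cannot confirm what it sets); adding `MaxLoginAttempts 3`, `TimeoutLogin 60` and `TimeoutIdle 600` here keeps those limits under the project's control. Likewise `User`/`Group` and `Umask` are not set in this file, so the privilege drop after binding port 21 and the mode of uploaded files depend entirely on the inherited defaults, which is worth either setting explicitly or documenting with a comment such as `# User/Group are inherited from the package default proftpd.conf`. `DefaultRoot ~` with `RequireValidShell off` is the right combination for file-backed virtual users.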
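Review bot: `TLSOptions NoSessionReuseRequired AllowClientRenegotiations` explicitly permits client-initiated TLS renegotiation, which `TLSRenegotiate none` two lines above was presumably meant to rule out and which is a well-known CPU-exhaustion vector on an internet-facing daemon, so `AllowClientRenegotiations` should be dropped, while `NoSessionReuseRequired` (which disables the check tying data connections to the control-channel session) is a client-compatibility trade-off that deserves a comment. The `TLSCipherSuite` list both includes and excludes RC4 (`ECDHE-RSA-RC4-SHA` and `RC4-SHA` versus the trailing `!RC4`) and admits non-forward-secret AES-CBC and CAMELLIA suites, so it can be trimmed to the ECDHE/DHE GCM suites with the same exclusions. Two shell issues follow: `proftpd -n` is started without `exec`, so `/bin/sh` remains PID 1 and the SIGTERM from `docker stop` never reaches proftpd, and without `set -e` a failed `chmod` on the bind-mounted `/auth` is silently ignored. `MASQUERADE` falls back to `127.0.0.1` although the README calls it required, so passive mode would advertise an unreachable address; refusing to start is safer. The `cat </etc/proftpd/conf.d/tls.conf` line looks garbled by the rendering (likely `cat <<EOF >/etc/proftpd/conf.d/tls.conf`), so I have not counted it as a defect.
```shell
#!/bin/sh
set -eu

############ MASQUERADE

# Refuse to start rather than advertise 127.0.0.1 for passive connections.
: "${MASQUERADE:?MASQUERADE must be set to the public IP or DNS name}"
echo "MasqueradeAddress ${MASQUERADE}" > /etc/proftpd/conf.d/masquerade.conf

# … unchanged: AUTH section, TLS_* defaults, heredoc header and the TLSEngine..TLSCertificateChainFile lines …
 TLSCipherSuite "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4"
 # NoSessionReuseRequired is kept for clients that cannot reuse the control-channel TLS session on data connections.
 TLSOptions NoSessionReuseRequired
 TLSRequired on

# … unchanged: EOF, START section …
exec proftpd -n
```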