From 8289114ee62e91381ab37d0cb58fc8c4b35a8f8a Mon Sep 17 00:00:00 2001 From: Paolo Asperti Date: Sun, 11 Feb 2024 21:09:40 +0100 Subject: [PATCH] sql auth and healthcheck --- Dockerfile | 7 +++- README.md | 52 +++++++++++++++++++++++++++ rootfs/app/entrypoint.sh | 36 +++++++++++++++++++ rootfs/app/healthcheck.sh | 7 ++++ rootfs/app/init.sql | 14 ++++++++ rootfs/etc/proftpd/conf.d/custom.conf | 25 ++++++++++++- 6 files changed, 139 insertions(+), 2 deletions(-) create mode 100755 rootfs/app/healthcheck.sh create mode 100644 rootfs/app/init.sql diff --git a/Dockerfile b/Dockerfile index ab583f3..28be26c 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,9 +1,14 @@ FROM alpine:latest RUN \ - apk -U add proftpd proftpd-mod_tls proftpd-mod_ifsession proftpd-utils openssl perl acme.sh && \ + apk -U add proftpd proftpd-mod_tls proftpd-mod_ifsession \ + proftpd-mod_deflate proftpd-mod_geoip proftpd-mod_sql_sqlite \ + proftpd-utils openssl perl acme.sh lftp sqlite && \ mkdir -p /var/run/proftpd /etc/proftpd/custom.conf.d/ COPY rootfs / +HEALTHCHECK --interval=2m --timeout=3s \ + CMD /app/healthcheck.sh || exit 1 + ENTRYPOINT ["/app/entrypoint.sh"] diff --git a/README.md b/README.md index 3501f63..86e4e50 100644 --- a/README.md +++ b/README.md 
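Review bot: The new `HEALTHCHECK --interval=2m --timeout=3s` sets no `--start-period`, so checks that run while the entrypoint is still initialising `/auth/ftpd.db` and the `healthcheck` account count against Docker's default three retries; `HEALTHCHECK --interval=2m --timeout=3s --start-period=60s \` keeps a slow start from marking the container unhealthy. `CMD /app/healthcheck.sh || exit 1` only reports anything if the script itself exits non-zero on a failed login, which is a contract worth stating next to it: `# healthcheck.sh must propagate lftp's exit status`. Not introduced here, but `FROM alpine:latest` with unpinned `apk -U add` means the proftpd/lftp/sqlite versions this image ships change on every rebuild; pinning is a separate change.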
@@ -144,3 +144,55 @@ docker exec -ti my-ftps ftpasswd --passwd --name=paolo --uid=1000 --home=/home/p ``` You also have to create and chown the user's home folder. + +## sql db for user authentication + +It is possible to use a sqlite db for user authentication, just add `SQLITE_AUTH=1` to the environment: + +```yaml +version: "3" +services: + ftps-server: + image: docker.asperti.com/paspo/ftps + restart: always + ports: + - "21:21" + - "20:20" + - "21210-21220:21210-21220" + volumes: + - "/srv/ftps/auth:/auth" + - "/srv/ftps/conf:/etc/proftpd/custom.conf.d:ro" + - "/srv/ftps/data:/home" + - "/etc/letsencrypt:/certs:ro" + environment: + - SQLITE_AUTH=1 + - MASQUERADE=ftp.mydomain.com + - PASSIVEPORTS_START=21210 + - PASSIVEPORTS_END=21220 + - MAXCLIENTS=500 + - MAXCLIENTSPERHOST=100 + - TLS_CERT=/certs/live/ftp.mydomain.com/cert.pem + - TLS_KEY=/certs/live/ftp.mydomain.com/privkey.pem + - TLS_CHAIN=/certs/live/ftp.mydomain.com/chain.pem +``` + +Now, instead of using `/auth/passwd`, proftpd is using `/auth/ftpd.db`. +To create a new user, you must now update this db. + +To create a new user: + +```bash +docker exec -ti my-ftps sqlite3 sqlite3 /auth/ftpd.db < /app/healthcheck.pwd +chmod 600 /app/healthcheck.pwd + +############ UPDATE HEALTHCHECK CREDS +HEALTHCHECK_UID=1999 +mkdir -p /home/healthcheck +chown ${HEALTHCHECK_UID}:${HEALTHCHECK_UID} /home/healthcheck +if [ "$SQLITE_AUTH" = "1" ] ; then + PASSWD_SHA=$(cat /app/healthcheck.pwd | mkpasswd -m sha512) + sqlite3 /auth/ftpd.db < /etc/prodtpd/conf.d/auth.conf +else + echo "AuthOrder mod_auth_file.c" > /etc/prodtpd/conf.d/auth.conf +fi + ############ START CRON crond -b diff --git a/rootfs/app/healthcheck.sh b/rootfs/app/healthcheck.sh new file mode 100755 index 0000000..4bc244a --- /dev/null +++ b/rootfs/app/healthcheck.sh 
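Review bot: Both branches write the AuthOrder snippet to `/etc/prodtpd/conf.d/auth.conf` — `prodtpd`, not `proftpd` — so it lands outside the directory the rest of this patch configures (`/etc/proftpd/conf.d/custom.conf`), and because the patch also removes `AuthOrder mod_auth_file.c` from custom.conf the server presumably runs with no explicit AuthOrder at all; change both lines to `/etc/proftpd/conf.d/auth.conf` and confirm the main proftpd.conf actually includes that directory. The generated health-check secret is redirected into `/app/healthcheck.pwd` and only afterwards `chmod 600`, so it briefly exists with the process umask; an `umask 077` before the redirection (or `install -m 600 /dev/null /app/healthcheck.pwd` first) closes that window, and the same treatment is worth giving `/auth/ftpd.db`, which holds every password hash. The start of this hunk and the bodies of the two `sqlite3 /auth/ftpd.db <<` here-documents are garbled in this copy (angle-bracket text is missing), so the INSERT/UPDATE statements themselves could not be reviewed.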
@@ -0,0 +1,7 @@ +#!/bin/sh + +USER=healthcheck +LFTP_PASSWORD=$(cat /app/healthcheck.pwd) + +lftp -e "set ssl-allow true; set ftp:ssl-force true; set ftp:passive-mode true;set ssl:verify-certificate false;open -u ${USER},${LFTP_PASSWORD} ftp://127.0.0.1; ls ; bye" > /dev/null +echo $? diff --git a/rootfs/app/init.sql b/rootfs/app/init.sql new file mode 100644 index 0000000..67611d2 --- /dev/null +++ b/rootfs/app/init.sql @@ -0,0 +1,14 @@ +CREATE TABLE `users` ( + userid VARCHAR(30) NOT NULL UNIQUE, + passwd VARCHAR(80) NOT NULL, + uid INTEGER UNIQUE, + gid INTEGER, + homedir VARCHAR(255), + shell VARCHAR(255), + last_accessed DATETIME +); +CREATE TABLE `groups` ( + groupname VARCHAR(30) NOT NULL UNIQUE, + gid INTEGER NOT NULL, + members VARCHAR(255) +); diff --git a/rootfs/etc/proftpd/conf.d/custom.conf b/rootfs/etc/proftpd/conf.d/custom.conf index 5556c65..57af025 100644 --- a/rootfs/etc/proftpd/conf.d/custom.conf +++ b/rootfs/etc/proftpd/conf.d/custom.conf @@ -1,4 +1,3 @@ -AuthOrder mod_auth_file.c AuthUserFile /auth/passwd RequireValidShell off ScoreBoardFile /run/proftpd/scoreboard @@ -23,4 +22,28 @@ DefaultRoot ~ DelayTable /run/proftpd/proftpd.delay + + DeflateEngine on + + + + + SQLBackend sqlite3 + SQLConnectInfo /auth/ftpd.db + SQLEngine On + SQLAuthenticate users + SQLAuthTypes OpenSSL Crypt + SQLUserInfo users userid passwd uid gid homedir shell + SQLGroupInfo groups groupname gid members + + SQLNamedQuery last_accessed UPDATE "last_accessed = DATETIME('now') WHERE userid='%u'" users + SQLLog PASS last_accessed + SQLMinId 33 + SQLDefaultUID 33 + SQLDefaultGID 33 + + RequireValidShell off + + + Include /etc/proftpd/custom.conf.d/
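Review bot: The script always exits 0: `echo $?` is its last command, so the status of that echo (success) becomes the script's, and the Dockerfile's `CMD /app/healthcheck.sh || exit 1` never fires even when lftp cannot log in — replace it with `exit $?` or drop the line and let lftp be the last command. The password is also spliced into the `-e` command string as `open -u ${USER},${LFTP_PASSWORD}`, which exposes it in the container's process list and lets a `;` or space in the generated secret alter the lftp command; the variable is already named for lftp's environment mechanism, so `export LFTP_PASSWORD` plus `open -u ${USER} --env-password ftp://127.0.0.1` keeps it out of argv and out of the command parser. `set ssl:verify-certificate false` is defensible for a loopback probe against the server's own certificate, but record why: `# loopback check: the cert is not issued for 127.0.0.1, so skip verification`.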
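Review bot: `users` has no primary key and leaves `uid`, `gid` and `homedir` nullable, so a row inserted without a uid is not rejected but silently mapped by mod_sql to the `SQLDefaultUID`/`SQLDefaultGID` configured elsewhere in this patch; tightening the columns to `userid VARCHAR(30) NOT NULL PRIMARY KEY,`, `uid INTEGER NOT NULL UNIQUE CHECK (uid >= 1000),` and `gid INTEGER NOT NULL,` (and `homedir ... NOT NULL`, with the bound matched to whatever `SQLMinId` is settled on) makes a bad row fail at insert time instead of at login. `passwd VARCHAR(80)` is shorter than a sha512-crypt string (`$6$...`, roughly 100 characters); SQLite ignores the declared length, but any other `SQLBackend` would truncate the hash and break every login, so `passwd TEXT NOT NULL` is the honest declaration. `groups.members` being a comma-separated list is dictated by mod_sql's `SQLGroupInfo` contract, which is fine, but a one-line comment saying so would stop a later reader from normalising it.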
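Review bot: `SQLMinId 33` together with `SQLDefaultUID 33`/`SQLDefaultGID 33` lets a db row with a missing or low uid run its session as whatever system account the image's /etc/passwd gives uid 33 rather than a dedicated FTP identity, while the rest of this patch creates users at 1000 and 1999; set `SQLMinId 1000` and point the defaults at an unprivileged uid that exists only for this purpose, or drop them so that a NULL uid fails to authenticate. `SQLAuthTypes OpenSSL Crypt` also accepts the unsalted `{md5}`/`{sha1}`-style digests of the OpenSSL type, yet the entrypoint only ever stores sha512-crypt hashes; `SQLAuthTypes Crypt` alone keeps an accidentally inserted unsalted hash from being a valid credential. The `SQLNamedQuery last_accessed` UPDATE interpolates `%u` straight into its WHERE clause; mod_sql escapes the resolved value before substitution as far as I know and `SQLLog PASS` fires only after a successful login, but a short comment recording that reasoning would spare the next reader the same check. The `<IfModule>`/`<IfDefine>` wrapper lines around these directives are stripped in this copy of the diff, so which of them is actually conditional on `SQLITE_AUTH` could not be verified.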