embedded cert.sh
Some checks failed
continuous-integration/drone/push Build was killed
continuous-integration/drone/tag Build was killed

2024-01-23 17:15:08 +01:00
parent 488acf16c1
commit 962624e294
13 changed files with 235 additions and 76 deletions


@@ -22,7 +22,7 @@ docker run -d --name my-ftps \
```
The *MASQUERADE* parameter is the only required one. You can use an IP address (which is discouraged) or a DNS name.
You must provide valid certificates for TLS; if you use Lets'Encrypt, you can mofify like this:
You must provide valid certificates for TLS; if you use Lets'Encrypt, you can modify like this:
```bash
docker run -d --name my-ftps \
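Review bot: the `mofify` → `modify` fix leaves the other misspelling on the same line, `Lets'Encrypt`, which should be `Let's Encrypt`, and "you can modify like this" still does not say what is being modified; suggest `if you use Let's Encrypt, mount its certificate files into the container and point the TLS_CERT/TLS_KEY/TLS_CHAIN variables at them, like this:` so the `docker run` example that follows is explained by the sentence introducing it. The same paragraph says an IP address for MASQUERADE "is discouraged" without giving the reason; a clause such as "because the TLS certificate must match the name clients connect to" would make the advice actionable.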
@@ -33,7 +33,7 @@ docker run -d --name my-ftps \
docker.asperti.com/paspo/ftps
```
## docker-compose
## docker-compose (external certificate)
```yaml
version: "3"
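Review bot: with the heading now distinguishing the external-certificate variant, this example still starts with `version: "3"`, which the Compose Specification treats as obsolete and current `docker compose` ignores with a warning; drop the line here rather than carry it into the new acme.sh example as well.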
@@ -56,12 +56,66 @@ services:
- PASSIVEPORTS_START=21210
- PASSIVEPORTS_END=21220
- MAXCLIENTS=500
- MAXCLIENTSPERHOST=100
- MAXCLIENTSPERHOST=100
- TLS_CERT=/certs/live/ftp.mydomain.com/cert.pem
- TLS_KEY=/certs/live/ftp.mydomain.com/privkey.pem
- TLS_CHAIN=/certs/live/ftp.mydomain.com/chain.pem
```
## docker-compose (using internal acme.sh)
```yaml
version: "3"
services:
ftps-server:
image: docker.asperti.com/paspo/ftps
restart: always
ports:
- "21:21"
- "20:20"
- "21210-21220:21210-21220"
volumes:
- "/srv/ftps/auth:/auth"
- "/srv/ftps/conf:/etc/proftpd/custom.conf.d:ro"
- "/srv/ftps/data:/home"
- "/srv/ftps/acme:/acme"
environment:
- MASQUERADE=ftp.mydomain.com
- PASSIVEPORTS_START=21210
- PASSIVEPORTS_END=21220
- MAXCLIENTS=500
- MAXCLIENTSPERHOST=100
- ENABLE_ACME=1 # "1" will enable, anything else means external cert
- ACME_SERVER=letsencrypt # optional
- ACME_EMAIL=myemail@gmail.com # used by letsencrypt
- ACME_DNS=dns_ovh # see below
- OVH_END_POINT=ovh-eu
- OVH_AK=abc123abc123abc1 # application key
- OVH_AS=abc123abc123abc1abc123abc123abc1 # application secret
- OVH_CK=abc123abc123abc1abc123abc123abc1 # consumer key
```
## The rationale behind the acme.sh alternative
You normally use an external letsencrypt client to obtain the certificate and then pass it to the docker container. In some cases, you can't use an external acme client and/or you can't do HTTP-01 auth.
The included `acme.sh` client will help you to setup DNS-01 auth and in keeping the cert updated.
Please check [here](https://github.com/acmesh-official/acme.sh/wiki/dnsapi) for supported dns providers.
Each provider will use different environment variables, you have to add these variables to the container's environment.
### OVH
A quick way to create required credentials for OVH:
- login to your [OVH accuont](https://www.ovh.com/manager/)
- paste in your browser an URL like the following one:
```txt
https://api.ovh.com/createToken/?GET=/domain/zone/mydomain.com/*&POST=/domain/zone/mydomain.com/*&PUT=/domain/zone/mydomain.com/*&GET=/domain/zone/mydomain.com&DELETE=/domain/zone/mydomain.com/record/*
```
This will create some credentials that'll allow management only for that domain (`mydomain.com`).
## passive ports
If you want to change the passive ports range (which by default is 50000-50050), you can do so via environment variables (PASSIVEPORTS_START and PASSIVEPORTS_END).
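Review bot: the new "using internal acme.sh" example puts the OVH application key, application secret and consumer key (`OVH_AK`, `OVH_AS`, `OVH_CK`) directly under `environment:`, where they are readable by anyone who can open the compose file or run `docker inspect` on the container, and the token created with the URL in the OVH section can rewrite the whole zone (POST and PUT on `/domain/zone/mydomain.com/*`, DELETE on `record/*`); suggest moving these three variables to an `env_file` kept out of version control and saying so in the text. Two documentation gaps in the same hunk: the `/srv/ftps/acme:/acme` volume presumably persists acme.sh state, including the issued private key, so the text should state what lands there and that it needs the same protection as the `/certs` directory of the external variant; and the comment on `ENABLE_ACME=1` should say whether `TLS_CERT`/`TLS_KEY`/`TLS_CHAIN` are ignored when ACME is enabled. The `MAXCLIENTSPERHOST=100` line appears as both removed and added with no visible difference, so it is a whitespace-only change that adds noise to the diff. Minor wording in the added prose: `OVH accuont` → `OVH account`, `paste in your browser an URL` → `paste a URL like the following into your browser`, `setup DNS-01 auth and in keeping the cert updated` → `set up DNS-01 validation and keep the certificate renewed`; and `myemail@gmail.com` would be better as an `example.com` address, matching `ftp.mydomain.com` elsewhere in the example.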