more docs and fixed tls

Paolo Asperti 2019-05-18 01:20:52 +02:00
parent 6b93aae155
commit bbaa8496eb
Signed by: paspo
GPG Key ID: 06D46905D19D5182
3 changed files with 43 additions and 18 deletions


@ -5,7 +5,7 @@ Simple container for FTP+TLS+authentication
## build ## build
```bash ```bash
docker build . -t my-ftps docker build . -t docker.asperti.com/paspo/ftps
``` ```
## run ## run
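Review bot: the build command now tags the image as docker.asperti.com/paspo/ftps, but the README does not say whether readers are expected to build it with this command or pull it from that registry; the `## build` section should state which is intended (for example a `docker pull docker.asperti.com/paspo/ftps` line if the registry is public), since a local build otherwise produces a tag that looks as if it came from the registry.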
@ -16,7 +16,7 @@ docker run -d --name my-ftps \
-e "MASQUERADE=ftp.mydomain.com" \ -e "MASQUERADE=ftp.mydomain.com" \
-v "$PWD/auth:/auth" -v "$PWD/ftpdata:/home" \ -v "$PWD/auth:/auth" -v "$PWD/ftpdata:/home" \
-v "$PWD/certs:/certs" \ -v "$PWD/certs:/certs" \
my-ftps docker.asperti.com/paspo/ftps
``` ```
The *MASQUERADE* parameter is the only required one. You can use an IP address (which is discouraged) or a DNS name. The *MASQUERADE* parameter is the only required one. You can use an IP address (which is discouraged) or a DNS name.
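Review bot: the run example mounts `$PWD/certs:/certs` without saying what must be inside it; from the defaults in run.sh (`TLS_CERT=${TLS_CERT:-/certs/cert.pem}`, `TLS_KEY=${TLS_KEY:-/certs/privkey.pem}`, `TLS_CHAIN=${TLS_CHAIN:-/certs/chain.pem}`) the directory has to contain cert.pem, privkey.pem and chain.pem, or the TLS_CERT/TLS_KEY/TLS_CHAIN variables must point elsewhere. A sentence listing those three filenames next to this example would save users a failed first start.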
@ -28,9 +28,34 @@ docker run -d --name my-ftps \
-e "MASQUERADE=ftp.mydomain.com" \ -e "MASQUERADE=ftp.mydomain.com" \
-v "$PWD/auth:/auth" -v "$PWD/ftpdata:/home" \ -v "$PWD/auth:/auth" -v "$PWD/ftpdata:/home" \
-v "/etc/letsencrypt/live/ftp.mydomain.com:/certs" \ -v "/etc/letsencrypt/live/ftp.mydomain.com:/certs" \
my-ftps docker.asperti.com/paspo/ftps
``` ```
## docker-compose
```yaml
version: "3"
services:
ftps-server:
image: docker.asperti.com/paspo/ftps
restart: always
ports:
- "21:21"
- "20:20"
- "50000-50500:50000-50500"
volumes:
- "/srv/ftps/auth:/auth"
- "/srv/ftps/data:/home"
- "/etc/letsencrypt/live/ftp.mydomain.com:/certs"
environment:
- MASQUERADE=ftp.mydomain.com
```
## notes
Please note that you have to restart the container whenever the certificate is renewed.
## users management ## users management
To change/set a password, do like this (replace "paolo" with the correct username): To change/set a password, do like this (replace "paolo" with the correct username):
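Review bot: the compose example and the second run example bind-mount `/etc/letsencrypt/live/ftp.mydomain.com` into /certs, but in a standard certbot layout the files under `live/<domain>` are symlinks into `/etc/letsencrypt/archive/<domain>/`, so inside the container they point at paths that are not mounted and the `cat $TLS_CERT` copies in run.sh will fail; either mount `/etc/letsencrypt:/etc/letsencrypt:ro` and set TLS_CERT, TLS_KEY and TLS_CHAIN to the full paths, or document that the mounted directory must contain real files. The `## notes` line about restarting after renewal is a consequence of run.sh copying the files once at startup; saying so would make the requirement understandable, and the certificate volumes should carry `:ro` since the container only reads them.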


@ -10,3 +10,15 @@ DefaultRoot ~
Maxclients 30 Maxclients 30
MaxClientsPerHost 5 MaxClientsPerHost 5
<IfModule mod_tls.c>
TLSEngine on
TLSVerifyClient off
TLSRenegotiate none
TLSProtocol TLSv1.2
TLSRSACertificateFile /etc/proftpd/cert.pem
TLSRSACertificateKeyFile /etc/proftpd/privkey.pem
TLSCertificateChainFile /etc/proftpd/chain.pem
TLSCipherSuite "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-SHA:AES256-GCM-SHA384:AES256-SHA256:CAMELLIA256-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
TLSOptions NoSessionReuseRequired AllowClientRenegotiations
TLSRequired on
</IfModule>
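Review bot: the TLSCipherSuite list includes ECDHE-RSA-RC4-SHA and RC4-SHA and then ends with `!RC4`, so those two entries are dead and should be removed to keep the list honest; in the same block, `TLSOptions NoSessionReuseRequired AllowClientRenegotiations` gives up two protections the rest of the block reaches for: NoSessionReuseRequired lets data connections skip reusing the control connection's TLS session (the check that ties a data connection to the authenticated control session), and AllowClientRenegotiations permits client-initiated renegotiation, which `TLSRenegotiate none` on its own does not prevent. Unless a specific client needs them, drop both options, or add a comment naming the client that does.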

run.sh

@ -18,21 +18,9 @@ TLS_CERT=${TLS_CERT:-/certs/cert.pem}
TLS_KEY=${TLS_KEY:-/certs/privkey.pem} TLS_KEY=${TLS_KEY:-/certs/privkey.pem}
TLS_CHAIN=${TLS_CHAIN:-/certs/chain.pem} TLS_CHAIN=${TLS_CHAIN:-/certs/chain.pem}
cat <<EOF >/etc/proftpd/conf.d/tls.conf cat $TLS_CERT > /etc/proftpd/cert.pem
<IfModule mod_tls.c> cat $TLS_KEY > /etc/proftpd/privkey.pem
TLSEngine on cat $TLS_CHAIN > /etc/proftpd/chain.pem
TLSVerifyClient off
TLSRenegotiate none
TLSProtocol TLSv1.2
TLSRSACertificateFile $TLS_CERT
TLSRSACertificateKeyFile $TLS_KEY
TLSCertificateChainFile $TLS_CHAIN
TLSCipherSuite "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-SHA:AES256-GCM-SHA384:AES256-SHA256:CAMELLIA256-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
TLSOptions NoSessionReuseRequired AllowClientRenegotiations
TLSRequired on
</IfModule>
EOF
############ START ############ START
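Review bot: the three `cat $TLS_CERT > ...` lines copy the certificate files without checking that the sources exist or are readable, so a missing or mis-mounted /certs produces empty cert.pem, privkey.pem and chain.pem and proftpd fails later with a less obvious error; add a guard before the copies such as `for f in "$TLS_CERT" "$TLS_KEY" "$TLS_CHAIN"; do [ -r "$f" ] || { echo "missing $f" >&2; exit 1; }; done`, quote the variables in the copies, and write privkey.pem with restricted permissions (for example `install -m 600 "$TLS_KEY" /etc/proftpd/privkey.pem`), since the redirect creates it with the shell's default umask.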