more docs and fixed tls

README.md

@@ -5,7 +5,7 @@ Simple container for FTP+TLS+authentication
 ## build
 
 ```bash
-docker build . -t my-ftps
+docker build . -t docker.asperti.com/paspo/ftps
 ```
 
 ## run
@@ -16,7 +16,7 @@ docker run -d --name my-ftps \
   -e "MASQUERADE=ftp.mydomain.com" \
   -v "$PWD/auth:/auth" -v "$PWD/ftpdata:/home" \
   -v "$PWD/certs:/certs" \
-  my-ftps
+  docker.asperti.com/paspo/ftps
 ```
 
 The *MASQUERADE* parameter is the only required one. You can use an IP address (which is discouraged) or a DNS name.
@@ -28,9 +28,34 @@ docker run -d --name my-ftps \
   -e "MASQUERADE=ftp.mydomain.com" \
   -v "$PWD/auth:/auth" -v "$PWD/ftpdata:/home" \
   -v "/etc/letsencrypt/live/ftp.mydomain.com:/certs" \
-  my-ftps
+  docker.asperti.com/paspo/ftps
 ```
 
+## docker-compose
+
+```yaml
+version: "3"
+services:
+
+  ftps-server:
+    image: docker.asperti.com/paspo/ftps
+    restart: always
+    ports:
+      - "21:21"
+      - "20:20"
+      - "50000-50500:50000-50500"
+    volumes:
+      - "/srv/ftps/auth:/auth"
+      - "/srv/ftps/data:/home"
+      - "/etc/letsencrypt/live/ftp.mydomain.com:/certs"
+    environment:
+      - MASQUERADE=ftp.mydomain.com
+```
+
+## notes
+
+Please note that you have to restart the container whenever the certificate is renewed.
+
 ## users management
 
 To change/set a password, do like this (replace "paolo" with the correct username):

custom.conf

@@ -10,3 +10,15 @@ DefaultRoot ~
 Maxclients 30
 MaxClientsPerHost 5
 
+<IfModule mod_tls.c>
+  TLSEngine                               on
+  TLSVerifyClient                         off
+  TLSRenegotiate                          none
+  TLSProtocol                             TLSv1.2
+  TLSRSACertificateFile                   /etc/proftpd/cert.pem
+  TLSRSACertificateKeyFile                /etc/proftpd/privkey.pem
+  TLSCertificateChainFile                 /etc/proftpd/chain.pem
+  TLSCipherSuite                          "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-SHA:AES256-GCM-SHA384:AES256-SHA256:CAMELLIA256-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4" 
+  TLSOptions                              NoSessionReuseRequired AllowClientRenegotiations
+  TLSRequired                             on
+</IfModule>

run.sh

@@ -18,21 +18,9 @@ TLS_CERT=${TLS_CERT:-/certs/cert.pem}
 TLS_KEY=${TLS_KEY:-/certs/privkey.pem}
 TLS_CHAIN=${TLS_CHAIN:-/certs/chain.pem}
 
-cat <<EOF >/etc/proftpd/conf.d/tls.conf 
+cat $TLS_CERT > /etc/proftpd/cert.pem
-<IfModule mod_tls.c>
+cat $TLS_KEY > /etc/proftpd/privkey.pem
-  TLSEngine                               on
+cat $TLS_CHAIN > /etc/proftpd/chain.pem
-  TLSVerifyClient                         off
-  TLSRenegotiate                          none
-  TLSProtocol                             TLSv1.2
-  TLSRSACertificateFile                   $TLS_CERT
-  TLSRSACertificateKeyFile                $TLS_KEY
-  TLSCertificateChainFile                 $TLS_CHAIN
-  TLSCipherSuite                          "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-SHA:AES256-GCM-SHA384:AES256-SHA256:CAMELLIA256-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4" 
-  TLSOptions                              NoSessionReuseRequired AllowClientRenegotiations
-  TLSRequired                             on
-</IfModule>
-EOF
-
 
 ############ START