ProFTPD: enable TLS by default. Fixes #1522
@@ -3276,6 +3276,11 @@ plugin {
|
|||||||
<!-- Proftpd -->
|
<!-- Proftpd -->
|
||||||
<daemon name="proftpd" title="ProFTPd" default="true">
|
<daemon name="proftpd" title="ProFTPd" default="true">
|
||||||
<install><![CDATA[apt-get install proftpd-basic proftpd-mod-mysql]]></install>
|
<install><![CDATA[apt-get install proftpd-basic proftpd-mod-mysql]]></install>
|
||||||
|
<commands>
|
||||||
|
<command><![CDATA[[ -f /etc/ssl/certs/proftpd.crt ] || openssl req -new -x509 -newkey rsa:4096 -days 3650 -nodes -out /etc/ssl/certs/proftpd.crt -keyout /etc/ssl/private/proftpd.key -subj "/C=US/ST=Some-State/O=Internet Widgits Pty Ltd/CN=<SERVERNAME>"]]></command>
|
||||||
|
<command><![CDATA[[ -f /etc/ssl/certs/proftpd_ec.crt ] || openssl req -new -x509 -nodes -newkey ec:<(openssl ecparam -name secp521r1) -keyout /etc/ssl/private/proftpd_ec.key -out /etc/ssl/certs/proftpd_ec.crt -days 3650 -subj "/C=US/ST=Some-State/O=Internet Widgits Pty Ltd/CN=<SERVERNAME>"]]></command>
|
||||||
|
<command><![CDATA[chmod 0600 /etc/ssl/private/proftpd.key /etc/ssl/private/proftpd_ec.key]]></command>
|
||||||
|
</commands>
|
||||||
<file name="/etc/proftpd/proftpd.conf" chown="root:0" chmod="0600"
|
<file name="/etc/proftpd/proftpd.conf" chown="root:0" chmod="0600"
|
||||||
backup="true">
|
backup="true">
|
||||||
<content><![CDATA[
|
<content><![CDATA[
|
||||||
@@ -3416,7 +3421,7 @@ Include /etc/proftpd/sql.conf
|
|||||||
#
|
#
|
||||||
# This is used for FTPS connections
|
# This is used for FTPS connections
|
||||||
#
|
#
|
||||||
#Include /etc/proftpd/tls.conf
|
Include /etc/proftpd/tls.conf
|
||||||
|
|
||||||
#
|
#
|
||||||
# Useful to keep VirtualHost/VirtualRoot directives separated
|
# Useful to keep VirtualHost/VirtualRoot directives separated
|
||||||
@@ -3635,6 +3640,33 @@ SQLNamedQuery get-quota-tally SELECT "name, quota_type, bytes_in_used,bytes_out_
|
|||||||
SQLNamedQuery update-quota-tally UPDATE "bytes_in_used = bytes_in_used + %{0}, bytes_out_used = bytes_out_used + %{1}, bytes_xfer_used = bytes_xfer_used + %{2}, files_in_used = files_in_used + %{3}, files_out_used= files_out_used + %{4}, files_xfer_used = files_xfer_used + %{5} WHERE name= '%{6}' AND quota_type = '%{7}'" ftp_quotatallies
|
SQLNamedQuery update-quota-tally UPDATE "bytes_in_used = bytes_in_used + %{0}, bytes_out_used = bytes_out_used + %{1}, bytes_xfer_used = bytes_xfer_used + %{2}, files_in_used = files_in_used + %{3}, files_out_used= files_out_used + %{4}, files_xfer_used = files_xfer_used + %{5} WHERE name= '%{6}' AND quota_type = '%{7}'" ftp_quotatallies
|
||||||
SQLNamedQuery insert-quota-tally INSERT "%{0}, %{1}, %{2}, %{3}, %{4},%{5}, %{6}, %{7}" ftp_quotatallies
|
SQLNamedQuery insert-quota-tally INSERT "%{0}, %{1}, %{2}, %{3}, %{4},%{5}, %{6}, %{7}" ftp_quotatallies
|
||||||
|
|
||||||
|
</IfModule>
|
||||||
|
]]>
|
||||||
|
</content>
|
||||||
|
</file>
|
||||||
|
<file name="/etc/proftpd/tls.conf" chown="root:root" chmod="0644" backup="true">
|
||||||
|
<content><![CDATA[
|
||||||
|
<IfModule mod_tls.c>
|
||||||
|
TLSEngine on
|
||||||
|
TLSLog /var/log/proftpd/tls.log
|
||||||
|
TLSProtocol TLSv1 TLSv1.1 TLSv1.2
|
||||||
|
TLSRSACertificateFile /etc/ssl/certs/proftpd.crt
|
||||||
|
TLSRSACertificateKeyFile /etc/ssl/private/proftpd.key
|
||||||
|
TLSECCertificateFile /etc/ssl/certs/proftpd_ec.crt
|
||||||
|
TLSECCertificateKeyFile /etc/ssl/private/proftpd_ec.key
|
||||||
|
TLSOptions NoCertRequest NoSessionReuseRequired
|
||||||
|
TLSVerifyClient off
|
||||||
|
|
||||||
|
# Are clients required to use FTP over TLS when talking to this server?
|
||||||
|
#TLSRequired on
|
||||||
|
|
||||||
|
# Allow SSL/TLS renegotiations when the client requests them, but
|
||||||
|
# do not force the renegotations. Some clients do not support
|
||||||
|
# SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
|
||||||
|
# clients will close the data connection, or there will be a timeout
|
||||||
|
# on an idle data connection.
|
||||||
|
#
|
||||||
|
#TLSRenegotiate required off
|
||||||
</IfModule>
|
</IfModule>
|
||||||
]]>
|
]]>
|
||||||
</content>
|
</content>
|
||||||
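Review bot: `TLSProtocol TLSv1 TLSv1.1 TLSv1.2` in the new tls.conf enables TLS 1.0 and 1.1, both deprecated by RFC 8996, and a configuration that is being turned on by default should not start below `TLSProtocol TLSv1.2` (with `TLSv1.3` appended where the installed mod_tls accepts it). Leaving `#TLSRequired on` commented means the server still accepts plaintext FTP logins, so the commit makes TLS available rather than used; if that is the intended default, a comment such as `# TLS is offered but not enforced; set TLSRequired on once all clients support FTPS` next to the directive would make the trade-off explicit. The same tls.conf block is added in the three later file sections of this commit, so the change applies there too.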
|
|||||||
@@ -1098,6 +1098,11 @@ MYSQL_AUXOPTIONS_FIELD CONCAT("allowimap=",imap,",allowpop3=",pop3)
|
|||||||
<!-- Proftpd -->
|
<!-- Proftpd -->
|
||||||
<daemon name="proftpd" title="ProFTPd" default="true">
|
<daemon name="proftpd" title="ProFTPd" default="true">
|
||||||
<install><![CDATA[apt-get install proftpd-basic proftpd-mod-mysql]]></install>
|
<install><![CDATA[apt-get install proftpd-basic proftpd-mod-mysql]]></install>
|
||||||
|
<commands>
|
||||||
|
<command><![CDATA[[ -f /etc/ssl/certs/proftpd.crt ] || openssl req -new -x509 -newkey rsa:4096 -days 3650 -nodes -out /etc/ssl/certs/proftpd.crt -keyout /etc/ssl/private/proftpd.key -subj "/C=US/ST=Some-State/O=Internet Widgits Pty Ltd/CN=<SERVERNAME>"]]></command>
|
||||||
|
<command><![CDATA[[ -f /etc/ssl/certs/proftpd_ec.crt ] || openssl req -new -x509 -nodes -newkey ec:<(openssl ecparam -name secp521r1) -keyout /etc/ssl/private/proftpd_ec.key -out /etc/ssl/certs/proftpd_ec.crt -days 3650 -subj "/C=US/ST=Some-State/O=Internet Widgits Pty Ltd/CN=<SERVERNAME>"]]></command>
|
||||||
|
<command><![CDATA[chmod 0600 /etc/ssl/private/proftpd.key /etc/ssl/private/proftpd_ec.key]]></command>
|
||||||
|
</commands>
|
||||||
<file name="/etc/proftpd/proftpd.conf" chown="root:0" chmod="0600"
|
<file name="/etc/proftpd/proftpd.conf" chown="root:0" chmod="0600"
|
||||||
backup="true">
|
backup="true">
|
||||||
<content><![CDATA[
|
<content><![CDATA[
|
||||||
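Review bot: The EC certificate command relies on process substitution, `ec:<(openssl ecparam -name secp521r1)`, which is a bash feature; if the installer hands `<command>` text to `/bin/sh` (dash on the Debian-family targets that `apt-get` implies) this is a syntax error, no EC key or certificate is written, and the tls.conf added in the last hunk of this section still points at `/etc/ssl/certs/proftpd_ec.crt`, so mod_tls would fail to start — I cannot see the executor, so please confirm which shell runs these commands. A portable form splits it into `openssl ecparam -name secp521r1 -genkey -noout -out /etc/ssl/private/proftpd_ec.key` followed by `openssl req -new -x509 -nodes -key /etc/ssl/private/proftpd_ec.key -out /etc/ssl/certs/proftpd_ec.crt -days 3650 -subj "..."`. The `[ -f /etc/ssl/certs/proftpd_ec.crt ] ||` guard (and its RSA twin) also skips regeneration when the certificate survives but the private key was lost, leaving a mismatched pair; testing both files, `[ -f cert ] && [ -f key ] ||`, keeps them consistent. The same three commands appear in the other three file sections.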
@@ -1230,7 +1235,7 @@ Include /etc/proftpd/sql.conf
|
|||||||
#
|
#
|
||||||
# This is used for FTPS connections
|
# This is used for FTPS connections
|
||||||
#
|
#
|
||||||
#Include /etc/proftpd/tls.conf
|
Include /etc/proftpd/tls.conf
|
||||||
]]>
|
]]>
|
||||||
</content>
|
</content>
|
||||||
</file>
|
</file>
|
||||||
@@ -1337,6 +1342,33 @@ SQLNamedQuery get-quota-tally SELECT "name, quota_type, bytes_in_used,bytes_out_
|
|||||||
SQLNamedQuery update-quota-tally UPDATE "bytes_in_used = bytes_in_used + %{0}, bytes_out_used = bytes_out_used + %{1}, bytes_xfer_used = bytes_xfer_used + %{2}, files_in_used = files_in_used + %{3}, files_out_used= files_out_used + %{4}, files_xfer_used = files_xfer_used + %{5} WHERE name= '%{6}' AND quota_type = '%{7}'" ftp_quotatallies
|
SQLNamedQuery update-quota-tally UPDATE "bytes_in_used = bytes_in_used + %{0}, bytes_out_used = bytes_out_used + %{1}, bytes_xfer_used = bytes_xfer_used + %{2}, files_in_used = files_in_used + %{3}, files_out_used= files_out_used + %{4}, files_xfer_used = files_xfer_used + %{5} WHERE name= '%{6}' AND quota_type = '%{7}'" ftp_quotatallies
|
||||||
SQLNamedQuery insert-quota-tally INSERT "%{0}, %{1}, %{2}, %{3}, %{4},%{5}, %{6}, %{7}" ftp_quotatallies
|
SQLNamedQuery insert-quota-tally INSERT "%{0}, %{1}, %{2}, %{3}, %{4},%{5}, %{6}, %{7}" ftp_quotatallies
|
||||||
|
|
||||||
|
</IfModule>
|
||||||
|
]]>
|
||||||
|
</content>
|
||||||
|
</file>
|
||||||
|
<file name="/etc/proftpd/tls.conf" chown="root:root" chmod="0644" backup="true">
|
||||||
|
<content><![CDATA[
|
||||||
|
<IfModule mod_tls.c>
|
||||||
|
TLSEngine on
|
||||||
|
TLSLog /var/log/proftpd/tls.log
|
||||||
|
TLSProtocol TLSv1 TLSv1.1 TLSv1.2
|
||||||
|
TLSRSACertificateFile /etc/ssl/certs/proftpd.crt
|
||||||
|
TLSRSACertificateKeyFile /etc/ssl/private/proftpd.key
|
||||||
|
TLSECCertificateFile /etc/ssl/certs/proftpd_ec.crt
|
||||||
|
TLSECCertificateKeyFile /etc/ssl/private/proftpd_ec.key
|
||||||
|
TLSOptions NoCertRequest NoSessionReuseRequired
|
||||||
|
TLSVerifyClient off
|
||||||
|
|
||||||
|
# Are clients required to use FTP over TLS when talking to this server?
|
||||||
|
#TLSRequired on
|
||||||
|
|
||||||
|
# Allow SSL/TLS renegotiations when the client requests them, but
|
||||||
|
# do not force the renegotations. Some clients do not support
|
||||||
|
# SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
|
||||||
|
# clients will close the data connection, or there will be a timeout
|
||||||
|
# on an idle data connection.
|
||||||
|
#
|
||||||
|
#TLSRenegotiate required off
|
||||||
</IfModule>
|
</IfModule>
|
||||||
]]>
|
]]>
|
||||||
</content>
|
</content>
|
||||||
|
|||||||
@@ -1101,6 +1101,11 @@ MYSQL_AUXOPTIONS_FIELD CONCAT("allowimap=",imap,",allowpop3=",pop3)
|
|||||||
<!-- Proftpd -->
|
<!-- Proftpd -->
|
||||||
<daemon name="proftpd" title="ProFTPd" default="true">
|
<daemon name="proftpd" title="ProFTPd" default="true">
|
||||||
<install><![CDATA[apt-get install proftpd-basic proftpd-mod-mysql]]></install>
|
<install><![CDATA[apt-get install proftpd-basic proftpd-mod-mysql]]></install>
|
||||||
|
<commands>
|
||||||
|
<command><![CDATA[[ -f /etc/ssl/certs/proftpd.crt ] || openssl req -new -x509 -newkey rsa:4096 -days 3650 -nodes -out /etc/ssl/certs/proftpd.crt -keyout /etc/ssl/private/proftpd.key -subj "/C=US/ST=Some-State/O=Internet Widgits Pty Ltd/CN=<SERVERNAME>"]]></command>
|
||||||
|
<command><![CDATA[[ -f /etc/ssl/certs/proftpd_ec.crt ] || openssl req -new -x509 -nodes -newkey ec:<(openssl ecparam -name secp521r1) -keyout /etc/ssl/private/proftpd_ec.key -out /etc/ssl/certs/proftpd_ec.crt -days 3650 -subj "/C=US/ST=Some-State/O=Internet Widgits Pty Ltd/CN=<SERVERNAME>"]]></command>
|
||||||
|
<command><![CDATA[chmod 0600 /etc/ssl/private/proftpd.key /etc/ssl/private/proftpd_ec.key]]></command>
|
||||||
|
</commands>
|
||||||
<file name="/etc/proftpd/proftpd.conf" chown="root:0" chmod="0600"
|
<file name="/etc/proftpd/proftpd.conf" chown="root:0" chmod="0600"
|
||||||
backup="true">
|
backup="true">
|
||||||
<content><![CDATA[
|
<content><![CDATA[
|
||||||
@@ -1233,7 +1238,7 @@ Include /etc/proftpd/sql.conf
|
|||||||
#
|
#
|
||||||
# This is used for FTPS connections
|
# This is used for FTPS connections
|
||||||
#
|
#
|
||||||
#Include /etc/proftpd/tls.conf
|
Include /etc/proftpd/tls.conf
|
||||||
]]>
|
]]>
|
||||||
</content>
|
</content>
|
||||||
</file>
|
</file>
|
||||||
@@ -1340,6 +1345,33 @@ SQLNamedQuery get-quota-tally SELECT "name, quota_type, bytes_in_used,bytes_out_
|
|||||||
SQLNamedQuery update-quota-tally UPDATE "bytes_in_used = bytes_in_used + %{0}, bytes_out_used = bytes_out_used + %{1}, bytes_xfer_used = bytes_xfer_used + %{2}, files_in_used = files_in_used + %{3}, files_out_used= files_out_used + %{4}, files_xfer_used = files_xfer_used + %{5} WHERE name= '%{6}' AND quota_type = '%{7}'" ftp_quotatallies
|
SQLNamedQuery update-quota-tally UPDATE "bytes_in_used = bytes_in_used + %{0}, bytes_out_used = bytes_out_used + %{1}, bytes_xfer_used = bytes_xfer_used + %{2}, files_in_used = files_in_used + %{3}, files_out_used= files_out_used + %{4}, files_xfer_used = files_xfer_used + %{5} WHERE name= '%{6}' AND quota_type = '%{7}'" ftp_quotatallies
|
||||||
SQLNamedQuery insert-quota-tally INSERT "%{0}, %{1}, %{2}, %{3}, %{4},%{5}, %{6}, %{7}" ftp_quotatallies
|
SQLNamedQuery insert-quota-tally INSERT "%{0}, %{1}, %{2}, %{3}, %{4},%{5}, %{6}, %{7}" ftp_quotatallies
|
||||||
|
|
||||||
|
</IfModule>
|
||||||
|
]]>
|
||||||
|
</content>
|
||||||
|
</file>
|
||||||
|
<file name="/etc/proftpd/tls.conf" chown="root:root" chmod="0644" backup="true">
|
||||||
|
<content><![CDATA[
|
||||||
|
<IfModule mod_tls.c>
|
||||||
|
TLSEngine on
|
||||||
|
TLSLog /var/log/proftpd/tls.log
|
||||||
|
TLSProtocol TLSv1 TLSv1.1 TLSv1.2
|
||||||
|
TLSRSACertificateFile /etc/ssl/certs/proftpd.crt
|
||||||
|
TLSRSACertificateKeyFile /etc/ssl/private/proftpd.key
|
||||||
|
TLSECCertificateFile /etc/ssl/certs/proftpd_ec.crt
|
||||||
|
TLSECCertificateKeyFile /etc/ssl/private/proftpd_ec.key
|
||||||
|
TLSOptions NoCertRequest NoSessionReuseRequired
|
||||||
|
TLSVerifyClient off
|
||||||
|
|
||||||
|
# Are clients required to use FTP over TLS when talking to this server?
|
||||||
|
#TLSRequired on
|
||||||
|
|
||||||
|
# Allow SSL/TLS renegotiations when the client requests them, but
|
||||||
|
# do not force the renegotations. Some clients do not support
|
||||||
|
# SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
|
||||||
|
# clients will close the data connection, or there will be a timeout
|
||||||
|
# on an idle data connection.
|
||||||
|
#
|
||||||
|
#TLSRenegotiate required off
|
||||||
</IfModule>
|
</IfModule>
|
||||||
]]>
|
]]>
|
||||||
</content>
|
</content>
|
||||||
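Review bot: `TLSOptions NoCertRequest NoSessionReuseRequired` disables mod_tls's check that every data connection reuses the TLS session of its control connection, which is the server-side defence against a third party attaching to a passive data port; unless a specific client in use is known to be unable to reuse sessions, the safer default is `TLSOptions NoCertRequest`, with any exception documented in place, e.g. `# NoSessionReuseRequired only if a client in use cannot reuse TLS sessions`. `TLSVerifyClient off` together with `NoCertRequest` is reasonable for a public FTPS endpoint, but a one-line comment saying client certificates are deliberately not used would stop a later reader from treating it as an oversight. The same block is added in the other three file sections.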
|
|||||||
@@ -4381,6 +4381,11 @@ MYSQL_AUXOPTIONS_FIELD CONCAT("allowimap=",imap,",allowpop3=",pop3)
|
|||||||
<!-- Proftpd -->
|
<!-- Proftpd -->
|
||||||
<daemon name="proftpd" title="ProFTPd" default="true">
|
<daemon name="proftpd" title="ProFTPd" default="true">
|
||||||
<install><![CDATA[apt-get install proftpd-basic proftpd-mod-mysql]]></install>
|
<install><![CDATA[apt-get install proftpd-basic proftpd-mod-mysql]]></install>
|
||||||
|
<commands>
|
||||||
|
<command><![CDATA[[ -f /etc/ssl/certs/proftpd.crt ] || openssl req -new -x509 -newkey rsa:4096 -days 3650 -nodes -out /etc/ssl/certs/proftpd.crt -keyout /etc/ssl/private/proftpd.key -subj "/C=US/ST=Some-State/O=Internet Widgits Pty Ltd/CN=<SERVERNAME>"]]></command>
|
||||||
|
<command><![CDATA[[ -f /etc/ssl/certs/proftpd_ec.crt ] || openssl req -new -x509 -nodes -newkey ec:<(openssl ecparam -name secp521r1) -keyout /etc/ssl/private/proftpd_ec.key -out /etc/ssl/certs/proftpd_ec.crt -days 3650 -subj "/C=US/ST=Some-State/O=Internet Widgits Pty Ltd/CN=<SERVERNAME>"]]></command>
|
||||||
|
<command><![CDATA[chmod 0600 /etc/ssl/private/proftpd.key /etc/ssl/private/proftpd_ec.key]]></command>
|
||||||
|
</commands>
|
||||||
<file name="/etc/proftpd/proftpd.conf" chown="root:0" chmod="0600"
|
<file name="/etc/proftpd/proftpd.conf" chown="root:0" chmod="0600"
|
||||||
backup="true">
|
backup="true">
|
||||||
<content><![CDATA[
|
<content><![CDATA[
|
||||||
@@ -4521,7 +4526,7 @@ Include /etc/proftpd/sql.conf
|
|||||||
#
|
#
|
||||||
# This is used for FTPS connections
|
# This is used for FTPS connections
|
||||||
#
|
#
|
||||||
#Include /etc/proftpd/tls.conf
|
Include /etc/proftpd/tls.conf
|
||||||
|
|
||||||
#
|
#
|
||||||
# Useful to keep VirtualHost/VirtualRoot directives separated
|
# Useful to keep VirtualHost/VirtualRoot directives separated
|
||||||
@@ -4716,6 +4721,33 @@ SQLNamedQuery get-quota-tally SELECT "name, quota_type, bytes_in_used,bytes_out_
|
|||||||
SQLNamedQuery update-quota-tally UPDATE "bytes_in_used = bytes_in_used + %{0}, bytes_out_used = bytes_out_used + %{1}, bytes_xfer_used = bytes_xfer_used + %{2}, files_in_used = files_in_used + %{3}, files_out_used= files_out_used + %{4}, files_xfer_used = files_xfer_used + %{5} WHERE name= '%{6}' AND quota_type = '%{7}'" ftp_quotatallies
|
SQLNamedQuery update-quota-tally UPDATE "bytes_in_used = bytes_in_used + %{0}, bytes_out_used = bytes_out_used + %{1}, bytes_xfer_used = bytes_xfer_used + %{2}, files_in_used = files_in_used + %{3}, files_out_used= files_out_used + %{4}, files_xfer_used = files_xfer_used + %{5} WHERE name= '%{6}' AND quota_type = '%{7}'" ftp_quotatallies
|
||||||
SQLNamedQuery insert-quota-tally INSERT "%{0}, %{1}, %{2}, %{3}, %{4},%{5}, %{6}, %{7}" ftp_quotatallies
|
SQLNamedQuery insert-quota-tally INSERT "%{0}, %{1}, %{2}, %{3}, %{4},%{5}, %{6}, %{7}" ftp_quotatallies
|
||||||
|
|
||||||
|
</IfModule>
|
||||||
|
]]>
|
||||||
|
</content>
|
||||||
|
</file>
|
||||||
|
<file name="/etc/proftpd/tls.conf" chown="root:root" chmod="0644" backup="true">
|
||||||
|
<content><![CDATA[
|
||||||
|
<IfModule mod_tls.c>
|
||||||
|
TLSEngine on
|
||||||
|
TLSLog /var/log/proftpd/tls.log
|
||||||
|
TLSProtocol TLSv1 TLSv1.1 TLSv1.2
|
||||||
|
TLSRSACertificateFile /etc/ssl/certs/proftpd.crt
|
||||||
|
TLSRSACertificateKeyFile /etc/ssl/private/proftpd.key
|
||||||
|
TLSECCertificateFile /etc/ssl/certs/proftpd_ec.crt
|
||||||
|
TLSECCertificateKeyFile /etc/ssl/private/proftpd_ec.key
|
||||||
|
TLSOptions NoCertRequest NoSessionReuseRequired
|
||||||
|
TLSVerifyClient off
|
||||||
|
|
||||||
|
# Are clients required to use FTP over TLS when talking to this server?
|
||||||
|
#TLSRequired on
|
||||||
|
|
||||||
|
# Allow SSL/TLS renegotiations when the client requests them, but
|
||||||
|
# do not force the renegotations. Some clients do not support
|
||||||
|
# SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
|
||||||
|
# clients will close the data connection, or there will be a timeout
|
||||||
|
# on an idle data connection.
|
||||||
|
#
|
||||||
|
#TLSRenegotiate required off
|
||||||
</IfModule>
|
</IfModule>
|
||||||
]]>
|
]]>
|
||||||
</content>
|
</content>
|
||||||
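Review bot: The new tls.conf gives no hint that the two certificate files are self-signed placeholders minted by the install commands with the fixed `Internet Widgits Pty Ltd` subject, so every FTPS client will present a trust warning until an operator installs a CA-issued pair; a header comment above `TLSRSACertificateFile`, such as `# Self-signed certificates generated at install time; replace with CA-issued ones (keys stay 0600)`, would state that expectation where it is needed. `chown="root:0"` on proftpd.conf and `chown="root:root"` on the new tls.conf within the same daemon block are equivalent but read as two conventions; settling on one keeps the definition consistent. Both points apply equally to the other three file sections.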
|
|||||||