|
@@ -0,0 +1,63 @@
|
|
|
|
|
+#
|
|
|
|
|
+# Proftpd sample configuration for FTPS connections.
|
|
|
|
|
+#
|
|
|
|
|
+# Note that FTPS impose some limitations in NAT traversing.
|
|
|
|
|
+# See http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-TLS.html
|
|
|
|
|
+# for more information.
|
|
|
|
|
+#
|
|
|
|
|
+<IfModule mod_dso.c>
|
|
|
|
|
+ # If mod_tls was built as a shared/DSO module, load it
|
|
|
|
|
+ LoadModule mod_tls.c
|
|
|
|
|
+</IfModule>
|
|
|
|
|
+<IfModule mod_tls.c>
|
|
|
|
|
+TLSEngine on
|
|
|
|
|
+TLSLog /var/log/proftpd/tls.log
|
|
|
|
|
+# this is an example of protocols, proftp works witl all, but use only the most secure ones like TLSv1.1 and TLSv1.2
|
|
|
|
|
+TLSProtocol TLSv1.1 TLSv1.2
|
|
|
|
|
+#
|
|
|
|
|
+# Server SSL certificate. You can generate a self-signed certificate using
|
|
|
|
|
+# a command like:
|
|
|
|
|
+#
|
|
|
|
|
+# openssl req -x509 -newkey rsa:1024 \
|
|
|
|
|
+# -keyout /etc/ssl/private/proftpd.key -out /etc/ssl/certs/proftpd.crt \
|
|
|
|
|
+# -nodes -days 365
|
|
|
|
|
+#
|
|
|
|
|
+# The proftpd.key file must be readable by root only. The other file can be
|
|
|
|
|
+# readable by anyone.
|
|
|
|
|
+#
|
|
|
|
|
+# chmod 0600 /etc/ssl/private/proftpd.key
|
|
|
|
|
+# chmod 0640 /etc/ssl/private/proftpd.key
|
|
|
|
|
+#
|
|
|
|
|
+TLSRSACertificateFile /usr/local/hestia/ssl/certificate.crt
|
|
|
|
|
+TLSRSACertificateKeyFile /usr/local/hestia/ssl/certificate.key
|
|
|
|
|
+#
|
|
|
|
|
+# CA the server trusts...
|
|
|
|
|
+#TLSCACertificateFile /etc/ssl/certs/CA.pem
|
|
|
|
|
+# ...or avoid CA cert and be verbose
|
|
|
|
|
+#TLSOptions NoCertRequest EnableDiags
|
|
|
|
|
+# ... or the same with relaxed session use for some clients (e.g. FireFtp)
|
|
|
|
|
+#TLSOptions NoCertRequest EnableDiags NoSessionReuseRequired
|
|
|
|
|
+#
|
|
|
|
|
+#
|
|
|
|
|
+# Per default drop connection if client tries to start a renegotiate
|
|
|
|
|
+# This is a fix for CVE-2009-3555 but could break some clients.
|
|
|
|
|
+#
|
|
|
|
|
+#TLSOptions AllowClientRenegotiations
|
|
|
|
|
+#
|
|
|
|
|
+TLSOptions NoSessionReuseRequired AllowClientRenegotiations
|
|
|
|
|
+# Authenticate clients that want to use FTP over TLS?
|
|
|
|
|
+#
|
|
|
|
|
+#TLSVerifyClient off
|
|
|
|
|
+#
|
|
|
|
|
+# Are clients required to use FTP over TLS when talking to this server?
|
|
|
|
|
+#
|
|
|
|
|
+TLSRequired off
|
|
|
|
|
+#
|
|
|
|
|
+# Allow SSL/TLS renegotiations when the client requests them, but
|
|
|
|
|
+# do not force the renegotations. Some clients do not support
|
|
|
|
|
+# SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
|
|
|
|
|
+# clients will close the data connection, or there will be a timeout
|
|
|
|
|
+# on an idle data connection.
|
|
|
|
|
+#
|
|
|
|
|
+TLSRenegotiate required off
|
|
|
|
|
+</IfModule>
|
Jaap Marcus