h0tmann/alpine_proftpd_db

By h0tmann

Updated about 1 month ago

Alpine ProFTPD

Minimal Alpine-based ProFTPD Docker image with a configuration template

Pkg Source: https://pkgs.alpinelinux.org/packages?name=proftpd

docker compose snippet:

  alpine_proftpd:
    container_name: alpine_proftpd
    image: h0tmann/alpine_proftpd_db:latest
    hostname: alpine_proftpd
    network_mode: host
    logging:
      options:
        max-file: "3"
        max-size: "128m"
        compress: "true"
    cap_add:
      - NET_ADMIN                                       # with network_mode: host this lets the container change host firewall rules; drop it if you run no firewall on the host
#    ports:
#      - 20-21:20-21                                     # FTP    Ports
#      - 22:22                                           # sFTP   Port
#      - 49152-65534:49152-65534                         # FTP    passive-mode port range (better choose a smaller range and keep it equal to PASSIVE_PORT_MIN/MAX!)
#      - 127.0.0.1:8003:8003                             # Admin  Port
    environment:
      # System variables
      - TZ=Europe/Berlin                                # German time is always good 🇩🇪
      - LANG=de_DE.UTF-8                                # German locale is always good 🇩🇪
      # basic ProFTPD settings
#      - DEFAULT_ADDRESS=0.0.0.0                         # default: "0.0.0.0" | http://www.proftpd.org/docs/modules/mod_core.html#DefaultAddress
#      - PUBLIC_IP=0.0.0.0                               # default: "0.0.0.0" - Required in "network_mode: host". Use "0.0.0.0 ::" for IPv4 and IPv6
#      - FTP_PORT=21                                     # default: "21"
#      - SFTP_PORT=22                                    # default: "22" (if any value is set SFTP will be activated - if unset it will not be activated)
      # ProFTPD app variables
#      - APP_UID=850                                     # UID which the app (proftpd) runs with (default is "850")
#      - APP_GID=850                                     # GID which the app (proftpd) runs with (default is "850")
      # optional ProFTPD variables
#      - PASSIVE_PORT_MIN=49152                          # default: "49152"  (depending on how many virtual servers you use you might want to limit this)
#      - PASSIVE_PORT_MAX=65534                          # default: "65534"  (depending on how many virtual servers you use you might want to limit this)
#      - MAX_INSTANCES=1001                              # default: "1001" | http://www.proftpd.org/docs/modules/mod_core.html#MaxInstances
#      - MAX_CLIENTS=1000 "Sorry max %m users, try again" # default: "1000 "Sorry max %m users, try again"" | http://www.proftpd.org/docs/modules/mod_auth.html#MaxClients
#      - MAX_CONNECTION_RATE="none"                      # default: "none"  | http://www.proftpd.org/docs/modules/mod_auth.html#MaxConnectionRate
#      - ALLOW_OVERWRITE=off                             # on|off        | http://www.proftpd.org/docs/modules/mod_xfer.html#AllowOverwrite
#      - ALLOW_UPLOAD_RESTART=on                         # on|off        | http://www.proftpd.org/docs/modules/mod_xfer.html#AllowStoreRestart
#      - ALLOW_DOWNLOAD_RESTART=on                       # on|off        | http://www.proftpd.org/docs/modules/mod_xfer.html#AllowRetrieveRestart
#      - DEFAULT_TRANSFER_MODE=binary                    # ascii|binary  | http://www.proftpd.org/docs/modules/mod_xfer.html#DefaultTransferMode
#      - CREATE_HOME=on 770 skel /etc/proftpd/data/skel uid ~ gid ~ dirmode 770 NoRootPrivs # http://www.proftpd.org/docs/modules/mod_auth.html#CreateHome
#      - USE_REVERSE_DNS=on                              # on|off        | http://www.proftpd.org/docs/modules/mod_core.html#UseReverseDNS
#      - SFTP_AUTH_METHODS=publickey password            # hostbased|keyboard-interactive|password|publickey | http://www.proftpd.org/docs/contrib/mod_sftp.html#SFTPAuthMethods
#      - SFTP_COMPRESSION=delayed                        # on|off|delayed     | http://www.proftpd.org/docs/contrib/mod_sftp.html#SFTPCompression
      # LIMIT Folders
#      - LIMIT_USER_HOME=false                           # default: "false"   - true|false | confines users to their home directory (recommended for security)
#      - LIMIT_USER_SUBDIRS=false                        # default: "false"   - true|false | confines users to their subdirectories (recommended for security)
      # FTP SSL/TLS settings
#      - ENABLE_FTP_SSL_TLS=false                        # default: false | if true will require "/etc/proftpd/ssl/cert.pem" & "/etc/proftpd/ssl/key.pem" (CA would be here: "/etc/proftpd/ssl/ca.pem")
#      - FTP_TLS_PROTOCOL=ALL -TLSv1 -TLSv1.1 -SSLv3     # default: "ALL -TLSv1 -TLSv1.1 -SSLv3" | http://www.proftpd.org/docs/contrib/mod_tls.html#TLSProtocol
#      - FTP_TLS_CERT=cert.pem                           # default: "cert.pem" | Certificate filename in    "/etc/proftpd/ssl/"
#      - FTP_TLS_KEY=key.pem                             # default: "key.pem"  | Key filename in            "/etc/proftpd/ssl/"
#      - FTP_TLS_CIPHER_SUITE=DEFAULT:!ADH:!EXPORT:!DES:!NULL # default: "DEFAULT:!ADH:!EXPORT:!DES:!NULL" | http://www.proftpd.org/docs/contrib/mod_tls.html#TLSCipherSuite
#      - FTP_TLS_OPTIONS=NoSessionReuseRequired AllowClientRenegotiations # default: "NoSessionReuseRequired AllowClientRenegotiations" | http://www.proftpd.org/docs/contrib/mod_tls.html#TLSOptions
#                                                        # note: both defaults relax mod_tls hardening (data connections need not reuse the control-connection TLS session; clients may trigger renegotiation)
#      - FTP_TLS_VERIFY_CLIENT=optional                  # default: "optional" | http://www.proftpd.org/docs/contrib/mod_tls.html#TLSVerifyClient
#      - FTP_TLS_REQUIRED=off                            # default: "off" | http://www.proftpd.org/docs/contrib/mod_tls.html#TLSRequired
#      - FTP_TLS_RENEGOTIATE=required off                # default: "required off" | http://www.proftpd.org/docs/contrib/mod_tls.html#TLSRenegotiate
#      - FTP_TLS_SERVER_CIPHER_PREFERENCE=on             # default: "on"  | http://www.proftpd.org/docs/contrib/mod_tls.html#TLSServerCipherPreference
#      - FTP_TLS_STAPLING=off                            # default: "off"  | http://www.proftpd.org/docs/contrib/mod_tls.html#TLSStapling
      # log settings
#      - ENABLE_LOGS=true                                # default: "true" [boolean] enable General   Logging
#      - ENABLE_EXT_LOGS=true                            # default: "true" [boolean] enable Extended  Logging
#      - ENABLE_SFTP_LOGS=true                           # default: "true" [boolean] enable sftp      Logging
#      - ENABLE_TRANS_LOGS=true                          # default: "true" [boolean] enable transfer  Logging
#      - ENABLE_SSL_TLS_LOGS=true                        # default: "true" [boolean] enable SSL&TLS   Logging
#      - LOG_WTMP=off                                    # default: "off" | http://www.proftpd.org/docs/modules/mod_auth.html#WtmpLog
#      - LOG_EXT_FILE=extended_sftp_read_write.log       # default: "extended_sftp_read_write.log" [filename string]
#      - LOG_EXT_ATTR=                                   # default: "" [filename string]
#      - LOG_SFTP_FILE=sftp.log                          # default: "sftp.log" | http://www.proftpd.org/docs/contrib/mod_sftp.html#SFTPLog
#      - LOG_TRANS_FILE=xfer.log                         # default: "xfer.log" | http://www.proftpd.org/docs/modules/mod_core.html#TransferLog
#      - LOG_SSL_TLS_FILE=tls.log                        # default: "tls.log"  | http://www.proftpd.org/docs/contrib/mod_tls.html#TLSLog
      # ADMIN WEB-UI CONFIG
#      - ADMIN_IP=                                       # default ""          | any string ip
#      - ADMIN_PORT=8003                                 # default "8003"      | any UINT number
#      - ADMIN_PASS=                                     # default "Hy2i3kBw4q8Z4zmNVKWHPGV5eC9roeN3" >= 32 characters
#      - ADMIN_MIN_ID=1000                               # default "1000"      | any UINT number
#      - ADMIN_JWT_SIGN=                                 # default "dy8ECoA0z1aLvLqXDRjanaRSABzuzi4e" >= 32 characters | JWT Token
#      - ADMIN_JWT_ENC=                                  # default "po35XsS8jpEIg708VV4d4TyEDBkSocUH" >= 32 characters | JWT Token
#      - ADMIN_COOKIE_TTL=86400                          # default "86400"
#      - ADMIN_COOKIE_SLL=true                           # default "true"
#      - ADMIN_COOKIE_HTTPONLY=true                      # default "true"
#      - ADMIN_COOKIE_PATH=/                             # default "/"
      # LOGROTATE
#      - LOGROTATE_SIZE=100M                             # default "100M" ([int]K, [int]M, [int]G)
#      - LOGROTATE_ROTATE=10                             # default "10" [uint]
#      - LOGROTATE_MAX_AGE=15                            # default "15" [uint]
    volumes:
      - "/etc/timezone:/etc/timezone:ro"                # sets "/etc/timezone" to the same as the host
      - "./folder/log/:/var/log/proftpd/:rw"            # folder for logs
      - "./folder/data/:/etc/proftpd/data/:rw"          # folder for Config-Data
      - "/mnt/ftpusers/:/mnt/ftpusers/:rw"              # folder for User-Data
    deploy:
      resources:
        limits:
          memory: 512M                                  # adjust to your needs (be generous, as this is just max)
    restart: unless-stopped

Note:

You can also run this docker-compose with explicitly mapped ports, but it is not recommended if you want to use FTP:

    ports:
      - 20-21:20-21                                     # FTP    Ports
                                                        # Port 21 = FTP control (command) port
                                                        # Port 20 = FTP data port (active mode only)
      - 22:22                                           # sFTP   Port
      - 49152-65534:49152-65534                         # FTP    passive-mode port range (better choose a smaller range!)
                                                        # must match PASSIVE_PORT_MIN/PASSIVE_PORT_MAX; Docker sets up a forwarding entry per published port, so a 16k-port range is slow to start

JWT-Token:

The JWTs used by the admin web UI are fully encrypted and RFC 7519 compliant. Make sure you set a unique ADMIN_JWT_SIGN and ADMIN_JWT_ENC (each at least 32 characters) for every installation; the defaults listed above are public and must not be used.
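The following is an added example and not part of the image or its README: a POSIX sh preflight audit for the environment block above, including the admin secrets discussed here. It flags the shipped default secrets, plaintext-only FTP, the relaxed TLS options, an admin UI not pinned to loopback, an oversized passive range and unconfined home directories, and it generates per-installation secrets of the required length. Variable names and defaults are the ones documented on this page; the finding texts, thresholds and the two sample configurations are constructed for the example.

```shell
#!/bin/sh
# Added example, not shipped with the image: preflight audit of the compose
# "environment:" block. Input is KEY=VALUE text, one entry per line (the
# compose lines with the leading "- " removed and uncommented).

# Secrets the README lists as defaults; an installation still using them fails.
DEFAULT_ADMIN_PASS="Hy2i3kBw4q8Z4zmNVKWHPGV5eC9roeN3"
DEFAULT_JWT_SIGN="dy8ECoA0z1aLvLqXDRjanaRSABzuzi4e"
DEFAULT_JWT_ENC="po35XsS8jpEIg708VV4d4TyEDBkSocUH"

# Fresh secret of N (default 32) alphanumeric characters from the kernel CSPRNG.
gen_secret() {
    tr -dc 'A-Za-z0-9' </dev/urandom | head -c "${1:-32}"
    echo
}

# Value of KEY ($2) in the env text ($1); the fallback ($3) when unset or empty.
env_get() {
    _v=$(printf '%s\n' "$1" | sed -n "s/^$2=//p" | head -n 1)
    if [ -n "$_v" ]; then printf '%s\n' "$_v"; else printf '%s\n' "$3"; fi
}

# A secret passes if it is at least 32 characters and not a shipped default.
secret_ok() {
    [ ${#1} -ge 32 ] || return 1
    case "$1" in
        "$DEFAULT_ADMIN_PASS"|"$DEFAULT_JWT_SIGN"|"$DEFAULT_JWT_ENC") return 1 ;;
    esac
    return 0
}

# Print one finding per line (FAIL = fix before exposing, WARN = review);
# prints nothing for a clean block.
audit_env() {
    for k in ADMIN_PASS ADMIN_JWT_SIGN ADMIN_JWT_ENC; do
        if ! secret_ok "$(env_get "$1" "$k" "")"; then
            echo "FAIL $k: unset, shorter than 32 characters, or the shipped default"
        fi
    done
    if [ "$(env_get "$1" ENABLE_FTP_SSL_TLS false)" != "true" ]; then
        echo "FAIL ENABLE_FTP_SSL_TLS: FTP logins and data cross the wire in plaintext"
    elif [ "$(env_get "$1" FTP_TLS_REQUIRED off)" != "on" ]; then
        echo "WARN FTP_TLS_REQUIRED: TLS is offered, but clients may still log in unencrypted"
    fi
    case "$(env_get "$1" FTP_TLS_OPTIONS "NoSessionReuseRequired AllowClientRenegotiations")" in
        *AllowClientRenegotiations*)
            echo "WARN FTP_TLS_OPTIONS: client-initiated TLS renegotiation is allowed" ;;
    esac
    case "$(env_get "$1" ADMIN_IP "")" in
        127.0.0.1|::1) ;;
        *) echo "WARN ADMIN_IP: admin UI not pinned to loopback; with network_mode: host it is reachable from the network unless firewalled" ;;
    esac
    pmin=$(env_get "$1" PASSIVE_PORT_MIN 49152)
    pmax=$(env_get "$1" PASSIVE_PORT_MAX 65534)
    if [ $((pmax - pmin)) -gt 1000 ]; then
        echo "WARN PASSIVE_PORT_MIN/MAX: $((pmax - pmin + 1)) passive ports exposed; narrow the range to what MAX_CLIENTS needs"
    fi
    if [ "$(env_get "$1" LIMIT_USER_HOME false)" != "true" ]; then
        echo "WARN LIMIT_USER_HOME: users are not confined to their home directory"
    fi
}

# Constructed sample 1: the README defaults, nothing changed (8 findings).
WEAK_ENV="TZ=Europe/Berlin
ENABLE_FTP_SSL_TLS=false"

# Constructed sample 2: a hardened block with per-installation secrets (0 findings).
HARDENED_ENV="ENABLE_FTP_SSL_TLS=true
FTP_TLS_REQUIRED=on
FTP_TLS_OPTIONS=NoSessionReuseRequired
ADMIN_IP=127.0.0.1
PASSIVE_PORT_MIN=50000
PASSIVE_PORT_MAX=50100
LIMIT_USER_HOME=true
ADMIN_PASS=$(gen_secret)
ADMIN_JWT_SIGN=$(gen_secret)
ADMIN_JWT_ENC=$(gen_secret)"

echo "== weak =="; audit_env "$WEAK_ENV"
echo "== hardened =="; audit_env "$HARDENED_ENV"
```

Run it once against your own block before the first `docker compose up`; any FAIL line means the container should not be exposed yet. The hardened sample keeps NoSessionReuseRequired only because some FTP clients cannot reuse the control-connection TLS session on data connections; if all your clients can, drop it too.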

IPTABLES / NFTABLES:

On newer systems you need to explicitly create the file /etc/modprobe.d/iptables.conf with this content:

options nf_conntrack_ftp ports=21

(change the port to match FTP_PORT; on older systems use options ip_conntrack_ftp ports=21). Now run modprobe nf_conntrack_ftp, or modprobe ip_conntrack_ftp on older systems. The passive high ports should now open automatically and passive mode should work flawlessly. Two caveats: since Linux 4.7 the kernel no longer attaches helpers to connections automatically (the net.netfilter.nf_conntrack_helper sysctl defaulted to 0 and was removed in 6.0), so the helper has to be assigned to control-port traffic with an iptables CT target (-j CT --helper ftp) or an nftables ct helper rule; and the helper only works for plaintext FTP, because it cannot read the PASV/EPSV replies inside an FTPS session (ENABLE_FTP_SSL_TLS=true), so with TLS the PASSIVE_PORT_MIN to PASSIVE_PORT_MAX range must be opened in the firewall explicitly.

Keep in mind that without network_mode: host the rules in the config may need to be altered to have the intended effect, as all requests come through the Docker network your container is in. I personally recommend network_mode: host, as it also makes it much easier to migrate from a plain installation to this dockerized version. If you know what you are doing, feel free to use mapped ports.
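The host-side procedure above, as an added example that is not part of the image: a POSIX sh script that writes the modprobe.d line, loads the helper module, verifies the port it is actually parsing, binds the helper to the control port with iptables, and opens the passive range for the FTPS case. Everything that touches the kernel needs root on the Docker host and assumes iptables is in use (nftables equivalents are noted in comments); the line-building and validation functions run anywhere.

```shell
#!/bin/sh
# Added example, not shipped with the image: configure and verify the FTP
# connection-tracking helper on the Docker host. The apply functions need root
# and iptables; the nftables equivalents are noted in comments.

# Build the modprobe.d line for the control port ($1) and helper module ($2,
# default nf_conntrack_ftp); rejects anything that is not a valid TCP port.
conntrack_conf_line() {
    case "$1" in
        ''|*[!0-9]*) echo "invalid port: $1" >&2; return 1 ;;
    esac
    if [ "$1" -lt 1 ] || [ "$1" -gt 65535 ]; then
        echo "port out of range: $1" >&2; return 1
    fi
    printf 'options %s ports=%s\n' "${2:-nf_conntrack_ftp}" "$1"
}

# Helper module name present on this kernel (old kernels shipped ip_conntrack_ftp).
conntrack_module() {
    if modinfo nf_conntrack_ftp >/dev/null 2>&1; then echo nf_conntrack_ftp
    elif modinfo ip_conntrack_ftp >/dev/null 2>&1; then echo ip_conntrack_ftp
    else return 1; fi
}

# Write the config, (re)load the module, and confirm the port it is parsing.
conntrack_ftp_setup() {
    port=${1:-21}
    mod=$(conntrack_module) || { echo "no FTP conntrack helper on this kernel" >&2; return 1; }
    conntrack_conf_line "$port" "$mod" > /etc/modprobe.d/iptables.conf
    modprobe -r "$mod" 2>/dev/null || true      # unload so the new ports= is read
    modprobe "$mod"
    # Sanity check against the live module parameter (root-readable sysfs file).
    case ",$(cat /sys/module/"$mod"/parameters/ports)," in
        *",$port,"*) echo "$mod watching port $port" ;;
        *) echo "$mod loaded, but its ports= does not include $port" >&2; return 1 ;;
    esac
}

# Since Linux 4.7 helpers are not attached to flows automatically
# (net.netfilter.nf_conntrack_helper defaulted to 0 and was removed in 6.0),
# so bind the helper to the control port and accept the RELATED data
# connections it expects. nftables: "ct helper set" in a prerouting chain plus
# "ct state related,established accept" in input.
# The helper name is "ftp" for port 21; nf_conntrack_ftp registers other
# ports as "ftp-<port>".
conntrack_ftp_rules() {
    port=${1:-21}
    helper=${2:-ftp}
    iptables -t raw -C PREROUTING -p tcp --dport "$port" -j CT --helper "$helper" 2>/dev/null \
        || iptables -t raw -A PREROUTING -p tcp --dport "$port" -j CT --helper "$helper"
    iptables -C INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 2>/dev/null \
        || iptables -I INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
}

# FTPS caveat: the helper cannot see PASV/EPSV replies inside TLS, so with
# ENABLE_FTP_SSL_TLS=true the passive range has to be opened outright.
passive_range_rule() {
    iptables -C INPUT -p tcp --dport "${1:-49152}:${2:-65534}" -j ACCEPT 2>/dev/null \
        || iptables -A INPUT -p tcp --dport "${1:-49152}:${2:-65534}" -j ACCEPT
}

# Usage on the host (as root): sh this_script.sh apply [port] [pmin] [pmax]
if [ "${1:-}" = "apply" ]; then
    conntrack_ftp_setup "${2:-21}"
    conntrack_ftp_rules "${2:-21}"
    passive_range_rule "${3:-49152}" "${4:-65534}"
fi
```

The -C checks make the rule functions idempotent, so the script can be re-run after a reboot or a firewall reload without duplicating rules. If you run plain FTP only, skip passive_range_rule; the helper then opens exactly the data port each PASV reply announces, which is the whole point of loading it.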

PUBLIC KEYS:

ProFTPD (mod_sftp) needs public keys in RFC 4716 format. To convert an OpenSSH public key to this format, use:

ssh-keygen -e -f ~/.ssh/id_rsa.pub -m RFC4716 > ~/.ssh/id_rsa.rfc4716.pub

Alternatively, use the built-in function in the Admin Web-UI.
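The conversion above, as an added example that is not part of the image or of ProFTPD: a POSIX sh converter that produces the RFC 4716 layout from an OpenSSH one-line key without ssh-keygen, plus a checker to run over any key file before it is handed to mod_sftp (wrong framing or an over-long line is a common reason a public-key login silently fails). The accepted key types are an allow-list chosen for this script, and the sample key line is constructed, not a real key.

```shell
#!/bin/sh
# Added example, not shipped with the image: convert an OpenSSH one-line public
# key to RFC 4716 without ssh-keygen, and check a key file before handing it
# to mod_sftp. Same layout as "ssh-keygen -e -m RFC4716" produces: a BEGIN
# line, optional "Name: value" headers, the base64 blob folded, an END line.

BEGIN_LINE="---- BEGIN SSH2 PUBLIC KEY ----"
END_LINE="---- END SSH2 PUBLIC KEY ----"

# $1: "keytype base64blob [comment]" exactly as found in an id_*.pub file.
openssh_to_rfc4716() {
    set -f; set -- $1; set +f            # split on whitespace, no globbing
    [ $# -ge 2 ] || { echo "malformed key line" >&2; return 1; }
    ktype=$1; blob=$2; shift 2; comment=$*
    case "$ktype" in                     # allow-list chosen for this script
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "unsupported key type: $ktype" >&2; return 1 ;;
    esac
    case "$blob" in
        *[!A-Za-z0-9+/=]*) echo "key blob is not base64" >&2; return 1 ;;
    esac
    echo "$BEGIN_LINE"
    if [ -n "$comment" ]; then echo "Comment: \"$comment\""; fi
    printf '%s\n' "$blob" | fold -w 70   # RFC 4716 caps every line at 72 characters
    echo "$END_LINE"
}

# $1: RFC 4716 file. Prints the base64 blob re-joined on one line
# (drops the ---- framing and "Name: value" header lines).
rfc4716_blob() {
    grep -v '^----' "$1" | grep -v '^[A-Za-z-]*: ' | tr -d '\n'
    echo
}

# $1: path to a candidate RFC 4716 file. Returns 0 if the framing is right,
# no line exceeds 72 characters and there is a key body; 1 with a reason
# on stderr otherwise.
rfc4716_check() {
    [ "$(head -n 1 "$1")" = "$BEGIN_LINE" ] || { echo "$1: missing BEGIN line" >&2; return 1; }
    [ "$(tail -n 1 "$1")" = "$END_LINE" ] || { echo "$1: missing END line" >&2; return 1; }
    awk 'BEGIN { bad = 0 } length($0) > 72 { bad = 1 } END { exit bad }' "$1" \
        || { echo "$1: line longer than 72 characters" >&2; return 1; }
    [ -n "$(rfc4716_blob "$1")" ] || { echo "$1: empty key body" >&2; return 1; }
}

# Constructed sample (not a real key): an ed25519 line with a comment.
SAMPLE_KEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMAxmq2jKSsn8WktazP1dfx2B6yQ2W5b7DkX7YeDLt2 proftpd-user@example.org"

openssh_to_rfc4716 "$SAMPLE_KEY"
```

Typical use is openssh_to_rfc4716 "$(cat ~/.ssh/id_ed25519.pub)" > user.rfc4716.pub followed by rfc4716_check user.rfc4716.pub; rfc4716_blob is also handy for comparing a converted file against the original OpenSSH line to confirm nothing was mangled in transit.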

Create the container and have fun!

Docker Pull Command

docker pull h0tmann/alpine_proftpd_db