h0tmann/alpine_proftpd_db
Minimal Alpine ProFTPD Docker image with configuration template
Pkg Source: https://pkgs.alpinelinux.org/packages?name=proftpd
alpine_proftpd:
  container_name: alpine_proftpd
  image: h0tmann/alpine_proftpd_db:latest
  hostname: alpine_proftpd
  network_mode: host
  logging:
    options:
      max-file: "3"
      max-size: "128m"
      compress: "true"
  cap_add:
    - NET_ADMIN # you can remove this capability if you don't have any firewall on your host
  # ports:
  #   - 20-21:20-21 # FTP Ports
  #   - 22:22 # sFTP Port
  #   - 49152-65534:49152-65534 # FTP Ephemeral Ports (better choose a smaller range!)
  #   - 127.0.0.1:8003:8003 # Admin Port
  environment:
    # System variables
    - TZ=Europe/Berlin # German time is always good 🇩🇪
    - LANG=de_DE.UTF-8 # German locale is always good 🇩🇪
    # Basic proFTPd settings
    # - DEFAULT_ADDRESS=0.0.0.0 # default: "0.0.0.0" | http://www.proftpd.org/docs/modules/mod_core.html#DefaultAddress
    # - PUBLIC_IP=0.0.0.0 # default: "0.0.0.0" - Required in "network_mode: host". Use "0.0.0.0 ::" for IPv4 and IPv6
    # - FTP_PORT=21 # default: "21"
    # - SFTP_PORT=22 # default: "22" (if any value is set SFTP will be activated - if unset it will not be activated)
    # proFTPd app variables
    # - APP_UID=850 # UID which the app (proftpd) runs with (default is "850")
    # - APP_GID=850 # GID which the app (proftpd) runs with (default is "850")
    # Optional proFTPd variables
    # - PASSIVE_PORT_MIN=49152 # default: "49152" (depending on how many virtual servers you use you might want to limit this)
    # - PASSIVE_PORT_MAX=65534 # default: "65534" (depending on how many virtual servers you use you might want to limit this)
    # - MAX_INSTANCES=1001 # default: "1001" | http://www.proftpd.org/docs/modules/mod_core.html#MaxInstances
    # - MAX_CLIENTS=1000 "Sorry max %m users, try again" # default: "1000 "Sorry max %m users, try again"" | http://www.proftpd.org/docs/modules/mod_auth.html#MaxClients
    # - MAX_CONNECTION_RATE="none" # default: "none" | http://www.proftpd.org/docs/modules/mod_auth.html#MaxClients
    # - ALLOW_OVERWRITE=off # on|off | http://www.proftpd.org/docs/modules/mod_xfer.html#AllowOverwrite
    # - ALLOW_UPLOAD_RESTART=on # on|off | http://www.proftpd.org/docs/modules/mod_xfer.html#AllowStoreRestart
    # - ALLOW_DOWNLOAD_RESTART=on # on|off | http://www.proftpd.org/docs/modules/mod_xfer.html#AllowRetrieveRestart
    # - DEFAULT_TRANSFER_MODE=binary # ascii|binary | http://www.proftpd.org/docs/modules/mod_xfer.html#DefaultTransferMode
    # - CREATE_HOME=on 770 skel /etc/proftpd/data/skel uid ~ gid ~ dirmode 770 NoRootPrivs # http://www.proftpd.org/docs/modules/mod_auth.html#CreateHome
    # - USE_REVERSE_DNS=on # on|off | http://www.proftpd.org/docs/modules/mod_core.html#UseReverseDNS
    # - SFTP_AUTH_METHODS=publickey password # hostbased|keyboard-interactive|password|publickey | http://www.proftpd.org/docs/contrib/mod_sftp.html#SFTPAuthMethods
    # - SFTP_COMPRESSION=delayed # on|off|delayed | http://www.proftpd.org/docs/contrib/mod_sftp.html#SFTPCompression
    # LIMIT Folders
    # - LIMIT_USER_HOME=false # default: "false" - true|false | reasonably limits the user's home directory for increased security
    # - LIMIT_USER_SUBDIRS=false # default: "false" - true|false | reasonably limits the user's subdirectories for increased security
    # FTP SSL settings
    # - ENABLE_FTP_SSL_TLS=false # default: false | if true will require "/etc/proftpd/ssl/cert.pem" & "/etc/proftpd/ssl/key.pem" (CA would be here: "/etc/proftpd/ssl/ca.pem")
    # - FTP_TLS_PROTOCOL=ALL -TLSv1 -TLSv1.1 -SSLv3 # default: "ALL -TLSv1 -TLSv1.1 -SSLv3" | http://www.proftpd.org/docs/contrib/mod_tls.html#TLSProtocol
    # - FTP_TLS_CERT=cert.pem # default: "cert.pem" | Certificate filename in "/etc/proftpd/ssl/"
    # - FTP_TLS_KEY=key.pem # default: "key.pem" | Key filename in "/etc/proftpd/ssl/"
    # - FTP_TLS_CIPHER_SUITE=DEFAULT:!ADH:!EXPORT:!DES:!NULL # default: "DEFAULT:!ADH:!EXPORT:!DES:!NULL" | http://www.proftpd.org/docs/contrib/mod_tls.html#TLSCipherSuite
    # - FTP_TLS_OPTIONS=NoSessionReuseRequired AllowClientRenegotiations # default: "NoSessionReuseRequired AllowClientRenegotiations" | http://www.proftpd.org/docs/contrib/mod_tls.html#TLSOptions
    # - FTP_TLS_VERIFY_CLIENT=optional # default: "optional" | http://www.proftpd.org/docs/contrib/mod_tls.html#TLSVerifyClient
    # - FTP_TLS_REQUIRED=off # default: "off" | http://www.proftpd.org/docs/contrib/mod_tls.html#TLSRequired
    # - FTP_TLS_RENEGOTIATE=required off # default: "required off" | http://www.proftpd.org/docs/contrib/mod_tls.html#TLSRenegotiate
    # - FTP_TLS_SERVER_CIPHER_PREFERENCE=on # default: "on" | http://www.proftpd.org/docs/contrib/mod_tls.html#TLSServerCipherPreference
    # - FTP_TLS_STAPLING=off # default: "off" | http://www.proftpd.org/docs/contrib/mod_tls.html#TLSStapling
    # Log settings
    # - ENABLE_LOGS=true # default: "true" [boolean] enable General Logging
    # - ENABLE_EXT_LOGS=true # default: "true" [boolean] enable Extended Logging
    # - ENABLE_SFTP_LOGS=true # default: "true" [boolean] enable sftp Logging
    # - ENABLE_TRANS_LOGS=true # default: "true" [boolean] enable transfer Logging
    # - ENABLE_SSL_TLS_LOGS=true # default: "true" [boolean] enable SSL&TLS Logging
    # - LOG_WTMP=off # default: "off" | http://www.proftpd.org/docs/modules/mod_auth.html#WtmpLog
    # - LOG_EXT_FILE=extended_sftp_read_write.log # default: "extended_sftp_read_write.log" [filename string]
    # - LOG_EXT_ATTR= # default: "" [filename string]
    # - LOG_SFTP_FILE=sftp.log # default: "sftp.log" | http://www.proftpd.org/docs/contrib/mod_sftp.html#SFTPLog
    # - LOG_TRANS_FILE=xfer.log # default: "xfer.log" | http://www.proftpd.org/docs/modules/mod_core.html#TransferLog
    # - LOG_SSL_TLS_FILE=tls.log # default: "tls.log" | http://www.proftpd.org/docs/contrib/mod_tls.html#TLSLog
    # Admin Web-UI config
    # - ADMIN_IP= # default "" | any string ip
    # - ADMIN_PORT=8003 # default "8003" | any UINT number
    # - ADMIN_PASS= # default "Hy2i3kBw4q8Z4zmNVKWHPGV5eC9roeN3" >= 32 characters
    # - ADMIN_MIN_ID=1000 # default "1000" | any UINT number
    # - ADMIN_JWT_SIGN= # default "dy8ECoA0z1aLvLqXDRjanaRSABzuzi4e" >= 32 characters | JWT Token
    # - ADMIN_JWT_ENC= # default "po35XsS8jpEIg708VV4d4TyEDBkSocUH" >= 32 characters | JWT Token
    # - ADMIN_COOKIE_TTL=86400 # default "86400"
    # - ADMIN_COOKIE_SLL=true # default "true"
    # - ADMIN_COOKIE_HTTPONLY=true # default "true"
    # - ADMIN_COOKIE_PATH=/ # default "/"
    # LOGROTATE
    # - LOGROTATE_SIZE=100M # default "100M" ([int]K, [int]M, [int]G)
    # - LOGROTATE_ROTATE=10 # default "10" [uint]
    # - LOGROTATE_MAX_AGE=15 # default "15" [uint]
  volumes:
    - "/etc/timezone:/etc/timezone:ro" # sets "/etc/timezone" to the same as the host
    - "./folder/log/:/var/log/proftpd/:rw" # folder for logs
    - "./folder/data/:/etc/proftpd/data/:rw" # folder for Config-Data
    - "/mnt/ftpusers/:/mnt/ftpusers/:rw" # folder for User-Data
  deploy:
    resources:
      limits:
        memory: 512M # adjust to your needs (be generous, as this is just max)
  restart: unless-stopped
You can also run this docker-compose with specific ports, but it is not recommended if you want to use FTP:
ports:
  - 20-21:20-21 # FTP Ports
  # Port 20 = ftp control port
  # Port 21 = ftp connection port
  - 22:22 # sFTP Port
  - 49152-65534:49152-65534 # FTP Ephemeral Ports (better choose a smaller range!)
  # ftp ephemeral port-range
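The JWT tokens used are fully encrypted and RFC7519 compliant.
Please make sure you set a unique ADMIN_JWT_SIGN and ADMIN_JWT_ENC for every installation! The default values are printed in the template above, so an installation that keeps them shares its signing and encryption keys with every other installation that did the same.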
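One way to generate and vet these secrets before the container is started, as an added example that is not part of the image or its documentation. It assumes the three ADMIN_* secrets are kept in a separate KEY=VALUE file (admin.env is a hypothetical name) that is handed to the service through Compose's env_file key; the rule that the three values must differ from each other is this example's own addition.

```shell
#!/bin/sh
# Added example: generate and vet the admin Web-UI secrets for this image.
# The three values below are the defaults printed in the template above.
PUBLISHED_DEFAULTS="Hy2i3kBw4q8Z4zmNVKWHPGV5eC9roeN3
dy8ECoA0z1aLvLqXDRjanaRSABzuzi4e
po35XsS8jpEIg708VV4d4TyEDBkSocUH"

# 32 random bytes from the kernel CSPRNG, hex-encoded: 64 characters.
gen_secret() {
    od -An -tx1 -N32 /dev/urandom | tr -dc '0-9a-f'
}

# Print the value of KEY ($1) from a KEY=VALUE env file ($2); last one wins.
env_value() {
    sed -n "s/^$1=//p" "$2" | tail -n 1
}

# Write a fresh env file ($1, e.g. the hypothetical admin.env), owner-only.
write_admin_env() {
    ( umask 077
      for key in ADMIN_PASS ADMIN_JWT_SIGN ADMIN_JWT_ENC; do
          printf '%s=%s\n' "$key" "$(gen_secret)"
      done > "$1" )
}

# Return 0 only if all three secrets are set, at least 32 characters long,
# not one of the published defaults, and different from each other.
check_admin_env() {
    seen=""
    for key in ADMIN_PASS ADMIN_JWT_SIGN ADMIN_JWT_ENC; do
        val=$(env_value "$key" "$1")
        if [ "${#val}" -lt 32 ]; then
            echo "$key: missing or shorter than 32 characters" >&2; return 1
        fi
        if printf '%s\n%s\n' "$PUBLISHED_DEFAULTS" "$seen" | grep -qxF -- "$val"; then
            echo "$key: published default or reused value" >&2; return 1
        fi
        seen=$(printf '%s\n%s' "$seen" "$val")
    done
    return 0
}
```

Run write_admin_env once per installation and check_admin_env before every deployment; keep the resulting file out of version control.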
On newer systems you explicitly need to create the file /etc/modprobe.d/iptables.conf with this content:
options nf_conntrack_ftp ports=21
(Change the port according to the port you specified. On older systems use options ip_conntrack_ftp ports=21 instead.)
Now run the command modprobe nf_conntrack_ftp, or on older systems modprobe ip_conntrack_ftp.
High ports should now open automatically and passive mode should work flawlessly.
Please keep in mind that without network_mode: host, the rules in the config may need to be altered to have the desired effect, as all requests come through the Docker network your container is in.
I personally recommend network_mode: host, as it also makes it much easier to migrate from a plain installation to this dockerized version.
If you know what you are doing, feel free to use mapped ports.
proFTPd needs public keys in the RFC4716 format.
In order to convert to this format, use this command:
ssh-keygen -e -f ~/.ssh/id_rsa.pub -m RFC4716 > ~/.ssh/id_rsa.rfc4716.pub
Alternatively, use the built-in function in the Admin Web-UI.
Create the container and have fun!
docker pull h0tmann/alpine_proftpd_db