Merge pull request hestiacp#1089 from skullwritter/patch-1

jaapmarcus · web-flow · commit 62774d84e73b · 2020-08-29T10:45:38.000+02:00
Add Proftpd TLS configs
diff --git a/install/deb/proftpd/proftpd.conf b/install/deb/proftpd/proftpd.conf
@@ -4,6 +4,8 @@ ServerAdmin                     root@localhost
 DefaultServer                   on
 DefaultRoot                  ~ !adm
 
+Include /etc/proftpd/tls.conf
+
 <IfModule mod_vroot.c>
     VRootEngine                 on
     VRootAlias                  /etc/security/pam_env.conf etc/security/pam_env.conf
diff --git a/install/deb/proftpd/tls.conf b/install/deb/proftpd/tls.conf
@@ -0,0 +1,63 @@
+#
+# Proftpd sample configuration for FTPS connections.
+#
+# Note that FTPS impose some limitations in NAT traversing.
+# See http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-TLS.html
+# for more information.
+#
+<IfModule mod_dso.c>
+    # If mod_tls was built as a shared/DSO module, load it
+    LoadModule mod_tls.c
+</IfModule>
+<IfModule mod_tls.c>
+TLSEngine                               on
+TLSLog                                  /var/log/proftpd/tls.log
+# this is an example of protocols, proftp works witl all, but use only the most secure ones like TLSv1.1 and TLSv1.2
+TLSProtocol                             TLSv1.1 TLSv1.2
+#
+# Server SSL certificate. You can generate a self-signed certificate using
+# a command like:
+#
+# openssl req -x509 -newkey rsa:1024 \
+#          -keyout /etc/ssl/private/proftpd.key -out /etc/ssl/certs/proftpd.crt \
+#          -nodes -days 365
+#
+# The proftpd.key file must be readable by root only. The other file can be
+# readable by anyone.
+#
+# chmod 0600 /etc/ssl/private/proftpd.key
+# chmod 0640 /etc/ssl/private/proftpd.key
+#
+TLSRSACertificateFile                   /usr/local/hestia/ssl/certificate.crt
+TLSRSACertificateKeyFile                /usr/local/hestia/ssl/certificate.key
+#
+# CA the server trusts...
+#TLSCACertificateFile                    /etc/ssl/certs/CA.pem
+# ...or avoid CA cert and be verbose
+#TLSOptions                      NoCertRequest EnableDiags
+# ... or the same with relaxed session use for some clients (e.g. FireFtp)
+#TLSOptions                      NoCertRequest EnableDiags NoSessionReuseRequired
+#
+#
+# Per default drop connection if client tries to start a renegotiate
+# This is a fix for CVE-2009-3555 but could break some clients.
+#
+#TLSOptions                                                     AllowClientRenegotiations
+#
+TLSOptions                       NoSessionReuseRequired AllowClientRenegotiations
+# Authenticate clients that want to use FTP over TLS?
+#
+#TLSVerifyClient                         off
+#
+# Are clients required to use FTP over TLS when talking to this server?
+#
+TLSRequired                             off
+#
+# Allow SSL/TLS renegotiations when the client requests them, but
+# do not force the renegotations.  Some clients do not support
+# SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
+# clients will close the data connection, or there will be a timeout
+# on an idle data connection.
+#
+TLSRenegotiate                          required off
+</IfModule>
