reviewing var names, adding file volume for /etc/proftpd/tls.conf

ebarault · Oct 4, 2017 · 5876e39 · 5876e39
1 parent 5bc3a10
commit 5876e39
Show file tree

Hide file tree

Showing 15 changed files with 72 additions and 37 deletions.
diff --git a/.env.tpl b/.env.tpl
@@ -8,8 +8,9 @@ LOGS=           # /path/to/log/dir, optional, defaults to /var/log/proftpd
 SALT=           # /path/to/salt/dir, optional, defaults to `./salt`
 MASQ_ADDR=			#	ipv4_addr, hostname or "AWS", optional
 
-MOD_SSL=        # ON/OFF, activate/deactivate module mod_tls, optional, defaults to OFF
-SSL_CERTS=      # /path/to/ssl/certs/dir, optional, defaults to `./ssl`
+MOD_TLS=        # ON/OFF, activate/deactivate module mod_tls, optional, defaults to OFF
+MOD_TLS_CONF=		# /path/to/tls.conf configuration file, defaults to ./tls.conf
+CERTS=      		# /path/to/tls/certs/dir, optional, defaults to `./certs`
 
 MOD_EXEC=       # ON/OFF, activate/deactivate module mod_exec, optional, defaults to OFF
 MOD_EXEC_CONF=  # /path/to/mod/exec/dir, optional, defaults to `./exec`

diff --git a/.gitignore b/.gitignore
@@ -2,3 +2,5 @@
 *.pem
 salt/*
 !salt/.gitkeep
+var_log_proftpd
+data_ftp_root
diff --git a/Dockerfile b/Dockerfile
@@ -40,12 +40,15 @@ VOLUME /var/log/proftpd
 # FTP ROOT
 VOLUME /srv/ftp
 
-# SSL CERTS
-VOLUME /etc/proftpd/ssl
+# TLS CERTS
+VOLUME /etc/proftpd/certs
 
 # SQL PASSWORD SALT
 VOLUME /etc/proftpd/salt
 
+# OVERRIDING MOD TLS CONF
+VOLUME /etc/proftpd/tls.conf
+
 # MOD EXEC CONF
 VOLUME /etc/proftpd/exec
 

diff --git a/Dockerfile-alpine b/Dockerfile-alpine
@@ -48,12 +48,15 @@ VOLUME /var/log/proftpd
 # FTP ROOT
 VOLUME /srv/ftp
 
-# SSL CERTS
-VOLUME /etc/proftpd/ssl
+# TLS CERTS
+VOLUME /etc/proftpd/certs
 
 # SQL PASSWORD SALT
 VOLUME /etc/proftpd/salt
 
+# OVERRIDING MOD TLS CONF
+VOLUME /etc/proftpd/tls.conf
+
 # MOD EXEC CONF
 VOLUME /etc/proftpd/exec
 

diff --git a/Makefile b/Makefile
@@ -14,8 +14,8 @@ run:
 		-v $$FTP_ROOT:/srv/ftp \
 		-v $$LOGS:/var/log/proftpd \
 		-v $$(pwd)/salt:/etc/proftpd/salt \
-		-e MOD_SSL=ON \
-		-v $$(pwd)/ssl:/etc/proftpd/ssl \
+		-e MOD_TLS=ON \
+		-v $$(pwd)/certs:/etc/proftpd/certs \
 		-e MOD_EXEC=ON \
 		-v $$(pwd)/exec:/etc/proftpd/exec \
 		-e MOD_VROOT=ON \

diff --git a/README.md b/README.md
@@ -24,8 +24,9 @@ The required/optional parameters are described here after:
 - **FTP_ROOT**: /path/to/ftp/root, optional, defaults to /data/ftp_root
 - **LOGS**: /path/to/log/dir, optional, defaults to /var/log/proftpd
 - **SALT**: /path/to/salt/dir, optional, defaults to `./salt`
-- **MOD_SSL**: ON/OFF, activate/deactivate module mod_tls, optional, defaults to OFF
-- **SSL_CERTS**: /path/to/ssl/certs/dir, optional, defaults to `./ssl`
+- **MOD_TLS**: ON/OFF, activate/deactivate module mod_tls, optional, defaults to OFF
+- **MOD_TLS_CONF**: /path/to/mod/tls/conf/file, optional, defaults to included tls.conf
+- **CERTS**: /path/to/tls/certs/dir, optional, defaults to `./certs`
 - **MOD_EXEC**: ON/OFF, activate/deactivate module mod_exec, optional, defaults to OFF
 - **MOD_EXEC_CONF**: /path/to/mod/exec/dir, optional, defaults to `./exec`
 - **MOD_VROOT**: ON/OFF, activate/desactivate module_vroot, optional, default to OFF
@@ -77,11 +78,17 @@ The `SALT` env var let you define the directory where the `.salt` file is stored
 
 To generate an encrypted password use the following command:
 ```sh
-{ echo -n myPassword; echo -n $(cat .salt); } | openssl dgst -binary -sha256 | openssl enc -base64 -A
+{ echo -n myPassword; echo -n $(cat salt/.salt); } | openssl dgst -binary -sha256 | openssl enc -base64 -A
 ```
 
 where `.salt` is a file containing the **salt**.
 
+The helper script `genpass.sh` is also provided in this distribution:
+The usage is as follows:
+```sh
+package -s path/to/salt password
+```
+
 ### Server address masquerading
 The server can be instructed to send back to the client a specified IP address, or hostname. This is useful when dealing with NAT gateways, or boad balancers where passive mode is required.
 
@@ -94,9 +101,9 @@ The ftp root (home for all user's directories) can be configured using the `FTP_
 The ftp root (home for all user's directories) can be configured using the `LOGS` env variable. Otherwise it default to the directory `/var/log/proftpd` of the docker's host.
 
 ### Module mod_tls
-When enabling the module with env var MOD_EXEC=ON, a SSL certificate `proftpd.cert.pem` and it's key file `proftpd.key.pem` should be provided.
+When enabling the module with env var MOD_TLS=ON, a module configuration file and associated certificates should be provided as binded volumes. Default included configuration expects a self-signed TLS certificate `proftpd.cert.pem` and it's key file `proftpd.key.pem`.
 
-These file should be stored in a directory accessible by the docker image, whose path is to be provided as the `SSL_CERTS` env var.
+Certificates should be stored in a directory accessible by the docker image, whose path is to be provided as the `CERTS` env var.
 
 ### Module mod_exec
 When enabling the module with env var MOD_EXEC=ON, a `exec.conf` file containing the module configuration should be provided, as per the [module's documentation](http://www.proftpd.org/docs/contrib/mod_exec.html).
@@ -141,14 +148,15 @@ Following the previous sections, a number a env vars and volumes needs to be spe
   - `FTP_DB_USER`
   - `FTP_DB_PASS`
   - `MASQ_ADDR`
-  - `MOD_SSL`
+  - `MOD_TLS`
   - `MOD_EXEC`
   - `MOD_VROOT`
 - **Volumes**:
   - **/srv/ftp** (_ftp root containing users' homes_)
   - **/var/log/proftpd** (_server's logs_)
   - **/etc/proftpd/salt** (_dir containing `.salt` file_)
-  - **/etc/proftpd/ssl** (_dir containing server's certificates_)
+  - **/etc/proftpd/tls.conf** (_mod_tls config file_)
+  - **/etc/proftpd/certs** (_dir containing server's certificates_)
   - **/etc/proftpd/exec** (_dir containing server's mod_exec conf and scripts_)
   - **/etc/proftpd/vroot** (_dir containing server's mod_vroot conf_)
 
@@ -167,8 +175,9 @@ docker run --name proftpd --net=host \
   -v /data/ftp_root:/srv/ftp \
   -v /var/log/proftpd:/var/log/proftpd \
   -v $(pwd)/salt:/etc/proftpd/salt \
-  -e MOD_SSL=ON \
-  -v $(pwd)/ssl:/etc/proftpd/ssl \
+  -e MOD_TLS=ON \
+  -v $(pwd)/tls.conf:/etc/proftpd/tls.conf \
+  -v $(pwd)/certs:/etc/proftpd/certs \
   -e MOD_EXEC=ON \
   -v $(pwd)/exec:/etc/proftpd/exec \
   -e MOD_VROOT=ON \

diff --git a/ssl/.gitkeep → certs/.gitkeep b/ssl/.gitkeep → certs/.gitkeep
diff --git a/docker-compose-alpine-image.yml b/docker-compose-alpine-image.yml
@@ -1,6 +1,7 @@
 version: '3.2'
 services:
   proftpd:
+    container_name: proftpd
     env_file: .env
     image: ebarault/proftpd-docker:alpine-latest
     network_mode: host
@@ -12,8 +13,11 @@ services:
         source: "${FTP_ROOT:-/data/ftp_root}"
         target: /srv/ftp
       - type: bind
-        source: "${SSL_CERTS:-./ssl}"
-        target: /etc/proftpd/ssl
+        source: "${MOD_TLS_CONF:-./tls.conf}"
+        target: /etc/proftpd/tls.conf
+      - type: bind
+        source: "${CERTS:-./certs}"
+        target: /etc/proftpd/certs
       - type: bind
         source: "${MOD_EXEC_CONF:-./exec}"
         target: "/etc/proftpd/exec"

diff --git a/docker-compose-alpine.yml b/docker-compose-alpine.yml
@@ -1,6 +1,7 @@
 version: '3.2'
 services:
   proftpd:
+    container_name: proftpd
     env_file: .env
     build:
       context: ./
@@ -14,8 +15,11 @@ services:
         source: "${FTP_ROOT:-/data/ftp_root}"
         target: /srv/ftp
       - type: bind
-        source: "${SSL_CERTS:-./ssl}"
-        target: /etc/proftpd/ssl
+        source: "${MOD_TLS_CONF:-./tls.conf}"
+        target: /etc/proftpd/tls.conf
+      - type: bind
+        source: "${CERTS:-./certs}"
+        target: /etc/proftpd/certs
       - type: bind
         source: "${MOD_EXEC_CONF:-./exec}"
         target: "/etc/proftpd/exec"

diff --git a/docker-compose-image.yml b/docker-compose-image.yml
@@ -1,6 +1,7 @@
 version: '3.2'
 services:
   proftpd:
+    container_name: proftpd
     env_file: .env
     image: ebarault/proftpd-docker:latest
     network_mode: host
@@ -12,8 +13,11 @@ services:
         source: "${FTP_ROOT:-/data/ftp_root}"
         target: /srv/ftp
       - type: bind
-        source: "${SSL_CERTS:-./ssl}"
-        target: /etc/proftpd/ssl
+        source: "${MOD_TLS_CONF:-./tls.conf}"
+        target: /etc/proftpd/tls.conf
+      - type: bind
+        source: "${CERTS:-./certs}"
+        target: /etc/proftpd/certs
       - type: bind
         source: "${MOD_EXEC_CONF:-./exec}"
         target: "/etc/proftpd/exec"

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -1,6 +1,7 @@
 version: '3.2'
 services:
   proftpd:
+    container_name: proftpd
     env_file: .env
     build: .
     network_mode: host
@@ -12,8 +13,11 @@ services:
         source: "${FTP_ROOT:-/data/ftp_root}"
         target: /srv/ftp
       - type: bind
-        source: "${SSL_CERTS:-./ssl}"
-        target: /etc/proftpd/ssl
+        source: "${MOD_TLS_CONF:-./tls.conf}"
+        target: /etc/proftpd/tls.conf
+      - type: bind
+        source: "${CERTS:-./certs}"
+        target: /etc/proftpd/certs
       - type: bind
         source: "${MOD_EXEC_CONF:-./exec}"
         target: "/etc/proftpd/exec"

diff --git a/entrypoint.sh b/entrypoint.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 
-PROFTPD_ARGS="-DMOD_EXEC=$MOD_EXEC -DMOD_SSL=$MOD_SSL -DMOD_VROOT=$MOD_VROOT"
+PROFTPD_ARGS="-DMOD_EXEC=$MOD_EXEC -DMOD_TLS=$MOD_TLS -DMOD_VROOT=$MOD_VROOT"
 
 if [ "$MASQ_ADDR" = "AWS" ]; then
 	MASQ_ADDR=`curl -f -s http://169.254.169.254/latest/meta-data/public-ipv4`

diff --git a/genpass.sh b/genpass.sh
@@ -8,8 +8,8 @@ function help {
   echo "password formula is: [ SHA256( SALT + password ) ].hex64"
   echo " "
   echo "usage:"
-  echo "$package -s salt/.sh password"
-  echo "$package --salt salt/.sh password"
+  echo "$package -s path/to/salt password"
+  echo "$package --salt path/to/salt password"
 }
 
 
@@ -21,7 +21,7 @@ if [ "${1}" != '-s' ] && [ "${1}" != '-h' ]; then
   echo " "
   echo "Please specify the path to the salt file"
   echo " "
-  echo "Example : $package -s salt/.sh password"
+  echo "Example : $package -s path/to/salt password"
   echo " "
   exit -1
 else

diff --git a/proftpd.conf b/proftpd.conf
@@ -49,7 +49,7 @@ SystemLog           /var/log/proftpd/proftpd.log
   CreateHome          on dirmode 755
   TransferLog         /var/log/proftpd/xferlog.log
   WtmpLog             off
-  
+
   AllowForeignAddress on
 
 
@@ -81,7 +81,7 @@ SystemLog           /var/log/proftpd/proftpd.log
 
 Include /etc/proftpd/sql.conf
 
-<IfDefine MOD_SSL=ON>
+<IfDefine MOD_TLS=ON>
   Include /etc/proftpd/tls.conf
 </IfDefine>
 

diff --git a/tls.conf b/tls.conf
@@ -1,7 +1,8 @@
+# adapt this file to match your needs and bind it as a volume on /etc/proftpd/tls.conf
+
 <IfModule mod_tls.c>
   TLSEngine on
   TLSLog /var/log/proftpd/tls.log
-  #TLSOptions NoCertRequest
 
   # Support both SSLv3 and TLSv1
   TLSProtocol SSLv3 TLSv1
@@ -10,15 +11,15 @@
   TLSRequired on
 
   # Server's RSA certificate
-  TLSRSACertificateFile /etc/proftpd/ssl/proftpd.cert.pem
-  TLSRSACertificateKeyFile /etc/proftpd/ssl/proftpd.key.pem
+  TLSRSACertificateFile /etc/proftpd/certs/proftpd.cert.pem
+  TLSRSACertificateKeyFile /etc/proftpd/certs/proftpd.key.pem
 
   # Server's EC certificate
-  # TLSECCertificateFile /etc/ftpd/server-ec.cert.pem
-  # TLSECCertificateKeyFile /etc/ftpd/server-ec.key.pem
+  # TLSECCertificateFile /etc/proftpd/certs/proftpd-ec.cert.pem
+  # TLSECCertificateKeyFile /etc/proftpd/certs/proftpd-ec.key.pem
 
   # CA the server trusts
-  # TLSCACertificateFile /etc/ftpd/root.cert.pem
+  # TLSCACertificateFile /etc/proftpd/certs/proftpd.root.cert.pem
 
   # Authenticate clients that want to use FTP over TLS?
   TLSVerifyClient off