Releases: serversideup/docker-proftpd

v1.0.2

10 Jan 17:47

🐛 Bug fix

  • Remove aggressive path deny filter

Full Changelog: v1.0.1...v1.0.2

v1.0.1

10 Jan 16:00

What's new

  • Added more security configurations to improve security out of the box

Full Changelog: v1.0.0...v1.0.1

v1.0.0

09 Jan 17:28

🥳 Initial release

Base Image

The image is based on ubuntu:24.04, providing a stable and up-to-date environment for running ProFTPD.

Features

  • ProFTPD server with MySQL authentication
  • TLS encryption support
  • Customizable configuration via environment variables
  • Self-signed SSL certificate generation
  • IP address banning (bans IP addresses for 1 hour that fail authentication 5 times in 10 minutes)
  • Native Docker health checks to ensure the server is running

Environment Variables

The following environment variables can be used to customize the ProFTPD server:

| Variable | Description | Default Value |
|---|---|---|
| FTP_DEBUG_LEVEL | Sets the debug level for ProFTPD | 0 |
| FTP_LOG_LEVEL | Sets the syslog level for ProFTPD | warn |
| FTP_MASQUERADE_ADDRESS | IP address or hostname for passive mode connections | - |
| FTP_PASSIVE_PORT_RANGE_START | Start of the passive port range | 60000 |
| FTP_PASSIVE_PORT_RANGE_END | End of the passive port range | 60100 |
| FTP_SQL_USERS_TABLE | MySQL table to authenticate users against | ftpusers |
| FTP_TLS_CERTIFICATE_FILE | SSL certificate file | /etc/ssl/ftp/proftpd.crt |
| FTP_TLS_CERTIFICATE_KEY_FILE | SSL certificate key file | /etc/ssl/ftp/proftpd.key |
| FTP_TLS_REQUIRED | Require TLS | off |
| FTP_TLS_WAIT_FOR_CERTIFICATE | Wait for the SSL certificate to be generated (helpful if you're using something like Let's Encrypt to generate the certificate) | false |
| FTP_TLS_WAIT_TIMEOUT | Timeout for waiting for the SSL certificate to be generated | 60 |
| MYSQL_DATABASE | MySQL database name | ftpdb |
| MYSQL_HOST | MySQL host | mysql |
| MYSQL_PASSWORD | MySQL password | ftppassword |
| MYSQL_PORT | MySQL port | 3306 |
| MYSQL_USER | MySQL user | ftpuser |

Build Defaults

The following build arguments are used during the image build process:

| Build Argument | Description | Value |
|---|---|---|
| FTP_USER | The user under which ProFTPD will run | proftpd_user |
| FTP_GROUP | The group under which ProFTPD will run | nogroup |
| FTP_SSL_CERTS_DIR | Directory for SSL certificates | /etc/ssl/ftp |
| FTP_USERS_DIR | Base directory for user homes | /var/ftp/users |

Usage

If you want to use Let's Encrypt with ProFTPD + CloudFlare + MySQL authentication, you can also include our other image serversideup/certbot-dns-cloudflare to automatically generate the SSL certificates and share them with the ProFTPD container.

Here is a full example configuration of how to use the ProFTPD image with Let's Encrypt. Just set the environment variables to match your setup and you're good to go:

services:
  certbot:
    image: serversideup/certbot-dns-cloudflare:latest
    volumes:
      - certbot_data:/etc/letsencrypt
    environment:
      CLOUDFLARE_API_TOKEN: "${CERTBOT_CLOUDFLARE_API_TOKEN}"
      CERTBOT_EMAIL: "${CERTBOT_EMAIL}"
      CERTBOT_DOMAINS: "${FTP_SERVER}"
      CERTBOT_KEY_TYPE: "rsa"
      PUID: "999"
      PGID: "999"
  ftp:
    image: <proftpd-image>:<tag> # placeholder: the image reference is not given on this page
    volumes:
      - ftp_data:/var/ftp/users
      - ftp_logs:/var/log/proftpd
      - certbot_data:/etc/letsencrypt
    environment:
      FTP_DEBUG_LEVEL: "0" # 0-10 (10 = most verbose)
      FTP_LOG_LEVEL: "info" # debug, info, warn, error
      FTP_MASQUERADE_ADDRESS: "${FTP_SERVER}"
      FTP_PASSIVE_PORT_RANGE_START: "60000"
      FTP_PASSIVE_PORT_RANGE_END: "60049"
      FTP_SQL_USERS_TABLE: "users"
      FTP_TLS_CERTIFICATE_FILE: "/etc/letsencrypt/live/${FTP_SERVER}/fullchain.pem"
      FTP_TLS_CERTIFICATE_KEY_FILE: "/etc/letsencrypt/live/${FTP_SERVER}/privkey.pem"
      FTP_TLS_REQUIRED: "on"
      FTP_TLS_WAIT_FOR_CERTIFICATE: "true"
      MYSQL_DATABASE: "${FTPUSER_DATABASE}"
      MYSQL_HOST: "${FTPUSER_HOST}"
      MYSQL_PASSWORD: "${FTPUSER_PASSWORD}"
      MYSQL_PORT: "${FTPUSER_PORT}"
      MYSQL_USER: "${FTPUSER_USERNAME}"
    depends_on:
      - certbot
    ports:
      - target: 21
        published: 21
        protocol: tcp
        mode: host
      - target: 990
        published: 990
        protocol: tcp
        mode: host
      - target: 60000
        published: 60000
        protocol: tcp
        mode: host
      - target: 60001
        published: 60001
        protocol: tcp
        mode: host
      - target: 60002
        published: 60002
        protocol: tcp
        mode: host
volumes:
  ftp_logs:
  ftp_data:
  certbot_data:

Make sure to replace the MySQL connection details with your own.

Configuration

The ProFTPD configuration file (proftpd.conf) is included in the image. It sets up the following:

  • FTP and FTPS (TLS) support
  • MySQL authentication
  • Passive port range: 60000-60100
  • TLS Protocol: TLSv1.2 and TLSv1.3
  • Logging configuration
  • Home directory creation for users
  • Anonymous access disabled
  • IP address banning (bans IP addresses for 1 hour that fail authentication 5 times in 10 minutes)

You can modify the proftpd.conf file to further customize the ProFTPD server according to your needs.

Security Considerations

  • The image generates a self-signed SSL certificate for FTPS. For production use, replace it with a valid SSL certificate.
  • Use strong passwords for MySQL authentication.
  • Review and adjust the proftpd.conf file to match your security requirements.
  • Consider using Docker secrets or a secure method to pass sensitive information like database credentials.
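
The considerations above can be checked before deployment. The following is an added example, not code from this project: audit() is a hypothetical helper that compares a container's environment and published ports with the defaults in the Environment Variables table. The sample input is constructed and modelled on the compose example above; the hostname and password in it are placeholders.

```python
# Added example: lint a docker-proftpd deployment against the documented defaults.
# DEFAULTS is copied from the Environment Variables table; audit() is hypothetical.
DEFAULTS = {
    "FTP_PASSIVE_PORT_RANGE_START": "60000",
    "FTP_PASSIVE_PORT_RANGE_END": "60100",
    "FTP_TLS_CERTIFICATE_FILE": "/etc/ssl/ftp/proftpd.crt",
    "FTP_TLS_REQUIRED": "off",
    "MYSQL_PASSWORD": "ftppassword",
}
CONTROL_PORTS = {21, 990}  # control ports published in the compose example


def audit(env, published_ports):
    """Return findings for a container's environment and its published TCP ports."""
    cfg = {**DEFAULTS, **env}  # unset variables fall back to the image defaults
    findings = []
    if cfg["FTP_TLS_REQUIRED"].strip().lower() != "on":
        findings.append("FTP_TLS_REQUIRED is not 'on': clients may log in over plain FTP")
    if cfg["FTP_TLS_CERTIFICATE_FILE"] == DEFAULTS["FTP_TLS_CERTIFICATE_FILE"]:
        findings.append("default certificate path: unless replaced, this is the self-signed certificate")
    if cfg["MYSQL_PASSWORD"] == DEFAULTS["MYSQL_PASSWORD"]:
        findings.append("MYSQL_PASSWORD is the documented default")
    try:
        start = int(cfg["FTP_PASSIVE_PORT_RANGE_START"])
        end = int(cfg["FTP_PASSIVE_PORT_RANGE_END"])
    except ValueError:
        return findings + ["passive port range is not numeric"]
    if not 1 <= start <= end <= 65535:
        return findings + [f"invalid passive port range {start}-{end}"]
    published = set(published_ports)
    missing = [p for p in range(start, end + 1) if p not in published]
    if missing:
        findings.append(f"{len(missing)} passive ports not published (between {missing[0]} "
                        f"and {missing[-1]}): data connections there cannot reach the server")
    extra = sorted(published - CONTROL_PORTS - set(range(start, end + 1)))
    if extra:
        findings.append(f"published ports outside the passive range: {extra}")
    return findings


# Constructed sample modelled on the compose example above.
SAMPLE_ENV = {
    "FTP_PASSIVE_PORT_RANGE_START": "60000",
    "FTP_PASSIVE_PORT_RANGE_END": "60049",
    "FTP_TLS_CERTIFICATE_FILE": "/etc/letsencrypt/live/ftp.example.test/fullchain.pem",
    "FTP_TLS_REQUIRED": "on",
    "MYSQL_PASSWORD": "constructed-not-default",
}
SAMPLE_PORTS = [21, 990, 60000, 60001, 60002]

if __name__ == "__main__":
    for finding in audit(SAMPLE_ENV, SAMPLE_PORTS):
        print("-", finding)
```

Every port in the configured passive range needs a matching published port; otherwise narrow the range to the ports you actually publish.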