proftpd: add FTPS and SFTP support
This commit is contained in:
parent
af896fe1fc
commit
2c874afb3c
|
@ -31,6 +31,7 @@ The **patch** part changes incrementally at each release.
|
|||
* redis: add a variable for renamed/disabled commands
|
||||
* redis: add a variable to disable the restart handler
|
||||
* redis: add a variable to force a restart (even with no change)
|
||||
* proftpd: add FTPS and SFTP support
|
||||
|
||||
### Changed
|
||||
* redis: distinction between main and master password
|
||||
|
|
|
@ -2,6 +2,13 @@
|
|||
proftpd_hostname: "{{ ansible_hostname }}"
|
||||
proftpd_fqdn: "{{ ansible_fqdn }}"
|
||||
proftpd_default_address: []
|
||||
proftpd_port: "21"
|
||||
proftpd_ftp_enable: True
|
||||
proftpd_port: 21
|
||||
proftpd_ftps_enable: False
|
||||
proftpd_ftps_port: 990
|
||||
proftpd_ftps_cert: "/etc/ssl/certs/ssl-cert-snakeoil.pem"
|
||||
proftpd_ftps_key: "/etc/ssl/private/ssl-cert-snakeoil.key"
|
||||
proftpd_sftp_enable: False
|
||||
proftpd_sftp_port: 2222
|
||||
proftpd_accounts: []
|
||||
proftpd_accounts_final: []
|
||||
|
|
|
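Review bot: The new `proftpd_ftps_cert` / `proftpd_ftps_key` defaults point at the Debian `ssl-cert-snakeoil` pair and nothing in the file says so; a reader of the defaults has no hint that this is a self-signed placeholder that must be overridden per host before FTPS is enabled. I would put a comment above `proftpd_ftps_cert`: `# Self-signed placeholder from the ssl-cert package; override with the host's real certificate and key before enabling FTPS`. The switch of `proftpd_port` from `"21"` to `21` makes the three port variables consistently integers, which is fine, but consumers that compared the old string value may now see a different type — worth one line in the changelog.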
@ -25,7 +25,7 @@
|
|||
tags:
|
||||
- proftpd
|
||||
|
||||
- name: Allow FTP account
|
||||
- name: Allow FTP account (FTP)
|
||||
lineinfile:
|
||||
dest: /etc/proftpd/conf.d/z-evolinux.conf
|
||||
state: present
|
||||
|
@ -33,5 +33,30 @@
|
|||
insertbefore: "DenyAll"
|
||||
with_items: "{{ proftpd_accounts_final }}"
|
||||
notify: restart proftpd
|
||||
when: proftpd_ftp_enable
|
||||
tags:
|
||||
- proftpd
|
||||
|
||||
- name: Allow FTP account (FTPS)
|
||||
lineinfile:
|
||||
dest: /etc/proftpd/conf.d/ftps.conf
|
||||
state: present
|
||||
line: "\tAllowUser {{ item.name }}"
|
||||
insertbefore: "DenyAll"
|
||||
with_items: "{{ proftpd_accounts_final }}"
|
||||
notify: restart proftpd
|
||||
when: proftpd_ftps_enable
|
||||
tags:
|
||||
- proftpd
|
||||
|
||||
- name: Allow FTP account (SFTP)
|
||||
lineinfile:
|
||||
dest: /etc/proftpd/conf.d/sftp.conf
|
||||
state: present
|
||||
line: "\tAllowUser {{ item.name }}"
|
||||
insertbefore: "DenyAll"
|
||||
with_items: "{{ proftpd_accounts_final }}"
|
||||
notify: restart proftpd
|
||||
when: proftpd_sftp_enable
|
||||
tags:
|
||||
- proftpd
|
||||
|
|
|
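Review bot: The new FTPS and SFTP account tasks, like the FTP one above them, only ever add lines (`state: present` with `insertbefore: "DenyAll"`), so an account removed from `proftpd_accounts_final` keeps its `AllowUser` entry in `ftps.conf` and `sftp.conf` and can still log in; revocation has to be done by hand on every host. Rendering the whole `<Limit LOGIN>` block from the account list (a template or `blockinfile`) would make removals converge the same way additions do. The three tasks also differ only in `dest` and `when`; a single task looping over the enabled protocol configs paired with the accounts would keep them from drifting apart.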
@ -15,13 +15,36 @@
|
|||
tags:
|
||||
- proftpd
|
||||
|
||||
- name: local jail is installed
|
||||
- name: FTP jail is installed
|
||||
template:
|
||||
src: evolinux.conf.j2
|
||||
dest: /etc/proftpd/conf.d/z-evolinux.conf
|
||||
mode: "0644"
|
||||
force: no
|
||||
notify: restart proftpd
|
||||
when: proftpd_ftp_enable
|
||||
tags:
|
||||
- proftpd
|
||||
|
||||
- name: FTPS jail is installed
|
||||
template:
|
||||
src: ftps.conf.j2
|
||||
dest: /etc/proftpd/conf.d/ftps.conf
|
||||
mode: "0644"
|
||||
force: no
|
||||
notify: restart proftpd
|
||||
when: proftpd_ftps_enable
|
||||
tags:
|
||||
- proftpd
|
||||
|
||||
- name: SFTP jail is installed
|
||||
template:
|
||||
src: sftp.conf.j2
|
||||
dest: /etc/proftpd/conf.d/sftp.conf
|
||||
mode: "0644"
|
||||
force: no
|
||||
notify: restart proftpd
|
||||
when: proftpd_sftp_enable
|
||||
tags:
|
||||
- proftpd
|
||||
|
||||
|
|
|
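Review bot: Turning `proftpd_ftps_enable` or `proftpd_sftp_enable` back off only skips the template task; the `ftps.conf` / `sftp.conf` already in `/etc/proftpd/conf.d/` stay in place and the extra listeners keep running, so the flag cannot be used to close a port once it has been opened. Because every template uses `force: no`, a later change to `proftpd_ftps_cert`, `proftpd_ftps_key` or the ports is also never written out; that is presumably deliberate to protect local edits, but it deserves a comment on the task (`# force: no — rendered once, local edits are preserved; variable changes are not re-applied`). I would add a removal task per protocol, shown here for FTPS with the SFTP one analogous:
```yaml
- name: FTPS jail is removed
  file:
    path: /etc/proftpd/conf.d/ftps.conf
    state: absent
  notify: restart proftpd
  when: not proftpd_ftps_enable
  tags:
    - proftpd
```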
@ -0,0 +1,33 @@
|
|||
<IfModule !mod_tls.c>
|
||||
LoadModule mod_tls.c
|
||||
</IfModule>
|
||||
|
||||
<VirtualHost 0.0.0.0>
|
||||
TLSEngine on
|
||||
TLSLog /var/log/proftpd/ftps.log
|
||||
TLSProtocol TLSv1
|
||||
|
||||
TLSRSACertificateFile {{ proftpd_ftps_cert }}
|
||||
TLSRSACertificateKeyFile {{ proftpd_ftps_key }}
|
||||
|
||||
#TLSOptions AllowClientRenegotiations
|
||||
|
||||
TLSOptions AllowPerUser
|
||||
TLSVerifyClient off
|
||||
TLSRequired off
|
||||
|
||||
TLSRenegotiate required off
|
||||
TLSOptions NoSessionReuseRequired
|
||||
|
||||
RequireValidShell off
|
||||
Port {{ proftpd_ftps_port }}
|
||||
AuthUserFile /etc/proftpd/vpasswd
|
||||
DefaultRoot ~
|
||||
|
||||
PassivePorts 60000 61000
|
||||
|
||||
<Limit LOGIN>
|
||||
AllowGroup ftpusers
|
||||
DenyAll
|
||||
</Limit>
|
||||
</VirtualHost>
|
|
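Review bot: `TLSProtocol TLSv1` in the new vhost enables TLS 1.0 only — in mod_tls each version is a separate keyword, so TLS 1.1/1.2 are excluded rather than included — and `TLSRequired off` lets a client on `proftpd_ftps_port` log in without ever issuing `AUTH TLS`, so the `AuthUserFile` password can cross the wire in clear; on a vhost that exists to provide FTPS both look inverted. I would change them to `TLSProtocol TLSv1.2` (or `TLSv1.1 TLSv1.2` on older builds) and `TLSRequired on`. Port 990 is conventionally implicit FTPS, but nothing here sets `TLSOptions UseImplicitSSL`, so clients expecting implicit TLS on the default port will presumably fail to connect — confirm which mode is intended and either add the option or add a comment stating this is explicit FTPS on 990. The `PassivePorts 60000 61000` range also needs to be opened on the host firewall, worth a comment next to the directive.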
@ -0,0 +1,28 @@
|
|||
<IfModule !mod_tls.c>
|
||||
LoadModule mod_tls.c
|
||||
</IfModule>
|
||||
|
||||
<IfModule !mod_sftp.c>
|
||||
LoadModule mod_sftp.c
|
||||
</IfModule>
|
||||
|
||||
<VirtualHost 0.0.0.0>
|
||||
SFTPEngine on
|
||||
Port {{ proftpd_sftp_port }}
|
||||
DefaultRoot ~
|
||||
|
||||
SFTPLog /var/log/proftpd/sftp.log
|
||||
|
||||
SFTPAuthMethods password
|
||||
SFTPHostKey /etc/ssh/ssh_host_ecdsa_key
|
||||
SFTPHostKey /etc/ssh/ssh_host_rsa_key
|
||||
|
||||
RequireValidShell off
|
||||
|
||||
AuthUserFile /etc/proftpd/vpasswd
|
||||
|
||||
<Limit LOGIN>
|
||||
AllowGroup ftpusers
|
||||
DenyAll
|
||||
</Limit>
|
||||
</VirtualHost>
|
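Review bot: `SFTPHostKey /etc/ssh/ssh_host_ecdsa_key` and `/etc/ssh/ssh_host_rsa_key` hand the OpenSSH server's private host keys to proftpd, so the SFTP vhost on `proftpd_sftp_port` presents the same identity as sshd and a compromise of either daemon exposes the other's host key; mod_sftp also refuses key files it finds group- or world-readable, which the role never checks, and depending on versions may not read keys in the newer OpenSSH private-key format. Generating dedicated keys under a role-managed path (constructed example: `/etc/proftpd/ssh_host_rsa_key`) would keep the two services separate. `SFTPAuthMethods password` restricts logins to passwords from `AuthUserFile`; if that is intended, a comment saying key-based auth is deliberately unsupported would help, otherwise `publickey` can be listed alongside. The leading `<IfModule !mod_tls.c>` block loads mod_tls in an SFTP-only config, presumably copied from the FTPS template rather than required — confirm and drop it if so.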