proftpd: add FTPS and SFTP support
This commit is contained in:
parent
af896fe1fc
commit
2c874afb3c
|
@ -31,6 +31,7 @@ The **patch** part changes incrementally at each release.
|
||||||
* redis: add a variable for renamed/disabled commands
|
* redis: add a variable for renamed/disabled commands
|
||||||
* redis: add a variable to disable the restart handler
|
* redis: add a variable to disable the restart handler
|
||||||
* redis: add a variable to force a restart (even with no change)
|
* redis: add a variable to force a restart (even with no change)
|
||||||
|
* proftpd: add FTPS and SFTP support
|
||||||
|
|
||||||
### Changed
|
### Changed
|
||||||
* redis: distinction between main and master password
|
* redis: distinction between main and master password
|
||||||
|
|
|
@ -2,6 +2,13 @@
|
||||||
proftpd_hostname: "{{ ansible_hostname }}"
|
proftpd_hostname: "{{ ansible_hostname }}"
|
||||||
proftpd_fqdn: "{{ ansible_fqdn }}"
|
proftpd_fqdn: "{{ ansible_fqdn }}"
|
||||||
proftpd_default_address: []
|
proftpd_default_address: []
|
||||||
proftpd_port: "21"
|
proftpd_ftp_enable: True
|
||||||
|
proftpd_port: 21
|
||||||
|
proftpd_ftps_enable: False
|
||||||
|
proftpd_ftps_port: 990
|
||||||
|
proftpd_ftps_cert: "/etc/ssl/certs/ssl-cert-snakeoil.pem"
|
||||||
|
proftpd_ftps_key: "/etc/ssl/private/ssl-cert-snakeoil.key"
|
||||||
|
proftpd_sftp_enable: False
|
||||||
|
proftpd_sftp_port: 2222
|
||||||
proftpd_accounts: []
|
proftpd_accounts: []
|
||||||
proftpd_accounts_final: []
|
proftpd_accounts_final: []
|
||||||
|
|
|
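Review bot: `proftpd_ftps_cert`/`proftpd_ftps_key` default to the Debian snakeoil self-signed pair, so a host that flips `proftpd_ftps_enable` to True without overriding them serves a certificate no client can validate, and the defaults file gives no hint that these are placeholders. A comment above the two variables would make the contract explicit: `# self-signed placeholder; override with a CA-issued certificate and key before enabling FTPS`. The same hunk also changes `proftpd_port` from the string `"21"` to the integer `21`, which is consistent with the new `proftpd_ftps_port`/`proftpd_sftp_port` but is a type change for any template or comparison that relied on the string form; I cannot see those consumers from here.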
@ -25,7 +25,7 @@
|
||||||
tags:
|
tags:
|
||||||
- proftpd
|
- proftpd
|
||||||
|
|
||||||
- name: Allow FTP account
|
- name: Allow FTP account (FTP)
|
||||||
lineinfile:
|
lineinfile:
|
||||||
dest: /etc/proftpd/conf.d/z-evolinux.conf
|
dest: /etc/proftpd/conf.d/z-evolinux.conf
|
||||||
state: present
|
state: present
|
||||||
|
@ -33,5 +33,30 @@
|
||||||
insertbefore: "DenyAll"
|
insertbefore: "DenyAll"
|
||||||
with_items: "{{ proftpd_accounts_final }}"
|
with_items: "{{ proftpd_accounts_final }}"
|
||||||
notify: restart proftpd
|
notify: restart proftpd
|
||||||
|
when: proftpd_ftp_enable
|
||||||
|
tags:
|
||||||
|
- proftpd
|
||||||
|
|
||||||
|
- name: Allow FTP account (FTPS)
|
||||||
|
lineinfile:
|
||||||
|
dest: /etc/proftpd/conf.d/ftps.conf
|
||||||
|
state: present
|
||||||
|
line: "\tAllowUser {{ item.name }}"
|
||||||
|
insertbefore: "DenyAll"
|
||||||
|
with_items: "{{ proftpd_accounts_final }}"
|
||||||
|
notify: restart proftpd
|
||||||
|
when: proftpd_ftps_enable
|
||||||
|
tags:
|
||||||
|
- proftpd
|
||||||
|
|
||||||
|
- name: Allow FTP account (SFTP)
|
||||||
|
lineinfile:
|
||||||
|
dest: /etc/proftpd/conf.d/sftp.conf
|
||||||
|
state: present
|
||||||
|
line: "\tAllowUser {{ item.name }}"
|
||||||
|
insertbefore: "DenyAll"
|
||||||
|
with_items: "{{ proftpd_accounts_final }}"
|
||||||
|
notify: restart proftpd
|
||||||
|
when: proftpd_sftp_enable
|
||||||
tags:
|
tags:
|
||||||
- proftpd
|
- proftpd
|
||||||
|
|
|
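Review bot: All three "Allow FTP account" tasks splice `{{ item.name }}` straight into an `AllowUser` directive with `lineinfile`, and nothing in the hunk checks that the name is a plain account name before it lands in a ProFTPD config file; a preceding `assert` over `proftpd_accounts_final` with `that: item.name is match('^[A-Za-z0-9_.-]+$')` would fail the play on a malformed entry instead of writing it into the config. The FTPS and SFTP tasks are otherwise line-for-line copies of the FTP one differing only in `dest` and `when`; a single task looping over the three (file, flag) pairs would keep them from drifting apart. Note that `insertbefore: "DenyAll"` is a regexp, so it inserts before the first match in the file, which works only because each new template contains exactly one `DenyAll`. The first hunk starts inside a task whose `name:` lies above the hunk.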
@ -15,13 +15,36 @@
|
||||||
tags:
|
tags:
|
||||||
- proftpd
|
- proftpd
|
||||||
|
|
||||||
- name: local jail is installed
|
- name: FTP jail is installed
|
||||||
template:
|
template:
|
||||||
src: evolinux.conf.j2
|
src: evolinux.conf.j2
|
||||||
dest: /etc/proftpd/conf.d/z-evolinux.conf
|
dest: /etc/proftpd/conf.d/z-evolinux.conf
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
force: no
|
force: no
|
||||||
notify: restart proftpd
|
notify: restart proftpd
|
||||||
|
when: proftpd_ftp_enable
|
||||||
|
tags:
|
||||||
|
- proftpd
|
||||||
|
|
||||||
|
- name: FTPS jail is installed
|
||||||
|
template:
|
||||||
|
src: ftps.conf.j2
|
||||||
|
dest: /etc/proftpd/conf.d/ftps.conf
|
||||||
|
mode: "0644"
|
||||||
|
force: no
|
||||||
|
notify: restart proftpd
|
||||||
|
when: proftpd_ftps_enable
|
||||||
|
tags:
|
||||||
|
- proftpd
|
||||||
|
|
||||||
|
- name: SFTP jail is installed
|
||||||
|
template:
|
||||||
|
src: sftp.conf.j2
|
||||||
|
dest: /etc/proftpd/conf.d/sftp.conf
|
||||||
|
mode: "0644"
|
||||||
|
force: no
|
||||||
|
notify: restart proftpd
|
||||||
|
when: proftpd_sftp_enable
|
||||||
tags:
|
tags:
|
||||||
- proftpd
|
- proftpd
|
||||||
|
|
||||||
|
|
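Review bot: Both new template tasks ("FTPS jail is installed", "SFTP jail is installed") carry `force: no`, so once ftps.conf/sftp.conf exists on a host, later changes to the templates (for example tightening `TLSProtocol` or `TLSRequired` in ftps.conf.j2) are never re-applied by the role. That mirrors the existing FTP jail task and is presumably deliberate, but it deserves a comment on each task, e.g. `# installed once only (force: no); later template changes are not pushed to existing hosts`. `mode: "0644"` is acceptable here because the rendered files only reference the certificate and key paths and contain no key material.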
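--- /dev/null
+++ b/proftpd/templates/ftps.conf.j2
@@ -0,0 +1,33 @@
+<IfModule !mod_tls.c>
+LoadModule mod_tls.c
+</IfModule>
+
+<VirtualHost 0.0.0.0>
+TLSEngine on
+TLSLog /var/log/proftpd/ftps.log
+TLSProtocol TLSv1
+
+TLSRSACertificateFile {{ proftpd_ftps_cert }}
+TLSRSACertificateKeyFile {{ proftpd_ftps_key }}
+
+#TLSOptions AllowClientRenegotiations
+
+TLSOptions AllowPerUser
+TLSVerifyClient off
+TLSRequired off
+
+TLSRenegotiate required off
+TLSOptions NoSessionReuseRequired
+
+RequireValidShell off
+Port {{ proftpd_ftps_port }}
+AuthUserFile /etc/proftpd/vpasswd
+DefaultRoot ~
+
+PassivePorts 60000 61000
+
+<Limit LOGIN>
+AllowGroup ftpusers
+DenyAll
+</Limit>
+</VirtualHost>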
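Review bot: `TLSRequired off` on this vhost means a client can log in on the `{{ proftpd_ftps_port }}` listener without ever issuing AUTH TLS, so `/etc/proftpd/vpasswd` credentials can still cross the wire in clear text on the endpoint that is supposed to be the encrypted one; the line should read `TLSRequired on`. Port 990 is conventionally implicit FTPS, which mod_tls only provides with `TLSOptions UseImplicitSSL`; as written this is an explicit-FTPS listener that merely happens to sit on 990, and that mismatch is worth a comment in the template. `TLSProtocol TLSv1` restricts the listener to TLS 1.0 only; on a ProFTPD build that accepts it, `TLSProtocol TLSv1.2` (plus TLSv1.3 where available) is the current baseline. `<VirtualHost 0.0.0.0>` binds only the IPv4 wildcard and ignores `proftpd_default_address` from the defaults; whether that is intended I cannot tell from the hunk.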
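--- /dev/null
+++ b/proftpd/templates/sftp.conf.j2
@@ -0,0 +1,28 @@
+<IfModule !mod_tls.c>
+LoadModule mod_tls.c
+</IfModule>
+
+<IfModule !mod_sftp.c>
+LoadModule mod_sftp.c
+</IfModule>
+
+<VirtualHost 0.0.0.0>
+SFTPEngine on
+Port {{ proftpd_sftp_port }}
+DefaultRoot ~
+
+SFTPLog /var/log/proftpd/sftp.log
+
+SFTPAuthMethods password
+SFTPHostKey /etc/ssh/ssh_host_ecdsa_key
+SFTPHostKey /etc/ssh/ssh_host_rsa_key
+
+RequireValidShell off
+
+AuthUserFile /etc/proftpd/vpasswd
+
+<Limit LOGIN>
+AllowGroup ftpusers
+DenyAll
+</Limit>
+</VirtualHost>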
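Review bot: The `<IfModule !mod_tls.c> LoadModule mod_tls.c </IfModule>` block at the top of sftp.conf.j2 is unused: nothing in this vhost is a TLS directive, and the block looks copied from ftps.conf.j2, which already carries the same guarded load; dropping it keeps the SFTP config from pulling in a module it does not need. The two `SFTPHostKey` lines reuse the OpenSSH host keys, which is reasonable but relies on those files staying root-owned and mode 0600 (mod_sftp is expected to refuse keys with looser permissions); a comment such as `# reuses the OpenSSH host keys; they must stay root-only 0600` records that dependency. As in ftps.conf.j2, `<VirtualHost 0.0.0.0>` binds the IPv4 wildcard only and ignores `proftpd_default_address`. The vhost sets no `SFTPCiphers`/`SFTPDigests`, so the cipher set is whatever the installed mod_sftp defaults to; worth checking on the target release rather than assuming.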