ProFTPD + MariaDB Server Configuration Notes

What follows is the configuration record for a ProFTPD server.

Requirements

  • User groups: ftpadmin, ftpuser, ftpadvuser, upload, uploadadmin
    • ftpadmin is the administrator: read/write access to every directory, no rate limit
    • ftpuser is for everyone else: read-only, downloads limited to 2MB/s, uploads not limited
    • ftpadvuser additionally has access to the Private and Alternatives directories; otherwise the same as ftpuser
    • The upload group contains only the upload user
    • If possible, no rate limit for any user connecting over IPv6
      • Not achieved in the end
  • Directory access
    • The upload directory is writable by the upload user, but downloading from it is not allowed
    • The Private and Alternatives directories are accessible only to the ftpadmin and ftpadvuser groups
    • If a user cannot access a folder, hide it from that user's directory listing

System

  • Motherboard: ASRock J3455-ITX
  • Disks: Toshiba DT01ACA300 (system disk); Western Digital WD60EJRX
  • Operating system: Rocky Linux 8

Configuration steps

Base server setup is omitted.

Package installation

Install ProFTPD, the ProFTPD MySQL authentication module and the MariaDB database server.

sudo dnf install proftpd proftpd-mysql mariadb-server
  • ProFTPD version: 1.3.6e
  • MariaDB version: 10.3

System service configuration

Enable MariaDB and ProFTPD so they start automatically, and start them now.

sudo systemctl enable --now mariadb
sudo systemctl enable --now proftpd

Database configuration

  • Create a dedicated database and database user with privileges for ProFTPD
create database proftpd;
create user 'proftpd'@'%' identified by '[REDACTED]';
grant all on proftpd.* to 'proftpd'@'%';
flush privileges;
  • User table
CREATE TABLE `users` (
    userid VARCHAR(30) NOT NULL UNIQUE,
    passwd VARCHAR(80) NOT NULL,
    uid INTEGER,
    gid INTEGER,
    homedir VARCHAR(255),
    shell VARCHAR(255),
    LoginAllowed BOOLEAN
);
CREATE INDEX users_userid_idx ON users (userid);
  • Group table
    • This differs from the official documentation: there is no members column, so the SQL that looks up a user's groups by username has to be rewritten in the SQLNamedQuery directives further down
CREATE TABLE `groups` (
    groupname VARCHAR(30) NOT NULL,
    gid INTEGER NOT NULL
);
CREATE INDEX groups_gid_idx ON groups (gid);
  • Group table data
insert into groups values("ftpadmin", 5000);
insert into groups values("ftpuser", 5001);
insert into groups values("ftpadvuser", 5002);
insert into groups values("upload", 5003);
insert into groups values("uploadadmin", 5004);
  • User table data (a user in the ftpuser group as an example)
insert into users values("<USERNAME>", TO_BASE64(UNHEX(SHA2(UNHEX(SHA2('<PASSWORD>',256)),256))), 5001, 5001, "/var/ftproot", "", true);
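The INSERT above computes the stored password in MariaDB as base64(sha256(sha256(password))) over raw digest bytes, which is the form the post's SQLAuthTypes SHA256 / SQLPasswordEncoding base64 / SQLPasswordOptions HashPassword settings expect. The following is an added example (mine, not from the post) that reproduces the same value client-side, so a user row can be generated and verified without the plaintext password ever appearing in the SQL text or in the MariaDB query log; the `%s` placeholder style assumes a MySQL DB-API driver such as PyMySQL or mysqlclient, and the user name and password are constructed sample values.

```python
import base64
import hashlib
import hmac

# Added example, not code from the original post. It reproduces the value the
# post's MariaDB expression stores:
#   TO_BASE64(UNHEX(SHA2(UNHEX(SHA2('<PASSWORD>',256)),256)))
# i.e. base64 of sha256(sha256(password)) chained over raw digest bytes,
# never over the hex text.


def proftpd_sha256_hash(password):
    """Return the users.passwd value for `password` (44-char base64 string)."""
    inner = hashlib.sha256(password.encode("utf-8")).digest()  # raw 32 bytes
    outer = hashlib.sha256(inner).digest()                     # hash the raw bytes again
    return base64.b64encode(outer).decode("ascii")


def verify_password(password, stored):
    """Check a candidate password against a stored users.passwd value.

    hmac.compare_digest keeps the comparison constant-time, which matters if
    this is ever used outside the ProFTPD login path (e.g. an admin tool).
    """
    return hmac.compare_digest(proftpd_sha256_hash(password), stored)


def build_user_insert(userid, password, gid, uid=None, homedir="/var/ftproot"):
    """Return (sql, params) for the users table from the post.

    The hash is computed here, so the DB-API driver sends only the hash and the
    user name as bound parameters; the plaintext never reaches the server and
    the user name cannot break out of the statement (no string formatting).
    uid defaults to gid, matching the post's example row (5001, 5001).
    """
    if uid is None:
        uid = gid
    sql = ("INSERT INTO users (userid, passwd, uid, gid, homedir, shell, LoginAllowed) "
           "VALUES (%s, %s, %s, %s, %s, %s, %s)")
    params = (userid, proftpd_sha256_hash(password), uid, gid, homedir, "", True)
    return sql, params


if __name__ == "__main__":
    # Constructed sample values; with a real driver: cursor.execute(sql, params)
    sql, params = build_user_insert("alice", "correct horse battery staple", 5001)
    print(sql)
    print(params)
```

Because the client-side value is byte-for-byte the same as the MariaDB expression, rows created by either method are interchangeable, and a row inserted with one can be checked with `verify_password` before the user is told their account works.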

User and group configuration

Create each group and user with its corresponding ID. No home directory is created and the shell is set to nologin. Since no password is set, the accounts are also locked by default.

sudo groupadd -g 5000 ftpadmin
sudo useradd -u 5000 -g ftpadmin -M -s /sbin/nologin ftpadmin
sudo groupadd -g 5001 ftpuser
sudo useradd -u 5001 -g ftpuser -M -s /sbin/nologin ftpuser
sudo groupadd -g 5002 ftpadvuser
sudo useradd -u 5002 -g ftpadvuser -M -s /sbin/nologin ftpadvuser
sudo groupadd -g 5003 upload
sudo useradd -u 5003 -g upload -M -s /sbin/nologin upload
sudo groupadd -g 5004 uploadadmin
sudo useradd -u 5004 -g uploadadmin -M -s /sbin/nologin uploadadmin

TLS certificate configuration

sudo openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -x509 -nodes -days 7300 -out /etc/proftpd/cert.pem -keyout /etc/proftpd/key.pem
curl https://ssl-config.mozilla.org/ffdhe2048.txt >> dhparam
sudo mv dhparam /etc/proftpd

Configuration file

  • /etc/proftpd.conf
    • No virtual hosts and no split configuration files are used
# Written by th1r5bvn23 on Feb 13 2024
# Reference: http://proftpd.org/docs/

# mod_dso module
# http://proftpd.org/docs/modules/mod_dso.html
ModuleControlsACLs insmod,rmmod allow user root
ModuleControlsACLs lsmod allow user *
LoadModule mod_sql.c
LoadModule mod_sql_passwd.c
LoadModule mod_sql_mysql.c
LoadModule mod_ctrls_admin.c
LoadModule mod_tls_shmcache.c
LoadModule mod_vroot.c
LoadModule mod_ifsession.c

# Debug options
#DebugLevel 10
#SyslogLevel Debug
#TraceLog /var/log/proftpd/trace.log
#Trace DEFAULT:10

# mod_auth module
# http://proftpd.org/docs/modules/mod_auth.html
CreateHome off
DefaultRoot /var/ftproot ftpadmin
DefaultRoot /var/ftproot ftpadvuser
DefaultRoot /var/ftproot ftpuser
DefaultRoot /var/upload upload
DefaultRoot /var/upload uploadadmin
#MaxClientsPerHost 4
#MaxClientsPerUser 4
#MaxConnectionsPerHost 1
#MaxHostsPerUser 1
RequireValidShell off
RootRevoke on
UseFtpUsers off

# mod_auth_pam module
# http://proftpd.org/docs/modules/mod_auth_pam.html
AuthPAM off

# mod_core module
# http://proftpd.org/docs/modules/mod_core.html
AllowForeignAddress off
AllowOverride off
AuthOrder mod_sql.c
DefaultServer on
DefaultAddress ftp.betaworld.cn
<Directory />
  HideNoAccess on
</Directory>
<Directory /Alternatives>
  <Limit ALL>
    AllowGroup OR ftpadmin,ftpadvuser
    DenyAll
  </Limit>
</Directory>
<Directory /Private>
  <Limit ALL>
    AllowGroup OR ftpadmin,ftpadvuser
    DenyAll
  </Limit>
</Directory>
<Limit DELE RMD XRMD>
  AllowGroup ftpadmin
</Limit>
<Limit RETR>
  DenyGroup upload
</Limit>
MasqueradeAddress ftp.betaworld.cn
#MaxCommandRate 10
#MaxConnectionRate 5
MaxInstances 100
PassivePorts 60000 65534
Port 30000
Protocols ftps
ServerAdmin zhenghe@betaworld.cn
ServerIdent on "ProFTPD %{version}"
ServerName "BetaWorld FTP"
#TransferLog /var/log/proftpd/transfer.log
Umask 0022
User nobody
Group nobody
UseReverseDNS off

# mod_ctrls module
# http://proftpd.org/docs/modules/mod_ctrls.html
ControlsEngine on
ControlsACLs all allow user root
ControlsSocketACL allow user *
ControlsLog /var/log/proftpd/controls.log

# mod_ctrls_admin module
# http://proftpd.org/docs/contrib/mod_ctrls_admin.html
AdminControlsEngine on
AdminControlsACLs all allow user root

# mod_facts module
# http://proftpd.org/docs/modules/mod_facts.html
FactsOptions UseSlink

# mod_ident module
# http://www.proftpd.org/docs/modules/mod_ident.html
IdentLookups off

# mod_log module
# http://proftpd.org/docs/modules/mod_log.html
ExtendedLog syslog:info ALL default
LogFormat default "%h %l %u %t \"%r\" %s %b"
LogFormat auth "%v [%P] %h %t \"%r\" %s"
LogOptions -Timestamp -Hostname +RoleBasedProcessLabels

# mod_ls module
# http://proftpd.org/docs/modules/mod_ls.html
DirFakeGroup on ~
DirFakeMode 0644
DirFakeUser on ~
#ShowSymlinks off
UseGlobbing off

# mod_sql module
# http://proftpd.org/docs/contrib/mod_sql.html
SQLPasswordEngine on
SQLPasswordEncoding base64
SQLPasswordOptions HashPassword
SQLAuthTypes SHA256
SQLBackend mysql
SQLConnectInfo proftpd@localhost:3306 proftpd [REDACTED]
SQLLogFile /var/log/proftpd/sql.log
SQLUserWhereClause "LoginAllowed = 1"
SQLNamedQuery get-group-by-name SELECT "groupname, gid FROM groups WHERE groupname = '%{0}'"
SQLNamedQuery get-group-by-id SELECT "groupname, gid FROM groups WHERE gid = %{0}"
SQLNamedQuery get-group-by-member SELECT "groupname, gid FROM groups WHERE gid = (SELECT gid FROM users WHERE userid = '%{0}')"
SQLNamedQuery get-all-groupnames SELECT "groupname FROM groups"
SQLNamedQuery get-all-groups SELECT "groupname, gid FROM groups"
SQLGroupInfo custom:/get-group-by-name/get-group-by-id/get-group-by-member/get-all-groupnames/get-all-groups

# mod_tls module
# http://proftpd.org/docs/contrib/mod_tls.html
# Generated with Mozilla SSL configurator
TLSEngine on
TLSRequired on
TLSECCertificateFile /etc/proftpd/cert.pem
TLSECCertificateKeyFile /etc/proftpd/key.pem
TLSDHParamFile /etc/proftpd/dhparam
TLSProtocol TLSv1.2
TLSCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
TLSServerCipherPreference off
TLSSessionTickets off
TLSStapling on
TLSStaplingCache shm:/file=/var/ftpd/ocsp_pcache
TLSOptions NoSessionReuseRequired

# mod_xfer module
# http://proftpd.org/docs/modules/mod_xfer.html
AllowOverwrite on
AllowStoreRestart on
DefaultTransferMode binary
MaxTransfersPerHost RETR 4
MaxTransfersPerUser RETR 4
TransferOptions IgnoreASCII
<IfGroup ftpuser>
  TransferRate RETR 2252
</IfGroup>
<IfGroup ftpadvuser>
  TransferRate RETR 4506
</IfGroup>
UseSendfile off

# mod_vroot module
# http://www.castaglia.org/proftpd/modules/mod_vroot.html
VRootEngine on
#VRootAlias SOURCE_ABSOLUTE_PATH CHROOT_RELATIVE_PATH

Firewall configuration

Open the control port 30000 and the data ports 60000-65534. The router also needs matching port forwarding for access from the public internet.

sudo firewall-cmd --zone=public --add-port=30000/tcp --permanent
sudo firewall-cmd --zone=public --add-port=60000-65534/tcp --permanent
sudo firewall-cmd --reload
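The firewall rules above must agree with the Port and PassivePorts directives in proftpd.conf: if the passive range is later changed in one place but not the other, logins still succeed while every directory listing or transfer hangs. The following is an added example (mine, not from the post) that parses those two directives from a config snippet, parses the output of `firewall-cmd --list-ports`, and reports which ranges are not fully open; the config snippet and the firewalld output strings are constructed samples.

```python
import re

# Added example, not code from the original post. Cross-checks the TCP ports
# ProFTPD needs (Port and PassivePorts from proftpd.conf) against the ports
# firewalld reports as open, so a PassivePorts change cannot silently leave
# passive data connections blocked while the control connection still works.

# Constructed snippet mirroring the two directives in the post's proftpd.conf.
CONF_SNIPPET = """\
# control and passive data ports
Port 30000
PassivePorts 60000 65534
"""


def required_ports(conf_text):
    """Return the set of (low, high) TCP ranges the server needs."""
    ranges = set()
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        m = re.match(r"^Port\s+(\d+)$", line)
        if m:
            port = int(m.group(1))
            ranges.add((port, port))
            continue
        m = re.match(r"^PassivePorts\s+(\d+)\s+(\d+)$", line)
        if m:
            ranges.add((int(m.group(1)), int(m.group(2))))
    return ranges


def parse_firewalld_ports(list_ports_output):
    """Parse `firewall-cmd --list-ports` output such as
    '30000/tcp 60000-65534/tcp' (space separated port/proto specs)
    into (low, high) TCP ranges; non-TCP entries are ignored."""
    opened = set()
    for spec in list_ports_output.split():
        port, _, proto = spec.partition("/")
        if proto != "tcp":
            continue
        low, _, high = port.partition("-")
        opened.add((int(low), int(high or low)))
    return opened


def missing_ranges(required, opened):
    """Required ranges that no single open range fully covers."""
    return {r for r in required
            if not any(lo <= r[0] and r[1] <= hi for lo, hi in opened)}


def firewall_cmds(ranges):
    """The firewall-cmd invocations (same form as in the post) that open `ranges`."""
    cmds = []
    for low, high in sorted(ranges):
        spec = f"{low}/tcp" if low == high else f"{low}-{high}/tcp"
        cmds.append(f"sudo firewall-cmd --zone=public --add-port={spec} --permanent")
    return cmds


if __name__ == "__main__":
    need = required_ports(CONF_SNIPPET)
    # Constructed sample output: passive range opened too short.
    have = parse_firewalld_ports("30000/tcp 60000-65000/tcp")
    for cmd in firewall_cmds(missing_ranges(need, have)):
        print(cmd)
```

In use, `CONF_SNIPPET` would be the contents of /etc/proftpd.conf and the firewalld string would come from `firewall-cmd --zone=public --list-ports`; after adding any missing rule, `firewall-cmd --reload` is still needed, exactly as in the post. The same mismatch on the router's port-forwarding side produces the same symptom, and this script cannot see that.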

SELinux configuration

Users not on RHEL/Fedora can skip this. These commands are listed in the default /etc/proftpd.conf; only the ones needed here were applied, and the NFS, CIFS and similar booleans were not set.

sudo setsebool -P ftpd_full_access=1
sudo setsebool -P ftpd_use_fusefs=1
sudo setsebool -P ftpd_connect_all_unreserved=1
sudo setsebool -P ftpd_connect_db=1
sudo setsebool -P ftpd_use_passive_mode=1

Known issues

  • The requirement of no rate limit for IPv6 users is not implemented
  • The server is only reachable from outside; it cannot be accessed from the LAN
Posted by Secant1006