add support for ftps #13

Closed
mkhmylife opened this issue Nov 26, 2015 · 8 comments

Comments

@mkhmylife

I tried to use ftps but I found that your version of pure-ftpd simply won't run at all. After checking with pure-ftpd's tls readme file, it said:

To support TLS, the OpenSSL library must already be installed on your system. This is a common requirement so your operating system probably already ships with it.

Pure-FTPd also has to be configured with the --with-tls switch before compilation :
./configure --with-tls ...

In order to support ftps, you may need to add a line in your build from source section:

# build from source
RUN mkdir /tmp/pure-ftpd/ && \
    cd /tmp/pure-ftpd/ && \
    apt-get source pure-ftpd && \
    cd pure-ftpd-* && \
    # to add tls support
    ./configure --with-tls && \
    sed -i '/^optflags=/ s/$/ --without-capabilities/g' ./debian/rules && \
    dpkg-buildpackage -b -uc

and the startup CMD should become:

# startup
CMD /usr/sbin/pure-ftpd -c 50 -C 10 -l puredb:/etc/pure-ftpd/pureftpd.pdb -E -j -R -P $PUBLICHOST -p 30000:30009 --tls=2
@stilliard
Owner

Thanks for finding this @mkhmylife,
Would you like to put together a pull request for the change?

@nomandera

As I understand it, due to the nature of how Docker works, this will result in every user having an identical SSL certificate (which obviously negates all SSL security).

I believe to add this we also need:

  • Generation of a unique SSL certificate per deployment. Likely this will necessitate the "creation of run on first boot" start script in the docker container.
  • A means to ensure certificates are not volatile, with recommendations to the users on how to back up and restore, i.e. mount the certificate externally via a VOLUME, along with all the sanity checks to ensure we don't blindly erase existing certificates
  • Allow the use of purchased SSL or separately generated self-signed
  • Let's Encrypt support. Anyone deploying SSL needs to take this new service into account, as when out of beta (soon) it will be the go-to provider for most of the internet.

@mkhmylife
Author

the location for default ssl cert for pure-ftpd is /etc/ssl/private/pure-ftpd.pem, a simple VOLUME /etc/ssl/private/pure-ftpd.pem should do the trick.

Also, I think we need a startup script and put all the sanity checks and pure-ftpd startup command there.
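
The first-boot certificate handling proposed in the two comments above, as an added example (not code from this thread or from the project): an entrypoint that keeps an existing PEM at the path named above and otherwise generates a self-signed one unique to the deployment. The function name `ensure_cert` and the `CERT` and `TLS_DAYS` variables are assumptions; `PUBLICHOST` is reused from the startup command as the certificate CN.

```shell
#!/bin/sh
# Added example: first-boot TLS certificate handling for the pure-ftpd container.
# CERT defaults to the path named in the thread; TLS_DAYS is a hypothetical knob.
CERT="${CERT:-/etc/ssl/private/pure-ftpd.pem}"

# ensure_cert PEM [CN] [DAYS]
# Leaves an existing non-empty PEM untouched; otherwise writes a new private key
# and self-signed certificate, unique to this deployment, into one PEM file.
ensure_cert() {
    pem="$1"; cn="${2:-localhost}"; days="${3:-365}"
    if [ -d "$pem" ]; then
        # A bind mount whose host path did not exist shows up as a directory.
        echo "error: $pem is a directory; mount its parent directory instead" >&2
        return 1
    fi
    if [ -s "$pem" ]; then
        echo "keeping existing certificate: $pem" >&2
        return 0
    fi
    command -v openssl >/dev/null 2>&1 || { echo "error: openssl not found" >&2; return 1; }
    dir=$(dirname "$pem")
    mkdir -p "$dir" || return 1
    # mktemp creates the file with mode 0600, so the key is never world-readable.
    tmp=$(mktemp "$dir/.pure-ftpd.XXXXXX") || return 1
    rc=0
    # Same file for -keyout and -out: openssl appends the certificate to the key.
    if openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days "$days" \
            -subj "/CN=$cn" -keyout "$tmp" -out "$tmp" >/dev/null 2>&1; then
        # Rename into place so pure-ftpd never sees a half-written PEM.
        mv "$tmp" "$pem" || { rm -f "$tmp"; rc=1; }
    else
        rm -f "$tmp"; rc=1
    fi
    return "$rc"
}

# As an image ENTRYPOINT, with the pure-ftpd startup command passed as arguments.
if [ "$#" -gt 0 ]; then
    ensure_cert "$CERT" "${PUBLICHOST:-localhost}" "${TLS_DAYS:-365}" || exit 1
    exec "$@"
fi
```

Mounting the directory that holds the PEM keeps the generated certificate across container rebuilds, and a purchased or separately generated certificate placed there before first start is used as-is.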

@OmgImAlexis
Copy link

Is there any news on this?

@stilliard
Owner

Hi @OmgImAlexis, No news from me on this sorry, but if you or anyone would like to put together any ideas or a pull request I'd be happy to review 👍

@nuschk
Contributor

nuschk commented Nov 22, 2016

Guys, I went on and added FTPs support, see #23. It's a simple solution, adding the bits described by @mkhmylife. I hope that works for you. Feedback welcome.

@stilliard
Owner

Thanks @nuschk, tested your pull request this morning and it works perfectly! This is now merged in and available on master and the hardened branch.

@nuschk
Contributor

nuschk commented Nov 30, 2016

Thank you!
