Accepting request 477361 from home:computersalat:devel:network

fix and update proftpd-basic.conf.patch, limit include sample, tls sample config OBS-URL: https://build.opensuse.org/request/show/477361 OBS-URL: https://build.opensuse.org/package/show/network/proftpd?expand=0&rev=45
2017-03-06 23:22:35 +00:00 · 2017-03-06 23:22:35 +00:00 · 22772ddef5
commit 22772ddef5
parent 9d1b4648b1
6 changed files with 106 additions and 7 deletions
--- a/proftpd-basic.conf.patch
+++ b/proftpd-basic.conf.patch
@ -38,7 +38,7 @@ Index: sample-configurations/basic.conf
 
 # To prevent DoS attacks, set the maximum number of child processes
 # to 30.  If you need to allow more than 30 concurrent connections
-@@ -23,43 +33,192 @@ Umask				022
+@@ -23,43 +33,210 @@ Umask				022
 # in standalone mode, in inetd mode you should use an inetd server
 # that allows you to limit maximum number of processes per service
 # (such as xinetd).
@ -170,7 +170,7 @@ Index: sample-configurations/basic.conf
 </Limit>
 
 +#####
-+# Include other confs
+# Include other confs, e.g. tls.conf
 +#Include			/etc/proftpd/conf.d/*.conf
 +
 +#####
@ -206,6 +206,14 @@ Index: sample-configurations/basic.conf
 +	#	Deny from All
 +	#</Limit>
 +
+	## or 'Include' a limit file with rules
+	## include one file and use more than once ;)
+	#<Limit LOGIN>
+	#	Order Allow,Deny
+	#	Include /etc/proftpd/includes/limit.conf
+	#	Deny from All
+	#</Limit>
+
 +	# Limit WRITE everywhere in the anonymous chroot
 +	<Limit WRITE>
 +		DenyAll
@ -246,14 +254,24 @@ Index: sample-configurations/basic.conf
 +	#  </Limit>
 +	#</Directory>
 +
+	## or 'Include' a limit file with rules
+	## include one file and use more than once ;)
+	#<Directory pub>
+	#  <Limit ALL>
+	#	Order Allow,Deny
+	#	Include /etc/proftpd/includes/limit.conf
+	#	Deny from All
+	#  </Limit>
+	#</Directory>
+
 +	# An upload directory that allows storing files but not retrieving
 +	# or creating directories.
 +	#<Directory uploads/*>
 +	#  <Limit READ>
-+		DenyAll
+	#	DenyAll
 +	#  </Limit>
 +	#  <Limit STOR>
-+		AllowAll
+	#	AllowAll
 +	#  </Limit>
 +	#</Directory>
 </Anonymous>
--- a/proftpd-limit.template
+++ b/proftpd-limit.template
@ -0,0 +1,6 @@
+### when you use spaces as separator then you can use it also with apache ;)
+### just some examples
+    Allow from localhost 127.0.0.1 ::1
+    Allow from 1.2.3.4 5.6.7.8
+    Allow from .example.com .test.org
+    Allow from 2.3.4.5 11:22:33:44::/64
--- a/proftpd-ssl.README
+++ b/proftpd-ssl.README
@ -0,0 +1,16 @@
+Place your CA.crt, crt and key file here and create sysmlinks like following ...
+
+ssl
+├── proftpd.cacert.pem -> CA.crt
+├── proftpd.cert.pem -> wildcard.example.com.crt
+├── proftpd.key.pem -> wildcard.example.com.pem
+├── CA.crt
+├── wildcard.example.com.crt
+└── wildcard.example.com.pem
+
+then:
+copy conf.d/tls.template to conf.d/tls.conf
+
+finally:
+uncomment '#Include  /etc/proftpd/conf.d/*.conf' in proftp.conf
+
--- a/proftpd-tls.template
+++ b/proftpd-tls.template
@ -0,0 +1,38 @@
+###############################################################################
+# http://www.proftpd.org/docs/contrib/mod_tls.html
+###############################################################################
+<IfModule mod_dso.c>
+    # If mod_tls was built as a shared/DSO module, load it
+    LoadModule mod_tls.c
+</IfModule>
+
+<IfModule mod_tls.c>
+    TLSEngine                  on
+    TLSLog                     /var/log/proftpd/tls.log
+
+    # Support both SSLv3 and TLSv1
+    TLSProtocol                SSLv3 TLSv1
+
+    # Are clients required to use FTP over TLS when talking to this server?
+    TLSRequired                off
+
+    # Server's RSA certificate
+    TLSRSACertificateFile      /etc/proftpd/ssl/proftpd.cert.pem
+    TLSRSACertificateKeyFile   /etc/proftpd/ssl/proftpd.key.pem
+
+    # CA (or CA chain) the server trusts
+    TLSCACertificateFile        /etc/proftpd/ssl/proftpd.cacert.pem
+
+    # Authenticate clients that want to use FTP over TLS?
+    TLSVerifyClient            off
+
+    # Allow SSL/TLS renegotiations when the client requests them, but
+    # do not force the renegotations.  Some clients do not support
+    # SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
+    # clients will close the data connection, or there will be a timeout
+    # on an idle data connection.
+    TLSRenegotiate none
+
+    # Should Server request a Clients Certificate and send valid CA list ?
+    TLSOptions                 NoCertRequest NoSessionReuseRequired
+</IfModule>
--- a/proftpd.changes
+++ b/proftpd.changes
@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Mon Mar  6 22:32:07 UTC 2017 - chris@computersalat.de
+
+- fix and update proftpd-basic.conf.patch
+- add some sample config and templates for tls
+  * proftpd-tls.template
+  * proftpd-limit.conf
+  * proftpd-ssl.README
+
 -------------------------------------------------------------------
 Sun Feb  5 20:03:18 UTC 2017 - chris@computersalat.de

--- a/proftpd.spec
+++ b/proftpd.spec
@ -32,6 +32,9 @@ Source12:       %{name}.passwd
 Source13:       %{name}.service
 Source14:       %{name}.tmpfile
 Source15:       %{name}.keyring
+Source16:       %{name}-tls.template
+Source17:       %{name}-limit.template
+Source18:       %{name}-ssl.README
 #PATCH-FIX-openSUSE: pam, logrotate, xinet
 Patch100:       %{name}-dist.patch
 #PATCH-FIX-openSUSE: provide a useful default config
@ -190,8 +193,11 @@ export CXXFLAGS="$CFLAGS"
 %{__install} -D -m 0755 contrib/ftpasswd $RPM_BUILD_ROOT%{_sbindir}/

 # some needed dirs
-%{__install} -d $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/{conf.d,auth}
-%{__install} -m 0440 %{S:12} $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/auth/passwd
+%{__install} -D -m 0440 %{S:12} $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/auth/passwd
+%{__install} -D -m 0644 %{S:16} $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/conf.d/tls.template
+%{__install} -D -m 0644 %{S:18} $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/conf.d/README
+%{__install} -D -m 0644 %{S:17} $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/includes/limit.template
+%{__install} -D -m 0644 %{S:18} $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/ssl/README
 %{__install} -d -m 0750 $RPM_BUILD_ROOT/var/log/%{name}

 # systemd vs SysVinit
@ -261,9 +267,15 @@ export CXXFLAGS="$CFLAGS"
 %dir %attr(0755,root,root) %{_sysconfdir}/%{name}/
 %dir %attr(0750,ftp,ftp) %{_sysconfdir}/%{name}/auth/
 %config(noreplace) %attr(0440,root,ftp) %{_sysconfdir}/%{name}/auth/passwd
-%dir %attr(0755,root,root) %{_sysconfdir}/%{name}/conf.d
+%dir %attr(0755,root,root) %{_sysconfdir}/%{name}/conf.d/
+%config %{_sysconfdir}/%{name}/conf.d/tls.template
+%config %{_sysconfdir}/%{name}/conf.d/README
+%dir %attr(0755,root,root) %{_sysconfdir}/%{name}/includes/
+%config %{_sysconfdir}/%{name}/includes/limit.template
 %config(noreplace) %attr(0640,root,root) %{_sysconfdir}/%{name}/%{name}.conf
 %{_sysconfdir}/%{name}/PROFTPD-MIB.txt
+%dir %attr(0700,ftp,ftp) %{_sysconfdir}/%{name}/ssl/
+%config %{_sysconfdir}/%{name}/ssl/README
 %config(noreplace) %{_sysconfdir}/logrotate.d/%{name}
 %config(noreplace) %{_sysconfdir}/pam.d/%{name}
 %config(noreplace) %{_sysconfdir}/xinetd.d/%{name}