Proftpd TLS configuration
@@ -13,6 +13,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
|
||||
- MySQL configuration tuning
|
||||
- Cronjob to optimize MySQL databases weekly
|
||||
- WO-kernel systemd service to automatically apply kernel tweaks on server startup
|
||||
- Proftpd stack now secured with TLS
|
||||
- New Nginx package built with Brotli from operating system libraries
|
||||
- Brotli configuration with only well compressible MIME types
|
||||
|
||||
#### Changed
|
||||
|
||||
@@ -1325,10 +1325,10 @@ def site_url_https(self, wo_domain):
|
||||
if not (test_url[0] == 'https'):
|
||||
try:
|
||||
WOShellExec.cmd_exec(self, "php {0} option update siteurl "
|
||||
"\"https://{1}\" --allow-root".format(
|
||||
"\'https://{1}\' --allow-root".format(
|
||||
WOVariables.wo_wpcli_path, wo_domain))
|
||||
WOShellExec.cmd_exec(self, "php {0} option update home "
|
||||
"\"https://{1}\" --allow-root".format(
|
||||
"\'https://{1}\' --allow-root".format(
|
||||
WOVariables.wo_wpcli_path, wo_domain))
|
||||
except CommandExecutionError as e:
|
||||
Log.debug(self, "{0}".format(e))
|
||||
|
||||
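Review bot: Switching the quotes around `https://{1}` from double to single only changes which shell metacharacters are inert inside the URL; `wo_domain` is still spliced into a shell command string, so a value containing `'` would terminate the quoting, and the same applies to the `home` option update a few lines below. If `cmd_exec` hands the string to a shell (not visible in this hunk), quote the argument with the standard library instead of by hand, e.g. `"php {0} option update siteurl {1} --allow-root".format(WOVariables.wo_wpcli_path, shlex.quote("https://" + wo_domain))`, which needs an `import shlex` at the top of the file. The body of `site_url_https` starts before the hunk, and the file header for this hunk is not shown on the page.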
@@ -1042,6 +1042,49 @@ class WOStackController(CementBaseController):
|
||||
"PassivePorts "
|
||||
" "
|
||||
" 49000 50000")
|
||||
# proftpd TLS configuration
|
||||
if not os.path.isdir("/etc/proftpd/ssl"):
|
||||
os.makedirs("/etc/proftpd/ssl")
|
||||
try:
|
||||
WOShellExec.cmd_exec(self, "openssl genrsa -out "
|
||||
"/etc/proftpd/ssl/proftpd.key 2048")
|
||||
WOShellExec.cmd_exec(self, "openssl req -new -batch "
|
||||
"-subj /commonName=localhost/ "
|
||||
"-key /etc/proftpd/ssl/proftpd.key "
|
||||
"-out /etc/proftpd/ssl/proftpd.csr")
|
||||
WOFileUtils.mvfile(self, "/etc/proftpd/ssl/proftpd.key",
|
||||
"/etc/proftpd/ssl/proftpd.key.org")
|
||||
WOShellExec.cmd_exec(self, "openssl rsa -in "
|
||||
"/etc/proftpd/ssl/proftpd.key.org"
|
||||
"-out /etc/proftpd/ssl/"
|
||||
"proftpd/proftpd.key")
|
||||
WOShellExec.cmd_exec(self, "openssl x509 -req -days "
|
||||
"3652 -in /etc/proftpd/ssl/"
|
||||
"proftpd.csr"
|
||||
"-signkey /etc/proftpd/ssl/"
|
||||
"proftpd.key"
|
||||
" -out /etc/proftpd/ssl/proftpd.crt")
|
||||
except CommandExecutionError as e:
|
||||
Log.debug(self, "{0}".format(e))
|
||||
Log.error(
|
||||
self, "Failed to generate SSL "
|
||||
"certificate for Proftpd")
|
||||
WOFileUtils.chmod(self, "/etc/proftpd/ssl/proftpd.key", 0o600)
|
||||
WOFileUtils.chmod(self, "/etc/proftpd/ssl/proftpd.crt", 0o600)
|
||||
data = dict()
|
||||
Log.debug(self, 'Writting the proftpd configuration to '
|
||||
'file /etc/proftpd/tls.conf')
|
||||
wo_proftpdconf = open('/etc/proftpd/tls.conf',
|
||||
encoding='utf-8', mode='w')
|
||||
self.app.render((data), 'proftpd-tls.mustache',
|
||||
out=wo_proftpdconf)
|
||||
wo_proftpdconf.close()
|
||||
WOFileUtils.searchreplace(self, "/etc/proftpd/"
|
||||
"proftpd.conf",
|
||||
"#Include /etc/proftpd/tls.conf",
|
||||
"Include /etc/proftpd/tls.conf")
|
||||
WOService.restart_service(self, 'proftpd')
|
||||
|
||||
# add rule for proftpd with UFW
|
||||
if WOAptGet.is_installed(self, 'ufw'):
|
||||
try:
|
||||
|
||||
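Review bot: Two of the openssl invocations are broken by missing spaces at string-literal boundaries: `"/etc/proftpd/ssl/proftpd.key.org"` followed by `"-out /etc/proftpd/ssl/"` concatenates to `proftpd.key.org-out`, and `"proftpd.csr"` followed by `"-signkey /etc/proftpd/ssl/"` concatenates to `proftpd.csr-signkey`; the first command also writes to `/etc/proftpd/ssl/proftpd/proftpd.key`, a directory that is never created. Because the key has already been moved to `proftpd.key.org` by then, the failure leaves `/etc/proftpd/ssl/proftpd.key` absent, so the later `chmod` and the `TLSRSACertificateKeyFile` path in the new template point at a file that does not exist (whether execution even reaches them depends on what `Log.error` does, which is outside the hunk). Since `genrsa` is run without a passphrase option, the `mvfile` + `openssl rsa` round-trip adds nothing; dropping those two calls and changing the x509 line to `"3652 -in /etc/proftpd/ssl/proftpd.csr "` (trailing space) removes both defects. Consider also creating the directory with `os.makedirs("/etc/proftpd/ssl", mode=0o700)` so the private key is never world-readable between `genrsa` and the `chmod`, and writing `tls.conf` via `with open('/etc/proftpd/tls.conf', encoding='utf-8', mode='w') as wo_proftpdconf:` rather than an explicit `close()`. The enclosing method starts and ends outside the hunk.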
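--- a/wo/cli/templates/proftpd-tls.mustache
+++ b/wo/cli/templates/proftpd-tls.mustache
@@ -0,0 +1,12 @@
+<IfModule mod_tls.c>
+TLSEngine on
+TLSLog /var/log/proftpd/tls.log
+TLSProtocol TLSv1.2
+TLSCipherSuite AES256+EECDH:AES256+EDH
+TLSOptions NoCertRequest AllowClientRenegotiations NoSessionReuseRequired
+TLSRSACertificateFile /etc/proftpd/ssl/proftpd.crt
+TLSRSACertificateKeyFile /etc/proftpd/ssl/proftpd.key
+TLSVerifyClient off
+TLSRequired on
+RequireValidShell no
+</IfModule>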
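Review bot: `TLSOptions AllowClientRenegotiations NoSessionReuseRequired` undoes part of the hardening the rest of this file sets up: the first option permits client-initiated TLS renegotiation, and the second lets data connections skip reusing the control connection's TLS session, which mod_tls otherwise requires to bind the two together. Unless a specific legacy client is known to need them, reduce the line to `TLSOptions NoCertRequest`. `TLSProtocol TLSv1.2` also excludes TLSv1.3; on ProFTPD builds whose OpenSSL supports it, `TLSProtocol TLSv1.2 TLSv1.3` is the usual setting. The certificate referenced here is generated in the controller with `-subj /commonName=localhost/` and a 3652-day validity, so clients cannot match it to the server's name; a header comment such as `# Self-signed certificate (CN=localhost); clients must accept or pin its fingerprint` would spare operators the surprise.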