Proftpd TLS configuration

CHANGELOG.md

@@ -13,6 +13,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - MySQL configuration tuning
 - Cronjob to optimize MySQL databases weekly
 - WO-kernel systemd service to automatically apply kernel tweaks on server startup
+- Proftpd stack now secured with TLS
+- New Nginx package built with Brotli from operating system libraries
 - Brotli configuration with only well compressible MIME types
 
 #### Changed

wo/cli/plugins/site_functions.py

@@ -1325,10 +1325,10 @@ def site_url_https(self, wo_domain):
         if not (test_url[0] == 'https'):
             try:
                 WOShellExec.cmd_exec(self, "php {0} option update siteurl "
-                                     "\"https://{1}\" --allow-root".format(
+                                     "\'https://{1}\' --allow-root".format(
                                          WOVariables.wo_wpcli_path, wo_domain))
                 WOShellExec.cmd_exec(self, "php {0} option update home "
-                                     "\"https://{1}\" --allow-root".format(
+                                     "\'https://{1}\' --allow-root".format(
                                          WOVariables.wo_wpcli_path, wo_domain))
             except CommandExecutionError as e:
                 Log.debug(self, "{0}".format(e))

wo/cli/plugins/stack.py

@@ -1042,6 +1042,49 @@ class WOStackController(CementBaseController):
                                           "PassivePorts "
                                           "             "
                                           "    49000 50000")
+            # proftpd TLS configuration
+            if not os.path.isdir("/etc/proftpd/ssl"):
+                os.makedirs("/etc/proftpd/ssl")
+                try:
+                    WOShellExec.cmd_exec(self, "openssl genrsa -out "
+                                         "/etc/proftpd/ssl/proftpd.key 2048")
+                    WOShellExec.cmd_exec(self, "openssl req -new -batch  "
+                                         "-subj /commonName=localhost/ "
+                                         "-key /etc/proftpd/ssl/proftpd.key "
+                                         "-out /etc/proftpd/ssl/proftpd.csr")
+                    WOFileUtils.mvfile(self, "/etc/proftpd/ssl/proftpd.key",
+                                       "/etc/proftpd/ssl/proftpd.key.org")
+                    WOShellExec.cmd_exec(self, "openssl rsa -in "
+                                         "/etc/proftpd/ssl/proftpd.key.org"
+                                         "-out /etc/proftpd/ssl/"
+                                         "proftpd/proftpd.key")
+                    WOShellExec.cmd_exec(self, "openssl x509 -req -days "
+                                         "3652 -in /etc/proftpd/ssl/"
+                                         "proftpd.csr"
+                                         "-signkey /etc/proftpd/ssl/"
+                                         "proftpd.key"
+                                         " -out /etc/proftpd/ssl/proftpd.crt")
+                except CommandExecutionError as e:
+                    Log.debug(self, "{0}".format(e))
+                    Log.error(
+                        self, "Failed to generate SSL "
+                        "certificate for Proftpd")
+            WOFileUtils.chmod(self, "/etc/proftpd/ssl/proftpd.key", 0o600)
+            WOFileUtils.chmod(self, "/etc/proftpd/ssl/proftpd.crt", 0o600)
+            data = dict()
+            Log.debug(self, 'Writting the proftpd configuration to '
+                      'file /etc/proftpd/tls.conf')
+            wo_proftpdconf = open('/etc/proftpd/tls.conf',
+                                  encoding='utf-8', mode='w')
+            self.app.render((data), 'proftpd-tls.mustache',
+                                    out=wo_proftpdconf)
+            wo_proftpdconf.close()
+            WOFileUtils.searchreplace(self, "/etc/proftpd/"
+                                      "proftpd.conf",
+                                      "#Include /etc/proftpd/tls.conf",
+                                      "Include /etc/proftpd/tls.conf")
+            WOService.restart_service(self, 'proftpd')
+
             # add rule for proftpd with UFW
             if WOAptGet.is_installed(self, 'ufw'):
                 try:

wo/cli/templates/proftpd-tls.mustache

@@ -0,0 +1,12 @@
+<IfModule mod_tls.c>
+TLSEngine                  on
+TLSLog                     /var/log/proftpd/tls.log
+TLSProtocol TLSv1.2
+TLSCipherSuite AES256+EECDH:AES256+EDH
+TLSOptions                 NoCertRequest AllowClientRenegotiations NoSessionReuseRequired
+TLSRSACertificateFile      /etc/proftpd/ssl/proftpd.crt
+TLSRSACertificateKeyFile   /etc/proftpd/ssl/proftpd.key
+TLSVerifyClient            off
+TLSRequired                on
+RequireValidShell          no
+</IfModule>