Virtual Apache/FTP Hosting with forced FTP over SSL in Ubuntu 10.04

This guide sets up virtual hosting using name-based Apache virtual hosts, and vsftpd with virtual users
and forced SSL connections.

EDIT: I changed the VSFTPD daemon to run as www-data instead so the virtual directories could be written to by apache.

First, we must install the necessary packages:

apt-get update
apt-get install vsftpd mysql-server apache2 libpam-mysql

(Optional packages for a full LAMP stack – php5 php5-mysql)

Then we create a self-signed SSL certificate for the vsftpd connections. You may use another, signed certificate instead; this is just a starting point.

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem

Next we create the authentication table for the virtual users. Be sure to change the vsftpdpassword:

 mysql -u root -p

CREATE DATABASE vsftpd;
GRANT SELECT ON vsftpd.* TO 'vsftpd'@'localhost' IDENTIFIED BY 'vsftpdpassword';
FLUSH PRIVILEGES;
USE vsftpd;
CREATE TABLE `accounts` (
`id` INT NOT NULL AUTO_INCREMENT PRIMARY KEY ,
`username` VARCHAR( 30 ) NOT NULL ,
`pass` VARCHAR( 50 ) NOT NULL ,
UNIQUE ( `username` )
) ENGINE = MYISAM ;
exit;

Next, we back up the original vsftpd config, and create our own:

cp -v /etc/vsftpd.conf /etc/vsftpd.conf-orig
cat /dev/null > /etc/vsftpd.conf
vi /etc/vsftpd.conf

Copy and paste this into VIM (or your favorite editor):

 # VSFTPD Configuration
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
nopriv_user=vsftpd
chroot_local_user=YES
secure_chroot_dir=/var/run/vsftpd
pam_service_name=vsftpd
guest_enable=YES
guest_username=www-data
local_root=/home/vsftpd/$USER
user_sub_token=$USER
virtual_use_local_privs=YES

# Only necessary if you want to do per-user configs
#user_config_dir=/etc/vsftpd_user_conf

# SSL related parameters
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO

# This option specifies the location of the RSA certificate to use for SSL
# encrypted connections.
rsa_cert_file=/etc/ssl/private/vsftpd.pem
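
A quick way to confirm that the finished file really forces TLS, as an added example that is not part of the original post: the shell function below reports any of the SSL settings above that are missing or set to a different value, and any key that is set twice with different values. The function name check_vsftpd_tls and the sample file are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): audit a vsftpd.conf for the
# forced-TLS settings listed above. Prints one finding per line and
# returns 0 when clean, 1 when anything was flagged.
check_vsftpd_tls() {
    awk -F= '
    BEGIN {
        bad = 0
        # Assumption: a key absent from the file is reported, so the file
        # states its TLS policy explicitly instead of relying on defaults.
        want["ssl_enable"] = "YES";  want["allow_anon_ssl"] = "NO"
        want["force_local_logins_ssl"] = "YES"
        want["force_local_data_ssl"] = "YES"
        want["anonymous_enable"] = "NO"
        want["ssl_sslv2"] = "NO";    want["ssl_sslv3"] = "NO"
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }       # skip comments and blank lines
    {
        key = $1
        val = substr($0, length(key) + 2)   # everything after the first "="
        sub(/[ \t\r]+$/, "", val)
        # Same key set twice with different values: a reader cannot tell
        # which one is in force (e.g. two rsa_cert_file paths).
        if ((key in seen) && seen[key] != val) {
            printf "CONFLICT %s: %s (line %d) vs %s (line %d)\n", key, seen[key], at[key], val, NR
            bad = 1
        }
        seen[key] = val; at[key] = NR
    }
    END {
        for (k in want) {
            if (!(k in seen)) { printf "MISSING %s (want %s)\n", k, want[k]; bad = 1 }
            else if (toupper(seen[k]) != want[k]) { printf "WEAK %s=%s (want %s)\n", k, seen[k], want[k]; bad = 1 }
        }
        exit bad
    }' "$1"
}

# Constructed sample: SSLv3 left on, force_local_data_ssl missing, and the
# certificate path set twice.
sample=$(mktemp)
printf '%s\n' 'rsa_cert_file=/etc/ssl/certs/vsftpd.pem' 'anonymous_enable=NO' \
    'ssl_enable=YES' 'allow_anon_ssl=NO' 'force_local_logins_ssl=YES' \
    'ssl_sslv2=NO' 'ssl_sslv3=YES' 'rsa_cert_file=/etc/ssl/private/vsftpd.pem' > "$sample"
check_vsftpd_tls "$sample" || echo "findings reported above"
rm -f "$sample"
```

Run it against the live file with check_vsftpd_tls /etc/vsftpd.conf before restarting vsftpd.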

Next we configure PAM to authenticate virtual FTP users against the MySQL Database:

cp /etc/pam.d/vsftpd /etc/pam.d/vsftpd-orig
cat /dev/null > /etc/pam.d/vsftpd
vi /etc/pam.d/vsftpd

Paste the following, making sure to change vsftpdpassword to the password you set in the GRANT statement:

auth required pam_mysql.so user=vsftpd passwd=vsftpdpassword host=localhost db=vsftpd table=accounts usercolumn=username passwdcolumn=pass crypt=2
account required pam_mysql.so user=vsftpd passwd=vsftpdpassword host=localhost db=vsftpd table=accounts usercolumn=username passwdcolumn=pass crypt=2

And it’s all set up! I’ve attached a handy Perl script to make provisioning users much easier. It takes 2 arguments when run:

First, the site name. This is the ROOT domain name, without www or anything (example.com)
Second, the FTP User password

So running the script would look like this: ./provision.pl example.com password

The ftp login information would then be:
Server: example.com
Username: example.com
Password: password
