fauria#41 Add support for SSL

Dockerfile

@@ -4,7 +4,7 @@ ARG USER_ID=14
 ARG GROUP_ID=50
 
 MAINTAINER Fer Uria <[email protected]>
-LABEL Description="vsftpd Docker image based on Centos 7. Supports passive mode and virtual users." \
+LABEL Description="vsftpd Docker image based on Centos 7. Supports passive mode, SSL and virtual users." \
 	License="Apache License 2.0" \
 	Usage="docker run -d -p [HOST PORT NUMBER]:21 -v [HOST FTP HOME]:/home/vsftpd fauria/vsftpd" \
 	Version="1.0"
@@ -30,6 +30,9 @@ ENV LOG_STDOUT **Boolean**
 ENV FILE_OPEN_MODE 0666
 ENV LOCAL_UMASK 077
 ENV REVERSE_LOOKUP_ENABLE YES
+ENV SSL_ENABLE NO
+ENV TLS_CERT cert.pem
+ENV TLS_KEY key.pem
 
 COPY vsftpd.conf /etc/vsftpd/
 COPY vsftpd_virtual /etc/pam.d/
@@ -41,6 +44,7 @@ RUN chown -R ftp:ftp /home/vsftpd/
 
 VOLUME /home/vsftpd
 VOLUME /var/log/vsftpd
+VOLUME /etc/vsftpd/cert
 
 EXPOSE 20 21
 

README.md

@@ -125,10 +125,31 @@ This image uses environment variables to allow the configuration of some paramet
 
 ----
 
+* Variable name: `SSL_ENABLE`
+* Default value: NO
+* Accepted values: YES or NO.
+* Description: Set to YES if you want to enable SSL encryption - make FTPS server.
+
+----
+
+* Variable name: `TLS_CERT`
+* Default value: cert.pem
+* Accepted values: Any string represanting filename with extension
+* Description: Certificate filename which should be located in `/etc/vsftpd/cert/` of container.
+
+----
+
+* Variable name: `TLS_KEY`
+* Default value: key.pem
+* Accepted values: Any string represanting filename with extension
+* Description: Key filename which should be located in `/etc/vsftpd/cert/` of container.
+
+----
+
 Exposed ports and volumes
 ----
 
-The image exposes ports `20` and `21`. Also, exports two volumes: `/home/vsftpd`, which contains users home directories, and `/var/log/vsftpd`, used to store logs.
+The image exposes ports `20` and `21`. Also, exports three volumes: `/home/vsftpd`, which contains users home directories, `/var/log/vsftpd`, used to store logs and `/etc/vsftpd/cert`, to provide SSL certificate to container.
 
 When sharing a homes directory between the host and the container (`/home/vsftpd`) the owner user id and group id should be 14 and 80 respectively. This corresponds to ftp user and ftp group on the container, but may match something else on the host.
 
@@ -149,12 +170,13 @@ docker run -d -p 21:21 -v /my/data/directory:/home/vsftpd --name vsftpd fauria/v
 docker logs vsftpd
 ```
 
-3) Create a **production container** with a custom user account, binding a data directory and enabling both active and passive mode:
+3) Create a **production container** with a custom user account, SSL enabled, binding a data directory and enabling both active and passive mode:
 
 ```bash
 docker run -d -v /my/data/directory:/home/vsftpd \
 -p 20:20 -p 21:21 -p 21100-21110:21100-21110 \
 -e FTP_USER=myuser -e FTP_PASS=mypass \
+-e SSL_ENABLE=YES -e TLS_CERT=ftps_localhost.crt -e TLS_KEY=ftps_localhost.key \
 -e PASV_ADDRESS=127.0.0.1 -e PASV_MIN_PORT=21100 -e PASV_MAX_PORT=21110 \
 --name vsftpd --restart=always fauria/vsftpd
 ```

docker-compose.yml

@@ -17,3 +17,4 @@ services:
     volumes:
       - ./home:/home/vsftpd
       - ./logs:/var/log/vsftpd
+      - ./cert:/etc/vsftpd/cert

run-vsftpd.sh

@@ -39,6 +39,22 @@ echo "local_umask=${LOCAL_UMASK}" >> /etc/vsftpd/vsftpd.conf
 echo "xferlog_std_format=${XFERLOG_STD_FORMAT}" >> /etc/vsftpd/vsftpd.conf
 echo "reverse_lookup_enable=${REVERSE_LOOKUP_ENABLE}" >> /etc/vsftpd/vsftpd.conf
 
+# Add ssl options
+if [ "$SSL_ENABLE" = "YES" ]; then
+	echo "ssl_enable=YES" >> /etc/vsftpd/vsftpd.conf
+	echo "allow_anon_ssl=NO" >> /etc/vsftpd/vsftpd.conf
+	echo "force_local_data_ssl=YES" >> /etc/vsftpd/vsftpd.conf
+	echo "force_local_logins_ssl=YES" >> /etc/vsftpd/vsftpd.conf
+	echo "ssl_tlsv1=YES" >> /etc/vsftpd/vsftpd.conf
+	# Disable SSL v2 and SSL v3
+	echo "ssl_sslv2=NO" >> /etc/vsftpd/vsftpd.conf
+	echo "ssl_sslv3=NO" >> /etc/vsftpd/vsftpd.conf
+	echo "require_ssl_reuse=YES" >> /etc/vsftpd/vsftpd.conf
+	echo "ssl_ciphers=HIGH" >> /etc/vsftpd/vsftpd.conf
+	echo "rsa_cert_file=/etc/vsftpd/cert/$TLS_CERT" >> /etc/vsftpd/vsftpd.conf
+	echo "rsa_private_key_file=/etc/vsftpd/cert/$TLS_KEY" >> /etc/vsftpd/vsftpd.conf
+fi
+
 # Get log file path
 export LOG_FILE=`grep xferlog_file /etc/vsftpd/vsftpd.conf|cut -d= -f2`