The FreeBSD Diary

Providing practical examples since 1998

virtual ftp servers - proftpd 10 November 1999
After I installed proftpd, I decided to play around with virtual ftp servers.
home page   http://www.proftpd.org/
mailing list archives   http://www.proftpd.org/proftpd-l-archive/
FAQ   http://hamster.wibble.org/proftpd/

If you want to know more about virtual machines, see http://cybernut.com/guides/virtual.html

Virtual server restrictions
The first warning is that each virtual server must have a different IP address or run on a different port.  See the proftpd FAQ for more detail.  And I actually have only one public IP address.  So all of my testing was with private addresses.
Adding IP aliases
My first step was to add additional IP addresses to my network cards.  This is covered by the FreeBSD FAQ.   Here's what I did:
ifconfig ed1 alias 192.168.0.200 netmask 255.255.255.255
ifconfig ed1 alias 192.168.0.201 netmask 255.255.255.255

You may think that the netmask is wrong.  You might be thinking you want 255.255.255.0 but if you use that, here's the error you will get:

ifconfig: ioctl (SIOCAIFADDR): File exists
Configuring virtual servers
Here are the virtual servers I added to /usr/local/etc/proftpd.conf.   These examples were taken straight from /usr/ports/ftp/proftpd/work/proftpd-1.2.0pre8/sample-configurations/.

The main changes are:

  • Turned off PAM (my box isn't new enough)
  • Set the server name
  • Set the default root.

You'll also see that the two servers have files in different places.  This is the main reason for running virtual servers.  You can have them answer to different IP addresses (i.e. different hostnames) and present different file sets according to the server in question.

After modifying the config file, don't forget to HUP proftpd!

killall -HUP proftpd

Here are the configuration settings:

# First virtual server
<VirtualHost 192.168.0.200>
  AuthPAMAuthoritative      off
  ServerName                "This is the Virtual Server 192.168.0.200"
  DefaultRoot               /pub/ftp.192.168.0.200

  MaxClients                10

  # Next, create a "guest" account (which could be used
  # by a customer to allow private access to their web site, etc)
  <Anonymous /pub/ftp.192.168.0.200>
  User                      ftp
  Group                     ftp                                    

  #  ### We want clients to be able to login with "anonymous" 
  #  ### as well as "ftp"
  UserAlias                 anonymous ftp

  ### It is wise when making an 'ftp' user that you block its
  ### ability to log in, either via /etc/login.access or by giving it
  ### an invalid shell.
  ### Uncomment this if the 'ftp' user you made has an invalid shell

  RequireValidShell         off

  ### We want 'welcome.msg' displayed at login, and '.message' 
  ### displayed in each newly chdired directory.
  DisplayLogin              welcome.msg
  DisplayFirstChdir         .message

  AnonRequirePassword       on

    <Limit LOGIN>
      AllowAll
    </Limit>
 
    # A private directory that we don't want the user getting in to.
    <Directory logs>
      <Limit READ WRITE DIRS>
        DenyAll
      </Limit>
    </Directory>

  </Anonymous>

</VirtualHost>

# Second virtual server
<VirtualHost 192.168.0.201>
  AuthPAMAuthoritative     off
  ServerName               "This is the Virtual Server 192.168.0.201"
  DefaultRoot              /pub/ftp.192.168.0.201

  MaxClients               10

  # Next, create a "guest" account (which could be used
  # by a customer to allow private access to their web site, etc)
  <Anonymous /pub/ftp.192.168.0.201>
  User                     ftp
  Group                    ftp
                                                                  
  #  ### We want clients to be able to login with "anonymous" as 
  #  ###   well as "ftp"
  UserAlias                anonymous ftp

  ### It is wise when making an 'ftp' user that you block its
  ### ability to log in, either via /etc/login.access or by giving it
  ### an invalid shell.
  ### Uncomment this if the 'ftp' user you made has an invalid shell

  RequireValidShell        off

  ### We want 'welcome.msg' displayed at login, and '.message' 
  ### displayed in each newly chdired directory.
  DisplayLogin             welcome.msg
  DisplayFirstChdir        .message

  AnonRequirePassword        on

    <Limit LOGIN>
      AllowAll
    </Limit>

    # A private directory that we don't want the user getting in to.
    <Directory logs>
      <Limit READ WRITE DIRS>
        DenyAll
      </Limit>
    </Directory>

  </Anonymous>

</VirtualHost>
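
A check for the restriction described earlier, as an added example (not from the article or the ProFTPD project): a small Python audit that flags two <VirtualHost> blocks sharing an address and port, and any block with no DefaultRoot to confine local users. It assumes a block without a Port directive listens on 21 and does not look at <Global> sections; the sample config is constructed.

```python
import re

# Constructed sample with two faults: a reused address, a missing DefaultRoot.
SAMPLE = """\
<VirtualHost 192.168.0.200>
  DefaultRoot  /pub/ftp.192.168.0.200
  <Anonymous /pub/ftp.192.168.0.200>
    User       ftp
  </Anonymous>
</VirtualHost>
<VirtualHost 192.168.0.201>
  ServerName   "This is the Virtual Server 192.168.0.201"
</VirtualHost>
<VirtualHost 192.168.0.200>
  DefaultRoot  /pub/ftp.other
</VirtualHost>
"""
KEYS = {"port": "port", "defaultroot": "root"}  # directive -> field name

def parse_vhosts(text):
    """Return addr, port, root and starting line of each <VirtualHost>."""
    vhosts, cur = [], None
    for n, line in enumerate(map(str.strip, text.splitlines()), 1):
        m = re.match(r"<VirtualHost\s+([^>\s]+)", line, re.I)
        if m:  # assumption: without a Port directive the vhost uses 21
            cur = {"addr": m.group(1), "port": "21", "root": None, "line": n}
        elif cur and line.lower().startswith("</virtualhost"):
            vhosts.append(cur)
            cur = None
        elif cur:  # comments, blanks and nested tags never match KEYS
            parts = line.split()
            if len(parts) >= 2 and parts[0].lower() in KEYS:
                cur[KEYS[parts[0].lower()]] = parts[1]
    return vhosts

def audit(text):
    """Flag reused address:port pairs and vhosts with no DefaultRoot."""
    findings, seen = [], {}
    for v in parse_vhosts(text):
        key = f"{v['addr']}:{v['port']}"
        if key in seen:
            findings.append(f"line {v['line']}: {key} reused from line {seen[key]}")
        seen.setdefault(key, v["line"])
        if v["root"] is None:
            findings.append(f"line {v['line']}: no DefaultRoot, local users are not chrooted")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

To audit a live file, pass its contents instead of the sample, for example audit(open("/usr/local/etc/proftpd.conf").read()).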
Testing
If you check my NIC, you'll see it is listening on more than one IP:
# ifconfig ed1
ed1: flags=8843<up,broadcast,running,simplex,multicast> mtu 1500
        inet 192.168.0.20 netmask 0xffffff00 broadcast 192.168.0.255
        inet 192.168.0.200 netmask 0xffffff00 broadcast 192.168.0.255
        inet 192.168.0.201 netmask 0xffffff00 broadcast 192.168.0.255
        ether 00:80:ad:df:f5:d6

And if I ftp to either address, I get different responses:

$ ftp 192.168.0.200
Connected to 192.168.0.200.
220 ProFTPD 1.2.0pre8 Server (This is the Virtual Server 
                            192.168.0.200) [192.168.0.200]
Name (192.168.0.200:dan): dan
331 Password required for dan.
Password:
230 User dan logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful.
425 Can't build data connection: Connection refused
ftp> passive
Passive mode on.
ftp> ls
227 Entering Passive Mode (192,168,0,200,7,185)
150 Opening ASCII mode data connection for file list
-rw-r--r--   1 14       wheel           0 Nov 11 13:58 192.168.0.200
226 Transfer complete.
ftp> close
221 Goodbye.
ftp> open 192.168.0.201
Connected to 192.168.0.201.
220 ProFTPD 1.2.0pre8 Server (This is the Virtual Server 
                              192.168.0.201) [192.168.0.201]
Name (192.168.0.201:dan): dan
331 Password required for dan.
Password:
230 User dan logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,0,201,7,187)
150 Opening ASCII mode data connection for file list
-rw-r--r--   1 0        wheel           0 Nov 11 14:43 192.168.0.201
226 Transfer complete.
ftp> quit
221 Goodbye.
