update

vsftpd/Dockerfile

@@ -10,12 +10,18 @@ RUN set -xe \
     && rm -rf /var/cache/apk/*
 
 RUN { \
-        echo "ftpd_banner=Welcome to VSFTPD service."; \
-        echo "write_enable=YES"; \
-        echo "local_enable=YES"; \
-        echo "chroot_local_user=YES"; \
         echo "allow_writeable_chroot=YES"; \
+        echo "chroot_local_user=YES"; \
+        echo "ftpd_banner=Welcome to VSFTPD service."; \
+        echo "local_enable=YES"; \
+        echo "pasv_addr_resolve=YES"; \
+        echo "pasv_address=my-ftp-server"; \
+        echo "pasv_enable=YES"; \
+        echo "pasv_max_port=30100"; \
+        echo "pasv_min_port=30000"; \
+        echo "port_enable=YES"; \
         echo "seccomp_sandbox=NO"; \
+        echo "write_enable=YES"; \
     } >> /etc/vsftpd/vsftpd.conf
 
 VOLUME /var/lib/ftp

vsftpd/README.md

@@ -4,23 +4,75 @@ vsftpd
 [vsftpd][1] is a GPL licensed FTP server for UNIX systems, including Linux.
 It is secure and extremely fast. It is stable. Don't take my word for it, though.
 
+## Directory Tree
+
+```
+~/fig/vsftpd/
+├── docker-compose.yml
+├── ftp/
+│   └── README.md
+└── vsftpd/
+    ├── vsftpd.conf
+    └── vsftpd.pem
+```
+
+## vsftpd.conf
+
+```bash
+allow_writeable_chroot=YES
+anonymous_enable=YES
+chroot_local_user=YES
+connect_from_port_20=YES
+dirmessage_enable=YES
+force_local_data_ssl=YES
+force_local_logins_ssl=YES
+ftpd_banner=Welcome to VSFTPD service.
+listen=YES
+local_enable=YES
+pasv_addr_resolve=YES
+pasv_address=my-ftp-server
+pasv_enable=YES
+pasv_max_port=30010
+pasv_min_port=30000
+port_enable=YES
+rsa_cert_file=/etc/vsftpd/vsftpd.pem
+rsa_private_key_file=/etc/vsftpd/vsftpd.pem
+seccomp_sandbox=NO
+ssl_enable=YES
+ssl_sslv2=NO
+ssl_sslv3=NO
+ssl_tlsv1=YES
+write_enable=YES
+xferlog_enable=YES
+```
+
+> Please point `pasv_address` to your ftp server.
+
 ## docker-compose.yml
 
 ```yaml
 vsftpd:
   image: vimagick/vsftpd
+# net: host
   ports:
+    - "20:20"
     - "21:21"
+    - "30000-30010:30000-30010"
   volumes:
+    - ./vsftpd:/etc/vsftpd
     - ./ftp:/var/lib/ftp
   privileged: true
   restart: always
 ```
 
+> You can use `net: host` instead of `ports`.
+> Make sure these ports are allowed by firewall.
+
 ## Server
 
 ```bash
 $ cd ~/fig/vsftpd/
+$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout vsftpd/vsftpd.pem -out vsftpd/vsftpd.pem
 $ docker-compose up -d
 $ touch ./ftp/README.md
 $ docker exec -it vsftpd_vsftpd_1 sh
@@ -41,13 +93,12 @@ Password for kev changed by root
 ```
 
 > :warning: Default password for `root` is empty, please change it!
-> I also add another local user called `kev` here.
+> I also added another local user called `kev` here.
-> You can edit [/etc/vsftpd/vsftpd.conf][2] to enable more functions.
+> You can edit [/etc/vsftpd/vsftpd.conf][2] to enable more [functions][3].
 
 ## Client
 
 You can login as `root`/`kev`(local user) or `ftp`(anonymous user).
-Only local users can upload files.
 
 ```bash
 $ ftp my-ftp-server
@@ -60,12 +111,6 @@ Password:
 Remote system type is UNIX.
 Using binary mode to transfer files.
 
-ftp> epsv4 off
-EPSV/EPRT on IPv4 off.
-
-ftp> passive off
-Passive mode: off; fallback to active mode: off.
-
 ftp> verbose off
 Verbose mode off.
 
@@ -83,7 +128,19 @@ Permission denied.
 ftp> bye
 ```
 
-> :warning: Passive mode is not working!
+Only local users can upload files.
+
+```bash
+$ lftp
+lftp :~> set ssl:verify-certificate no
+lftp :~> open root@my-ftp-server
+Password: ******
+lftp root@my-ftp-server:~> put README.md
+lftp root@my-ftp-server:~> ls
+-rw-------    1 0        0             337 Jan 31 16:26 README.md
+lftp root@my-ftp-server:~> bye
+```
 
 [1]: https://security.appspot.com/vsftpd.html
-[2]: https://wiki.archlinux.org/index.php/Very_Secure_FTP_Daemon
+[2]: http://vsftpd.beasts.org/vsftpd_conf.html
+[3]: https://wiki.archlinux.org/index.php/Very_Secure_FTP_Daemon

vsftpd/docker-compose.yml

@@ -1,6 +1,11 @@
 vsftpd:
   image: vimagick/vsftpd
   ports:
+    - "20:20"
     - "21:21"
+    - "30000-30010:30000-30010"
+  volumes:
+    - ./vsftpd:/etc/vsftpd
+    - ./ftp:/var/lib/ftp
   privileged: true
   restart: always

vsftpd/vsftpd/vsftpd.conf

@@ -0,0 +1,25 @@
+allow_writeable_chroot=YES
+anonymous_enable=YES
+chroot_local_user=YES
+connect_from_port_20=YES
+dirmessage_enable=YES
+force_local_data_ssl=YES
+force_local_logins_ssl=YES
+ftpd_banner=Welcome to VSFTPD service.
+listen=YES
+local_enable=YES
+pasv_addr_resolve=YES
+pasv_address=my-ftp-server
+pasv_enable=YES
+pasv_max_port=30010
+pasv_min_port=30000
+port_enable=YES
+rsa_cert_file=/etc/vsftpd/vsftpd.pem
+rsa_private_key_file=/etc/vsftpd/vsftpd.pem
+seccomp_sandbox=NO
+ssl_enable=YES
+ssl_sslv2=NO
+ssl_sslv3=NO
+ssl_tlsv1=YES
+write_enable=YES
+xferlog_enable=YES

vsftpd/vsftpd/vsftpd.pem

@@ -0,0 +1,49 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAtzIO2PzEb+wcurVGauFOFqeT3tRHdAdKdIiQsNt+4PAU/v6h
+VM4Qjf6ZigrIdtjpU4cfqBLdI1b/3qui6V/ZidgTpydQMtfhqiqu5oeeej0VDLV1
+mBDqQ+rBugnHLdMivIovzsPgbRSCkdLBM7Ndx7DUQgWOcKIkvzuwHq6mM8uawxo/
+ixHXYb2vNwRkAra80YJ2/aTyseIgmv6HT9AoW48ZXYdJyyGF4g8bWx/Yu4UJX+EN
+hAkg9t3olwyjDH7GziXvt99QzqHghu+2IWpdTyFa8TJbKQr5tTTcEbKg+fyaTP1y
+ahE+MquArpuqJP3tOldw5r4/wrGfSPjMpxPceQIDAQABAoIBAEZRjKl1vOFJPG3e
+jz0PZq4DfRsXWKYM9mNs2D1Kw5UMEsMeckbfIjOe+simAvS7pjRNtbUKKKAcEPMj
+5tC13gavTjvnNz2M6C4tXB1ZCVfagm3yaUUJmSKgxePnRPEuDjNYx6kSPt8f9E6N
+G2QBAYpZMeB1yYsqcfiFrMDaQSm34sEFaWhnjtLwPa3VlYgjtmhwJxxnDNbIvtCl
+NA2P2NiGVRsqi3z1jcQbWHcKUJkqphWlQUIJLsFVy5wl9yUXr6RFt4bege9KNMT9
+XcS10SwpSJV5coEugI75T78hYqI3vj/T8CbGSCk0onEQQMjpVTYFAx2VcSBk/D/j
+WpAgPtECgYEA68r35XfyzD23p3CZzpRHgvdtb3k9HppaiokxgsMkfOs+oUfpC14u
+kT+0OusuvrFssOIWoj2O05VHzwXreAThGuB0A9UtFMrEdKvPTGfOOrH+oBdhUz1B
+j+/tx0dBMO35ws4gUQzFsWX0JxE5V8sAG9eczQU8M6VdiV9epQ+EypcCgYEAxuUp
+25UqxlJ6hk8S6NIHhZqtRj1PmIU3VqKsXU0Wvh52gzj+xX49DbEzjISXl8kYZNzt
+ZYsAdg/C/SzQX7aAMWdkYOjIC28+88gN8fJmI9Caj41kBT+XFTWRBC2h0bRjOpQM
+ompgr+8lOBiyIJjR6k3n2lwb2QKFvYfpbMwpw28CgYAlY5HbeSGu8Tpl+pzo/Oo6
+AjIAMyFV8PPac9a9/WOTy1mrCVQS0WRg89EIZrKK2md5xOAB6fDz6//u++lSprNr
+J5w931e+rEhql7PPUcaJ2B+gExUDtfrncAwsRUg5EgNAuJ63O2c9sgT9DOYi3bWu
+tInQmLvrFJW4ar7/PW65EQKBgG09UmcbH5o7lLYN2inrqVv1H3QzmnL/v+wifp7k
+Bzi2jIr4E94uvqO1jsV/0a75MR+8w9qApOkzMPpS0cOv/eqkido8IBs/p4jHePlJ
+FFZZbXqowqWrTnTErfhog7ck51c2F1ZhLOeUZpHP5o3GwYx563zgGB9xpjj52/f4
+jnubAoGAQxev93QZVrU1OuXCQsrd5pZgEOh6d/LRL88ryDhmlyqjWlECw9ImcxTA
+exTxbZsZZdWDjD9rPHJSy++1JI4YJFIXV37W8DsBh3HRFqs/ZKTt0ihfy6Fy7Kw1
+Kij0QLIAPwd+iO2Uz0gGtERllpPJwnkTjP6B+POVatt76QIga7g=
+-----END RSA PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIIDtTCCAp2gAwIBAgIJAOgVMrkyXnQRMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV
+BAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBX
+aWRnaXRzIFB0eSBMdGQwHhcNMTYwMTMxMTUyNjA3WhcNMTcwMTMwMTUyNjA4WjBF
+MQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50
+ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEAtzIO2PzEb+wcurVGauFOFqeT3tRHdAdKdIiQsNt+4PAU/v6hVM4Qjf6Z
+igrIdtjpU4cfqBLdI1b/3qui6V/ZidgTpydQMtfhqiqu5oeeej0VDLV1mBDqQ+rB
+ugnHLdMivIovzsPgbRSCkdLBM7Ndx7DUQgWOcKIkvzuwHq6mM8uawxo/ixHXYb2v
+NwRkAra80YJ2/aTyseIgmv6HT9AoW48ZXYdJyyGF4g8bWx/Yu4UJX+ENhAkg9t3o
+lwyjDH7GziXvt99QzqHghu+2IWpdTyFa8TJbKQr5tTTcEbKg+fyaTP1yahE+MquA
+rpuqJP3tOldw5r4/wrGfSPjMpxPceQIDAQABo4GnMIGkMB0GA1UdDgQWBBRfx5/C
+w8DjHcxInaqFM8ThMy3F2jB1BgNVHSMEbjBsgBRfx5/Cw8DjHcxInaqFM8ThMy3F
+2qFJpEcwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNV
+BAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZIIJAOgVMrkyXnQRMAwGA1UdEwQF
+MAMBAf8wDQYJKoZIhvcNAQEFBQADggEBADDCMMd5s/UD4wGuzrvUKrbZigJDjeDu
+ux92PBuEC6VMX+qnj60GAKWaTdC0p4cbBUCxTHUmmVLS2Y54Ba420EE/KYj+P0Fg
+Sm8ymbBuIGtI1fcRVQnasmsxO3CDXKsy/BdIm3x6PSC+PzQsyo477za0jTQia4Zo
+FEIhGP2Eo4HOzfi6m08o1Xl70HNzyZ5WsyYKbsoFYCwFlriuymSZgG5aXd3BI9zJ
+48EKqis5ISSEmHFI5j4rGkv7+7RXOIpg6tScLjeKadobD8PCkNCSuvawqfSYi9yO
+MCFc6CXA4hW6BkyTXjfRrt/hnETv7tN4YnLNPwXwC8iB/CjpGD8m+0w=
+-----END CERTIFICATE-----