276 lines
13 KiB
HTML
276 lines
13 KiB
HTML
<!DOCTYPE html>
|
|
<html>
|
|
<head>
|
|
<title>ProFTPD: Virtual Servers</title>
|
|
</head>
|
|
|
|
<body bgcolor=white>
|
|
|
|
<hr>
|
|
<center><h2><b>ProFTPD: Virtual Servers</b></h2></center>
|
|
<hr>
|
|
|
|
<p><a name="Definition"></a>
|
|
<b>What is a virtual server?</b><br>
|
|
A virtual server, also known as a virtual host (or <i>vhost</i> for short),
|
|
refers to the practice of serving more than one address/site on a single host
|
|
machine. The fact that these multiple sites are being served by the same
|
|
physical machine is transparent to the end user.
|
|
|
|
<p>
|
|
Until very recently, the definition of FTP did not allow for <i>name</i>-based
|
|
virtual hosts, such as supported by HTTP/1.1. That changed with
|
|
<a href="https://tools.ietf.org/html/rfc7151">RFC 7151</a>, which defined a
|
|
<code>HOST</code> FTP command. ProFTPD virtual hosts are IP-based <i>and</i>
|
|
name-based.
|
|
|
|
<p>
|
|
In some documents, one might see reference to both "daemon" and
|
|
"server". Sometimes these words are used interchangeably; however,
|
|
there is a slight difference. A "daemon" is a long-lived process
|
|
on a host machine, and a "server" is a process that provides some
|
|
service, typically to remote clients. A process, such as a standalone
|
|
<code>proftpd</code> process, can be considered both a "daemon"
|
|
and a "server". With this in mind, then, a "virtual server"
|
|
is not a separate process itself; it just looks like one to the remote clients.
|
|
Hence the "virtual".
|
|
|
|
<p><a name="Configuration"></a>
|
|
There are three "server" contexts (sometimes also called
|
|
<i>sections</i>) in the <code>proftpd.conf</code> configuration file:
|
|
<a href="../modules/mod_core.html#VirtualHost"><code><VirtualHost></code></a>, <a href="../modules/mod_core.html#Global"><code><Global></code></a>,
|
|
and "server config".
|
|
|
|
<p>
|
|
The <code><VirtualHost></code> context is used to define the configuration
|
|
for a particular virtual host, bound to an IP address. For example:
|
|
<pre>
|
|
<VirtualHost 1.2.3.4>
|
|
...
|
|
</VirtualHost>
|
|
</pre>
|
|
defines a configuration for a virtual server that <code>proftpd</code> should
|
|
use whenever a remote client connects to the IP address 1.2.3.4. DNS names,
|
|
too, can be used with the <code><VirtualHost></code> configuration
|
|
directive:
|
|
<pre>
|
|
<VirtualHost ftp.mydomain.com>
|
|
...
|
|
</VirtualHost>
|
|
</pre>
|
|
When <code>proftpd</code> parses this section on startup, it will resolve the
|
|
given DNS name to its IP address and use that, just as if that IP address
|
|
had been used in the first place. In addition, when DNS names are used like
|
|
this, ProFTPD will <i>automatically</i> create a <a href="../modules/mod_core.html#ServerAlias"><code>ServerAlias</code></a> directive using that DNS name.
|
|
This allows for multiple <code><VirtualHost></code> sections using the
|
|
same DNS name to be defined in your <code>proftpd.conf</code>.
|
|
|
|
<p>
|
|
If you want the same vhost to be used for multiple different names at the
|
|
same time (<i>e.g.</i> because you have multiple DNS names for the same
|
|
server), you would use the <code>ServerAlias</code> directive to list those
|
|
other names, like so:
|
|
<pre>
|
|
<VirtualHost ftp.mydomain.com>
|
|
# Use this vhost for other names, too
|
|
ServerAlias ftp.mydomain.org ftp2.mydomain.com ftp.otherdomain.org
|
|
...
|
|
</VirtualHost>
|
|
</pre>
|
|
|
|
<p>
|
|
The <code><Global></code> section is provided as a convenience. Imagine
|
|
that the administrator has many <code><VirtualHost></code> sections
|
|
in her <code>proftpd.conf</code>, and yet has a lot of the same configuration
|
|
for each virtual host, such as common <code><Directory></code> sections,
|
|
<code>DefaultRoot</code> settings, <i>etc</i>. Rather than including the
|
|
same configuration over and over, she could use the <code><Global></code>
|
|
section:
|
|
<pre>
|
|
<Global>
|
|
...
|
|
</Global>
|
|
</pre>
|
|
Anything inside of a <code><Global></code> section is applied to every
|
|
server configuration in the file, to every <code><VirtualHost></code> as
|
|
well as the default "server config" server.
|
|
|
|
<p>
|
|
Which brings us to the "server config" section. The name is
|
|
ill-suited, and is really borrowed directly from Apache's naming conventions.
|
|
The "server config" context refers to anything <b>not</b> in a
|
|
<code><VirtualHost></code> or <code><Global></code> section in
|
|
the <code>proftpd.conf</code> file. Unlike Apache's <code>httpd.conf</code>,
|
|
ProFTPD's configuration is designed such that one should be able to use
|
|
the simplest file as possible. In fact, <code>proftpd</code> will start
|
|
if the <code>proftpd.conf</code> is completely empty; try it! This will
|
|
cause the daemon to use all of the default settings, which in most cases
|
|
is not what is wanted, but it <i>is</i> possible. With this in mind,
|
|
there is always at least <i>one</i> server configuration present: the default
|
|
server context, and it is this context that is known as the
|
|
"server config". Just like the <code><VirtualHost></code>
|
|
section, any configuration directives inside the "server config"
|
|
section <b>do not apply</b> outside of the context. Many administrators often
|
|
<i>assume</i> that this is the case. It is not. This is what the
|
|
<code><Global></code> section is for.
|
|
|
|
<p>
|
|
However, one particular drawback to the "server config" section was
|
|
that it did not provide a way to specify to which IP address that configuration
|
|
pertained. By default, when <code>proftpd</code> parses the
|
|
<code>proftpd.conf</code> file, it will use the <code>gethostname()</code>
|
|
function to determine the IP address to which the default server should listen.
|
|
On a single address, single interface system, this default is fine. It is one
|
|
a multiple address system that the default handling does not always work;
|
|
the administrator may wish to explicitly specify to which address the default
|
|
server should listen. This is what the <a href="../modules/mod_core.html#DefaultAddress"><code>DefaultAddress</code></a> configuration directive provides: the
|
|
ability to specify to which IP address the "server config" vhost
|
|
should listen.
|
|
|
|
<p>
|
|
By default, every server will listen to port 21, the IANA standard port for
|
|
FTP. If you want to have server react to a different port, use the
|
|
<a href="../modules/mod_core.html#Port"><code>Port</code></a> directive to
|
|
change the port. As might be mentioned elsewhere, if you have many different
|
|
<code><VirtualHost></code> sections using the <i>same address</i> but
|
|
different <i>ports</i>, you'll want to make sure that you leave each
|
|
<code>Port</code>-1 number empty. <a href="http://www.faqs.org/rfcs/rfc959.html">RFC 959</a> specifies that the source port for an active
|
|
data transfer (read <a href="http://slacksite.com/other/ftp.html">here</a>)
|
|
must be <code>L-1</code>, where <code>L</code> is the port on which your server
|
|
listens. Also, as mentioned in the <code>Port</code> documentation, using:
|
|
<pre>
|
|
Port 0
|
|
</pre>
|
|
in any server context will effectively "disable" that server. This
|
|
is sometimes used to disable the "server config" configuration.
|
|
|
|
<p>
|
|
There is another configuration directive that comes into play in all of this
|
|
: <a href="../modules/mod_core.html#DefaultServer"><code>DefaultServer</code></a>. Here is why: when a client contacts <code>proftpd</code>, the server has to
|
|
determine which configuration to use for handling the client. To do this, it
|
|
searches its list of configured vhosts, searching for a vhost whose IP address
|
|
matches the IP address that the client contacted. If there is a matching vhost
|
|
for that IP address, simple: use that configuration. If not,
|
|
<code>proftpd</code> will then resort to using the configuration that bears the
|
|
<code>DefaultServer</code> directive, which says that the server configuration
|
|
in which it appears should be used in cases like this. If there is no
|
|
<code>DefaultServer</code> directive in the <code>proftpd.conf</code> file,
|
|
and no matching configuration can be found, then the client will see a message
|
|
such as "no server available to service your request". The
|
|
<code>DefaultServer</code> can be used to say that a
|
|
<code><VirtualHost></code> should be the default, and not necessarily the
|
|
"server config" context, as is common.
|
|
|
|
<p>
|
|
If you would like the same virtual host configuration to be used for
|
|
multiple different IP addresses (or DNS names), the
|
|
<code><VirtualHost></code> supports this:
|
|
<pre>
|
|
<VirtualHost 1.2.3.4 5.6.7.8>
|
|
...
|
|
</VirtualHost>
|
|
</pre>
|
|
|
|
<p>
|
|
If, however, you want to specific the address to which the configuration
|
|
of the "server config" context, use <code>DefaultAddress</code>
|
|
(mentioned above).
|
|
|
|
<p>
|
|
There is one last configuration directive about which an administrator should
|
|
know: <a href="../modules/mod_core.html#SocketBindTight"><code>SocketBindTight</code></a>. By default, the
|
|
<code>proftpd</code> daemon will listen on all addresses, port 21, for the
|
|
connection requests of remote clients. Sometimes, the administrator may
|
|
wish to have the <code>proftpd</code> daemon listen <b>only</b> on the IP
|
|
addresses for which it has been configured, and not <i>every</i> address.
|
|
To accomplish this, simply use the <code>SocketBindTight</code> configuration
|
|
directive:
|
|
<pre>
|
|
SocketBindTight on
|
|
</pre>
|
|
This configures the daemon to "bind tightly" only to those IP
|
|
addresses to which it has been configured to listen, rather than every address.
|
|
By default, the <code>proftpd</code> daemon will listen to every address on
|
|
the host machine.
|
|
|
|
<p><a name="FAQ"></a>
|
|
<b>Frequently Asked Questions</b><br>
|
|
|
|
<p>
|
|
<font color=red>Question</font>: Why do I see the following when I start <code>proftpd</code>?<br>
|
|
<pre>
|
|
- warning: "Virtual Server" address/port (1.2.3.4:21) already in use by "Main Server"
|
|
</pre>
|
|
<font color=blue>Answer</font>: This happens when a <code><VirtualHost></code> section is "hidden" behind the default server in the "server config"
|
|
section (<i>i.e.</i> the context that is outside of all <code><VirtualHost></code> and <code><Global></code> sections). It is "hidden" because
|
|
both the <code><VirtualHost></code> section and the "server config"
|
|
section are using the same IP address and port.
|
|
|
|
<p>
|
|
It is quite common to configure <code><VirtualHost></code> sections
|
|
using DNS names, rather than IP addresses. And the "server config" section
|
|
in the <code>proftpd.conf</code> file, by default, uses the IP address of
|
|
the machine's hostname. This makes it quite easy to inadvertently have
|
|
multiple sections trying to use the same IP address and port.
|
|
|
|
<p>
|
|
The quick-and-easy fix is to place the following your "server config" section
|
|
in your <code>proftpd.conf</code>:
|
|
<pre>
|
|
Port 0
|
|
</pre>
|
|
as mentioned above. You can also use the <code>DefaultAddress</code>
|
|
directive in the "server config" section to explicitly tell the "server config"
|
|
section to use a different IP address/DNS name.
|
|
|
|
<p>
|
|
<font color=red>Question</font>: How can I have my "server config" section
|
|
(or a <code><VirtualHost></code> section) listen for multiple IP
|
|
addresses/DNS names?<br>
|
|
<font color=blue>Answer</font>: In version 1.3.0rc1 and later, the
|
|
<code><VirtualHost></code> configuration was enhanced so that it could
|
|
handle multiple IP addresses/DNS names, <i>e.g.</i>:
|
|
<pre>
|
|
<VirtualHost 1.2.3.4 ftp.example.com>
|
|
...
|
|
</VirtualHost>
|
|
</pre>
|
|
And for the "server config" context, you would use the
|
|
<code>DefaultAddress</code> directive, which can also handle multiple IP
|
|
addresses/DNS names:
|
|
<pre>
|
|
DefaultAddress 1.2.3.4 ftp.example.com
|
|
</pre>
|
|
|
|
<p>
|
|
<font color=red>Question</font>: If I want to use many virtual hosts, do I
|
|
need to use a different port for each virtual host, or can the same port be
|
|
reused?<br>
|
|
<font color=blue>Answer</font>: The short answer is yes, it is possible to
|
|
have many virtual hosts on the same IP address and port.
|
|
|
|
<p>
|
|
However, doing so requires support from clients to work as you expect.
|
|
Specifically, it requires that FTP clients send the <code>HOST</code> command
|
|
(defined in
|
|
<a href="https://datatracker.ietf.org/doc/html/rfc7151">RFC 7151</a>), and not
|
|
all FTP clients do so. This command is equivalent to HTTP's <code>Host</code>
|
|
header, but it is newer, and so not every FTP client implementation has been
|
|
updated to use it. Without that <code>HOST</code> command, ProFTPD only has
|
|
the IP address/port combination from a client TCP connection to use for
|
|
determining which virtual host to use, and if there are many virtual hosts
|
|
(differentiated only by <em>name</em>) using the same IP address and port,
|
|
then ProFTPD cannot tell which specific virtual host to use. It will not work
|
|
as you expect, for clients that do not use the <code>HOST</code> command.
|
|
|
|
<p>
|
|
<hr>
|
|
<font size=2><b><i>
|
|
© Copyright 2017-2023 The ProFTPD Project<br>
|
|
All Rights Reserved<br>
|
|
</i></b></font>
|
|
<hr>
|
|
|
|
</body>
|
|
</html>
|