ProFTPD Directives

I've found 230 directive(s)

 
Name: <Anonymous>
Syntax: <Anonymous root-directory>
Context: Server config <Global> <VirtualHost>
Module: mod_core
From version: 0.99.0
Description: The Anonymous configuration block is used to create an anonymous FTP login, and is terminated by a matching </Anonymous> directive. The root-directory parameter specifies which directory the daemon will first chdir to, and then chroot, immediately after login. Once the chroot operation successfully completes, higher level directories are no longer accessible to the running child daemon (and thus the logged in user). By default, proftpd assumes an anonymous login if the remote client attempts to login as the currently running user; unless the current user is root, in which case anonymous logins are not allowed regardless of the presence of an <Anonymous> block. To force anonymous logins to be bound to a user other than the current user, see the User and Group directives. In addition, if a User or Group directive is present in an <Anonymous> block, the daemon permanently switches to the specified uid/gid before chroot()ing. Normally, anonymous logins are not required to authenticate with a password, but are expected to enter a valid e-mail address in place of a normal password (which is logged). If this behavior is undesirable for a given <Anonymous> configuration block, it can be overridden via the AnonRequirePassword directive.
Note: Chroot()ed anonymous directories do not need to have supplemental system files in them, nor do they need to have any sort of specific directory structure. This is because proftpd is designed to acquire as much system information as possible before the chroot, and to leave open those files which are needed for normal operation and reside outside the new root directory.
Example 1:
<Anonymous /home/ftp>
 User  ftp               # After anonymous login, daemon runs as user ftp
 Group ftp               # After anonymous login, daemon runs as group ftp
 UserAlias anonymous ftp # Client login as 'anonymous' is aliased to 'ftp'

 <Directory *>
  <Limit WRITE>    # Deny all write access below the root directory
   DenyAll         # Default is "allow", so we don't need a
  </Limit>         # <Limit> to permit read access
 </Directory>

 <Directory incoming>
  <Limit READ WRITE>   # Only allow uploading files into the
   DenyAll             # incoming directory
  </Limit>
  <Limit STOR>
   AllowAll
  </Limit>
 </Directory>
</Anonymous>
06.00.2003 23:00
 
Name: <Directory>
Syntax: <Directory pathname>
Context: Server config <Global> <VirtualHost> <Anonymous>
Module: mod_core
From version: 0.99.0
Description: This directive creates a block of configuration directives which applies only to the specified directory and its sub-directories. The block is ended with </Directory>. Per-directory configuration is enabled during run-time with a "closest" match algorithm, meaning that the <Directory> directive with the closest matching path to the actual pathname of the file or directory in question is used. Per-directory configuration is inherited by all sub-directories until a closer matching <Directory> is encountered, at which time the original per-directory configuration is replaced with the closer match. Note that this does not apply to <Limit> </Limit> blocks, which are inherited by all sub-directories until a <Limit> block is reached in a closer match.
A trailing slash and wildcard ("/*") can be appended to the directory, specifying that the configuration block applies only to the contents (and sub-contents), not to the actual directory itself. Such wildcard matches always take precedence over non-wildcard <Directory> configuration blocks. <Directory> blocks cannot be nested (they are automatically nested at run-time based on their pathnames). Pathnames must always be absolute (except inside <Anonymous>), and should not reference symbolic links. Pathnames inside an <Anonymous> block can be relative, indicating that they are based on the anonymous root directory.
[Notes for ProFTPD 1.1.3 and later only] Pathnames that begin with the special character '~' and do not specify a username immediately after ~ are put into a special deferred mode. When in deferred mode, the directory context is not hashed and sorted into the configuration tree at boot time, but rather this hashing is deferred until a user authenticates, at which time the '~' character is replaced with the user's home directory. This allows a global <Directory> block which applies to all users' home directories, or sub-directories thereof.
Example 1:
<Directory /users/anybody/private>
  HideNoAccess
</Directory>
Example 2:
<Directory ~/anon-ftp>
  <Limit WRITE>
   DenyAll
  </Limit>
</Directory>
06.00.2003 20:02
 
Name: Allow
Syntax: Allow ["from"] "all" | "none" | host | network
Context: <Limit>
Module: mod_core
Default: allow all
From version: 0.99.0pl6
Description: The Allow directive is used inside a <Limit> context to explicitly specify which hosts and/or networks have access to the commands or operations being limited. Allow is typically used in conjunction with Order and Deny in order to create sophisticated (or perhaps not-so-sophisticated) access control rules. Allow takes an optional first argument, the keyword from. Using from is purely cosmetic. The remaining arguments are expected to be a list of hosts and networks which will be explicitly granted access. The magic keyword all can be used to indicate that all hosts will explicitly be granted access (analogous to the AllowAll directive, except with a lower priority). Additionally, the magic keyword none can be used to indicate that no hosts or networks will be explicitly granted access (although this does not prevent them from implicitly being granted access). If all or none is used, no other hosts or networks can be supplied. Host and network addresses can be specified by name or numeric address. For security reasons, it is recommended that all address information be supplied numerically. Relying solely on named addresses causes security to depend a great deal upon DNS servers which may themselves be vulnerable to attack or spoofing. Numeric addresses which specify an entire network should end in a trailing period (e.g. 10.0.0. for the entire 10.0.0 subnet). Named addresses which specify an entire network should begin with a leading period (e.g. .proftpd.net for the entire proftpd.net domain).
Example 1:
<Limit Login>
  Order Allow, Deny 
  Allow from 128.44.26., myhost.mydomain.edu. 
  Allow from 10.2.0.0/22 
  Deny from all 
</Limit>
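The recommendation above to supply addresses numerically can be checked mechanically. The following is an added example, not part of the original page or of ProFTPD: it scans Allow/Deny lines and reports arguments that depend on DNS. The function names are hypothetical and the sample configuration is the Example 1 block above, embedded as constructed input.

```python
import ipaddress
import re

# Constructed sample: the <Limit Login> block from Example 1 above.
SAMPLE_CONF = """\
<Limit Login>
  Order Allow, Deny
  Allow from 128.44.26., myhost.mydomain.edu.
  Allow from 10.2.0.0/22
  Deny from all
</Limit>
"""

# "Allow"/"Deny" followed by whitespace, so AllowAll, DenyAll, AllowUser etc.
# and the "Order Allow, Deny" line are not picked up.
ACL_LINE = re.compile(r"^\s*(Allow|Deny)\s+(.*)$", re.IGNORECASE)
# Numeric network prefix with the trailing period described above, e.g. "10.0.0."
NUMERIC_PREFIX = re.compile(r"^\d{1,3}(\.\d{1,3}){0,2}\.$")


def classify(token):
    """Return 'keyword', 'numeric' or 'name' for one Allow/Deny argument."""
    if token.lower() in ("all", "none"):
        return "keyword"
    if NUMERIC_PREFIX.match(token):
        return "numeric"
    try:
        ipaddress.ip_network(token, strict=False)  # plain address or CIDR
        return "numeric"
    except ValueError:
        return "name"  # anything else has to be resolved through DNS


def find_name_based_acls(conf_text):
    """Return (line number, directive, argument) for every DNS-dependent entry."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.split("#", 1)[0]  # drop comments
        match = ACL_LINE.match(line)
        if not match:
            continue
        directive = match.group(1).capitalize()
        tokens = [t for t in re.split(r"[,\s]+", match.group(2).strip()) if t]
        if tokens and tokens[0].lower() == "from":  # "from" is purely cosmetic
            tokens = tokens[1:]
        for token in tokens:
            if classify(token) == "name":
                findings.append((lineno, directive, token))
    return findings


if __name__ == "__main__":
    for lineno, directive, token in find_name_based_acls(SAMPLE_CONF):
        print(f"line {lineno}: {directive} relies on DNS for {token!r}")
```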
06.00.2003 20:02
 
Name: <Global>
Syntax: <Global>
Context: Server config <VirtualHost>
Module: mod_core
From version: 1.1.6
Description: The Global configuration block is used to create a set of configuration directives which is applied universally to both the main server configuration and all VirtualHost configurations. Most, but not all other directives can be used inside a Global block.
In addition, multiple <Global> blocks can be created. At runtime, all Global blocks are merged together and finally into each server's configuration. Global blocks are terminated by a matching </Global> directive.
06.00.2003 20:02
 
Name: <Limit>
Syntax: <Limit command|command-group [command2 ..]>
Context: Server config <Global> <VirtualHost> <Anonymous> .ftpaccess <Directory>
Module: mod_core
From version: 0.99.0
Description: The Limit configuration block is used to place access restrictions on one or more FTP commands, within a given context. Limits flow downward, so that a Limit configuration in the server config context applies to all <Directory> and <Anonymous> blocks that also reside in the configuration; until it is overridden by a "lower" <Limit> block. Any number of command parameters can be specified, against which the contents of the <Limit> block will be applied. command can be any valid FTP command, but is generally one of the following:
  CWD (Change Working Directory): Sent by client when changing directories.
  MKD / XMKD (MaKe Directory): Sent by client to create a new directory.
  RNFR (ReName FRom), RNTO (ReName TO): Sent as a pair by client to rename a directory entry.
  DELE (DELEte): Sent by client to delete a file.
  RMD / XRMD (ReMove Directory): Sent by client to remove a directory.
  RETR (RETRieve): Transfer a file from the server to the client.
  STOR (STORe): Transfer a file from the client to the server.
In addition, the following command-groups are accepted. They have a lower precedence than real commands, meaning that a real command limit will always be applied instead of the command-group.
  READ: All FTP commands which deal with file reading (directory listing not included): RETR, SITE, SIZE, STAT
  WRITE: All FTP commands which deal with file or directory write/creation/deletion: APPE, DELE, MKD, RMD, RNTO, STOR, XMKD, XRMD
  DIRS: All FTP commands which deal with directory listing: CDUP, CWD, LIST, MDTM, NLST, PWD, RNFR, XCUP, XCWD, XPWD
  ALL: ALL FTP commands (identical to READ WRITE DIRS). Note this group has the lowest precedence of all; it will not override a limit imposed by another command-group (e.g. DIRS).
Finally, a special command is allowed which can be used to control login access:
  LOGIN: Connection or login to the server. Applying a <Limit> to this pseudo-command can be used to allow or deny initial connection or login to the context. It has no effect, and is ignored, when used in a context other than server config, <VirtualHost> or <Anonymous> (i.e. using it in a <Directory> context is meaningless).
<Limit> command restrictions should not be confused with file/directory access permission. While limits can be used to restrict a command on a certain directory, they cannot be used to override the file permissions inherent to the base operating/file system.
The following FTP commands cannot be restricted via <Limit>:
  ABOR
  HELP
  MODE (not implemented, always S)
  NOOP
  PASS (use <Limit LOGIN>)
  PASV
  PORT
  QUIT
  REST (use AllowRetrieveRestart, AllowStoreRestart)
  STRU (not implemented, always F)
  SYST
  TYPE
  USER (use <Limit LOGIN>)
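The precedence rules above (real command over command-group, ALL lowest, implicit allow when nothing matches) are easy to misread when reviewing an upload directory. The following added example, which is not ProFTPD code or part of the original page, models them for the `<Directory *>` and `<Directory incoming>` limits of the <Anonymous> Example 1. It assumes, as a simplification, that the closest directory context is consulted before its parent; all function names are hypothetical.

```python
# Command-groups exactly as listed in the <Limit> description above.
GROUPS = {
    "READ": {"RETR", "SITE", "SIZE", "STAT"},
    "WRITE": {"APPE", "DELE", "MKD", "RMD", "RNTO", "STOR", "XMKD", "XRMD"},
    "DIRS": {"CDUP", "CWD", "LIST", "MDTM", "NLST", "PWD", "RNFR",
             "XCUP", "XCWD", "XPWD"},
}
GROUPS["ALL"] = GROUPS["READ"] | GROUPS["WRITE"] | GROUPS["DIRS"]

# Constructed model of Example 1: each context is (label, [(limit names, action)]).
ANON_ROOT = ("<Directory *>", [({"WRITE"}, "deny")])
INCOMING = ("<Directory incoming>",
            [({"READ", "WRITE"}, "deny"), ({"STOR"}, "allow")])


def match_in_context(command, limits):
    """Return (limit name, action) for the strongest matching <Limit>, or None."""
    # Tier 1: a limit naming the real command always wins.
    for names, action in limits:
        if command in names:
            return command, action
    # Tier 2: READ / WRITE / DIRS command-groups. Tier 3: ALL, lowest precedence.
    for tier in (("READ", "WRITE", "DIRS"), ("ALL",)):
        for names, action in limits:
            for group in tier:
                if group in names and command in GROUPS[group]:
                    return group, action
    return None


def resolve(command, contexts):
    """contexts is ordered closest-first (assumption of this model)."""
    command = command.upper()
    for label, limits in contexts:
        hit = match_in_context(command, limits)
        if hit:
            name, action = hit
            return action, f"<Limit {name}> in {label}"
    return "allow", "implicit default"


def effective_policy(commands, contexts):
    """Map each command to 'allow' or 'deny' for one directory."""
    return {cmd: resolve(cmd, contexts)[0] for cmd in commands}


if __name__ == "__main__":
    for cmd in ("STOR", "DELE", "RETR", "LIST"):
        print("incoming", cmd, *resolve(cmd, [INCOMING, ANON_ROOT]))
```

LIST stays allowed in incoming because neither READ nor WRITE covers directory listing; hiding uploads from other clients takes an additional DIRS or LIST limit.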

06.00.2003 20:02
 
Name: <VirtualHost>
Syntax: <VirtualHost address>
Context: Server config
Module: mod_core
From version: 0.99.0
Description: The VirtualHost configuration block is used to create an independent set of configuration directives that apply to a particular hostname or IP address. It is often used in conjunction with system level IP aliasing or dummy network interfaces in order to establish one or more "virtual" servers which all run on the same physical machine. The block is terminated with a </VirtualHost> directive. By utilizing the Port directive inside a VirtualHost block, it is possible to create a virtual server which uses the same address as the master server, but listens on a separate tcp port (incompatible with ServerType inetd). When proftpd starts, virtual server connections are handled in one of two ways, depending on the ServerType setting:
  inetd: The daemon examines the destination address and port of the incoming connection handed off from inetd. If the connection matches one of the configured virtual hosts, the connection is serviced based on the appropriate configuration. If no virtual host matches, and the main server does not match, the client is informed that no server is available to service their requests and disconnected.
  standalone: After parsing the configuration file, the daemon begins listening for connections on all configured ports, spawning child processes as necessary to handle connections for either the main server or any virtual servers.
Because of the method that the daemon uses to listen for connections when in standalone mode, it is possible to support an exceedingly large number of virtual servers, potentially exceeding the number of per-process file descriptors. This is due to the fact that a single file descriptor is used to listen to each configured port, regardless of the number of addresses being monitored. Note that it may be necessary to increase the tcpBackLog value on heavily loaded servers in order to avoid kernel rejected client connections ("Connection refused").

06.00.2003 20:02
 
Name: AccessDenyMsg
Syntax: AccessDenyMsg "message"
Context: Server config <Global> <VirtualHost> <Anonymous>
Module: mod_core
Default: Depends on the login type
From version: 1.2.2
Description: Normally, a 530 response message is sent to an FTP client immediately after a failed authentication attempt, with a standard message indicating the reason for the failure. In the case of a wrong password, the reason is usually "Login incorrect." It is this message that can be customized with the AccessDenyMsg directive. In the message argument, the magic cookie '%u' is replaced with the username specified by the client during login.
Example 1:
AccessDenyMsg "Zugriff für %u ist verweigert worden"
06.00.2003 20:02
 
Name: AccessGrantMsg
Syntax: AccessGrantMsg "message"
Context: Server config <Global> <VirtualHost> <Anonymous>
Module: mod_core
Default: Depends on the login type
From version: 0.99.0pl5
Description: Normally, a 230 response message is sent to an FTP client immediately after authentication, with a standard message indicating that the user has either logged in or that anonymous access has been granted. This message can be customized with the AccessGrantMsg directive. In the message argument, the magic cookie '%u' is replaced with the username specified by the client during login.
Example 1:
AccessGrantMsg "Zugriff gewährt für %u"
06.00.2003 20:02
 
Name: AllowAll
Syntax: AllowAll
Context: <Anonymous> <Limit> .ftpaccess <Directory>
Module: mod_core
Default: implicit AllowAll, but not explicit
From version: 0.99.0
Description: The AllowAll directive explicitly allows access to a <Directory>, <Anonymous> or <Limit> block. Although proftpd's default behavior is to allow access to a particular object, the default is an implicit allow. AllowAll creates an explicit allow, overriding any higher level denial directives.
06.00.2003 20:02
 
Name: AllowFilter
Syntax: AllowFilter regular-expression
Context: Server config <Global> <VirtualHost> <Anonymous>
Module: mod_core
From version: 1.2.0pre7
Description: AllowFilter allows the configuration of a regular expression that must be matched for all command arguments sent to ProFTPD. It is extremely useful in controlling what characters may be sent in a command to ProFTPD, preventing some possible types of attacks against ProFTPD. The regular expression is applied against the arguments to the command sent by the client, so care must be taken when creating a proper regex. Commands that fail the regex match result in a "Forbidden command" error being returned to the client. If the regular-expression argument contains whitespace, it must be enclosed in quotes.
Example 1:
# Only allow command arguments made of alphanumeric characters, spaces and commas
AllowFilter "^[a-zA-Z0-9 ,]*$"
06.00.2003 20:02
 
Name: AllowForeignAddress
Syntax: AllowForeignAddress on|off
Context: Server config <Global> <VirtualHost> <Anonymous>
Module: mod_core
Default: off
From version: 1.1.7
Description: Normally, proftpd disallows clients from using the ftp PORT command with anything other than their own address (the source address of the ftp control connection), as well as preventing the use of PORT to specify a low-numbered (< 1024) port. In either case, the client is sent an "Invalid port" error and a message is syslog'd indicating either "address mismatch" or "bounce attack". By enabling this directive, proftpd will allow clients to transmit foreign data connection addresses that do not match the client's address. This allows such tricks as permitting a client to transfer a file between two FTP servers without involving itself in the actual data connection. Generally it's considered a bad idea, security-wise, to permit this sort of thing. AllowForeignAddress only affects data connection addresses; not tcp ports. There is no way (and no valid reason) to allow a client to use a low-numbered port in its PORT command.
06.00.2003 20:02
 
Name: AllowGroup
Syntax: AllowGroup group-expression
Context: <Limit>
Module: mod_core
From version: 1.1.1, changed in 1.2.10 RC1
Description: AllowGroup specifies a group-expression that is specifically permitted within the context of the <Limit> block it is applied to. group-expression has the same format as that used in DefaultRoot, in that it should contain a comma separated list of groups or "not" groups (by prefixing a group name with the `!' character) that are to be allowed access to the block. The expression is parsed as a boolean "and" list, meaning that ALL elements of the expression must evaluate to logically true in order for the explicit allow to apply.
05.00.2004 02:01
 
Name: AllowLogSymlinks
Syntax: AllowLogSymlinks on|off
Context: Server config <Global> <VirtualHost>
Module: mod_log
Default: off
From version: 1.2.2rc2
Description: By default, the server will check the path of any configured SystemLog, any configured TransferLogs, and any configured ExtendedLogs to see if they are symbolic links. If the paths are symbolic links, the server will refuse to log to that link unless explicitly configured to do so via this directive.
Security note: this behaviour should not be allowed unless for a very good reason. By allowing the server to open symbolic links with its root privileges, you are allowing a potential symlink attack where the server could be tricked into overwriting arbitrary system files. You have been warned.
Example 1:
AllowLogSymlinks on
01.-1.2003 22:01
 
Name: AllowOverwrite
Syntax: AllowOverwrite on | off
Context: Server config <Global> <VirtualHost> <Anonymous> .ftpaccess <Directory>
Module: mod_core
Default: off
From version: 0.99.0
Description: The AllowOverwrite directive permits newly transferred files to overwrite existing files. By default, ftp clients cannot overwrite existing files.
06.00.2003 20:02
 
Name: AllowRetrieveRestart
Syntax: AllowRetrieveRestart on|off
Context: Server config <Global> <VirtualHost> <Anonymous> .ftpaccess <Directory>
Module: mod_core
Default: on
From version: 0.99.0
Description: The AllowRetrieveRestart directive permits or denies clients from performing "restart" retrieve file transfers via the FTP REST command. By default this is enabled, so that clients may resume interrupted file transfers at a later time without losing previously collected data.
06.00.2003 20:02
 
Name: AllowStoreRestart
Syntax: AllowStoreRestart on | off
Context: Server config <Global> <VirtualHost> <Anonymous> .ftpaccess <Directory>
Module: mod_core
Default: off
From version: 0.99.0
Description: The AllowStoreRestart directive permits or denies clients from "restarting" interrupted store file transfers (those sent from client to server). By default restarting (via the REST command) is not permitted when sending files to the server. Care should be taken to disallow anonymous ftp "incoming" transfers to be restarted, as this will allow clients to corrupt or increase the size of previously stored files (even if not their own).
The REST (Restart STOR) command is automatically blocked when HiddenStor is enabled, with the server returning a 501 error code to the client.
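Three of the directives described so far carry explicit warnings when switched on: AllowForeignAddress, AllowLogSymlinks, and AllowStoreRestart for anonymous uploads. The following added example, not part of the original page or of ProFTPD, is a small context-aware audit that reports those settings in a configuration file. The sample configuration is constructed, the function name is hypothetical, and only directives written directly inside an <Anonymous> block are treated as anonymous.

```python
import re

OPEN_TAG = re.compile(r"^<\s*([A-Za-z]+)([^>]*)>$")
CLOSE_TAG = re.compile(r"^</\s*([A-Za-z]+)\s*>$")

# Directives the page warns about whenever they are set to "on".
ALWAYS_RISKY = {
    "allowforeignaddress": "data connections to foreign addresses permitted",
    "allowlogsymlinks": "server will write logs through symbolic links",
}

# Constructed sample configuration for this example.
SAMPLE_CONF = """\
ServerName "constructed sample"
AllowLogSymlinks on
<Global>
  AllowForeignAddress on
</Global>
<Directory /home/alice>
  AllowStoreRestart on
</Directory>
<Anonymous /home/ftp>
  User ftp
  <Directory incoming>
    AllowStoreRestart on
  </Directory>
</Anonymous>
"""


def audit(conf_text):
    """Return (line number, directive, reason) for each setting the page warns about."""
    findings = []
    stack = []  # names of the currently open configuration blocks, lower-cased
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if CLOSE_TAG.match(line):
            if stack:
                stack.pop()
            continue
        opened = OPEN_TAG.match(line)
        if opened:
            stack.append(opened.group(1).lower())
            continue
        parts = line.split()
        name = parts[0].lower()
        value = parts[1].lower() if len(parts) > 1 else ""
        if value != "on":
            continue
        if name in ALWAYS_RISKY:
            findings.append((lineno, parts[0], ALWAYS_RISKY[name]))
        elif name == "allowstorerestart" and "anonymous" in stack:
            findings.append((lineno, parts[0],
                             "anonymous uploads can be restarted into existing files"))
    return findings


if __name__ == "__main__":
    for lineno, directive, reason in audit(SAMPLE_CONF):
        print(f"line {lineno}: {directive} on: {reason}")
```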
06.00.2003 20:02
 
Name: AllowUser
Syntax: AllowUser user-expression
Context: <Limit>
Module: mod_core
From version: 1.1.7, changed in 1.2.10RC1
Description: AllowUser specifies a user-expression that is specifically permitted access within the context of the <Limit> block it is applied to. user-expression has a similar syntax as that used in AllowGroup, in that it should contain a comma delimited list of users or "not" users (by prefixing a user name with the `!' character) that are to be allowed access to the block. The expression is parsed as a boolean "and" list, meaning that ALL elements of the expression must evaluate to logically true in order for the explicit allow to apply.
05.00.2004 02:01
 
Name: AnonRatio
Syntax: AnonRatio foo1 foo2 foo3
Context: <Anonymous> <Limit> .ftpaccess <Directory>
Module: mod_ratio
Default: None
From version: 1.2.0
Description: The AnonRatio directive ....
Example 1:
AnonRatio
06.00.2003 20:02
 
Name: AnonRequirePassword
Syntax: AnonRequirePassword on|off
Context: <Anonymous>
Module: mod_core
Default: off
From version: 0.99.0
Description: Normally, anonymous FTP logins do not require the client to authenticate themselves via the normal method of a transmitted cleartext password which is hashed and matched against an existing system user's password. Instead, anonymous logins are expected to enter their e-mail address when prompted for a password. Enabling the AnonRequirePassword directive requires anonymous logins to enter a valid password which must match the password of the user that the anonymous daemon runs as. However, using AuthUsingAlias, authentication can be matched against the password of the login username. This can be used to create "guest" accounts, which function exactly as normal anonymous logins do (and thus present a "chrooted" protected file system to the client), but require a valid password on the server's host system.
Example 1:
<Anonymous ~roger>
  User    roger 
  Group  other 
  UserAlias proftpd roger 
  AnonRequirePassword on 

# Deny write operations to all directories, underneath root-dir 
# Default is to allow, so we don't need a <Limit> for read operations. 
 <Directory *> 
  <Limit WRITE> 
    DenyAll 
  </Limit> 
 </Directory> 

# Deny all read/write operations in incoming. Because these are command-group 
# limits, we can explicitly permit certain operations which will take precedence 
# over our group limit. 
 <Directory incoming> 
  <Limit READ WRITE>  
   DenyAll 
  </Limit> 

# The only command allowed in incoming is STOR 
# (transfer file from client to server) 
  <Limit STOR>  
   AllowAll 
  </Limit> 
 </Directory> 
</Anonymous>
06.00.2003 20:02
 
Name: AnonymousGroup
Syntax: AnonymousGroup group-expression
Context: Server config <Global> <VirtualHost>
Module: mod_core
From version: 1.1.3
Description: The AnonymousGroup directive specifies a group-expression to which all matching users will be considered anonymous logins. The group-expression argument is a boolean logically ANDed list of groups of which the user must be a member (or non-member if the group name is prefixed with a `!' character). For more information on group-expressions see the DefaultRoot directive. If the authenticating user is matched by an AnonymousGroup directive, no valid password is required, and a special dynamic anonymous configuration is created, with the user's home directory as the default root directory. If a DefaultRoot directive also applies to the user, this directory is used instead of the user's home dir. Great care should be taken when using AnonymousGroup, as improper configuration can open up user home directories to full read/write access to the entire world.
06.00.2003 20:02
 
Name: AuthAliasOnly
Syntax: AuthAliasOnly on|off
Context: Server config <Global> <VirtualHost> <Anonymous>
Module: mod_core
Default: off
From version: 1.1.3
Description: AuthAliasOnly restricts authentication to "aliased" logins only; i.e. those usernames provided by clients which are "mapped" to a real userid by the UserAlias directive. Turning AuthAliasOnly `on' in a particular context will cause proftpd to completely ignore all non-aliased logins for the entire context. If no contexts are available without AuthAliasOnly set to `on', proftpd rejects the client login and sends an appropriate message to syslog.
06.00.2003 20:02
 
Name: AuthGroupFile
Syntax: AuthGroupFile path
Context: Server config <Global> <VirtualHost>
Module: mod_unixpw
From version: 1.1.1
Description: AuthGroupFile specifies an alternate groups file, having the same format as the system /etc/group file, and if specified is used during authentication and group lookups for directory/access control operations. The path argument should be the full path to the specified file. AuthGroupFile can be configured on a per-VirtualHost basis, so that virtual FTP servers can each have their own authentication database (most often used in conjunction with AuthUserFile).
Note that this file need not reside inside a chroot()ed directory structure for Anonymous or DefaultRoot logins, as it is held open for the duration of client connections.
06.00.2003 20:02
 
Name: AuthPAM
Syntax: AuthPAM on|off
Context: Server config <Global> <VirtualHost>
Module: mod_pam
Default: on
From version: 1.2.0rc1
Description: This directive determines whether PAM is used as an authentication method by ProFTPD. Enabled by default to fit in with the design policy of using PAM as the primary authentication mechanism.
06.00.2003 20:02
 
Name: AuthPAMConfig
Syntax: AuthPAMConfig service
Context: Server config <Global> <VirtualHost>
Module: mod_pam
Default: ftp
From version: 0.99.0
Description: This directive allows you to specify the PAM service name used in authentication. PAM allows you to specify a service name to use when authenticating. This allows you to configure different PAM service names to be used for different virtual hosts. The directive was renamed from PAMConfig post 1.2.0 pre10.
Example 1:
# Virtual host foobar authenticates differently than the rest

AuthPAMConfig foobar

# This assumes that you have a PAM service named foobar
# configured in your /etc/pam.conf file or /etc/pam.d directory.
06.00.2003 20:02
 
Name: AuthUserFile
Syntax: AuthUserFile path
Context: Server config <Global> <VirtualHost>
Module: mod_unixpw
From version: 1.1.1
Description: AuthUserFile specifies an alternate passwd file, having the same format as the system /etc/passwd file, and if specified is used during authentication and user lookups for directory/access control operations. The path argument should be the full path to the specified file. AuthUserFile can be configured on a per-VirtualHost basis, so that virtual FTP servers can each have their own authentication database (most often used in conjunction with AuthGroupFile).
Note that this file need not reside inside a chroot()ed directory structure for Anonymous or DefaultRoot logins, as it is held open for the duration of client connections.
02.00.2004 03:01
 
Name: AuthUsingAlias
Syntax: AuthUsingAlias on|off
Context: <Anonymous>
Module: mod_core
Default: off
From version: 1.2.0pre9
Description: AuthUsingAlias disables the resolving of mapped usernames for authentication purposes. For example, if you have mapped the username anonymous to the "real" user ftp, the password gets checked against the user "anonymous". When AuthUsingAlias is disabled, the checked username would be "ftp".
Example 1: An example of anonymous access with AuthUsingAlias

# Default "READ ONLY" configuration
<Anonymous /home/ftp> 
  UserAlias anonymous nobody 
  UserAlias ftp nobody 
  AuthAliasOnly on 
  <Limit WRITE> 
   DenyAll 
  </Limit> 
</Anonymous> 

# Full "read/write" access for specific users
<Anonymous /home/ftp> 
  AnonRequirePassword on 
  AuthAliasOnly on 
  AuthUsingAlias on 
# The list of all authenticated users
# The user/password check is done for each user, not for the password of the uid
# the server runs as ('nobody' in this example)
  UserAlias fred nobody 
  UserAlias joe nobody 
  <Limit ALL> 
   AllowAll 
  </Limit> 
</Anonymous>
06.00.2003 20:02
 
Name: Bind
Syntax: Bind address
Context: Server config <VirtualHost>
Module: mod_core
From version: 1.1.6
Description: The Bind directive allows additional IP addresses to be bound to a main or VirtualHost configuration. Multiple Bind directives can be used to bind multiple addresses. The address argument should be either a fully qualified domain name or a numeric dotted-quad IP address. Incoming connections destined to an additional address added by Bind are serviced by the context containing the directive. Additionally, if SocketBindTight is set to on, a specific listen connection is created for each additional address.
06.00.2003 20:02
 
Name: ByteRatioErrMsg
Syntax: ByteRatioErrMsg foo1 foo2 foo3
Context: <Anonymous> <Limit> .ftpaccess <Directory>
Module: mod_ratio
From version: 1.2.0
Description: The ByteRatioErrMsg directive
Example 1:
ByteRatioErrMsg
06.00.2003 20:02
 
Name: CDPath
Syntax: CDPath directory
Context: Server config <Global> <VirtualHost> <Anonymous>
Module: mod_core
From version: 1.2.0pre2
Description: Adds an entry to a search path that is used when changing directories. For example:
  CDPath /home/public
  CDPath /var/devel
This allows a user to cd into any directory directly under /home/public or /var/devel, provided they have the appropriate rights. So, if /home/public/proftpd exists, cd proftpd will bring the user to that directory, regardless of where they currently are in the directory tree.
Example 1:
CDPath /net/mp3/musik
CDPath /var/
# Assuming /net/mp3/musik contains a directory "U2",
# the user can change directly into that directory with "cd U2"
# (provided the permissions are right), no matter where in the
# directory tree they currently are. A shortcut, so to speak...
06.00.2003 20:02
 
Name: Class
Syntax: Class "name" limit|regex|ip value
Context: Server config <VirtualHost>
Module: mod_core
From version: 1.2.0pre9
Description: Controls class based access. Class based access allows each connecting IP to be classified into a separate class. Each class has its own maximum number of connections. limit sets the maximum number of connections (default is 100) for that class name, regex sets a hostname regex (POSIX) for inclusion in the class and ip sets an IP/netmask based inclusion.
Example 1:
Classes on
Class local limit 100
Class default limit 10
Class local regex .*foo.com
Class local ip 172.16.1.0/24
# This creates two classes (local & default), where "local" contains the IPs
# of "*.foo.com" and "172.16.1.*". At most 10 simultaneous connections are
# available for "default", and 100 for "local".
06.00.2003 20:02
 
Name: Classes
Syntax: Classes on | off
Context: Server config <VirtualHost>
Module: mod_core
Default: off
From version: 1.2.0pre9
Description: Controls class based access. Enables class based access control. See: Class
06.00.2003 20:02
 
Name: CommandBufferSize
Syntax: CommandBufferSize size
Context: Server config <Global> <VirtualHost>
Module: mod_core
From version: 1.2.0pre7
Description: The CommandBufferSize directive controls the maximum command length permitted to be sent to the server. This allows you to effectively control the longest command the server will accept, and can help protect the server from various Denial of Service or resource-consumption attacks.
06.00.2003 20:02
 
Name: CwdRatioMsg
Syntax: CwdRatioMsg foo1 foo2 foo3
Context: <Anonymous> <Limit> .ftpaccess <Directory>
Module: mod_ratio
From version: 1.2.0
Description: The CwdRatioMsg directive
Example 1:
CwdRatioMsg
06.00.2003 20:02
 
Name: DefaultChdir
Syntax: DefaultChdir directory [group-expression]
Context: Server config <Global> <VirtualHost> <Anonymous>
Module: mod_auth
Default: ~
From version: 1.2.0pre2
Description: Determines the directory a user is placed in after logging in. By default, the user is put in their home directory. The specified directory can be relative to the user's home directory. NOTE: if the specified directory is not available the user will not be able to log in.
06.00.2003 20:02
 
Name: DefaultRoot
Syntax: DefaultRoot directory [group-expression]
Context: Server config <Global> <VirtualHost>
Module: mod_auth
Default: /
From version: 0.99.0pl7
Description: The DefaultRoot directive controls the default root directory assigned to a user upon login. If DefaultRoot is set to a directory other than "/", a chroot operation is performed immediately after a client authenticates. This can be used to effectively isolate the client from a portion of the host system filespace. The specified root directory must begin with a / or can be the magic character '~'; meaning that the client is chroot jailed into their home directory.
When the specified chroot directory is a symlink, this will be resolved to its parent first before setting up the chroot. This can have unwanted side effects. For example, if a chroot is to be configured within space to which a user has shell access, the chroot directory could be converted to a symlink pointing at '/'. Thus the chroot would be to the root directory of the server.
If the DefaultRoot directive specifies a directory which disallows access to the logged-in user's home directory, the user's current working directory after login is set to the DefaultRoot instead of their normal home directory. DefaultRoot cannot be used in <Anonymous> configuration blocks, as the <Anonymous> directive explicitly contains a root directory used for Anonymous logins. The special character '~' is replaced with the authenticating user's home directory immediately after login. Note that the default root may be a subdirectory of the home directory, such as "~/anon-ftp".
The optional group-expression argument can be used to restrict the DefaultRoot directive to a unix group, groups or subset of groups. The expression takes the format: [!]group-name1[,[!]group-name2[,...]]. The expression is parsed in a logical boolean AND fashion, such that each member of the expression must evaluate to logically TRUE in order for the DefaultRoot directive to apply. The special character '!' is used to negate group membership.
Care should be taken when using DefaultRoot. Chroot "jails" should not be used as methods for implementing general system security as there are potentially ways that a user can "escape" the jail.
Example 1ServerName "A test ProFTPD Server" 
ServerType inetd 
User ftp 
Group ftp 
# This "locks" the user directly into their home directory
# Afterwards the user cannot see any higher-level directories
# Because of the group expression, only users in the group "users" who are
# not also in the group "staff" are locked into their home directory
DefaultRoot ~ users,!staff
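The group-expression rule and the symlink caveat described above can be checked before a DefaultRoot line goes into production. The following is an added example, not ProFTPD's own code: the function names are hypothetical, it handles a single DefaultRoot directive, and the audit heuristics (symlink, parent owned by the login user, world-writable parent) are assumptions about what makes a chroot directory replaceable.

```python
import os
import stat


def parse_group_expression(expr):
    """Split '[!]group1[,[!]group2...]' into (group, must_be_member) pairs."""
    terms = []
    for raw in expr.split(","):
        term = raw.strip()
        negated = term.startswith("!")
        name = term[1:] if negated else term
        if not name:
            raise ValueError(f"empty group name in expression {expr!r}")
        terms.append((name, not negated))
    return terms


def expression_matches(expr, user_groups):
    """Boolean AND: every term must hold for the directive to apply."""
    groups = set(user_groups)
    return all((name in groups) == must_be_member
               for name, must_be_member in parse_group_expression(expr))


def resolve_default_root(directory, group_expr, home, user_groups):
    """Return the chroot directory for this login, or '/' (no chroot)."""
    if group_expr is not None and not expression_matches(group_expr, user_groups):
        return "/"
    if directory == "~" or directory.startswith("~/"):
        # '~' is replaced with the authenticating user's home directory
        directory = home + directory[1:]
    if not directory.startswith("/"):
        raise ValueError("DefaultRoot must begin with '/' or '~'")
    return directory


def audit_chroot_dir(path, login_uid):
    """List reasons the login user could redirect this chroot via a symlink."""
    findings = []
    if os.path.islink(path):
        findings.append(f"{path} is a symlink to {os.path.realpath(path)}")
    parent = os.path.dirname(path.rstrip("/")) or "/"
    st = os.stat(parent)
    if st.st_uid == login_uid:
        # The owner of the parent can rename or replace the entry itself.
        findings.append(f"parent {parent} is owned by the login user")
    if st.st_mode & stat.S_IWOTH and not st.st_mode & stat.S_ISVTX:
        findings.append(f"parent {parent} is world-writable without sticky bit")
    return findings


if __name__ == "__main__":
    # The page's example: DefaultRoot ~ users,!staff (accounts are constructed)
    for user, home, groups in [("alice", "/home/alice", ["users"]),
                               ("bob", "/home/bob", ["users", "staff"])]:
        root = resolve_default_root("~", "users,!staff", home, groups)
        print(f"{user}: chroot -> {root}")
```

A root such as "~/anon-ftp" always produces the "parent is owned by the login user" finding, which is the situation the symlink warning is about whenever that user also has shell access.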
06.00.2003 20:02
 
 NameDefaultServer 
SyntaxDefaultServer on|off
ContextServer config <VirtualHost>
Modulmod_core 
Standardoff
From version0.99.0pl6
DescriptionThe DefaultServer directive controls which server configuration is used as the default when an incoming connection is destined for an IP address which is neither the host's primary IP address nor one of the addresses specified in a <VirtualHost> configuration block. Normally such "unknown" connections are issued a "no server available to service your request" message and disconnected. When DefaultServer is turned on for either the primary server configuration or a virtual server, all unknown destination connections are serviced by the default server. Only a single server configuration can be set to default.
06.00.2003 20:02
 
 NameDefaultTransferMode 
SyntaxDefaultTransferMode ascii|binary
ContextServer config <Global> <VirtualHost>
Modulmod_core 
Standardascii
From version1.2.0pre9
DescriptionDefaultTransferMode sets the default transfer mode of the server. By default, carriage-return/linefeed translation will be performed (ASCII mode).
06.00.2003 20:02
 
 NameDeferWelcome 
SyntaxDeferWelcome on|off
ContextServer config <Global> <VirtualHost>
Modulmod_core 
Standardoff
From version0.99.0
DescriptionThe DeferWelcome directive configures a master or virtual server to delay transmitting the ServerName and address to new connections, until a client has successfully authenticated. If enabled, the initial welcome message will be exceedingly generic and will not give away any type of information about the host that the daemon is actively running on. This can be used by security-conscious administrators to limit the amount of "probing" possible from non-trusted networks/hosts.
01.00.2004 23:01
 
 NameDeleteAbortedStores 
SyntaxDeleteAbortedStores on|off
ContextServer config <Global> <VirtualHost> <Anonymous> .ftpaccess <Directory>
Modulmod_core 
Standardoff
From version1.2.0rc3
DescriptionThe DeleteAbortedStores directive controls whether ProFTPD deletes partially uploaded files if the transfer is stopped via the ABOR command rather than a connection failure.
06.00.2003 20:02
 
 NameDeny 
SyntaxDeny ["from"] "all"|"none"|host|network[,host|network[,...]]
Context<Limit>
Modulmod_core 
Standard
From version0.99.0pl6
DescriptionThe Deny directive is used to create a list of hosts and/or networks which will explicitly be denied access to a given <Limit> context block. The magic keywords all and none can be used to indicate that all hosts are denied access, or that no hosts are explicitly denied (respectively). For more information on the syntax and usage of Deny see: Allow and Order. The selection can be selectively negated using the ! operator; this allows a large block of hosts or IPs to be blocked while still allowing single hosts to be excluded from the filter, for example:
Deny from example.net !trustedhost.example.net
Example 1Allow access only from certain IPs

<Limit LOGIN>
Order allow,deny
Allow from 128.44.26.,128.44.26.,myhost.mydomain.edu,.trusted-domain.org
Deny from all
</Limit>
02.00.2004 04:01
 
 NameDenyAll 
SyntaxDenyAll
Context<Anonymous> <Limit> .ftpaccess <Directory>
Modulmod_core 
Standard
From version0.99.0
DescriptionThe DenyAll directive is analogous to a combination of "order deny,allow <cr> deny from all", with the exception that it has a higher precedence when parsed. It is provided as a convenient method of completely denying access to a directory, anonymous ftp or limit block. Because of its precedence, it should not be intermixed with normal Order/Deny directives. The DenyAll directive can be overridden at a lower level directory by using AllowAll. DenyAll and AllowAll are mutually exclusive.
02.00.2004 04:01
 
 NameDenyFilter 
SyntaxDenyFilter regular-expression
ContextServer config <Global> <VirtualHost> <Anonymous>
Modulmod_core 
From version1.2.0pre7
DescriptionSimilar to AllowFilter, DenyFilter specifies a regular expression which must not match any of the command arguments. If the regex does match, a "Forbidden command" error is returned to the client. This can be especially useful for forbidding certain command argument combinations from ever reaching ProFTPD.
Notes: The 'PASV' command cannot be blocked using this directive.
Example 1# do not allow commands containing %
DenyFilter "%"
06.00.2003 20:02
 
 NameDenyGroup 
SyntaxDenyGroup group-expression
Context<Limit>
Modulmod_core 
Standard
From version1.1.1, changed in 1.2.10 RC1
DescriptionDenyGroup specifies a group-expression that is specifically denied within the context of the <Limit> block it is applied to. group-expression has the same format as that used in DefaultRoot, in that it should contain a comma separated list of groups or "not" groups (by prefixing a group name with the `!' character) that are to be denied access to the block. The expression is parsed as a boolean "and" list, meaning that ALL elements of the expression must evaluate to logically true in order for the explicit deny to apply.
05.00.2004 02:01
 
 NameDenyUser 
SyntaxDenyUser user-expression
Context<Limit>
Modulmod_core 
Standard
From version1.1.7a, changed in 1.2.10 RC1
DescriptionDenyUser specifies a user-expression that is specifically denied within the context of the <Limit> block it is applied to. user-expression is a comma delimited list of users or "not" users (by prefixing a user name with the `!' character). The expression is parsed as a boolean "and" list, meaning that all elements of the expression must evaluate to logically true in order for the explicit deny to apply.
05.00.2004 02:01
 
 NameDirFakeGroup 
SyntaxDirFakeGroup On|Off [groupname]
ContextServer config <Global> <VirtualHost> <Anonymous>
Modulmod_ls 
Standardoff
From version1.1.5
DescriptionDirFakeGroup can be used to hide the true group of files (including directories, fifos, etc.) in a directory listing. If simply turned On, DirFakeGroup will display all files as being owned by group 'ftp'. Optionally, the groupname argument can be used to specify a specific group other than 'ftp'. "~" can be used as the argument in order to display the primary group name of the current user.
Both DirFakeGroup and DirFakeUser are completely cosmetic; the groupname or username specified don't need to exist on the system, and neither directive affects permissions, real ownership or access control in any way.
06.00.2003 20:02
 
 NameDirFakeMode 
SyntaxDirFakeMode octal-mode
ContextServer config <Global> <VirtualHost> <Anonymous> <Directory>
Modulmod_ls 
From version1.1.6
DescriptionThe DirFakeMode directive configures a mode (or permissions) which will be displayed for ALL files and directories in directory listings. For each subset of permissions (user, group, other), the "execute" permission for directories is added in listings if the "read" permission is specified by this directive. As with DirFakeUser and DirFakeGroup, the "fake" permissions shown in directory listings are cosmetic only; they do not affect real permissions or access control in any way.
Example 1 DirFakeMode 0640

Will result in:

  -rw-r----- ... arbitrary.file
  drwxr-x--- ... arbitrary.directory
06.00.2003 20:02
 
 NameDirFakeUser 
SyntaxDirFakeUser On|Off [username]
ContextServer config <Global> <VirtualHost> <Anonymous>
Modulmod_ls 
Standardoff
From version1.1.5
DescriptionDirFakeUser can be used to hide the true user owners of files (including directories, fifos, etc.) in a directory listing. If simply turned On, DirFakeUser will display all files as being owned by user 'ftp'. Optionally, the username argument can be used to specify a specific user other than 'ftp'. "~" can be used as the argument in order to display the current user's username.
Both DirFakeGroup and DirFakeUser are completely cosmetic; the groupname or username specified don't need to exist on the system, and neither directive affects permissions, real ownership or access control in any way.
06.00.2003 20:02
 
 NameDisplayConnect 
SyntaxDisplayConnect filename
ContextServer config <Global> <VirtualHost>
Modulmod_core 
From version1.2.0pre2
DescriptionThe DisplayConnect directive configures an ASCII text filename which will be displayed to the user when they initially connect but before they log in. The filename can be either relative or absolute. In the case of a relative filename, the file is searched for starting in the home directory of the user the server is running as. As this can lead to confusion, absolute pathnames are suggested. If the file cannot be found or accessed, no error occurs and nothing is logged or displayed to the client.
06.00.2003 20:02
 
 NameDisplayFirstChdir 
SyntaxDisplayFirstChdir filename
ContextServer config <Global> <VirtualHost> <Anonymous> <Directory>
Modulmod_core 
From version0.99.0pl10
DescriptionThe DisplayFirstChdir directive configures an ASCII text filename which will be displayed to the user the first time they change into a directory (via CWD) per a given session. The file will also be displayed if proftpd detects that its last modification time has changed since the previous CWD into a given directory. If the filename is relative, it is looked for in the new directory that the user has changed into. Note that for anonymous ftp logins (see <Anonymous>), the file must reside inside the chroot()ed file system space. If the file cannot be found or accessed, no error occurs and nothing is logged or displayed to the client.
DisplayFirstChdir, DisplayConnect, DisplayLogin and DisplayQuit support the following "magic cookies" (only in 0.99.0pl10 and later), which are replaced with their respective strings before being displayed to the user.

%T Current Time
%F Available space on file system
%C Current working directory
%R Remote host name
%L Local host name
%u Username reported by ident protocol
%U Username originally used in login
%M Max number of connections
%N Current number of connections
%E Server admin's e-mail address
%i The number of files uploaded (input) in this session
%o The number of files downloaded (output) in this session
%t The number of files transferred (uploaded and downloaded) in this session
%x The name of the user's class
%y Current number of connections from the user's class
%z Max number of connections from the user's class
NOTE: not all of these may have a rational value, depending on the context in which they're used (e.g., %u if ident lookups are off).
06.00.2003 20:02
 
 NameDisplayGoAway 
SyntaxDisplayGoAway filename
ContextServer config <Global> <VirtualHost> <Anonymous>
Modulmod_core 
From version1.2.0pre8
DescriptionThe DisplayGoAway directive specifies an ASCII text filename which will be displayed to the user if the class they're a member of has too many users logged in and their login request has been denied. DisplayGoAway supports the same "magic cookies" as DisplayFirstChdir.
06.00.2003 20:02
 
 NameDisplayLogin 
SyntaxDisplayLogin filename
ContextServer config <Global> <VirtualHost> <Anonymous>
Modulmod_core 
From version0.99.0
DescriptionThe DisplayLogin directive configures an ASCII text filename which will be displayed to the user when they initially log in. The filename can be either relative or absolute. In the case of a relative filename, the file is searched for in the initial directory a user is placed in immediately after login (home directory for unix user logins, anonymous-root directory for anonymous logins). Note that for jailed logins, the file must reside inside the chroot()ed file system space. If the file cannot be found or accessed, no error occurs and nothing is logged or displayed to the client. DisplayLogin supports the same "magic cookies" as DisplayFirstChdir.
06.00.2003 20:02
 
 NameDisplayQuit 
SyntaxDisplayQuit filename
ContextServer config <Global> <VirtualHost> <Anonymous>
Modulmod_core 
From version1.2.0pre8
DescriptionDisplayQuit configures an ASCII text filename which will be displayed to the user when they quit. The filename can be either relative or absolute. In the case of a relative filename, the file is searched for in the current directory a user is in when they log out; for this reason, an absolute filename is usually preferable. NOTE: for jailed logins, the file must reside inside the chroot()ed file system space. If the file cannot be found or accessed, no error occurs and nothing is logged or displayed to the client. DisplayQuit supports the "magic cookies" listed under DisplayFirstChdir.
06.00.2003 20:02
 
 NameDisplayReadme 
SyntaxDisplayReadme filename or pattern
ContextServer config <Global> <VirtualHost> <Anonymous>
Modulmod_readme 
Standard
From version1.2.0pre8
DescriptionThe DisplayReadme directive notifies the user of the last change date of the specified file or pattern. Only a single DisplayReadme directive is allowed per configuration scope.

DisplayReadme README

will result in:

Please read the file README it was last modified on Sun Oct 17 10:36:14 1999 - 0 days ago

being displayed to the user on a cwd.

DisplayReadmePattern README*

will result in:

Please read the file README it was last modified on Tue Jan 25 04:47:48 2000 - 0 days ago
Please read the file README.first it was last modified on Tue Jan 25 04:48:04 2000 - 0 days ago

being displayed to the user on a cwd.
Example 1DisplayReadme README 

results in:
Please read the file README it was last modified on Sun Oct 17 10:36:14 1999 - 0 days ago
Example 2DisplayReadmePattern README* 

results in:
Please read the file README it was last modified on Tue Jan 25 04:47:48 2000 - 0 days ago 
Please read the file README.first it was last modified on Tue Jan 25 04:48:04 2000 - 0 days ago
07.00.2003 19:02
 
 NameExtendedLog 
SyntaxExtendedLog [ filename [[command-classes] format-nickname]]
ContextServer config <Global> <VirtualHost> <Anonymous>
Modulmod_log 
From version1.1.6pl1
DescriptionThe ExtendedLog directive allows customizable logfiles to be generated, either globally or per VirtualHost. The filename argument must contain an absolute pathname to a logfile which will be appended to when proftpd starts; the pathname should not be to a file in a nonexistent directory, to a world-writeable directory, or be a symbolic link (unless AllowLogSymlinks is set to on). Multiple logfiles (potentially with different command classes and formats) can be created. Optionally, the command-classes argument can be used to control which types of commands are logged. If no command classes are specified, proftpd logs all commands by default (passwords are hidden). command-classes is a comma delimited (no whitespace!) list of which commands to log.
The following are valid classes:

NONE No commands
AUTH Authentication commands (USER, PASS)
INFO Informational commands (PWD, SYST, etc)
DIRS Directory commands (LIST, CWD, MKD, etc)
READ File reading (RETR)
WRITE File/directory writing or creation
MISC Miscellaneous commands (SITE, etc)
ALL All commands (default)
If a format-nickname argument is supplied, ExtendedLog will use the predefined logformat (created by LogFormat). Otherwise, the default format of "%h %l %u %t \"%r\" %s %b" is used.
Example 1# log all read and write accesses to /var/log/ftp.log
ExtendedLog /var/log/ftp.log read,write 
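An ExtendedLog written in the default format "%h %l %u %t \"%r\" %s %b" is easy to post-process for detection. The following is an added example, not part of ProFTPD: it parses such lines and reports hosts with repeated rejected PASS commands (reply code 530). The log lines are constructed, the function names are hypothetical, and the bracketed rendering of %t is an assumption.

```python
import re
from collections import Counter

# Default format from the ExtendedLog description: %h %l %u %t "%r" %s %b
# host, ident user, authenticated user, [time], "command", reply code, bytes
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<command>.*)" (?P<status>\d{3}|-) (?P<bytes>\d+|-)$'
)

# Constructed sample data (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
198.51.100.7 UNKNOWN - [12/Mar/2004:10:01:02 +0100] "USER admin" 331 -
198.51.100.7 UNKNOWN - [12/Mar/2004:10:01:03 +0100] "PASS (hidden)" 530 -
198.51.100.7 UNKNOWN - [12/Mar/2004:10:01:05 +0100] "USER root" 331 -
198.51.100.7 UNKNOWN - [12/Mar/2004:10:01:06 +0100] "PASS (hidden)" 530 -
198.51.100.7 UNKNOWN - [12/Mar/2004:10:01:08 +0100] "USER test" 331 -
198.51.100.7 UNKNOWN - [12/Mar/2004:10:01:09 +0100] "PASS (hidden)" 530 -
192.0.2.10 UNKNOWN - [12/Mar/2004:10:04:57 +0100] "USER alice" 331 -
192.0.2.10 UNKNOWN - [12/Mar/2004:10:04:58 +0100] "PASS (hidden)" 530 -
192.0.2.10 UNKNOWN - [12/Mar/2004:10:04:59 +0100] "USER alice" 331 -
192.0.2.10 UNKNOWN alice [12/Mar/2004:10:05:00 +0100] "PASS (hidden)" 230 -
192.0.2.10 UNKNOWN alice [12/Mar/2004:10:05:04 +0100] "RETR report.txt" 226 2048
truncated line without the expected fields
"""


def parse_line(line):
    """Parse one default-format line into a dict, or None if it does not fit."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    verb, _, arg = rec["command"].partition(" ")
    rec["verb"], rec["arg"] = verb.upper(), arg
    return rec


def summarize_failed_logins(lines, threshold=3):
    """Return ({host: [usernames tried]}, unparsed_count) for noisy hosts.

    A failure is a PASS command answered with 530. The username comes from
    the most recent USER command seen from the same host, so concurrent
    sessions from one address can be attributed to the wrong name.
    """
    failures = Counter()
    tried = {}
    last_user = {}
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1  # count rather than drop: gaps in a log matter
            continue
        host = rec["host"]
        if rec["verb"] == "USER":
            last_user[host] = rec["arg"]
        elif rec["verb"] == "PASS" and rec["status"] == "530":
            failures[host] += 1
            tried.setdefault(host, set()).add(last_user.get(host, "?"))
    flagged = {h: sorted(tried[h]) for h, n in failures.items() if n >= threshold}
    return flagged, unparsed


if __name__ == "__main__":
    flagged, unparsed = summarize_failed_logins(SAMPLE_LOG.splitlines())
    for host, users in flagged.items():
        print(f"{host}: repeated failed logins for {', '.join(users)}")
    print(f"unparsed lines: {unparsed}")
```

Logging only the AUTH class to a dedicated file keeps the input to such a check small.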
06.00.2003 20:02
 
 NameFileRatioErrMsg 
SyntaxFileRatioErrMsg foo1 foo2 foo3
Context<Anonymous> <Limit> .ftpaccess <Directory>
Modulmod_ratio 
From version1.2.0
Description
Example 1FileRatioErrMsg
06.00.2003 20:02
 
 NameFooBarDirective 
SyntaxFooBarDirective thingy
ContextServer config <Anonymous> <Limit>
Modulmod_sample 
From version1.2.0
DescriptionFooBarDirective is a dummy directive to be used as a coding example only.
06.00.2003 20:02
 
 NameGroup 
SyntaxGroup groupid
ContextServer config <Global> <VirtualHost> <Anonymous>
Modulmod_core 
From version0.99.0
DescriptionThe Group directive configures which group the server daemon will normally run as. See User for more details.
06.00.2003 20:02
 
 NameGroupOwner 
SyntaxGroupOwner groupname
Context<Anonymous> .ftpaccess <Directory>
Modulmod_core 
From version0.99.0
DescriptionThe GroupOwner directive configures which group all newly created directories and files will be owned by, within the context that GroupOwner is applied to. The group ID of groupname cannot be 0. Note that GroupOwner cannot be used to override the host OS/file system user/group paradigm. If the current user is not a member of the specified group, new files and directories will not be able to be chown()ed to the GroupOwner group. If this happens, file STOR (send file from client to server) and MKD/XMKD (mkdir) operations will succeed normally, however the new directory entries will be owned by the current user's default group (a warning message is also logged) instead of by the desired group. If you also use UserOwner in the same context, this restriction is lifted.
06.00.2003 20:02
 
 NameGroupPassword 
SyntaxGroupPassword groupid hashed-password
ContextServer config <Global> <VirtualHost> <Anonymous>
Modulmod_core 
From version0.99.0pl5
DescriptionThe GroupPassword directive creates a special "group" password which allows all users in the specified group to authenticate using a single password. The group/password supplied is only effective inside the context to which GroupPassword is applied. The hashed-password argument is a standard cleartext password which has been passed through the standard unix crypt() library function. Extreme care should be taken when using GroupPassword, as serious security problems may arise if group membership is not carefully controlled.
06.00.2003 20:02
 
 NameGroupRatio 
SyntaxGroupRatio foo1 foo2 foo3
Context<Anonymous> <Limit> .ftpaccess <Directory>
Modulmod_ratio 
From version1.2.0
DescriptionThe GroupRatio directive .... INCOMPLETE
06.00.2003 20:02
 
 NameHideGroup 
SyntaxHideGroup groupid
Context<Anonymous> <Directory>
Modulmod_core 
From version0.99.0
DescriptionThe HideGroup directive configures a <Directory> or <Anonymous> block to hide all directory entries owned by the specified group, unless the group is the primary group of the currently logged-in, authenticated user. Normally, hidden directories and files cannot be seen via LIST or NLST commands but can be operated on via other FTP commands (CWD, DELE, RETR, etc). This behavior can be modified via the IgnoreHidden directive.
06.00.2003 20:02
 
 NameHideNoAccess 
SyntaxHideNoAccess on|off
Context<Anonymous> <Directory>
Modulmod_core 
From version0.99.0
DescriptionThe HideNoAccess directive configures a <Directory> or <Anonymous> block to hide all directory entries in a directory listing (via the LIST or NLST FTP commands) to which the current logged-in, authenticated user has no access. Normal Unix-style permissions always apply, so that although a user may not be able to see a directory entry that has HideNoAccess applied, they will receive a normal "Permission denied" error message when attempting to blindly manipulate the file system object. The directory or file can be made completely invisible to all FTP commands by applying IgnoreHidden in conjunction with HideNoAccess.
06.00.2003 20:02
 
 NameHideUser 
SyntaxHideUser userid
Context<Anonymous> <Directory>
Modulmod_core 
From version0.99.0
DescriptionThe HideUser directive configures a <Directory> or <Anonymous> block to hide all directory entries owned by the specified user, unless the owning user is the currently logged-in, authenticated user. Normally, hidden directories and files cannot be seen via LIST or NLST commands but can be operated on via other FTP commands (CWD, DELE, RETR, etc). This behavior can be modified via the IgnoreHidden directive.
06.00.2003 20:02
 
 NameHostRatio 
SyntaxHostRatio foo1 foo2 foo3
Context<Anonymous> <Limit> .ftpaccess <Directory>
Modulmod_ratio 
From version0.99.0
DescriptionThe HostRatio directive .... INCOMPLETE
06.00.2003 20:02
 
 NameHostsAllowSyslogLevel 
SyntaxHostsAllowSyslogLevel facility-level
ContextServer config <VirtualHost> <Anonymous>
Modulmod_wrap 
From version1.2.0
DescriptionProftpd can log when a connection is allowed as the result of a rule in the file specified in UseHostsAllowFile to the Unix syslog mechanism. A discussion on the facility levels which can be used is given in the SyslogFacility directive.
See Also: HostsDenySyslogLevel
Example 1HostsAllowSyslogLevel local3
06.00.2003 20:02
 
 NameHostsDenySyslogLevel 
SyntaxHostsDenySyslogLevel facility-level
ContextServer config <VirtualHost> <Anonymous>
Modulmod_wrap 
From version1.2.0
DescriptionProftpd can log when a connection is rejected as the result of a rule in the file specified in UseHostsAllowFile to the Unix syslog mechanism. A discussion on the facility levels which can be used is given in the SyslogFacility directive.
06.00.2003 20:02
 
 NameIdentLookups 
SyntaxIdentLookups on|off
ContextServer config <Global> <VirtualHost>
Modulmod_core 
Standardon
From version1.1.5
DescriptionNormally, when a client initially connects to proftpd, the ident protocol (RFC1413) is used to attempt to identify the remote username. This can be controlled via the IdentLookups directive.
06.00.2003 20:02
 
 NameIgnoreHidden 
SyntaxIgnoreHidden on|off
Context<Limit>
Modulmod_core 
Standardoff
From version0.99.0
Description
06.00.2003 20:02
 
 NameInclude 
SyntaxInclude file
ContextServer config <Global> <VirtualHost> <Anonymous> <Limit> <Directory>
Modulmod_core 
From version1.2.0
Description
06.00.2003 20:02
 
 NameLDAPAuthBinds 
SyntaxLDAPAuthBinds on|off
ContextServer config <Global> <VirtualHost>
Modulmod_ldap 
StandardLDAPAuthBinds off in mod_ldap <= 2.7.6, LDAPAuthBinds on in mod_ldap >= 2.8
From versionmod_ldap v2.5
Description
06.00.2003 20:02
 
 NameLDAPDefaultAuthScheme 
SyntaxLDAPDefaultAuthScheme crypt|clear
ContextServer config <Global> <VirtualHost>
Modulmod_ldap 
Standardcrypt
From versionmod_ldap v2.0
Description
06.00.2003 20:02
 
 NameLDAPDefaultGID 
SyntaxLDAPDefaultGID default-gid
ContextServer config <Global> <VirtualHost>
Modulmod_ldap 
From versionmod_ldap v2.0
Description
06.00.2003 20:02
 
 NameLDAPDefaultUID 
SyntaxLDAPDefaultUID default-uid
ContextServer config <Global> <VirtualHost>
Modulmod_ldap 
From versionmod_ldap v2.0
Description
06.00.2003 20:02
 
 NameLDAPDNInfo 
SyntaxLDAPDNInfo "ldap-dn" "dn-password"
ContextServer config <Global> <VirtualHost>
Modulmod_ldap 
Standard" " (anonymous bind)
From versionmod_ldap v2.0
Description
06.00.2003 20:02
 
 NameLDAPDoAuth 
Syntax?
Context
Modul
From version0.99.0
Description
06.00.2003 20:02
 
 NameLDAPDoGIDLookups 
Syntax?
Context
Modul
From version0.99.0
Description
06.00.2003 20:02
 
 NameLDAPDoUIDLookups 
Syntax?
Context
Modul
From version0.99.0
Description
06.00.2003 20:02
 
 NameLDAPForceDefaultGID 
Syntax?
Context
Modul
From version0.99.0
Description
06.00.2003 20:02
 
 NameLDAPForceDefaultUID 
Syntax?
Context
Modul
From version0.99.0
Description
06.00.2003 20:02
 
 NameLDAPHomedirOnDemand 
SyntaxLDAPHomedirOnDemand on|off directory-mode
ContextServer config <Global> <VirtualHost>
Modulmod_ldap 
Standard
From versionmod_ldap v2.0
Description
06.00.2003 20:02
 
 NameLDAPHomedirOnDemandPrefix 
Syntax??
Context
Modul
Standard??
From version0.99.0
DescriptionNo Entry
06.00.2003 20:02
 
 NameLDAPHomedirOnDemandPrefixNoUsername 
Syntax?
Context
Modul
From version0.99.0
Description
06.00.2003 20:02
 
 NameLDAPHomedirOnDemandSuffix 
SyntaxLDAPHomedirOnDemandSuffix "additional-directory"
ContextServer config <Global> <VirtualHost>
Modulmod_ldap 
Standard""
From versionmod_ldap v2.6
Description
06.00.2003 20:02
 
 NameLDAPNegativeCache 
SyntaxLDAPNegativeCache on|off
ContextServer config <Global> <VirtualHost>
Modulmod_ldap 
Standardoff
From versionmod_ldap v1.1
Description
06.00.2003 20:02
 
 NameLDAPQueryTimeout 
SyntaxLDAPQueryTimeout timeout-seconds
ContextServer config <Global> <VirtualHost>
Modulmod_ldap 
Standarddefault-api-timeout
From versionmod_ldap v2.0
Description
06.00.2003 20:02
 
 NameLDAPSearchScope 
SyntaxLDAPSearchScope onelevel|subtree
ContextServer config <Global> <VirtualHost>
Modulmod_ldap 
Standardsubtree
From versionmod_ldap v2.6
Description
06.00.2003 20:02
 
 NameLDAPServer 
SyntaxLDAPServer "hostname1:port hostname2:port ..."
ContextServer config <Global> <VirtualHost>
Modulmod_ldap 
Standardlocalhost
From versionmod_ldap v1.0
Description
06.00.2003 20:02
 
 NameLeechRatioMsg 
SyntaxLeechRatioMsg foo1 foo2 foo3
Context<Anonymous> <Limit> .ftpaccess <Directory>
Modulmod_ratio 
From version1.2.0
Description
06.00.2003 20:02
 
 NameLogFormat 
SyntaxLogFormat nickname "format-string"
ContextServer config
Modulmod_log 
Standarddefault "%h %l %u %t %r %s %b"
From version1.1.6pl1
Description
Example 1# Some logging formats
LogFormat default "%h %l %u %t \"%r\" %s %b"
LogFormat auth "%v [%P] %h %t \"%r\" %s"
LogFormat write "%h %l %u %t \"%r\" %s %b"

# Log file/dir access
ExtendedLog /var/log/proftpd.access_log WRITE,READ write

# Record all logins
ExtendedLog /var/log/proftpd.auth_log AUTH auth

# Paranoia logging level....
ExtendedLog /var/log/proftpd.paranoid_log ALL default 
02.00.2004 05:01
 
 NameLoginPasswordPrompt 
SyntaxLoginPasswordPrompt on|off
ContextServer config <Global> <VirtualHost> <Anonymous>
Modulmod_auth 
Standardon
From version1.2.0pre1
DescriptionIf set to off, ProFTPd will skip the password request if the login will be denied regardless of password, e.g., if a <Limit LOGIN> directive forbids the connection.
02.00.2004 04:01
 
 NameMasqueradeAddress 
SyntaxMasqueradeAddress ip-address|dns-hostname
ContextServer config <VirtualHost>
Modulmod_core 
Standard
From version1.2.2
Description
Example 1MasqueradeAddress natbox.example.com
Example 2MasqueradeAddress 213.133.103.252
02.00.2004 03:01
 
 NameMaxClients 
SyntaxMaxClients number | none [message]
ContextServer config <Global> <VirtualHost> <Anonymous>
Modulmod_core 
From version0.99.0
Description
06.00.2003 20:02
 
 NameMaxClientsPerHost 
SyntaxMaxClientsPerHost number|none [message]
ContextServer config <Global> <VirtualHost> <Anonymous>
Modulmod_core 
Standard
From version1.1.7
Description
Example 1Example:
MaxClientsPerHost 1 "Bitte nicht öfters als 1x verbinden"

Result: 530 Bitte nicht öfters als 1x verbinden
02.00.2004 05:01
 
 NameMaxHostsPerUser 
SyntaxMaxHostsPerUser number|none [message]
Context<Global> <VirtualHost> <Anonymous>
Modulmod_core 
Standard
From version1.2.4
DescriptionThe MaxHostsPerUser directive configures the maximum number of different hosts that can be connected at any given time using a given login. The optional message argument, if given, is displayed to a client attempting to exceed the maximum value. If message is not supplied, a default message of "Sorry, the maximum number of hosts (%m) for this user already connected." is used.
02.00.2004 05:01
 
 NameMaxInstances 
SyntaxMaxInstances number
ContextServer config
Modulmod_core 
From version1.1.6pl1
Description
06.00.2003 20:02
 
 NameMaxLoginAttempts 
SyntaxMaxLoginAttempts number
ContextServer config <Global> <VirtualHost>
Modulmod_core 
Standard3
From version0.99.0
Description
06.00.2003 20:02
 
 NameMultilineRFC2228 
SyntaxMultilineRFC2228 on|off
ContextServer config
Modulmod_core 
Standardoff
From version1.2.0pre3
Description
06.00.2003 20:02
 
 NameOrder 
SyntaxOrder allow,deny|deny,allow
Context<Limit>
Modulmod_core 
Standardallow,deny
From version0.99.0pl6
Description
06.00.2003 20:02
 
 NamePassivePorts 
SyntaxPassivePorts min-pasv-port max-pasv-port
ContextServer config <Global> <VirtualHost>
Modulmod_core 
From version1.2.0rc3
Description
06.00.2003 20:02
 
 NamePathAllowFilter 
SyntaxPathAllowFilter regular-expression
ContextServer config <Global> <VirtualHost> <Anonymous>
Modulmod_core 
Standard
From version1.1.7
DescriptionPathAllowFilter allows the configuration of a regular expression that must be matched for all newly uploaded (stored) files. The regular expression is applied against the entire pathname specified by the client, so care must be taken when creating a proper regex. Paths that fail the regex match result in a "Forbidden filename" error being returned to the client. If the regular-expression argument contains whitespace, it must be enclosed in quotes.
Example 1# Only allow filenames containing alphanumeric characters 
PathAllowFilter ".*/[a-zA-Z0-9]+$"
02.00.2004 03:01
 
 NamePathDenyFilter 
SyntaxPathDenyFilter regular-expression
ContextServer config <Global> <VirtualHost> <Anonymous>
Modulmod_core 
Standard
From version1.1.7
DescriptionSimilar to PathAllowFilter, PathDenyFilter specifies a regular expression which must not match any uploaded pathnames. If the regex does match, a "Forbidden filename" error is returned to the client. This can be especially useful for forbidding .ftpaccess or .htaccess files. Note: if the regex is placed inside quotes (i.e. "foo.*"), then any backslashes will need to be escaped twice, i.e. PathDenyFilter "\.ftpaccess$"
Example 1# Blocks files with executable file extensions
PathDenyFilter "\.(js|vbs|shs|scr|exe)$" 

# Blocks all files with a leading dot or dash
PathDenyFilter "(^|/)[-.]" 

# Blocks both cases
PathDenyFilter "((^|/)[-.])|(\.(js|vbs|shs|scr|exe)$)" 
Example 2
02.00.2004 03:01
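The PathAllowFilter and PathDenyFilter patterns above can be checked against sample upload paths before they go into a live configuration. The following is an added example, not part of the original page or of ProFTPD: Python's `re` stands in for the server's regex engine, matching is assumed to be case-sensitive and unanchored, and `upload_allowed`, `ci_ext_regex`, `slipped_through` and the sample paths are constructed for illustration.

```python
import re

# Patterns taken from the PathAllowFilter / PathDenyFilter examples on this page.
ALLOW_ALNUM = r".*/[a-zA-Z0-9]+$"
DENY_EXEC = r"\.(js|vbs|shs|scr|exe)$"
DENY_LEADING = r"(^|/)[-.]"
DENY_BOTH = r"((^|/)[-.])|(\.(js|vbs|shs|scr|exe)$)"
# Constructed variant: a stray space after "|" is a literal character of the
# second alternative, so that branch only matches names ending in " .exe" etc.
DENY_BOTH_STRAY_SPACE = r"((^|/)[-.])| (\.(js|vbs|shs|scr|exe)$)"


def upload_allowed(path, allow=None, deny=None):
    """Return True if an upload to `path` would pass both filters.

    Assumed semantics, following the directive descriptions: the allow
    regex must match the full client-supplied path, the deny regex must not.
    """
    if allow is not None and re.search(allow, path) is None:
        return False
    if deny is not None and re.search(deny, path) is not None:
        return False
    return True


def ci_ext_regex(extensions):
    """Build a deny regex for file extensions that matches any letter case.

    Uses only bracket expressions, so the result does not depend on a
    case-insensitivity flag being available in the regex engine.
    """
    alternatives = []
    for ext in extensions:
        alternatives.append("".join(
            "[%s%s]" % (c.lower(), c.upper()) if c.isalpha() else re.escape(c)
            for c in ext))
    return r"\.(" + "|".join(alternatives) + r")$"


# Constructed sample paths, as a client might send them with STOR.
SAMPLE_PATHS = [
    "/incoming/report",
    "/incoming/report.txt",
    "/incoming/setup.exe",
    "/incoming/setup.EXE",
    "/incoming/.ftpaccess",
    "-rf",
    "/incoming/my-file.txt",
]


def slipped_through(paths, deny):
    """Return the paths that the given deny filter does NOT block."""
    return [p for p in paths if upload_allowed(p, deny=deny)]


if __name__ == "__main__":
    filters = [
        ("DENY_EXEC", DENY_EXEC),
        ("DENY_BOTH", DENY_BOTH),
        ("DENY_BOTH_STRAY_SPACE", DENY_BOTH_STRAY_SPACE),
        ("case-insensitive extensions",
         ci_ext_regex(["js", "vbs", "shs", "scr", "exe"])),
    ]
    for name, pattern in filters:
        print(name, pattern)
        for path in slipped_through(SAMPLE_PATHS, pattern):
            print("   not blocked:", path)
    print("ALLOW_ALNUM accepts:",
          [p for p in SAMPLE_PATHS if upload_allowed(p, allow=ALLOW_ALNUM)])
```

The run shows two things the patterns alone do not: the alphanumeric allow filter rejects any name with an extension, and the lowercase extension list does not cover `setup.EXE` unless the pattern spells out both cases.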
 
 NamePersistentPasswd 
SyntaxPersistentPasswd on|off
ContextServer config
Modulmod_unixpw 
StandardPlatform dependent
From version1.1.5
Description
06.00.2003 20:02
 
 NamePidFile 
SyntaxPidFile filename
ContextServer config <Global>
Modulmod_core 
From version1.2.0rc2
Description
06.00.2003 20:02
 
 NamePort 
SyntaxPort port-number
ContextServer config <VirtualHost>
Modulmod_core 
Standard21
From version0.99.0
Description
06.00.2003 20:02
 
 NameRatioFile 
SyntaxRatioFile foo1 foo2 foo3
Context<Anonymous> <Limit> .ftpaccess <Directory>
Modulmod_ratio 
From version1.2.0
Description
06.00.2003 20:02
 
 NameRatios 
SyntaxRatios foo1 foo2 foo3
Context<Anonymous> <Limit> .ftpaccess <Directory>
Modulmod_ratio 
From version1.2.0
Description
06.00.2003 20:02
 
 NameRatioTempFile 
SyntaxRatioTempFile foo1 foo2 foo3
Context<Anonymous> <Limit> .ftpaccess <Directory>
Modulmod_ratio 
From version1.2.0
Description
06.00.2003 20:02
 
 NameRequireValidShell 
SyntaxRequireValidShell on|off
ContextServer config <Global> <VirtualHost> <Anonymous>
Modulmod_core 
Standardon
From version0.99.0
Description
06.00.2003 20:02
 
 NameRLimitCPU 
SyntaxRLimitCPU soft-limit|"max" [hard-limit|"max"]
ContextServer config
Modulmod_core 
From version1.2.2
Description
06.00.2003 20:02
 
 NameRLimitMemory 
SyntaxRLimitMemory [ RLimitMemory ["daemon"|"session"|"none"] soft-limit[units]|"max" [hard-limit[units]|"max"]]
ContextServer config
Modulmod_core 
From version1.2.2
Description
06.00.2003 20:02
 
 NameRLimitOpenFiles 
SyntaxRLimitOpenFiles soft-limit|"max"
ContextServer config
Modulmod_core 
From version1.2.2
Description
06.00.2003 20:02
 
 NameRootLogin 
SyntaxRootLogin on|off
ContextServer config <Global> <VirtualHost> <Anonymous>
Modulmod_auth 
Standardoff
From version1.1.5
DescriptionNormally, proftpd disallows root logins under any circumstance. If a client attempts to log in as root, using the correct password, a special security message is sent to syslog. When the RootLogin directive is turned On, the root user may authenticate just as any other user could (assuming no other access control measures deny access); however, the root login security message is still syslogged. Obviously, extreme care should be taken when using this directive.
Example 1
Example 2
01.-1.2003 22:01
 
 NameSaveRatios 
SyntaxSaveRatios foo1 foo2 foo3
Context<Anonymous> <Limit> .ftpaccess <Directory>
Modulmod_ratio 
From version1.2.0
Description
06.00.2003 20:02
 
 NameServerAdmin 
SyntaxServerAdmin "admin-email-address"
ContextServer config <VirtualHost>
Modulmod_core 
Standardroot@[ServerName]
From version0.99.0pl10
Description
06.00.2003 20:02
 
 NameServerIdent 
SyntaxServerIdent off|on [identification string]
ContextServer config <Global> <VirtualHost>
Modulmod_core 
StandardProFTPD [version] Server (server name) [hostname]
From version1.2.0pre2
Description
06.00.2003 20:02
 
 NameServerName 
SyntaxServerName "name"
ContextServer config <VirtualHost>
Modulmod_core 
StandardProFTPD Server [version]
From version0.99.0
Description
06.00.2003 20:02
 
 NameServerType 
SyntaxServerType type-identifier
ContextServer config
Modulmod_core 
Standardstandalone
From version0.99.0
Description
06.00.2003 20:02
 
 NameShowSymlinks 
SyntaxShowSymlinks on|off
ContextServer config <Global> <VirtualHost> <Anonymous>
Modulmod_core 
Standardon
From version0.99.0pl6
Description
06.00.2003 20:02
 
 NameSocketBindTight 
SyntaxSocketBindTight on|off
ContextServer config
Modulmod_core 
Standardoff
From version0.99.0pl6
Description
Example 1# Two servers have been configured (one master and one virtual),
# with the IP addresses 10.0.0.1 and 10.0.0.2, respectively.
# The 10.0.0.1 server runs on port 21, while 10.0.0.2 runs on port 2001.
SocketBindTight off
# By default, proftpd creates two sockets, both bound to ALL available addresses.
# One socket listens on port 21, the other on 2001.
# Because each socket is bound to all available addresses,
# no other daemon or user process will be
# allowed to bind to ports 21 or 2001.

SocketBindTight on
# proftpd creates two sockets again; however, one is bound to 10.0.0.1, port 21,
# and the other to 10.0.0.2, port 2001. Because these sockets are "tightly"
# bound to IP addresses, port 21 can be reused on any address OTHER than
# 10.0.0.1, and vice versa with 10.0.0.2, port 2001.

# One side effect of setting SocketBindTight to on is that connections to
# non-bound addresses will result in a "connection refused" message
# rather than the typical
# "500 Sorry, no server available to handle request on xxx.xxx.xxx.xxx.",
# due to the fact that no listen socket has been bound to the particular
# address/port pair. This may or may not be aesthetically desirable,
# depending on your circumstances.
06.00.2003 20:02
 
 NameSQLAuthenticate 
SyntaxSQLAuthenticate on|off or SQLAuthenticate [ users [*] ] [ group [*] ] [ userset [fast] ] [ groupset [fast] ]
ContextServer config <Global> <VirtualHost>
Modulmod_sql 
Standardon
From versionmod_sql 4.x
Description
Example 1Normally, mod_sql treats all three tables exactly the same.

|-----------------------------------------------|
| GROUPNAME | GID  | MEMBERS                    |
|-----------------------------------------------|
| Gruppe1   | 1000 | Stonki                     |
| Gruppe2   | 1000 | Paul                       |
| Gruppe3   | 1000 | Weller                     |
|-----------------------------------------------|

|-----------------------------------------------|
| GROUPNAME | GID  | MEMBERS                    |
|-----------------------------------------------|
| Gruppe1   | 1000 | Stonki, Paul               |
| Gruppe2   | 1000 | Weller                     |
|-----------------------------------------------|

|-----------------------------------------------|
| GROUPNAME | GID  | MEMBERS                    |
|-----------------------------------------------|
| Gruppe1   | 1000 | Stonki, Paul, Weller       |
|-----------------------------------------------|

If you use the "fast" option, mod_sql assumes
that all entries are structured as in the last example.
06.00.2003 20:02
 
 NameSQLAuthTypes 
SyntaxSQLAuthTypes OpenSSL|Crypt|Backend|Plaintext|Empty
ContextServer config <Global> <VirtualHost>
Modulmod_sql 
From version1.2.0, mod_sql 3.x and 4.x
Description
06.00.2003 20:02
 
 NameSQLConnectInfo 
SyntaxSQLConnectInfo connection-info [username] [password]
ContextServer config <Global> <VirtualHost>
Modulmod_sql 
From version1.2.0, mod_sql 4.x
Description
Example 1# Try to connect to the database "ftpusers"
# on the server "foo.com" on the default port.
# Use NULL as username and password.
# Use the PERSESSION method.
SQLConnectInfo ftpusers@foo.com

# Try to connect to the database "ftpusers" on the server
# "localhost" on port 3000.
# Use the username "admin" and
# NULL as the password.
# Use the PERSESSION method.
SQLConnectInfo ftpusers:3000 admin

# Try to connect to the database "ftpusers" on the
# server "foo.com", port 3000.
# Use the username "admin" and the
# password "mypassword". Use the PERCALL method.
SQLConnectInfo ftpusers@foo.com:3000 admin mypassword PERCALL

# Try to connect to the database "ftpusers" on the
# server "foo.com", port 3000.
# Use the username "admin" and
# the password "mypassword". Limit the idle time to 30 seconds.
SQLConnectInfo ftpusers@foo.com:3000 admin mypassword 30
06.00.2003 20:02
 
 NameSQLDefaultGID 
SyntaxSQLDefaultGID number
ContextServer config <Global> <VirtualHost>
Modulmod_sql 
Standard65533
From version1.2.0, mod_sql 3.x and 4.x
Description
06.00.2003 20:02
 
 NameSQLDefaultHomedir 
SyntaxSQLDefaultHomedir /path/to/home/dir
ContextServer config <Global> <VirtualHost>
Modulmod_sql 
From versionmod_sql 4.x
Description
06.00.2003 20:02
 
 NameSQLDefaultUID 
SyntaxSQLDefaultUID number
ContextServer config <Global> <VirtualHost>
Modulmod_sql 
Standard65533
From version1.2.0, mod_sql 3.x and 4.x
Description
06.00.2003 20:02
 
 NameSQLGroupInfo 
SyntaxSQLGroupInfo grouptable groupname gid members
ContextServer config <Global> <VirtualHost>
Modulmod_sql 
Standardgroups groupname gid members
From versionmod_sql 4.x
Description
06.00.2003 20:02
 
 NameSQLGroupWhereClause 
SyntaxSQLGroupWhereClause whereclause
ContextServer config <Global> <VirtualHost>
Modulmod_sql 
From versionmod_sql 4.x
Description
06.00.2003 20:02
 
 NameSQLHomedirOnDemand 
SyntaxSQLHomedirOnDemand on|off
ContextServer config <Global> <VirtualHost>
Modulmod_sql 
Standardoff
From version1.2.0, mod_sql 3.x and 4.x
Description
06.00.2003 20:02
 
 NameSQLLog 
SyntaxSQLLog cmd-set query-name [IGNORE_ERRORS]
ContextServer config <Global> <VirtualHost>
Modulmod_sql 
From versionmod_sql 4.x
Description
Example 1# This replaces the old 'SQLLoginCountField count' directive and, on every
# login, increments the value of the count field in the users table by one.
# If the current user is 'joe', this would be translated into:
# "update users set count=count+1 where userid='joe'"
# This query is run whenever a user has logged in.

SQLLog PASS updatecount
SQLNamedQuery updatecount UPDATE "count=count+1 WHERE userid='%u'" users

# This replaces the old 'SQLLogDirs cwd' directive and writes every
# directory the user changes into to the database, table "users".
# If the current user is 'joe' and the current directory is '/tmp',
# this is translated into:
# "update users set cwd='/tmp' where userid='joe'".
# This query is run whenever a user changes directory.

SQLLog CWD updatedir
SQLNamedQuery updatedir UPDATE "cwd='%d' where userid='%u'" users

# On every (successful) send or receive of a file, this writes
# the name, the size in bytes, the user and host, and the current time
# (at least under MySQL) into the filehistory table. This would be translated
# into a query similar to:
# "insert into filehistory values
# ('somefile', 12345, 'joe@joe.org', '21-05-2001 20:01:00')"

SQLLog RETR,STOR insertfileinfo
SQLNamedQuery insertfileinfo INSERT "'%f', %b, '%u@%v', now()" filehistory
06.00.2003 20:02
 
 NameSQLMinID 
SyntaxSQLMinID minimumid
ContextServer config <Global> <VirtualHost>
Modulmod_sql 
Standard999
From version1.2.0, mod_sql 3.x and 4.x
Description
06.00.2003 20:02
 
 NameSQLMinUserGID 
SyntaxSQLMinUserGID number
ContextServer config <Global> <VirtualHost>
Modulmod_sql 
Standard999
From versionmod_sql 4.x
Description
06.00.2003 20:02
 
 NameSQLMinUserUID 
SyntaxSQLMinUserUID number
ContextServer config <Global> <VirtualHost>
Modulmod_sql 
Standard999
From versionmod_sql 4.x
Description
06.00.2003 20:02
 
 NameSQLNamedQuery 
SyntaxSQLNamedQuery name type query-string [table]
ContextServer config <Global> <VirtualHost>
Modulmod_sql 
From versionmod_sql 4.x
Description
Example 1# Creates a query named 'count', which is shown to a user via SQLShowInfo
# during their login. The actual query would be similar to:
# "SELECT count from users where userid='matilda'" for user 'matilda'.

SQLNamedQuery count SELECT "count from users where userid='%u'"

# Creates a query named 'updatecount', which is used via SQLLog to
# increment a login counter in the 'users' table. The actual
# query for the user 'stonki' would be similar to:
# "UPDATE users SET count=count+1 WHERE userid='stonki'"

SQLNamedQuery updatecount UPDATE "count=count+1 WHERE userid='%u'" users
Example 2# Creates a query named 'accesslog', which can be used via
# SQLLog to log online times.
# The actual query for the user 'paul' would be similar to:
# "INSERT INTO accesslog VALUES (now(), 'paul')"

SQLNamedQuery accesslog INSERT "now(), '%u'" accesslog

# This table structure may be too simple for everyday use,
# since most databases require data for EVERY field.
# If you only want to set some of the fields, the
# FREEFORM query may be a better fit:

# Creates a query named 'acclog',
# which can be used via SQLLog to log online times.
# The actual query for the user 'weller' would be similar to:
# "INSERT INTO acclog(date, user) VALUES (now(), 'weller')"

SQLNamedQuery acclog FREEFORM "INSERT INTO acclog(date, user) values (now(), '%u')"
06.00.2003 20:02
 
 NameSQLProcessPwEnt 
SyntaxSQLProcessPwEnt "name" limit|regex|ip value
Context
Modul
From version0.99.0
Description
06.00.2003 20:02
 
 NameSQLRatios 
SyntaxSQLRatios "name" limit|regex|ip value
Context<Global> <VirtualHost>
Modulmod_ratio mod_sql 
From version1.2.0, mod_sql 4.x
Description
06.00.2003 20:02
 
 NameSQLRatioStats 
SyntaxSQLRatioStats "name" limit|regex|ip value
ContextServer config <Global> <VirtualHost> <Limit>
Modulmod_ratio mod_sql 
Standardoff
From versionmod_sql 4.x
Description
06.00.2003 20:02
 
 NameSQLShowInfo 
SyntaxSQLShowInfo cmd-set numeric query-string
ContextServer config <Global> <VirtualHost>
Modulmod_sql 
From versionmod_sql 4.x
Description
Example 1SQLNamedQuery count SELECT "count from users where userid='%u'"
SQLShowInfo PASS "230" "You've logged on %{count} times, %u"

# Assuming the information exists in the database, these two
# directives specify that the user is greeted with their login counter
# after a successful login. Note the use of the "230"
# code. It is defined in the FTP RFC as "230 User logged in, proceed",
# which means that everything is OK. This code is appropriate here because the
# message is sent immediately after the password is accepted and
# the session has started. (see also http://www.rfc-editor.org/rfc/rfc959.txt)
06.00.2003 20:02
 
 NameSQLUserWhereClause 
SyntaxSQLUserWhereClause whereclause
ContextServer config <Global> <VirtualHost>
Modulmod_sql 
From versionmod_sql 4.x
Description
06.00.2003 20:02
 
 NameSyslogFacility 
SyntaxSyslogFacility facility-level
ContextServer config
Modulmod_core 
From version1.1.6
Description
06.00.2003 20:02
 
 NameSyslogLevel 
SyntaxSyslogLevel level
ContextServer config <Global> <VirtualHost> <Anonymous>
Modulmod_core 
From versionPost 1.2.0rc2 CVS
Description
06.00.2003 20:02
 
 NameSystemLog 
SyntaxSystemLog filename
ContextServer config
Modulmod_log 
From version1.1.6pl1
Description
06.00.2003 20:02
 
 NameTCPAccessFiles 
SyntaxTCPAccessFiles allow-filename deny-filename
ContextServer config <Global> <VirtualHost> <Anonymous>
Modulmod_wrap 
From version1.2.1
Description
06.00.2003 20:02
 
 NameTCPAccessSyslogLevels 
SyntaxTCPAccessSyslogLevels <match>; <remote-server>
ContextServer config <Global> <VirtualHost> <Anonymous>
Modulmod_wrap 
StandardTCPAccessSyslogLevels info warn
From version1.2.1
Description
06.00.2003 20:02
 
 NametcpBackLog 
SyntaxtcpBackLog backlog-size
ContextServer config
Modulmod_core 
Standard5
From version0.99.0
Description
06.00.2003 20:02
 
 NameTCPGroupAccessFiles 
SyntaxTCPGroupAccessFiles group-expression allow-filename deny-filename
Context
Modul
From version0.99.0
Description
06.00.2003 20:02
 
 NametcpNoDelay 
SyntaxtcpNoDelay on|off
ContextServer config <Global> <VirtualHost>
Modulmod_core 
Standardon
From version1.2.0pre3a
Description
06.00.2003 20:02
 
 NametcpReceiveWindow 
SyntaxtcpReceiveWindow window-size
ContextServer config <VirtualHost>
Modulmod_core 
Standard8192
From version0.99.0
Description
06.00.2003 20:02
 
 NametcpSendWindow 
SyntaxtcpSendWindow window-size
ContextServer config <VirtualHost>
Modulmod_core 
Standard8192
From version0.99.0
Description
06.00.2003 20:02
 
 NameTCPUserAccessFiles 
SyntaxTCPUserAccessFiles user-expression allow-filename deny-filename
Context
Modul
From version0.99.0
Description
06.00.2003 20:02
 
 NameTimeoutIdle 
SyntaxTimeoutIdle seconds
ContextServer config
Modulmod_core 
Standard600
From version0.99.0
Description
06.00.2003 20:02
 
 NameTimeoutLogin 
SyntaxTimeoutLogin seconds
ContextServer config
Modulmod_core 
Standard300
From version0.99.0
Description
06.00.2003 20:02
 
 NameTimeoutNoTransfer 
SyntaxTimeoutNoTransfer seconds
ContextServer config
Modulmod_core 
Standard300
From version0.99.0
Description
06.00.2003 20:02
 
 NameTimeoutStalled 
SyntaxTimeoutStalled seconds
ContextServer config
Modulmod_core 
Standard3600
From version1.1.6
Description
06.00.2003 20:02
 
 NameTimesGMT 
SyntaxTimesGMT on|off
ContextServer config
Modulmod_core 
Standardsince 1.2.0pre9: on, previously off
From version1.2.0pre9
Description
06.00.2003 20:02
 
 NameTransferLog 
SyntaxTransferLog filename|NONE
ContextServer config <Global> <VirtualHost> <Anonymous>
Modulmod_core 
Standard/var/log/xferlog
From version1.1.4
Description
06.00.2003 20:02
 
 NameUmask 
SyntaxUmask file octal-mask [directory octal-mask]
ContextServer config <Global> <VirtualHost> <Anonymous> .ftpaccess <Directory>
Modulmod_core 
Standardnone
From version0.99.0
DescriptionUmask sets the mask applied to newly created file and directory permissions within a given context. By default, the Umask in the server configuration, <VirtualHost> or <Anonymous> block is used, unless overridden by a "per-directory" Umask setting. Any arguments supplied must be an octal number, in the format 0xxx. An optional second argument can specify a Umask to be used when creating directories. If a second argument isn't specified, directories are created using the default Umask in the first argument. For more information on umasks, consult your operating system documentation/man pages.
Example 1# All files 644, directories 755
Umask 022

# All files and directories for the owner ONLY
Umask 066 077

Example 2
04.00.2006 03:00
 
 NameUseFtpUsers 
SyntaxUseFtpUsers on|off
ContextServer config <Global> <VirtualHost> <Anonymous>
Modulmod_core 
Standardon
From version0.99.0
Description
06.00.2003 20:02
 
 NameUseGlobbing 
SyntaxUseGlobbing on | off
ContextServer config <Global> <VirtualHost> <Anonymous>
Modulmod_ls 
Standardon
From version1.2.5.rc1
Description
Example 1UseGlobbing ON (default)
ftp> ls kb*
227 Entering Passive Mode (127,0,0,1,73,233).
150 Opening ASCII mode data connection for file list
drwxr-xr-x   3 stonki   users        4096 Aug  2  2003 kbarcode
226 Transfer complete.

UseGlobbing OFF
ftp> ls kb*
227 Entering Passive Mode (127,0,0,1,73,241).
150 Opening ASCII mode data connection for file list
226 Transfer complete.




Example 2
05.00.2004 03:01
 
 NameUseHostsAllowFile 
SyntaxUseHostsAllowFile filename
ContextServer config <VirtualHost> <Directory>
Modulmod_wrap 
Standard/etc/hosts.allow
From version1.2.0
Description
Example 1UseHostsAllowFile /etc/ftpd.allow
06.00.2003 20:02
 
 NameUseHostsDenyFile 
SyntaxUseHostsDenyFile filename
ContextServer config <VirtualHost> <Anonymous>
Modulmod_wrap 
Standard/etc/hosts.deny
From version1.2.0
Description
Example 1UseHostsDenyFile /etc/ftpd.deny
06.00.2003 20:02
 
 NameUser 
SyntaxUser userid
ContextServer config <Global> <VirtualHost> <Anonymous>
Modulmod_core 
From version0.99.0
Description
06.00.2003 20:02
 
 NameUserAlias 
SyntaxUserAlias login-user userid
ContextServer config <Global> <VirtualHost> <Anonymous>
Modulmod_auth 
From version0.99.0
Description
Example 1UserAlias anonymous ftp
06.00.2003 20:02
 
 NameUserDirRoot 
SyntaxUserDirRoot on|off
Context<Anonymous>
Modulmod_auth 
Standardoff
From version1.2.0pre2
Description
Example 1User "foo" is an alias for "ftp"; when logging in as "foo",
ProFTPD will run under the user ID "ftp",
but use the directory "~ftp/foo" as the root instead of just "~ftp".
06.00.2003 20:02
 
 NameUseReverseDNS 
SyntaxUseReverseDNS on|off
ContextServer config
Modulmod_core 
Standardon
From version1.1.7
Description
06.00.2003 20:02
 
 NameUserOwner 
SyntaxUserOwner username
Context<Anonymous> <Directory>
Modulmod_core 
From version1.2.pre11
Description
06.00.2003 20:02
 
 NameUserPassword 
SyntaxUserPassword userid hashed-password
ContextServer config <Global> <VirtualHost> <Anonymous>
Modulmod_core 
From version0.99.0pl5
Description
06.00.2003 20:02
 
 NameUserRatio 
SyntaxUserRatio foo1 foo2 foo3
Context<Anonymous> <Limit> .ftpaccess <Directory>
Modulmod_ratio 
From version1.2.0
Description
06.00.2003 20:02
 
 NameWtmpLog 
SyntaxWtmpLog on|off|NONE
ContextServer config <Global> <VirtualHost> <Anonymous>
Modulmod_core 
Standardon
From version1.1.7
Description
06.00.2003 20:02
 
 NameTransferRate 
SyntaxTransferRate cmds kilobytes-per-sec:free-bytes ["user"|"group"|"class" expression]
ContextServer config <Global> <VirtualHost> <Anonymous> .ftpaccess <Directory>
Modulmod_xfer 
From version1.2.8rc1
DescriptionThe TransferRate directive is used to set transfer rate limits on the transfer of data. This directive allows for transfer rates to be set in a wide variety of contexts, on a per-command basis, and for certain subsets of users.

The cmds parameter may be a comma-separated list of any of the following commands: APPE, RETR, STOR, and STOU.

The kilobytes-per-sec parameter is the actual transfer rate to be applied.

The free-bytes parameter, if configured, allows that many bytes to be transferred before the rate controls are applied. This allows for clients transferring small files to be unthrottled, but for larger files, such as MP3s and ISO images, to be throttled.

The optional parameters are used to restrict the application of the rate controls only to specific users. If the "user" restriction is given, then expression is a user-expression specifying to which users the rate applies. Similarly for the "group" restriction. For the "class" restriction, the expression is simply the name of connection class for whom the rate will apply.
Example 1# Limit downloads for everyone except the special group of users 
TransferRate RETR 1.5 group !special-users
Example 2# Limit uploads (and appends!) to the prolific users in the 
# lotsofuploadfiles.net domain. This presumes that a Class has been defined 
# for that domain, and that that Class has been named "uploaders". Let them 
# upload small files without throttling, though.
TransferRate APPE,STOR 8.0:1024 class uploaders
06.00.2003 20:02
 
 NameControlsMaxClients 
SyntaxControlsMaxClients number
ContextServer config
Modulmod_ctrls 
Standard5
From version1.2.8rc1 and later
Description
Example 1
Example 2
02.00.2004 05:01
 
 NameExecBeforeCommand 
SyntaxExecBeforeCommand cmds path [arg1 arg2 ...]
ContextServer config <Global> <VirtualHost> <Anonymous> <Directory>
Modulmod_exec 
StandardExecBeforeCommand cmds path [arg1 arg2 ...]
From version1.2.8 and later
DescriptionThe ExecBeforeCommand directive is used to execute the program or script at path before the handling of any FTP command listed in cmds, where cmds is a comma-delimited list of FTP commands. The command groups of the <Limit> directive, such as READ, WRITE, and ALL, may also be used. The program will be executed with the privileges of the logged-in user.

Any number of arbitrary arguments may be configured to pass to the script. In addition, the "cookies" supported by the ExecEnviron directive may also be used in the script argument list.

Important: use of DefaultRoot will cause complications (to be elaborated upon soon).
Example 1ExecBeforeCommand RETR /path/to/ftp-prep --file %f
Example 2
06.00.2003 20:02
 
 NameRootRevoke 
SyntaxRootRevoke on|off
ContextServer config <Global> <VirtualHost> <Anonymous>
Modulmod_auth 
Standardoff
From version1.2.5rc1 and later
DescriptionThe RootRevoke directive causes all root privileges to be dropped once a user is authenticated. This will also cause active transfers to be disabled, if the server is listening on a port less than 1025. Note that this only affects active transfers; passive transfers will not be blocked.
Example 1
Example 2
06.00.2003 20:02
 
 NameMD5FS 
SyntaxMD5FS path
ContextServer config <Global> <VirtualHost> <Anonymous>
Modulmod_md5fs 
Standard
From version1.2.5rc1 and later
DescriptionThis directive specifies a path to a directory. Files uploaded to that directory (and its subdirectories) will automatically have MD5 digests calculated and printed to a file.md5 file. Multiple directories can be configured with multiple MD5FS directives
Example 1# path can use "~/" notation, in which case the path is resolved after successful login
MD5FS ~/public_ftp/md5

# calculate digests in the normal upload directory
MD5FS /path/to/upload/dir

# in the normal home directory
MD5FS ~
Example 2
02.00.2004 04:01
 
 NameQuotaDirectoryTally 
SyntaxQuotaDirectoryTally on|off
Context
Modulmod_quotatab 
Standard
From version1.2.5rc2 and later
DescriptionThe QuotaDirectoryTally directive configures mod_quotatab to take directory operations (e.g. creating a directory, removing a directory) into account when tallying
Example 1
Example 2
05.00.2004 03:01
 
 NameQuotaDisplayUnits 
SyntaxQuotaDisplayUnits "b"|"Kb"|"Mb"|"Gb"
Context
Modulmod_quotatab 
Standard
From version1.2.5rc2 and later
DescriptionThis directive configures how the user's current byte quota values will be reported to them. Note that this directive does not affect how the quota values are stored in the quota table, only their presentation to the user.

"b" causes quotas to be displayed in bytes; "Kb", kilobytes; "Mb", megabytes; and "Gb", gigabytes
Example 1# display quota information in megabytes
QuotaDisplayUnits Mb
Example 2
05.00.2004 03:01
 
 NameQuotaEngine 
SyntaxQuotaEngine on|off
Context
Modulmod_quotatab 
Standard
From version1.2.5rc2 and later
DescriptionThe QuotaEngine directive enables or disables the module's runtime quota engine. If it is set to off this module does no runtime processing at all. Use this directive to disable the module instead of commenting out all mod_quotatab directives
Example 1
Example 2
05.00.2004 03:01
 
 NameQuotaLimitTable 
SyntaxQuotaLimitTable source-type:source-info
Context
Modulmod_quotatab 
Standard
From version1.2.5rc2 and later
DescriptionThis directive configures the information necessary for the module to locate and use the table containing the quota limit, the maximum number of bytes and/or files defined for use by specific users, groups, classes, etc, and is required for mod_quotatab to function.

Please consult the relevant submodule documentation for details on that module's syntax for this configuration directive.
Example 1
Example 2
05.00.2004 03:01
 
 NameQuotaLog 
SyntaxQuotaLog file|"none"
Context
Modulmod_quotatab 
Standard
From version1.2.5rc2 and later
DescriptionThe QuotaLog directive is used to specify a log file for mod_quotatab reporting, and can be done on a per-server basis. The file parameter must be the full path to the file to use for logging. Note that this path must not be to a world-writeable directory and, unless AllowLogSymlinks is explicitly set to on (generally a bad idea), the path must not be a symbolic link.

If file is "none", no logging will be done at all; this setting can be used to override a QuotaLog setting inherited from a <Global> context
Example 1
Example 2
05.00.2004 03:01
 
 NameQuotaShowQuotas 
SyntaxQuotaShowQuotas on|off
Context
Modulmod_quotatab 
Standard
From version1.2.5rc2 and later
DescriptionThe QuotaShowQuotas directive can be used to enable/disable mod_quotatab's response to a SITE QUOTA request. For some sites, revealing the current quota information may be considered an unnecessary, perhaps even detrimental, information leak; other sites may consider this a definite feature.
Example 1
Example 2
05.00.2004 03:01
 
 NameQuotaTallyTable 
SyntaxQuotaTallyTable source-type:source-info
Context
Modulmod_quotatab 
Standard
From version1.2.5rc2 and later
DescriptionThis directive configures the information necessary for the module to locate and use the table containing the quota tally, or the current byte/file counts for users, groups, classes, etc, and is required for mod_quotatab to function.

Please consult the relevant submodule documentation for details on that module's syntax for this configuration directive
Example 1
Example 2
05.00.2004 03:01
 
 NameVirtualRootEngine 
SyntaxVRootEngine on|off
ContextServer config <Global> <VirtualHost>
Modulmod_vroot 
Standard
From version1.2.8rc1
DescriptionThe VRootEngine directive enables the virtual chroot engine implemented by mod_vroot. If enabled, the virtual chroot will be used in place of the operating system's chroot(2). This directive affects any DefaultRoot directives and any <Anonymous> contexts within the server context in which the VRootEngine directive appears.
Example 1
Example 2
02.00.2004 04:02
 
 NameWrapUserTables 
SyntaxWrapUserTables user-OR-expression source-type:allow-source-info source-info:deny-source-info
ContextServer config <Global> <VirtualHost> <Anonymous>
Modulmod_wrap 
Standard
From version1.2.8rc1 and later
DescriptionThe WrapUserTables directive configures the information necessary for mod_wrap to locate and use the tables containing the access rules for specific users.

The user-OR-expression parameter is a logical OR expression, which means that the connecting user can be any of the users listed for this directive to apply. User names may be negated with a ! prefix.

The next two parameters specify two tables, an allow and a deny table, each of which contain the IP addresses, networks or host/network masks to be allowed or denied.

Please consult the relevant submodule documentation for details on that module's syntax for specifying tables. The service name for which mod_wrap will look in the indicated access tables is "proftpd" by default; this can be configured via the WrapGroupTables, WrapServiceName, WrapTables
Example 1
Example 2
01.-1.2003 29:00
 
 Name<IfClass> 
Syntax<IfClass ["AND"|"OR"] class-expression|"regex" regexp>
ContextServer config <Global> <VirtualHost>
Modulmod_ifsession 
Standard
From version1.2.8rc1 and later
DescriptionThe <IfClass> context should contain any configuration directives that should be in effect for any sessions that match the class-expression. Classes must be enabled for this context to work properly; the connecting client must be in any of the classes listed in the expression for the directives contained to be applied. Note that ! notation in front of a class name in the expression is supported.
The given class-expression may optionally be prefixed with either the "AND" or "OR" keywords, which affect how the expression is evaluated: if "AND" is used, then all portions of the expression must evaluate to TRUE for the configuration context to be applied to the current session; if "OR" is used, then any portion of the expression must be TRUE for the context to be applied. The default setting for <IfClass> is "OR".
If the "regex" keyword is used, the regexp should be a regular expression to match class names
Example 1 # Give friends, and local users, better transfer rates
  <IfClass local, friends>
    TransferRate RETR 8192
  </IfClass>

  TransferRate RETR 4096
Example 2
01.-1.2003 15:01
 
 NameAuthOrder 
SyntaxAuthOrder [ module-name...]
ContextServer config <Global> <VirtualHost>
Modulmod_core 
Standard
From version1.2.8rc1 and later
DescriptionThe AuthOrder directive rebuilds the tables of modules' authentication functions, reordering the tables such that only the listed modules' authentication functions are used, in the order in which the modules are listed.

At least one module name must be given; there is no maximum number of modules that can be listed. The listed module names must be the full name of the source file, e.g. "mod_auth_unix.c".
Example 1# If the user's information is not in LDAP, 
# they're not a user to use this server. 
AuthOrder mod_ldap.c
Example 2# Use SQL tables first, then LDAP, for authentication 
AuthOrder mod_sql.c mod_ldap.c
05.00.2004 03:01
 
 NameAnonRejectPasswords 
SyntaxAnonRejectPasswords regular-expression
Context<Anonymous>
Modulmod_auth 
Standard
From version1.2.2rc3 and later
DescriptionThe AnonRejectPasswords directive configures a regular expression filter for passwords given for anonymous logins. If the given anonymous password matches the configured regular expression, the anonymous login is denied.
Example 1# reject all <Anonymous> logins that use "evil.org" 
# as part of the password
AnonRejectPasswords @evil\.org$
Example 2
06.00.2003 20:02
 
 NameSocketOptions 
SyntaxSocketOptions [maxseg size] [rcvbuf size] [sndbuf size]
ContextServer config <VirtualHost>
Modulmod_core 
Standard
From version1.2.8rc2 and later
DescriptionReplaces the tcpReceiveWindow and tcpSendWindow directives.
The rcvbuf and sndbuf parameters are used for setting the send/receive window sizes. The maxseg parameter is used for setting a MSS via setsockopt(2)'s TCP_MAXSEG option. If the MSS is larger than the interface's MTU, it is ignored and has no effect.

Also, if accepted, this directive should probably expand to take in SocketBindTight (e.g. [bind each|any] parameters), and possibly the tcpBacklog and tcpNodelay directives. However, these directives are only allowed in the server config context (ideally, a <Daemon> context, but...that's for later).
Example 1
Example 2
06.00.2003 20:02
 
 NameScoreboardFile 
SyntaxScoreboardFile path
ContextServer config
Modulmod_core 
Standard/var/run/proftpd.scoreboard
From version1.2.7rc1 and later
DescriptionThe ScoreboardFile directive sets the path to the file where the daemon will store its run-time "scoreboard" session information. This file is necessary for MaxClients to work properly, as well as other utilities (such as ftpwho and ftpcount). This directive deprecates ScoreboardPath.
Example 1ScoreboardFile /var/run/proftpd.scoreboard
Example 2
06.00.2003 20:02
 
 NameAllowOverride 
SyntaxAllowOverride [ on|off ["user"|"group"|"class" expression]]
ContextServer config <Global> <VirtualHost> <Anonymous>
Modulmod_core 
Standardon
From version1.2.7rc1 and later
DescriptionNormally, the server will look for and parse any files in the encountered directories called ".ftpaccess". The files provide a functionality similar to Apache's .htaccess files -- mini-configuration files. This directive controls when those .ftpaccess files will be parsed.

The additional parameters can restrict the evaluation to certain users, groups or classes.
Example 1
Example 2
02.00.2004 04:01
 
 NameCapabilitiesEngine 
SyntaxCapabilitiesEngine [ on off]
ContextServer config <Global> <VirtualHost>
Modulmod_cap 
StandardOn, if running on a Linux host that supports capabilities
From version1.2.8rc1 and later
DescriptionThe CapabilitiesEngine directive enables or disables the module's runtime capabilities engine. If set to off, this module does no runtime capabilities processing at all. Use this directive to disable the module
Example 1
Example 2
06.00.2003 20:02
 
 NameCapabilitiesSet 
SyntaxCapabilitiesSet [ [+/-]capability...]
ContextServer config <Global> <VirtualHost>
Modulmod_cap 
Standard+CAP_CHOWN
From version1.2.8rc1 and later
DescriptionBy default, mod_cap removes all but two capabilities from the session-handling process: CAP_NET_BIND_SERVICE, for binding to ports lower than 1024 (required for active data transfers), and CAP_CHOWN, for allowing a process to change a file's ownership to a different user. The latter capability is only strictly necessary if the UserOwner configuration directive is in use; if not being used, the CAP_CHOWN capability is best removed. The CapabilitiesSet directive is used to manipulate the set of capabilities that mod_cap grants.

To remove a capability, prefix the name with a '-'; to enable a capability, use '+'. At present, this directive only supports one capability: CAP_CHOWN.
Example 1<IfModule mod_cap.c> 
 CapabilitiesEngine on 
 CapabilitiesSet -CAP_CHOWN 
</IfModule>
Example 2
06.00.2003 21:00
 
 NameCreateHome 
SyntaxCreateHome [ off|on [<mode>] [skel <path>] [dirmode <mode>]]
ContextServer config <Global> <VirtualHost>
Modulmod_auth 
Standard
From version1.2.8rc2 and later
DescriptionThe CreateHome directive configures the server to automatically create a user's home directory, if that directory does not exist, during the login process.

The mode parameter is used to configure the absolute mode of the home directory created. If not specified, the module will default to 700.

The optional skel path parameter can be used to configure an /etc/skel-like directory containing account initialization files and directories. The parameter must be the full path to the directory. The directory must not be world-writeable. Files copied from this directory into the new home directory will have the UID and GID of the logging-in user. Note that sockets and FIFOs in the skeleton directory will not be copied; any setuid or setgid bits on files will be removed from the copied files in the target home directory.

The optional dirmode parameter can be used to specify the mode for intermediate directories that may need to be created in order to create the target home directory. By default, the mode for such intermediate directories will be 711. NOTE: using a mode that does not allow for the execute bit to be enabled can cause havoc. You have been warned.
Example 1# Use the CreateHome default settings 
CreateHome on
Example 2# Specify a skeleton directory 
CreateHome on skel /etc/ftpd/skel

# Skeleton directory, with 700 intermediate directories 
CreateHome on skel /etc/ftpd/skel dirmode 700

# No skeleton, but make sure that intermediate 
# directories have 755 permissions. 
CreateHome on dirmode 755
01.-1.2003 22:01
 
 NameDebugLevel 
SyntaxDebugLevel [ level]
ContextServer config <Global> <VirtualHost>
Modulmod_core 
Standard0
From version1.2.8rc1 and later
DescriptionThe DebugLevel directive configures the debugging level the server will use when logging. The level parameter must be between 0 and 9. This configuration directive will take precedence over any command-line debugging options used.
Example 1DebugLevel 9
Example 2
01.00.2004 29:01
 
 NameDefaultAddress 
SyntaxDefaultAddress [ dns-name|ip-address]
ContextServer config
Modulmod_core 
Standard
From version1.2.7rc1 and later
DescriptionThis directive sets the address the main server instance will bind to; the default behaviour is to select whatever IP the system reports as being the primary IP.
Example 1# We want the main server instance to listen on a specific IP
DefaultAddress 192.168.10.30
Example 2
06.00.2003 21:02
 
 NameDefine 
SyntaxDefine [ parameter-name]
ContextServer config <Global> <VirtualHost> <Anonymous> <Limit> .ftpaccess <Directory>
Modulmod_core 
Standard
From version1.2.6rc1 and later
DescriptionThis directive is used to initialise defines for use in conjunction with the IfDefine directive.
Example 1Define LoadLimiting
Example 2Define HighPerformanceSetup
06.00.2003 21:02
 
 NameHiddenStores 
SyntaxHiddenStores on|off
ContextServer config <Global> <VirtualHost> <Anonymous> <Limit>
Modulmod_xfer 
Standardoff
From version1.2.7rc1 and later
DescriptionThe HiddenStor directive enables two-step file uploads: files are uploaded as ".in.filename." and once the upload is complete, renamed to just "filename". This provides a degree of atomicity and helps prevent 1) incomplete uploads and 2) files being used while they're still in the process of being uploaded. Note: if the temporary file name is already in use (e.g., a server crash during upload), it will prevent the file from being uploaded.
The REST (Restart STOR) command is automatically blocked when HiddenStor is enabled, with the server returning a 501 error code to the client.
Example 1
Example 2
02.00.2004 04:02
 
 Name<IfDefine> 
Syntax<IfDefine [ [!]define-label]>
ContextServer config <Global> <VirtualHost> <Anonymous> <Limit> .ftpaccess <Directory>
Modulmod_core 
Standard
From version1.2.6rc1 and later
DescriptionThe <IfDefine test>...</IfDefine> section is used to mark directives that are conditional. The directives within an IfDefine section are only processed if the test is true. If the test is false, everything between the start and end markers is ignored.

The test in the <IfDefine> section directive can be one of two forms: 'parameter-name' or '!parameter-name'

In the former case, the directives between the start and end markers are only processed if the parameter named parameter-name is defined. The second format reverses the test, and only processes the directives if parameter-name is not defined.

The parameter-name argument is a define as given on the command line via -Dparameter-name, at the time the server was started.

<IfDefine> sections are nest-able, which can be used to implement simple multiple-parameter tests.
Example 1$ proftpd -DDoSomething
--[ proftpd.conf ]--
<IfDefine DoSomething>
 # do something here
</IfDefine>
--[ end ]--
Example 2
01.-1.2003 15:01
 
 Name<IfModule> 
SyntaxIfModule [ [!]module-name]
ContextServer config <Global> <VirtualHost> <Anonymous> <Limit> .ftpaccess <Directory>
Modulmod_core 
Standard
From version1.2.6rc1 and later
DescriptionThe <IfModule test>...</IfModule> section is used to mark directives that are conditional. The directives within an IfModule section are only processed if the test is true. If the test is false, everything between the start and end markers is ignored.

The test in the <IfModule> section directive can be one of two forms: "module name" or "!module name"

In the former case, the directives between the start and end markers are only processed if the module named module name is compiled in to ProFTPD. The second format reverses the test, and only processes the directives if module name is not compiled in.

The module name argument is a module name as given as the file name of the module, at the time it was compiled. For example, mod_sql.c.

<IfModule> sections are nest-able, which can be used to implement simple multiple-module tests.
Example 1<IfModule mod_load.c>
  MaxLoad   10 "Access denied, server load too high"
</IfModule>
Example 2
06.00.2003 21:02
 
 NameLDAPDoQuotaLookups 
SyntaxLDAPDoQuotaLookups [ on off ] [ "auth-base-prefix" ] [ "search-filter-template" ]
ContextServer config <Global> <VirtualHost>
Modulmod_ldap 
Standardoff
From versionmod_ldap v2.8.11 and later
DescriptionThis configuration directive activates LDAP quota lookups. The second argument to this directive is the LDAP prefix to use for authentication. The third argument is a template to be used for the search filter; %v will be replaced with the username that is being authenticated. By default, the search filter template "(&(uid=%v)(objectclass=posixAccount))" is used. Search filter templates are only supported in mod_ldap v2.7 and later.
Example 1
Example 2
06.00.2003 21:02
 
 NameLDAPForceHomedirOnDemand 
SyntaxLDAPForceHomedirOnDemand [ on off ] [ directory-mode ]
ContextServer config <Global> <VirtualHost>
Modulmod_ldap 
Standardoff
From versionmod_ldap v2.8.11 and later
DescriptionEven when a LDAPHomeDironDemandPrefix is configured, mod_ldap will allow individual users to have homeDirectory attributes that will override the default. With LDAPForceHomeDironDemand enabled, all LDAP-authenticated users are given the default prefix and/or suffix; homedirs may not be overridden by LDAP homeDirectory attributes.
Example 1
Example 2
06.00.2003 21:02
 
 NameListOptions 
SyntaxListOptions [ "options string"] [ ["strict"]]
ContextServer config <Global> <VirtualHost> <Anonymous> .ftpaccess <Directory>
Modulmod_ls 
Standard
From version1.2.8rc1 and later
DescriptionNormally, FTP commands involving directory listings (NLST, LIST and STAT) use the arguments (options) passed by the client to determine what files are displayed and the format they are displayed in. The ListOptions directive can alter the behaviour of such listings by making it such that a certain option (or options) is always in effect, or is always disabled.

In addition to the normal dash-prefixed options that the builtin ls takes, the directive allows for plus-prefixed options. The plus-prefixed options allow for their dash-prefixed equivalents, potentially given by a user, to be disabled, while still allowing other options to function normally.

If the optional "strict" keyword is used, then the configured options will override any options given by the user (i.e. the user's options will be ignored).
Example 1# Always force hidden files to be displayed. 
ListOptions "-a"
Example 2# Only recursive listing is forbidden here,
# all other options remain allowed. 
# The "+R" disables any "-R" option sent
# by the client
ListOptions "+R"

# Allow only plain listings, never any options,
# ALWAYS 
ListOptions "" strict
02.00.2004 10:01
 
 NameMaxClientsPerUser 
SyntaxMaxClientsPerUser [ MaxClientsPerUser number|none [message]]
ContextServer config <Global> <VirtualHost> <Anonymous>
Modulmod_auth 
Standard
From version1.2.7rc1 and later
DescriptionThe MaxClientsPerUser directive configures the maximum number of clients that may be connected at any given time using the same user name. The optional argument message may be used which will be displayed to a client attempting to exceed the maximum value. If message is not supplied, a default message of "Sorry, the maximum number of clients (%m) for this user already connected." is used.
Example 1MaxClientsPerUser 1 "Only one such user at a time."
#Results in: 530 Only one such user at a time.
Example 2
02.00.2004 05:01
 
 NameMaxRetrieveFileSize 
SyntaxMaxRetrieveFileSize [ number|"*" units ["user"|"group"|"class" expression]]
ContextServer config <Global> <VirtualHost> <Anonymous> .ftpaccess <Directory>
Modulmod_xfer 
Standard
From version1.2.7rc1 and later
DescriptionWhen downloading files to clients (e.g. serving a RETR request), the server will check for any configured limit against the size of the file being requested, and abort any transfers if the requested file's size exceeds the configured limit.

A single "*" argument configures unlimited file sizes, and is used primarily to override any inherited restrictions from higher contexts. The given number is the number of bytes for the limit, and is followed by a units specifier of (case-insensitive) "Gb" (Gigabytes), "Mb" (Megabytes), "Kb" (Kilobytes), or "B" (bytes). The given number of bytes is multiplied by the appropriate factor.

The optional parameters are used to restrict the file size limits only to specific users. If the "user" restriction is given, then expression is a user-expression specifying to which users the rule applies. Similarly for the "group" restriction. For the "class" restriction, the expression is simply the name of connection class for whom the rule will apply. If no matching user, group, or class expression is found for the current user (in that order), then a limit with no expression (i.e. no "user", "group", or "class" identifier) is applied.

See Also: MaxStoreFileSize
Example 1# Allow downloads of up to 1 GB
MaxRetrieveFileSize 1 Gb
Example 2# Limit downloads only for the user "fred", 
# but do not limit them for anyone else
MaxRetrieveFileSize 50 Kb user fred
MaxRetrieveFileSize *
02.00.2004 04:02
 
 NameVRootOptions 
SyntaxVRootOptions opt1 ...
ContextServer config <Global> <VirtualHost>
Modulmod_vroot 
Standard
From version1.2.9rc2 and later
DescriptionThe VRootOptions directive is used to configure various optional behavior of mod_vroot.

Example:

VRootOptions allowSymlinks

The currently implemented options are:

* allowSymlinks
Normally, any symlinks that point outside of the vroot area simply do not work. When the allowSymlinks option is enabled, these symlinks will be allowed. Note that by enabling symlinks, the efficacy of the vroot "jail" is reduced.
Example 1VRootOptions allowSymlinks
Example 2
02.00.2004 04:02
 
 NameMaxConnectionRate 
SyntaxMaxConnectionRate [ connections per second]
ContextServer config
Modulmod_core 
Standard
From version1.2.7rc1 and later
DescriptionSet the maximum rate at which new TCP connections are accepted. This applies to the entire server; therefore too low a value on a high traffic server can result in all VirtualHosts being made unavailable due to normal traffic levels.

The value is the number of connections in a given second at which the block comes into effect, thus a value of "1" will result in all connections being blocked.
Example 1MaxConnectionRate 4
Example 2
06.00.2003 21:02
 
 NameMaxStoreFileSize 
SyntaxMaxStoreFileSize [ number|"*" units ["user"|"group"|"class" expression]]
ContextServer config <Global> <VirtualHost> <Anonymous> .ftpaccess <Directory>
Modulmod_xfer 
Standard
From version1.2.7rc1 and later
DescriptionWhen uploading files from a client (e.g. serving a STOR request), the server will check for any configured limit against the size of the file being sent, and abort any transfers if/when the given file's size exceeds the configured limit.

A single "*" argument configures unlimited file sizes, and is used primarily to override any inherited restrictions from higher contexts. The given number is the number of bytes for the limit, and is followed by a units specifier of (case-insensitive) "Gb" (Gigabytes), "Mb" (Megabytes), "Kb" (Kilobytes), or "B" (bytes). The given number of bytes is multiplied by the appropriate factor.

Furthermore, by specifying a user, a group or a class, the directive can be restricted to exactly those. If none of them matches, the directive is not applied.

See also: MaxRetrieveFileSize
Example 1# Restrict upload to only 3 megabytes
MaxStoreFileSize 3 Mb
Example 2# Restrict anonymous uploads to 50k, 
# but allow unlimited upload size for everyone else
MaxStoreFileSize 50 Kb user anonymous
MaxStoreFileSize *
02.00.2004 04:02
 
 NameSQLLogFile 
SyntaxSQLLogFile [ "name" limit|regex|ip value]
ContextServer config <Global> <VirtualHost> <Anonymous> <Limit> .ftpaccess
Modulmod_sql 
Standard
From version1.2.8rc2 and later
Description?????
Example 1SQLLogFile /var/log/proftpd_sql.log

All SQL commands are logged to the file "/var/log/proftpd_sql.log".
Example 2
06.00.2003 23:00
 
 NameSQLUserInfo 
SyntaxSQLUserInfo [users userid password uid gid homedir shell]
ContextServer config <Global> <VirtualHost> <Anonymous> <Limit> .ftpaccess
Modulmod_sql 
Standard????
From version1.2.5rc1 and later
Description???????
Example 1
Example 2
06.00.2003 23:01
 
 NameServerLog 
SyntaxServerLog [ path]
ContextServer config <Global> <VirtualHost>
Modulmod_log 
Standard
From version1.2.8rc1 and later
DescriptionThe ServerLog directive disables the daemon's use of the syslog mechanism and instead redirects all logging output for the server to the specified filename. The filename argument must contain an absolute path. Use of this directive overrides any facility set by the SyslogFacility directive, as well as overriding any configured SystemLog.
Example 1DebugLevel 5
ServerLog /var/log/proftpd.debug.log
Example 2
02.00.2004 04:01
 
 NameStoreUniquePrefix 
SyntaxStoreUniquePrefix [ "prefix"]
ContextServer config <Global> <VirtualHost> <Anonymous> .ftpaccess <Directory>
Modulmod_xfer 
Standard
From version1.2.6rc1 and later
DescriptionThe StoreUniquePrefix is used to configure a prefix for the generated unique random filenames used for the STOU FTP command. The last six characters of the filename will be random. Slashes are not allowed in the prefix string.

All valid filename characters are allowed except '/'
Example 1StoreUniquePrefix "test"

[...]
230 User xx logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> sunique
Store unique on.
ftp> mput coolness.pl
mput coolness.pl [anpqy?]? a
Prompting off for duration of mput.
229 Entering Extended Passive Mode (|||1373|)
150 FILE: test4kzRvu
100% |*************************************|   323       1.26 MB/s    00:00 ETA
226 Transfer complete.


ftp> sunique
Store unique off.
ftp> mput coolness.pl
mput coolness.pl [anpqy?]? a
Prompting off for duration of mput.
229 Entering Extended Passive Mode (|||1374|)
150 Opening BINARY mode data connection for coolness.pl
100% |*************************************|   323       2.24 MB/s    00:00 ETA
226 Transfer complete.
Example 2
02.00.2004 03:01
 
 NameTCPServiceName 
SyntaxTCPServiceName [ name]
ContextServer config <Global> <VirtualHost>
Modulmod_wrap 
Standardproftpd
From version1.2.1 and later
DescriptionTCPServiceName is used to configure the name of the service under which mod_wrap will check the allow/deny files. By default, this is the name of the program started, i.e. "proftpd". However, some administrators may want to use a different, more generic service name, such as "ftpd"; use this directive for such needs.
Example 1
Example 2
06.00.2003 21:02
 
 NameTLSCACertificateFile 
SyntaxTLSCACertificateFile [ "name" limit|regex|ip value]
ContextServer config <Global> <VirtualHost> <Anonymous> <Limit> .ftpaccess
Modulmod_tls 
Standard????
From version1.2.8rc1 and later
Description???????
Example 1
Example 2
06.00.2003 21:02
 
 NameTLSCACertificatePath 
SyntaxTLSCACertificatePath [ "name" limit|regex|ip value]
ContextServer config <Global> <VirtualHost> <Anonymous> <Limit> .ftpaccess
Modulmod_tls 
Standard????
From version1.2.8rc1 and later
Description???????
Example 1?????????
Example 2????????
06.00.2003 21:02
 
 NameTLSCARevocationFile 
SyntaxTLSCARevocationFile [ "name" limit|regex|ip value]
ContextServer config <Global> <VirtualHost> <Anonymous> <Limit> .ftpaccess
Modulmod_tls 
Standard????
From version1.2.8rc1 and later
Description???????
Example 1
Example 2
06.00.2003 21:02
 
 NameTLSCARevocationPath 
SyntaxTLSCARevocationPath [ "name" limit|regex|ip value]
ContextServer config <Global> <VirtualHost> <Anonymous> <Limit> .ftpaccess
Modulmod_tls 
Standard?????
From version1.2.8rc1 and later
Description???????
Example 1
Example 2
06.00.2003 21:02
 
 NameTLSCertificateChainFile 
SyntaxTLSCertificateChainFile [ "name" limit|regex|ip value]
ContextServer config <Global> <VirtualHost> <Anonymous> <Limit> .ftpaccess
Modulmod_tls 
Standard???????
From version1.2.8rc1 and later
Description??????????
Example 1
Example 2
06.00.2003 21:02
 
 NameTLSCipherSuite 
SyntaxTLSCipherSuite [ "name" limit|regex|ip value]
ContextServer config <Global> <VirtualHost> <Anonymous> <Limit> .ftpaccess
Modulmod_tls 
Standard???
From version1.2.8rc1 and later
Description????
Example 1
Example 2
06.00.2003 21:02
 
 NameTimeoutSession 
SyntaxTimeoutSession [ seconds ["user"|"group"|"class" expression]]
ContextServer config <Global> <VirtualHost> <Anonymous>
Modulmod_auth 
Standard
From version1.2.6rc1 and later
DescriptionThe TimeoutSession directive sets the maximum number of seconds a control connection between the proftpd server and an FTP client can exist after the client has successfully authenticated. If the seconds argument is set to 0, sessions are allowed to last indefinitely (the default).

The optional parameters are used to restrict the session time limit only to specific users. If "user" restriction is given, then expression is a user-expression specifying to which users the time limit applies. Similarly for the "group" restriction. For the "class" restriction, the expression is simply the name of connection class for whom the time limit will apply. Note that use of the "user" or "group" classifiers within an <Anonymous> context will not make much sense.
Example 1# Kick the user off after 60 minutes
TimeoutSession 3600
Example 2# set a draconian session time limit 
TimeoutSession 60 

# set session time limits for everyone except a few privileged users 
TimeoutSession 300 user !bob,!dave,!jenni
06.00.2003 21:02
 
 Namesql:// 
Syntaxsql://dbuser:dbpass@dbserver/db:dbname/ctxt:table[:id,parent_id,name,value]/conf:table[:id,name,value]/map:table[:conf_id,ctxt_id]
ContextServer config
Modulmod_conf_sql 
Standardsql://foo:bar@localhost/db:proftpd/ctxt:ftpctxt:id,parent_id,name,value/conf:ftpconf:id,name,value/map:ftpmap:conf_id,ctxt_id
From version 1.2.9rc1 + mod_conf_sql-0.3
DescriptionConceptually, there are two basic elements in proftpd.conf: contexts and directives. Contexts include <Anonymous>, <VirtualHost>, the "server config" default context, and conditional contexts such as <IfDefine> and <IfModule>. Configuration directives are contained within a context.
Thus, to represent the configuration file contents within SQL tables, three things are needed: a table of contexts, a table of configuration directives, and a table that describes which directives are contained within which contexts. mod_conf_sql thus relies on a database schema of three tables. The SQL queries it uses rely on inner joins; this means that the underlying database must support INNER JOINs.

Database Schema
Here is an example MySQL schema for the tables mod_conf_sql uses:

DROP TABLE IF EXISTS ftpctxt;
CREATE TABLE ftpctxt (
id INTEGER UNSIGNED UNIQUE PRIMARY KEY NOT NULL AUTO_INCREMENT,
parent_id INTEGER UNSIGNED,
name VARCHAR(255),
value VARCHAR(255)
);

DROP TABLE IF EXISTS ftpconf;
CREATE TABLE ftpconf (
id INTEGER UNSIGNED UNIQUE PRIMARY KEY NOT NULL AUTO_INCREMENT,
name VARCHAR(255) NOT NULL,
value BLOB
);

DROP TABLE IF EXISTS ftpmap;
CREATE TABLE ftpmap (
conf_id INTEGER UNSIGNED NOT NULL,
ctxt_id INTEGER UNSIGNED NOT NULL
);

Each context and configuration directive is assigned a unique ID. The ftpmap table maps the configuration directive to its appropriate context by IDs. In addition, each context has a parent context, which allows for nested contexts, such as:
<Directory incoming>
<Limit DELE MKD RMD STOR XMKD XRMD>
DenyAll
</Limit>
</Directory>

The one allowed exception to this parent context requirement is the "server config" context, which is the default context in the proftpd.conf file. mod_conf_sql always starts by searching for this top-level context, which must have a NULL parent ID.
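As an added illustration (not code from mod_conf_sql or its Perl scripts), the following Python example loads the three tables into an in-memory SQLite database, which stands in for MySQL, and rebuilds the nested <Directory>/<Limit> configuration above by starting at the NULL-parent context and following the ftpmap joins. The sample rows, the "server config" name of the root row, the split of a context's name and argument across the name and value columns, and all function names are assumptions of this example; it also reports rows that the walk from the root never reaches.

```python
import sqlite3

# The page's three-table schema, trimmed to what SQLite accepts
# (SQLite stands in for MySQL here; that substitution is an assumption).
SCHEMA = """
CREATE TABLE ftpctxt (id INTEGER PRIMARY KEY, parent_id INTEGER,
                      name VARCHAR(255), value VARCHAR(255));
CREATE TABLE ftpconf (id INTEGER PRIMARY KEY, name VARCHAR(255) NOT NULL,
                      value BLOB);
CREATE TABLE ftpmap  (conf_id INTEGER NOT NULL, ctxt_id INTEGER NOT NULL);
"""

# Constructed sample rows. Context 4 points at a parent that does not exist,
# so it (and the directive mapped to it) cannot be reached from the root.
CONTEXTS = [
    (1, None, "server config", None),   # top-level context: NULL parent
    (2, 1, "Directory", "incoming"),
    (3, 2, "Limit", "DELE MKD RMD STOR XMKD XRMD"),
    (4, 99, "Limit", "LOGIN"),
]
DIRECTIVES = [
    (1, "ServerName", '"SQL-backed server"'),
    (2, "DenyAll", None),
    (3, "DenyAll", None),
]
MAPPINGS = [(1, 1), (2, 3), (3, 4)]     # (conf_id, ctxt_id)


def build_db():
    """Create the in-memory database and load the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO ftpctxt VALUES (?, ?, ?, ?)", CONTEXTS)
    db.executemany("INSERT INTO ftpconf VALUES (?, ?, ?)", DIRECTIVES)
    db.executemany("INSERT INTO ftpmap VALUES (?, ?)", MAPPINGS)
    return db


def find_root(db):
    """Return the id of the single context whose parent_id is NULL."""
    roots = db.execute(
        "SELECT id FROM ftpctxt WHERE parent_id IS NULL").fetchall()
    if len(roots) != 1:
        raise ValueError("expected exactly one NULL-parent context, found %d"
                         % len(roots))
    return roots[0][0]


def render_context(db, ctxt_id, depth=0):
    """Emit this context's directives, then recurse into child contexts."""
    pad = "  " * depth
    lines = []
    directives = db.execute(
        "SELECT c.name, c.value FROM ftpconf c "
        "INNER JOIN ftpmap m ON m.conf_id = c.id "
        "WHERE m.ctxt_id = ? ORDER BY c.id", (ctxt_id,)).fetchall()
    for name, value in directives:
        lines.append(pad + (f"{name} {value}" if value else name))
    children = db.execute(
        "SELECT id, name, value FROM ftpctxt WHERE parent_id = ? ORDER BY id",
        (ctxt_id,)).fetchall()
    for child_id, name, value in children:
        lines.append(pad + (f"<{name} {value}>" if value else f"<{name}>"))
        lines.extend(render_context(db, child_id, depth + 1))
        lines.append(f"{pad}</{name}>")
    return lines


def render_config(db):
    """Rebuild the configuration text as a list of lines."""
    return render_context(db, find_root(db))


def unreachable_rows(db):
    """List context ids and (id, name) directives the root walk never visits."""
    reachable, stack = set(), [find_root(db)]
    while stack:
        ctxt_id = stack.pop()
        if ctxt_id in reachable:
            continue
        reachable.add(ctxt_id)
        stack.extend(row[0] for row in db.execute(
            "SELECT id FROM ftpctxt WHERE parent_id = ?", (ctxt_id,)))
    all_ctxt = {row[0] for row in db.execute("SELECT id FROM ftpctxt")}
    live_conf = {conf_id for conf_id, ctxt_id in db.execute(
        "SELECT conf_id, ctxt_id FROM ftpmap") if ctxt_id in reachable}
    dead_conf = [(cid, name) for cid, name in db.execute(
        "SELECT id, name FROM ftpconf ORDER BY id") if cid not in live_conf]
    return sorted(all_ctxt - reachable), dead_conf


if __name__ == "__main__":
    database = build_db()
    print("\n".join(render_config(database)))
    print("unreachable:", unreachable_rows(database))
```

In this traversal the DenyAll mapped to context 4 never appears in the rebuilt configuration, which is the kind of row worth checking for after editing the tables by hand.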
Configuration URI
How does mod_conf_sql do its magic? This module uses ProFTPD's FSIO API to temporarily redefine what it means to open and read a file; it presents a file-like interface to a SQL table such that ProFTPD's configuration parser does not know that the configuration is coming from a database rather than a flat file.

In order to accomplish this magic, mod_conf_sql needs to know some things about the database, so that it can connect and retrieve the configuration data. This information is provided in the "path" to the configuration file, using proftpd's -c/--config command-line option. The specific "path" to use for mod_conf_sql uses a URI-like syntax:

sql://dbuser:dbpass@dbserver/db:dbname/ctxt:table[:id,parent_id,name,value]/conf:table[:id,name,value]/map:table[:conf_id,ctxt_id]

The syntax is long, but it has to be so in order to provide all of the information mod_conf_sql needs. (This information cannot be stored in the configuration file because mod_conf_sql will be constructing that configuration file).
The "sql://" prefix informs the FSIO API that this "path" should be handled differently from a normal Unix filesystem path. The dbuser, dbpass, and dbserver parts are the usual data needed to connect to a database; database server information, such as port number or Unix domain socket path, can be added to the dbserver string. dbname configures the name of the database to use. Then, one specifies the names of the three tables to use (the context table, the directives table, and the mapping table); one can optionally configure the column names in those tables. Note that if column names are specified, all of the columns in the table must be provided.

The following example shows a "path" where the table names are specified, but the column names in those tables are left to the default values:

proftpd -c sql://foo:bar@localhost/db:proftpd/ctxt:ftpctxt/conf:ftpconf/map:ftpmap

Explicitly specifying the column names in the above URI would make the "path" look like:
proftpd -c sql://foo:bar@localhost/db:proftpd/ctxt:ftpctxt:id,parent_id,name,value/conf:ftpconf:id,name,value/map:ftpmap:conf_id,ctxt_id

This URI-like path syntax can also be used as the parameter to the Include configuration directive. Note, though, that at present mod_conf_sql will always search for the "server config" context in the ftpctxt table first, and then recurse through all its contained contexts. This means that using something like this in a proftpd.conf configuration file:

<VirtualHost 1.2.3.4>
Include sql://foo:bar@localhost/db:proftpd/ctxt:vhostctxt/conf:vhostconf/map:vhostmap
</VirtualHost>

is currently unsupported, and will not function as one would assume.
The mod_conf_sql module does not actually need mod_sql to be configured, using the normal mod_sql configuration directives; however, mod_conf_sql does require that mod_sql be compiled into proftpd. It is possible to store the configuration information in one database, and the user/group authentication information in a completely different database.

Importing/Exporting
While storing configuration information in SQL tables may make some tasks easier, it will make editing of configurations more complex. To help with this, mod_conf_sql is accompanied by two Perl scripts that can be used to import existing proftpd.conf files into a database, and to export configuration information from SQL tables back into a proftpd.conf file.

The conf2sql.pl script reads a given proftpd.conf configuration file and populates the SQL tables with the information from that file. One specifies the database connection information, and the full path to the proftpd.conf to be imported. The script will delete any existing information in the SQL tables. Use conf2sql.pl --help to see usage information.

Example:

conf2sql.pl --dbdriver=mysql --dbname=proftpd --dbuser=foo --dbpass=bar --dbserver=localhost /etc/proftpd.conf

Note that the script currently allows the SQL table names to be specified via command-line options, but the column names are assumed to be those mentioned above.
The sql2conf.pl script reads the SQL tables and reconstructs the proftpd.conf configuration file represented by those tables. One specifies the database connection information. Use sql2conf.pl --help to see usage information.

Example:

sql2conf.pl --dbdriver=mysql --dbname=proftpd --dbuser=foo --dbpass=bar --dbserver=localhost

Note that the script currently allows the SQL table names to be specified via command-line options, but the column names are assumed to be those mentioned above.
Example 1 proftpd -c sql://foo:bar@localhost/db:proftpd/ctxt:ftpctxt:id,parent_id,name,value/conf:ftpconf:id,name,value/map:ftpmap:conf_id,ctxt_id
Example 2  CREATE TABLE ftpctxt (
    id INTEGER UNSIGNED UNIQUE PRIMARY KEY NOT NULL AUTO_INCREMENT,
    parent_id INTEGER UNSIGNED,
    name VARCHAR(255),
    value VARCHAR(255)
  );

  CREATE TABLE ftpconf (
    id INTEGER UNSIGNED UNIQUE PRIMARY KEY NOT NULL AUTO_INCREMENT,
    name VARCHAR(255) NOT NULL,
    value BLOB
  );

  CREATE TABLE ftpmap (
    conf_id INTEGER UNSIGNED NOT NULL,
    ctxt_id INTEGER UNSIGNED NOT NULL
  );
07.00.2003 09:00
 
 NameHideFiles 
SyntaxHideFiles [ [!]regexp|"none" ["user"|"group"|"class" expression]]
Context.ftpaccess <Directory>
Modul
Standard
From version1.2.7rc1
DescriptionThe HideFiles directive configures a <Directory> section to hide all directory entries, e.g. its files and sub-directories, that match the given regular expression. These files can still be operated on by other FTP commands (DELE, RETR, etc), as constrained by any applicable <Limit>s, but this can be modified using the IgnoreHidden directive. Note that this directive manipulates a file's "hidden-ness", but doesn't do any hiding by itself. A <Limit> section, with IgnoreHidden enabled, does the actual hiding of the files from the <Limit>ed commands.


As <Directory> configurations are inherited by sub-directories, the "none" parameter can be used to disable any inherited file hiding within a sub-directory, usually through the use of a .ftpaccess file.


The optional parameters are used to restrict the rule for hiding files only to specific users. If "user" restriction is given, then expression is a user-expression specifying to which users the rule applies. Similarly for the "group" restriction. For the "class" restriction, the expression is simply the name of the connection class to which the rule applies.


An unrestricted HideFiles directive and an unrestricted ShowFiles directive cannot be used simultaneously in the same context.


Example:

# Hide configuration and passwd files from view
HideFiles "(\.conf|passwd)$"

# ...or the same regex, without the quotes
HideFiles (\.conf|passwd)$

# Hide those same files from everyone _except_ a special user
HideFiles (\.conf|passwd)$ user !tj

# Using the ! prefix to "invert" the regular expression matching,
# allow only .txt and .html files to be seen
HideFiles !(\.txt|\.html)$

# Only let users of the webmaster group see HTML files, but nothing else
HideFiles !(\.htm|\.html)$ group webmaster



See Also: HideGroup, HideUser, HideNoAccess
Example 1Example:
# Hide configuration and passwd files from view
HideFiles "(\.conf|passwd)$" 

# ...or the same regex, without the quotes 
HideFiles (\.conf|passwd)$ 

# Hide those same files from everyone _except_ a special user named "tj"
HideFiles (\.conf|passwd)$ user !tj 

# Using the ! prefix to "invert" the regular expression matching, 
# allow only .txt and .html files to be seen 
HideFiles !(\.txt|\.html)$ 

# Only let users of the webmaster group see HTML files, but nothing else
HideFiles !(\.htm|\.html)$ group webmaster
Example 2
05.00.2004 02:01
 
 NameQuotaLock 
SyntaxQuotaLock file
Context
Modulmod_quotatab 
StandardNone
From version1.2.9 RC1
DescriptionNEW
05.00.2004 02:01
 
 NameShaperAll 
SyntaxShaperAll ["priority" num] ["rate" num] ["shares" num]
ContextServer config
Modulmod_shaper 
StandardShaperAll priority 10 rate -1.0 shares 5
From version1.2.10RC1
DescriptionThe ShaperAll directive is used to configure the overall mod_shaper settings: the rate for the entire daemon, the default shares for shaped sessions, and the default priority for shaped sessions. If specified, the priority cannot be a negative number, the rate is in KB/s and must be greater than zero, and the shares must be greater than one. For configuring the priority and shares for individual sessions, use the ShaperSession directive.

The default rate is -1.0, which means that in order for mod_shaper to function properly, a rate must be specified. The default shares setting is 5, the default priority is 10.

Examples:

# Change the overall daemon rate to 100 KB/s
ShaperAll rate 100

# Give 20 shares to each session by default, and have an overall rate of 1000
ShaperAll rate 1000 shares 20

See also: ShaperSession
05.00.2004 03:01
 
 NameShaperControlsACLs 
SyntaxShaperControlsACLs actions|"all" "allow"|"deny" "user"|"group" list
ContextServer config
Modulmod_shaper 
Standardnone
From version1.2.10 RC1
DescriptionThe ShaperControlsACLs directive configures access lists of users or groups who are allowed (or denied) the ability to use the actions implemented by mod_ctrls. The default behavior is to deny everyone unless an ACL allowing access has been explicitly configured.

If "allow" is used, then list, a comma-delimited list of users or groups, can use the given actions; all others are denied. If "deny" is used, then the list of users or groups cannot use the given actions; all others are allowed. Multiple ShaperControlsACLs directives may be used to configure ACLs for different control actions, and for both users and groups.

The actions provided by mod_shaper are "all", "info", and "sess".

Examples:

# Allow only user root to alter the overall settings
ShaperControlsACLs all allow user root

# Allow the ftpadm group to shape current sessions
ShaperControlsACLs sess allow group ftpadm

# Allow everyone but user bob to see the current shaper stats
ShaperControlsACLs info deny user bob
05.00.2004 03:01
 
 NameShaperEngine 
SyntaxShaperEngine on|off
ContextServer config
Modulmod_shaper 
Standardoff
From version1.2.10 RC1
DescriptionThe ShaperEngine directive enables or disables the "shaping" of sessions by mod_shaper. If it is set to off this module does no shaping of transmitted traffic. Use this directive to disable the module instead of commenting out all mod_shaper directives.
05.00.2004 03:01
 
 NameShaperLog 
SyntaxShaperLog path|"none"
ContextServer config
Modulmod_shaper 
Standardnone
From version1.2.10 RC1
DescriptionThe ShaperLog directive is used to specify a log file for mod_shaper reporting and debugging. The path parameter must be the full path to the file to use for logging. Note that this path must not be to a world-writeable directory and, unless AllowLogSymlinks is explicitly set to on (generally a bad idea), the path must not be a symbolic link.

If path is "none", no logging will be done at all.
05.00.2004 03:01
 
 NameShaperSession 
SyntaxShaperSession ["priority" num] ["shares" +|-num]
ContextServer config
Modulmod_shaper 
StandardShaperSession priority 10
From version1.2.10 RC1
DescriptionThe ShaperSession directive is used to set shaping data on a per-session basis. It is intended to be used within mod_ifsession conditional configuration blocks. If used, the priority must not be a negative number. The shares parameter must start with '+' or '-'; this value adjusts the default number of shares allotted to a session, increasing or reducing the session's shares. The ShaperAll directive is used for configuring overall shaping data.

Example:

# Reward my friends
ShaperSession shares +2

# Punish my enemies
ShaperSession shares -4

# Let <Directory>-level TransferRate directives take priority
ShaperSession priority 3

See also: ShaperAll
05.00.2004 03:01
 
 NameShaperTable 
SyntaxShaperTable path
ContextServer config
Modulmod_shaper 
Standardnone
From version1.2.10 RC1
DescriptionThe ShaperTable directive configures a path to a file that mod_shaper uses for storing its shaping data. The given path must be an absolute path. Note: this directive is required for mod_shaper to function.
05.00.2004 03:01
 
 Nameshaper all 
Syntaxftpdctl shaper all [priority num] [rate num] [shares num]
ContextControl Program
Modulmod_shaper 
Standard
From version1.2.10 RC1
DescriptionNEW
05.00.2004 03:01
 
 Nameshaper info 
Syntaxftpdctl shaper info
ContextControl Program
Modulmod_shaper 
Standard
From version1.2.10 RC1
DescriptionPurpose: Print information about current shaped sessions

The shaper info control action can be used to view information on currently shaped sessions. This includes the current overall rate, the default number of shares per session, and the total number of currently shaped sessions. It also lists the following for each shaped session: process ID (PID), share adjustments, priority, and session rate.

Example listing:

# ftpdctl shaper info
ftpdctl: Overall Rate: 100.00 KB/s
ftpdctl: Default Shares Per Session: 5
ftpdctl: Default Priority: 10
ftpdctl: Number of Shaped Sessions: 2
ftpdctl: PID Shares Priority Rate (KB/s)
ftpdctl: ----- -------------- -------- -----------
ftpdctl: 3912 7/14 (+2) 10 50.00
ftpdctl: 3915 7/14 (+2) 10 50.00

The "Shares" column is formatted as:

shares_session/shares_total (+|-shares_adjust)

The +2 in the listing above is due to a ShaperSession affecting these sessions:

ShaperSession shares +2
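
The listing can also be checked mechanically. The following Python sketch is an added example, not part of mod_shaper or of the original documentation: it parses ftpdctl shaper info output and reports rows that disagree with the header. It assumes the line layout shown in the listing above, and that each session's rate is the overall rate split in proportion to its shares, which is what the sample values imply (7/14 of 100 KB/s = 50 KB/s).

```python
import re

# Constructed input: the listing from the shaper info description.
SAMPLE = """\
ftpdctl: Overall Rate: 100.00 KB/s
ftpdctl: Default Shares Per Session: 5
ftpdctl: Default Priority: 10
ftpdctl: Number of Shaped Sessions: 2
ftpdctl: PID Shares Priority Rate (KB/s)
ftpdctl: ----- -------------- -------- -----------
ftpdctl: 3912 7/14 (+2) 10 50.00
ftpdctl: 3915 7/14 (+2) 10 50.00
"""

FIELD = re.compile(r"^ftpdctl:\s+([A-Za-z ]+):\s+([\d.]+)")
# Columns: PID  session/total (+|-adjust)  priority  rate
ROW = re.compile(r"^ftpdctl:\s+(\d+)\s+(\d+)/(\d+)\s+\(([+-]\d+)\)\s+(\d+)\s+([\d.]+)\s*$")
KEYS = ("pid", "shares", "total", "adjust", "priority", "rate")

def parse_shaper_info(text):
    """Return (header dict, list of per-session dicts)."""
    header, sessions = {}, []
    for line in text.splitlines():
        row = ROW.match(line)
        field = FIELD.match(line)
        if row:
            sessions.append({k: float(v) if k == "rate" else int(v)
                             for k, v in zip(KEYS, row.groups())})
        elif field:
            header[field.group(1)] = float(field.group(2))
    return header, sessions

def audit(text, tolerance=0.01):
    """List inconsistencies between the header and the session rows."""
    header, sessions = parse_shaper_info(text)
    findings = []
    if len(sessions) != int(header["Number of Shaped Sessions"]):
        findings.append("session count differs from header")
    total = sum(s["shares"] for s in sessions)
    for s in sessions:
        if s["shares"] != int(header["Default Shares Per Session"]) + s["adjust"]:
            findings.append(f"pid {s['pid']}: shares != default + adjustment")
        if s["total"] != total:
            findings.append(f"pid {s['pid']}: total shares != sum over sessions")
        # Assumed formula: overall rate split in proportion to shares.
        expected = header["Overall Rate"] * s["shares"] / total if total else 0.0
        if abs(expected - s["rate"]) > tolerance:
            findings.append(f"pid {s['pid']}: rate {s['rate']} != expected {expected:.2f}")
    return findings
```

Calling audit(SAMPLE) returns an empty list for the listing above; a non-empty result points at the row whose shares or rate no longer match the configured ShaperAll and ShaperSession values.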
05.00.2004 03:01
 
 Nameshaper sess 
Syntaxftpdctl shaper sess class|host|user name [priority num] [shares +|-num]
ContextControl Program
Modulmod_shaper 
Standard
From version1.2.10 rc1
DescriptionPurpose: Alter specific session's mod_shaper settings

The shaper sess action is used to change session-specific shaping data on-the-fly. If given, the priority must not be a negative number. The shares parameter must start with '+' or '-'; this value adjusts the default number of shares allotted to a session, increasing or reducing the session's shares.

This example gives user alex an additional 10 shares:

ftpdctl shaper sess user alex shares +10

The following sets the priority for host cache.example.com such that TransferRate directives in <Anonymous> sections, <Directory> sections and .ftpaccess files have precedence (see the usage instructions for more details on priority):

ftpdctl shaper sess host cache.example.com priority 2

One can even change the settings on entire Classes of sessions:

ftpdctl shaper sess class proxy shares -3 priority 1

See also: shaper all
05.00.2004 03:01
 
 NameMaxClientsPerClass 
SyntaxMaxClientsPerClass name number|"none" [message]
ContextServer config <Global> <VirtualHost>
Modulmod_auth 
StandardNone
From version1.2.10RC1
DescriptionThe MaxClientsPerClass directive configures the maximum number of clients that may be connected at any given time from the same Class. The optional argument message, if given, is displayed to a client attempting to exceed the maximum value. If message is not supplied, a default message of "Sorry, the maximum number of clients (%m) from your class are already connected." is used.
05.00.2004 03:01