Girish Ramakrishnan пре 8 година
родитељ
комит
f4ec75460d
8 измењених фајлова са 219 додато и 41 уклоњено
  1. 8 2
      CloudronManifest.json
  2. 14 3
      Dockerfile
  3. 0 19
      apache2-app.conf
  4. 9 7
      index.html
  5. 123 0
      proftpd.conf
  6. 42 10
      start.sh
  7. 12 0
      supervisor/apache2.conf
  8. 11 0
      supervisor/proftpd.conf

+ 8 - 2
CloudronManifest.json

@@ -20,8 +20,14 @@
     "oauth": {},
     "simpleauth": {}
   },
+  "tcpPorts": {
+    "SFTP_PORT": {
+      "title": "SFTP Port",
+      "description": "SFTP Port over which code can be pushed & pulled",
+      "defaultValue": 2222
+    }
+  },
   "tags": [ "apache", "php", "mysql" ],
   "mediaLinks": [ "https://raw.githubusercontent.com/cloudron-io/lamp-app/master/medialinks/medialink_0.jpg" ],
-  "changelog": "file://CHANGELOG",
-  "minBoxVersion": "0.13.3"
+  "changelog": "file://CHANGELOG"
 }
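Review bot: `minBoxVersion` is dropped in the same hunk that introduces `tcpPorts`; if the `tcpPorts` manifest key needs a newer platform than the 0.13.3 that was declared, the minimum should be raised to that version rather than removed, so an install on an older box fails at manifest validation instead of starting without the port exposed. If the platform no longer honours the key, a sentence in the commit message saying so would settle it. The `description` also says "code can be pushed & pulled", which reads like a git remote; something like `"Port on which SFTP file transfer is served"` matches what the app actually offers.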

+ 14 - 3
Dockerfile

@@ -37,8 +37,8 @@ RUN apt-get update && apt-get install -y php libapache2-mod-php crudini \
     php-xml-svg \
     php-yac \
     php-zip \
-    && rm -r /var/cache/apt /var/lib/apt/lists
-
+    proftpd proftpd-mod-ldap \
+    && rm -rf /var/cache/apt /var/lib/apt/lists /etc/ssh_host_*
 
 # configure apache
 RUN rm /etc/apache2/sites-enabled/*
@@ -51,7 +51,7 @@ RUN echo "Listen 8000" > /etc/apache2/ports.conf
 RUN ln -sf /app/data/apache2-app.conf /etc/apache2/sites-available/app.conf
 RUN ln -sf /etc/apache2/sites-available/app.conf /etc/apache2/sites-enabled/app.conf
 
-RUN a2enmod rewrite dav dav_fs authnz_ldap
+RUN a2enmod rewrite
 
 # configure mod_php
 RUN crudini --set /etc/php/7.0/apache2/php.ini PHP upload_max_filesize 8M && \
@@ -62,6 +62,17 @@ RUN crudini --set /etc/php/7.0/apache2/php.ini PHP upload_max_filesize 8M && \
 RUN mv /etc/php/7.0/apache2/php.ini /etc/php/7.0/apache2/php.ini.orig && ln -sf /app/data/php.ini /etc/php/7.0/apache2/php.ini
 
 ADD apache2-app.conf /app/code/apache2-app.conf
+
+# configure proftpd
+ADD proftpd.conf /app/code/proftpd.conf.template
+
+RUN rm -rf /var/log/proftpd && ln -s /run/proftpd /var/log/proftpd
+
+# configure supervisor
+ADD supervisor/ /etc/supervisor/conf.d/
+RUN sed -e 's,^logfile=.*$,logfile=/run/supervisord.log,' -i /etc/supervisor/supervisord.conf
+
+# add code
 ADD index.html /app/code/index.html
 ADD start.sh /app/code/start.sh
 
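Review bot: The cleanup `rm -rf /var/cache/apt /var/lib/apt/lists /etc/ssh_host_*` uses the path `/etc/ssh_host_*`, but OpenSSH keeps host keys under `/etc/ssh/ssh_host_*`, so the glob matches nothing and `rm -rf` succeeds silently; if the base image or any installed package ships host keys, they stay baked into every container built from this image. The intent is presumably to guarantee that no image-wide key is ever served — start.sh now generates per-instance keys under /app/data/sftpd and proftpd.conf references only those, so this line is belt and braces, but it should still read `/etc/ssh/ssh_host_*`. Minor: `ADD supervisor/ /etc/supervisor/conf.d/` and the other `ADD` lines only copy local paths, where `COPY` is the conventional and less surprising instruction.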

+ 0 - 19
apache2-app.conf

@@ -14,23 +14,4 @@
         </IfModule>
     </Directory>
 
-    ### WARNING the following lines will be updated dynamically by start.sh
-    Alias /webdav /app/data/public
-
-    <Location /webdav>
-        Options +Indexes
-        DirectoryIndex disabled
-        php_admin_value engine Off
-        DAV on
-        DavDepthInfinity on
-        AuthType Basic
-        AuthBasicProvider ldap
-        AuthName "Cloudron Authorization"
-        AuthLDAPURL ldap://url/basedn?username??(objectclass=user)
-        AuthLDAPBindDN abouttochange
-        AuthLDAPBindPassword abouttochange
-        Require valid-user
-    </Location>
-    ### WARNING END
-
 </VirtualHost>

+ 9 - 7
index.html

@@ -10,20 +10,22 @@
 
 <body>
 
-<h4>This works!</h4>
+<center><h4>This works!</h4></center>
 
-Use the <a href="https://cloudron.io/references/cli.html">cloudron</a> commandline tool to put files in this app or get a remote terminal similar to ssh.
-
-<br/>
 <br/>
 
-Find the <i>ldap</i>, <i>mysql</i> and other addon credentials exposed as environment variables using:
+Find the <i>ldap</i>, <i>mysql</i> and other addon credentials exposed as environment variables using the <a href="https://cloudron.io/references/cli.html">cloudron commandline tool</a>:
 <pre class="code">
 <code>cloudron exec env</code>
 </pre>
 
-For a more convenient way to manage larger file sets, there is a webdav endpoint at <a href="/webdav/" target="_blank">/webdav/</a>.
-For Windows and Mac <a href="https://cyberduck.io/" target="_blank">Cyberduck</a> is a suitable webdav client.
+You can also use SFTP to transfer files using  <a href="https://cyberduck.io/" target="_blank">Cyberduck</a>,
+<a href="https://filezilla-project.org/" target="_blank">FileZilla</a> or <a href="https://www.gftp.org/" target="_blank">gFTP</a>
+(use your cloudron credentials to authenticate).
+<pre class="code">
+<code>sftp -P ##SFTP_PORT ##SFTP_DOMAIN </code>
+</pre>
+
 
 </body>
 </html>

+ 123 - 0
proftpd.conf

@@ -0,0 +1,123 @@
+# Includes DSO modules
+Include /etc/proftpd/modules.conf
+
+# Set off to disable IPv6 support which is annoying on IPv4 only boxes.
+UseIPv6				off
+# If set on you can experience a longer connection delay in many cases.
+IdentLookups			off
+
+ServerName			"##SERVER_NAME"
+ServerType			standalone
+DeferWelcome			off
+
+MultilineRFC2228		on
+DefaultServer			on
+ShowSymlinks			on
+
+TimeoutNoTransfer		600
+TimeoutStalled			600
+TimeoutIdle			1200
+
+DisplayLogin                    welcome.msg
+DisplayChdir               	.message true
+ListOptions                	"-l"
+
+DenyFilter			\*.*/
+
+# Use this to jail all users in their homes 
+# DefaultRoot			~
+
+# Users require a valid shell listed in /etc/shells to login.
+# Use this directive to release that constrain.
+# RequireValidShell		off
+
+# Port 21 is the standard FTP port.
+Port				0
+
+# To prevent DoS attacks, set the maximum number of child processes
+# to 30.  If you need to allow more than 30 concurrent connections
+# at once, simply increase this value.  Note that this ONLY works
+# in standalone mode, in inetd mode you should use an inetd server
+# that allows you to limit maximum number of processes per service
+# (such as xinetd)
+MaxInstances			10
+
+# Set the user and group that the server normally runs at.
+User				www-data
+Group				www-data
+
+# Umask 022 is a good standard umask to prevent new files and dirs
+# (second parm) from being group and world writable.
+Umask				022  022
+# Normally, we want files to be overwriteable.
+AllowOverwrite			on
+
+TransferLog /run/proftpd/xferlog
+SystemLog   /run/proftpd/proftpd.log
+
+<IfModule mod_quotatab.c>
+QuotaEngine off
+</IfModule>
+
+<IfModule mod_ratio.c>
+Ratios off
+</IfModule>
+
+# Delay engine reduces impact of the so-called Timing Attack described in
+# http://www.securityfocus.com/bid/11430/discuss
+# It is on by default. 
+<IfModule mod_delay.c>
+DelayEngine on
+</IfModule>
+
+<IfModule mod_ctrls.c>
+ControlsEngine        off
+ControlsMaxClients    2
+ControlsLog           /var/log/proftpd/controls.log
+ControlsInterval      5
+ControlsSocket        /var/run/proftpd/proftpd.sock
+</IfModule>
+
+<IfModule mod_ctrls_admin.c>
+    AdminControlsEngine off
+</IfModule>
+
+LoadModule mod_ldap.c
+<IfModule mod_ldap.c>
+# https://forums.proftpd.org/smf/index.php?topic=6368.0
+LDAPServer "##LDAP_URL/??sub"
+LDAPBindDN "##LDAP_BIND_DN" "##LDAP_BIND_PASSWORD"
+LDAPUsers "##LDAP_USERS_BASE_DN" (username=%u)
+
+LDAPForceDefaultUID on
+LDAPDefaultUID ##LDAP_UID
+LDAPForceDefaultGID on
+LDAPDefaultGID ##LDAP_GID
+
+LDAPForceGeneratedHomedir on
+LDAPGenerateHomedir on
+LDAPGenerateHomedirPrefix /app/data/public
+LDAPGenerateHomedirPrefixNoUsername on
+
+#LDAPUseTLS off
+#LDAPLog /run/proftpd/ldap.log
+</IfModule>
+
+<IfModule mod_sftp.c>
+SFTPEngine on
+Port ##SFTP_PORT
+SFTPLog /run/proftpd/sftp.log
+
+# Configure both the RSA and DSA host keys, using the same host key
+# files that OpenSSH uses.
+SFTPHostKey /app/data/sftpd/ssh_host_rsa_key
+SFTPHostKey /app/data/sftpd/ssh_host_dsa_key
+
+SFTPAuthMethods password
+
+# Enable compression
+SFTPCompression delayed
+
+RequireValidShell off
+</IfModule>
+
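Review bot: SFTP users are not jailed: `DefaultRoot ~` stays commented out, and `LDAPGenerateHomedirPrefix /app/data/public` only picks the starting directory, so anyone matching the `LDAPUsers … (username=%u)` filter — every directory user, with no group restriction — can walk the whole container filesystem as the forced `www-data` uid, which is wider than the `/webdav` alias onto /app/data/public that this commit removes; since start.sh chowns /app/data to www-data and later executes `/app/data/run.sh` with its own privileges, that reach includes planting a start hook. Uncommenting `DefaultRoot ~` (with `LDAPGenerateHomedirPrefixNoUsername on` the generated home is exactly /app/data/public) restores the previous scope. Separately, the two `SFTPHostKey` lines register only the RSA and DSA keys: DSA host keys are fixed at 1024 bits and current OpenSSH clients refuse ssh-dss by default, so register the ECDSA key (and, if this mod_sftp build accepts it, the Ed25519 key) that start.sh already generates, and drop the DSA line.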

+ 42 - 10
start.sh

@@ -2,7 +2,7 @@
 
 set -eu
 
-mkdir -p /app/data/public /run/app /run/apache2
+mkdir -p /app/data/public /run/apache2 /run/proftpd
 
 # check if any index file exists
 for f in /app/data/public/index.*; do
@@ -18,19 +18,51 @@ if [ ! -f "/app/data/apache2-app.conf" ]; then
     cp /app/code/apache2-app.conf /app/data/apache2-app.conf
 fi
 
-sed -e "s@AuthLDAPURL .*@AuthLDAPURL ${LDAP_URL}/${LDAP_USERS_BASE_DN}?username??(objectclass=user)@" \
-    -e "s@AuthLDAPBindDN .*@AuthLDAPBindDN ${LDAP_BIND_DN}@" \
-    -e "s@AuthLDAPBindPassword .*@AuthLDAPBindPassword ${LDAP_BIND_PASSWORD}@" \
-    -i /app/data/apache2-app.conf
+# SFTP_PORT can be unset to disable SFTP
+disable_sftp="false"
+if [[ -z "${SFTP_PORT:-}" ]]; then
+    echo "SSH disabled"
+    SFTP_PORT=29418 # arbitrary port to keep sshd happy
+    disable_sftp="true"
+else
+    sed -e "s,##SERVER_NAME,${APP_DOMAIN}," \
+        -e "s/##SFTP_PORT/${SFTP_PORT}/" \
+        -e "s,##LDAP_URL,${LDAP_URL},g" \
+        -e "s/##LDAP_BIND_DN/${LDAP_BIND_DN}/g" \
+        -e "s/##LDAP_BIND_PASSWORD/${LDAP_BIND_PASSWORD}/g" \
+        -e "s/##LDAP_USERS_BASE_DN/${LDAP_USERS_BASE_DN}/g" \
+        -e "s/##LDAP_UID/$(id -u www-data)/g" \
+        -e "s/##LDAP_GID/$(id -g www-data)/g" \
+        /app/code/proftpd.conf.template > /run/proftpd/proftpd.conf
+
+    if [[ -f /app/data/public/index.html ]]; then
+        sed -e "s,##SFTP_PORT,${SFTP_PORT}," \
+            -e "s,##SFTP_DOMAIN,${APP_DOMAIN}," \
+            -i /app/data/public/index.html
+    fi
+fi
+
+if [[ ! -f "/app/data/sftpd/ssh_host_ed25519_key" ]]; then
+    echo "Generating ssh host keys"
+    mkdir -p /app/data/sftpd
+    ssh-keygen -qt rsa -N '' -f /app/data/sftpd/ssh_host_rsa_key
+    ssh-keygen -qt dsa -N '' -f /app/data/sftpd/ssh_host_dsa_key
+    ssh-keygen -qt ecdsa -N '' -f /app/data/sftpd/ssh_host_ecdsa_key
+    ssh-keygen -qt ed25519 -N '' -f /app/data/sftpd/ssh_host_ed25519_key
+else
+    echo "Reusing existing host keys"
+fi
+
+chmod 0600 /app/data/sftpd/*_key
+chmod 0644 /app/data/sftpd/*.pub
 
 ## hook for custom start script in /app/data/run.sh
 if [ -f "/app/data/run.sh" ]; then
     /bin/bash /app/data/run.sh
 fi
 
-chown -R www-data:www-data /app/data /run
+chown -R www-data:www-data /app/data /run/apache2 /run/proftpd
+
+echo "Starting supervisord"
+exec /usr/bin/supervisord --configuration /etc/supervisor/supervisord.conf --nodaemon -i Lamp
 
-echo "Starting apache"
-APACHE_CONFDIR="" source /etc/apache2/envvars
-rm -f "${APACHE_PID_FILE}"
-exec /usr/sbin/apache2 -DFOREGROUND
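Review bot: When `SFTP_PORT` is unset the script prints "SSH disabled" and skips rendering `/run/proftpd/proftpd.conf`, but nothing else changes — `disable_sftp` is never read, and supervisor/proftpd.conf in this commit still launches `proftpd -c /run/proftpd/proftpd.conf` with `autorestart=true`, so the disabled case becomes a restart loop on a missing file (the `SFTP_PORT=29418 # … keep sshd happy` line looks carried over from an sshd-based app and is dead here). Rendering the template in both cases and switching `SFTPEngine` off in the disabled one keeps proftpd alive but not serving, and `SFTP_PORT=0` makes the `Port` inside the mod_sftp block fall back to the "do not listen" meaning the file already relies on for plain FTP — worth confirming proftpd stays up with no listener at all. Two smaller points: `chown -R www-data:www-data /app/data` runs after the `chmod 0600`, so the host private keys end up readable by the www-data user that Apache/PHP and every SFTP session run as, while proftpd itself (started as root by supervisor) presumably opens them with root privileges, so `chown -R root:root /app/data/sftpd` after that line is the safer ownership; and the `sed` expressions for `LDAP_BIND_DN` and `LDAP_BIND_PASSWORD` use `/` as delimiter, so a password containing `/` aborts the script under `set -e` and an `&` is expanded by sed — pick a delimiter that cannot appear, or escape the value, as the `,` already used for `LDAP_URL` suggests.
```shell
# SFTP_PORT can be unset to disable SFTP. supervisor starts proftpd
# unconditionally, so always render its config; when disabled, turn the
# engine off and point its listener at port 0 (proftpd: do not listen).
sftp_engine="on"
if [[ -z "${SFTP_PORT:-}" ]]; then
    echo "SFTP disabled"
    SFTP_PORT=0
    sftp_engine="off"
fi

sed -e "s,##SERVER_NAME,${APP_DOMAIN}," \
    -e "s/##SFTP_PORT/${SFTP_PORT}/" \
    -e "s/^SFTPEngine on$/SFTPEngine ${sftp_engine}/" \
    -e "s,##LDAP_URL,${LDAP_URL},g" \
    -e "s|##LDAP_BIND_DN|${LDAP_BIND_DN}|g" \
    -e "s|##LDAP_BIND_PASSWORD|${LDAP_BIND_PASSWORD}|g" \
    -e "s/##LDAP_USERS_BASE_DN/${LDAP_USERS_BASE_DN}/g" \
    -e "s/##LDAP_UID/$(id -u www-data)/g" \
    -e "s/##LDAP_GID/$(id -g www-data)/g" \
    /app/code/proftpd.conf.template > /run/proftpd/proftpd.conf

if [[ "${sftp_engine}" == "on" && -f /app/data/public/index.html ]]; then
    # … unchanged: ##SFTP_PORT / ##SFTP_DOMAIN substitution in index.html …
fi

# … unchanged: host key generation, chmod, run.sh hook …

chown -R www-data:www-data /app/data /run/apache2 /run/proftpd
chown -R root:root /app/data/sftpd # host keys are opened by proftpd as root; keep them away from www-data
```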

+ 12 - 0
supervisor/apache2.conf

@@ -0,0 +1,12 @@
+[program:apache2]
+autorestart=true
+autostart=true
+command=/usr/bin/pidproxy /run/apache2/apache2.pid /bin/bash -c "source /etc/apache2/envvars && /usr/sbin/apache2 -DFOREGROUND"
+environment=APACHE_CONFDIR=""
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+stopasgroup=true
+killasgroup=true
+
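Review bot: The `command` line drops the `rm -f "${APACHE_PID_FILE}"` that the removed start.sh lines ran before starting apache, so a stale /run/apache2/apache2.pid — after supervisor's `autorestart` of a crashed apache, or if /run is not cleared between container starts — can make apache2 refuse to start with "httpd (pid N) already running" if that pid happens to be alive again, while pidproxy keeps waiting on it. Reinstating the removal inside the wrapper keeps the old behaviour: `command=/usr/bin/pidproxy /run/apache2/apache2.pid /bin/bash -c "source /etc/apache2/envvars && rm -f \"$APACHE_PID_FILE\" && exec /usr/sbin/apache2 -DFOREGROUND"`. The `exec` also removes the leftover bash sitting between pidproxy and apache.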

+ 11 - 0
supervisor/proftpd.conf

@@ -0,0 +1,11 @@
+[program:proftpd]
+directory=/
+command=/usr/sbin/proftpd --nodaemon -c /run/proftpd/proftpd.conf
+user=root
+autostart=true
+autorestart=true
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+
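Review bot: This program block lacks the `stopasgroup=true` / `killasgroup=true` that supervisor/apache2.conf in the same commit sets, and proftpd forks one child per session, so a supervisor stop or restart signals only the master and whether in-flight SFTP sessions are torn down depends on proftpd's own signal handling; adding the same two lines makes it explicit and keeps the two programs consistent. It also starts unconditionally with `-c /run/proftpd/proftpd.conf`, which start.sh renders only when `SFTP_PORT` is set, so with `autorestart=true` the disabled case needs start.sh to always write a config (or this block to be gated) to avoid a restart loop.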