Apache HTTP Server Version 2.4
Available Languages: en
The support for FTP over TLS allows you to run FTP connections securely through TLS encryption and certificate authentication support. Apache mod_ftp supports RFC-compliant TLS support through Apache's own mod_ssl.
As the FTP protocol was developed long before security through encryption became an important consideration, it was originally designed as a clear-text protocol. Both the command channel and the data channel were, and in many cases remain, unencrypted. Today, this is not desirable since the users' logins and passwords travel in the clear across the network, and could be readily detected by a malicious intruder. Conversely, a user would not easily be able to detect a spoofed server address because the server could not identify itself by certificate.
To address these limitations, the FTP over TLS protocol was developed and became an Internet Standard described in RFC 4217. The FTP over TLS protocol uses TLS connection upgrade, where the client and server negotiate their features and capabilities before upgrading to an encrypted connection.
The mod_ftp module for the Apache HTTP Server aims to implement FTP over TLS as defined by RFC 4217. The RFC describes how the FTP client and server can discover each other's security capabilities and how a client can upgrade an FTP control channel to use TLS protection. This connection upgrade behavior, similar to the SMTP over TLS standard described in RFC 3207, allows an FTP over TLS server to run on the same port as a plaintext FTP server, and offer both plaintext and protected services simultaneously.
The FTP protocol specification dictates that it is up to the
client to specify session attributes like the protection level.
The server cannot require that the client use TLS, but it can
refuse to accept any command from the client until it sends an
AUTH TLS
FTP command to upgrade the control channel
to TLS protection. See the FTPOptions
, specifically the
RequireSSL
option, to make the server refuse any FTP
command until a TLS session is established.
The use of TLS allows both the server and client to identify
themselves using standard SSL Certificates. Generally, a
certificate will be in use on the server, but the server can be
configured to request client-side certificates for
authentication. RFC 4217 requires that the client send a
USER
command even if a certificate is presented, but
the server may forego requiring a password from the client.
Since the FTP over TLS RFC was published only in 2005, several alternative approaches have arisen to secure file transfer connections. Besides the TLS connection upgrade on a normal FTP connection as defined by the RFC, another popular approach is to define a separate FTP control channel listener that can only be accessed over SSL. An SSL handshake has to be completed before even the first FTP protocol exchange can take place. This approach, known as Implicit SSL, is supported by mod_ftp. Finally, some FTP clients and server support file transfer over SSH. This approach is not supported by mod_ftp.
To implement TLS, mod_ftp uses Apache's
mod_ssl
. This means that the configuration
options for FTP over TLS are not too different from those for
HTTPS. In fact, for RFC 4217-based FTP over TLS support, no
additional configuration options are necessary above the ones you
would use to set up an HTTP over SSL virtual host. Note however
that we explicitly turn off AcceptFilter
. This is necessary because
in FTP the server initiates the protocol conversation and not the
client.
LoadModule ftp_module /usr/local/apache2/modules/mod_ftp.so
Listen 21 ftp
AcceptFilter ftp none
LogFormat "%u [%a] %r %>s" ftp_command
LogFormat "%{%b %e %H:%M:%S %Y}t %T %a %B %U %M %F %d %W %u %S %Z %Y" ftp_transfer
<VirtualHost _default_:21>
FTP On
SSLEngine on
SSLCertificateFile conf/server.crt
SSLCertificateKeyFile conf/server.key
ErrorLog logs/ftps_error_log
CustomLog logs/ftps_command_log ftp_command
CustomLog logs/ftps_transfer_log ftp_transfer env=do_transfer_log
</VirtualHost>
The configuration below is similar to the one above, except for
the FTPImplicitSSL
and the
listening port which is 990
. The AcceptFilter
is set to
data
, since the conversation starts with an SSL
handshake from the client.
LoadModule ftp_module /usr/local/apache2/modules/mod_ftp.so
Listen 990 ftps
AcceptFilter ftps data
LogFormat "%u [%a] %r %>s" ftp_command
LogFormat "%{%b %e %H:%M:%S %Y}t %T %a %B %U %M %F %d %W %u %S %Z %Y" ftp_transfer
<VirtualHost _default_:990>
FTP On
SSLEngine On
FTPImplicitSSL On
SSLCertificateFile ssl/server.crt
SSLCertificateKeyFile ssl/server.key
ErrorLog logs/ftps_error.log
CustomLog logs/ftps_command.log ftp_command
CustomLog logs/ftps_transfer.log ftp_transfer env=do_transfer_log
DocumentRoot "/usr/local/apache2/htdocs"
</VirtualHost>
An ever-growing number of FTP clients implements FTP over
TLS, and listing them all is outside the scope of this document.
A list can be found on Wikipedia.
When selecting a client, do keep in mind that the FTP over
SSH protocol (sometimes also called SFTP) is not
supported by mod_ftp
.
Available Languages: en