- Introduction
- What is virtual FTP server support ?
- Setup Overview
- Configuring IP Address Aliases
- Building the software
- Setting up the directory structure for virtual server support
- ftpaccess file Modifications
- Setting up other support files
- Supporting virtual logging
- Shutting down your virtual FTP servers
- Testing your config.
- Restarting your shutdown virtual FTP servers
- ftpaccess access information that should be supported but isn't
- Adding COMPLETE support for Virtual FTP Servers
- An Alternative Way of Supporting Virtual FTP Servers
- A Plea for Help
- Credits
- Disclaimer
So you want to setup more than one FTP server on the same machine....To make it work you will need to use the virtual server support in wu-ftpd. What follows are instructions for building the software and configuring it to use virtual servers. These instructions are not meant to hold your hand but are meant to make setting it up just a bit easier.
If you wish to manage an ftp server for two separate domains on the same machine then you need to be able to support virtual FTP servers. Basically, this allows an administrator to configure their system so a user ftping to ftp.domain1.com gets one ftp banner and one ftp directory and a user ftping to ftp.domain2.com gets another banner and directory even though they are on the same machine and use the same ports.Virtual ftp servers make supporting multiple domains a lot less costly and are easier to maintain than multiple ftp servers on multiple machines.
In order to set up a virtual ftp server environment you need to understand what it is you're about to do. What follows is a brief overview of the process ahead.Additionally, you need to know how to shutdown and restart access to your real, anonymous and virtual servers in the event you need to.
- You will be configuring your machine to respond to multiple IP addresses. This is done via IP Address Aliases described below. First, you need to acquire the IP addresses you'll need. Once you have an IP address for each virtual server you wish to setup, you are ready to proceed.
- Once you can see both addresses from the network, you will need to build and install the wu-ftpd software to support virtual servers.
- Next you need to setup up the ftp directory structure for each virtual server you wish to support. You will need to customize the banner and message files in each of the virtual server areas.
- With the directories in place you are ready to configure the ftpaccess file and specify the virtual server specific information.
- In order to be able to separate out who is logging in to what virtual server, you'll need to configure the system logging. This allows you to maintain separate logfiles depicting the activity of each virtual server.
- And finally, you need to test your configuration. Once that is accomplished you can feel pleased with yourself and begin populating the individual ftp directories with data as appropriate.
You have to be able to setup IP address aliases in order for the virtual server support in wu-ftpd to work. Linux and BSDI, FreeBSD, SGI, Solaris 2.5*, AIX and others support this. What follows are "general" instructions on how to configure IP address aliases for the specified systems. Please check your system's 'ifconfig' documentation for specific instructions.In order to make the changes to the required system files you will first need to login as root.
Configuring IP Aliases on Sun Solaris 2.5:
- Assure/place the system's normal hostname/IP address in the file /etc/hostname.le0.
- Insert the following in the system initialization file /etc/init.d/rootuser just after the if/fi test for interface_names.
#
# configure virtual host interfaces quietly.
#
/sbin/ifconfig le0:1 inet XXX.XXX.XXX.XXX netmask + broadcast + -trailers up 2>&1 > /dev/nullReplace XXX.XXX.XXX.XXX with the IP address that you wish to alias.
Configuring IP Aliases on SGI:
- Edit /etc/hosts to include IP address and the name of the virtual server
- Edit /etc/config/ipaliases.options using comments in that file as a template:
ec0 XXX.XXX.XXX.xxx netmask 0xffffff00 broadcast XXX.XXX.XXX.255
orec0 foobar netmask 0xffffff00 broadcast XXX.XXX.XXX.255
- /etc/chkconfig -f ipaliases on
Replace XXX.XXX.XXX.xxx with the IP address that you wish to alias.
Replace XXX.XXX.XXX.255 with the network's broadcast address.Configuring IP Aliases on FreeBSD:
- Edit /etc/netstart and put something like the following in.
ifconfig de0 alias XXX.XXX.XXX.XXX netmask 0xffffffff
(or use ed0 or some other netmask if appropriate)
Configuring IP Aliases on AIX:
In the way AIX is shipped, there is no direct support for IP aliases in the ODM. This does not mean that AIX does not support IP aliases, it means that IP alias info is stored in an ASCII file rather than in the ODM.Refer to the ifconfig man pages. For more info on TCP/IP configuration and tuning, review the "no" command.
- Edit the proper /etc/rc* file.
If you are currently using an ODM TCP/IP configuration, edit the file /etc/rc.net.
If you are using the traditional "BSD-style bootup method", edit the file /etc/rc.bsdnet instead.
- Add a line such as the following example.
/usr/sbin/ifconfig tr0 inet xx.xx.xx.xx netmask yy.yy.yy.yy alias 1>/dev/null 2>&1
Be sure to set the interface to the correct type if you are not using token ring (tr0) as the example shows.
After system configuration:
In order to test your new configuration it is wise to reboot your system. This assures that your system is properly configured in the event of an non-planned system halt/reboot. A problem here is that the system is probably a production server for someone else... It is recommended that you add virtual www/ftp servers to your system at a scheduled maintenance time. Also, if you are adding more than one virtual server, add them all and simply reboot a single time. If you cannot reboot then execute the appropriate ifconfig (or chkconfig) command and test the reboot when you can.Also, if not immediately rebooting, it's not a bad idea to
arp -s XXX.XXX.XXX.XXX x:x:xx:xx:xx:xx pubwhere XXX.XXX.XXX.XXX is the IP Address and where x:x:xx:xx:xx:xx is the Ethernet/whatever hardware physical address.Testing interfaces:
You need to assure you can see the interfaces using netstat and then try to ping the interface to assure it is responding. If so, your system is now ready. Now it's time to setup the FTPD server software and virtual server directories.
In order to get the virtual support compiled in you will need to add -DVIRTUAL to the CFLAGS of the appropriate Makefile if it is not already there.Note: If you are building on a
BSDI (build bdi) FreeBSD 2.0 (build fbs) Linux (build lnx) NetBSD 1.X (build nbs)then you can skip Step 1 and jump right to Step 2. Your system is already setup to build with the VIRTUAL flag.Step 1:
If you are adding this to a fresh copy of the server, just untarred, without ever having built the software edit the file in src/makefiles that matches target platform you will use in "build"ing it.Step 2:(i.e. Solaris2.x edit src/makefiles/Makefile.sol).
If you have previously built the server then the appropriate makefile has been linked into the "src" directory and all you need to do is edit src/Makefile, add -DVIRTUAL to CFLAGS and then type "build clean"
Follow the documented build and install procedures.
You will need to setup a separate directory structure for each virtual server that you plan on installing. There are various scripts available to assist you. Best to grab one and customize it for your environment so it's easier next time. Oh... there won't be a next time ? Then do it by hand making sure all the standard support directories are there (bin/etc/dev/usr/..).It is outside the scope of this document to describe specifics about setting up an FTP directory structure. Several documents exist which explain how to set up a secure anonymous ftp facility. A virtual ftp server directory structure is no different. There are just more of them.
Be sure to check you operating system's manual pages as well. There are often scripts and excellent information there to make the setup easier.If you are installing the software on a Solaris 2.5.x system, check out A How-To Guide for wu-ftpd on Solaris 2.5.x for more specific information.
You need to specify three separate things for each virtual server you setup.The format of a virtual server entry is
- root - This it the path to the ftp directory that you previously setup for this virtual server.
- banner - This it the path to banner you wish displayed when a user connects to the virtual server.
- logfile - This is the path to the logfile that is setup specifically for this virtual server.
virtual <address> <root | banner | logfile> <path><address> is the IP address of the virtual server. The second argument specifies the <path> is either the path to the root of the filesystem for this virtual server, the banner presented to the user when connecting to this virtual server, or the logfile where transfers are recorded for this virtual server. If the logfile is not specified the default logfile will be used.For example, add lines similar to the following for each virtual server you are trying to set up.
# Virtual Server at 10.10.10.10All other message files and permissions as well as any other settings in the ftpaccess file apply to all virtual servers.
virtual 10.10.10.10 root /var/ftp/virtual/ftp-serv
virtual 10.10.10.10 banner /var/ftp/virtual/ftp-serv/banner.msg
virtual 10.10.10.10 logfile /var/log/ftp/virtual/ftp-serv/xferlog
You will need to make sure that any file referenced after the chroot(~ftp) are in the virtual server directories. Those files areYou will need to customize the banner, welcome and other message files for each virtual server directory.
- all messages (deny, welcome, etc.)
- _PATH_EXECPATH files
NOTE: all the other ftp configuration files, and permissions and other settings in the ftpaccess file apply to all virtual servers.
There are two different types of logging, the standard syslog logging and transfer logging. In order to separate transfer (or xferlog) logging it is necessary to use the virtual "logfile" entry as described above.To enable logging via syslog, follow the standard syslog configuration instructions found in your system's documentation. Make sure you are using the same syslog 'facility' as is compiled into your wu-ftpd software. By default, 'daemon' is used. If you would like to change this, change the 'FACILITY' define in config.h.
If you have syslog logging enabled you will see entries such as
Mar 3 15:26:30 rkive ftpd[27207]: VirtualFTP Connect to: xxx.xxx.xxx.xxx
This enables you to determine which virtual server the log records pertain to.
You will need to test each and every new virtual server you install. Make sure that you have the appropriate permissions and are getting the right results. Only you will know what is right for you.Also, if you have existing FTP server areas on your system, test and make sure that something you did to the ftpaccess file did not break what use to work.
In order to support the proper shutting down of your server, you need to assure the shutdown message file is created in both the real user and anonymous user ftp areas. The location of the shutdown message file is specified in the ftpaccess file "shutdown" directive.In the INSTALL file of wu-ftpd 2.4.* it is recommended to create a link to where the shutdown message file would be in order for shutdown to work properly for real and anonymous user. The problem is the supplied utility, 'ftpshut', only creates the shutdown message file in the actual location as indicated in the shutdown directive and not in the anonymous FTP area. It also does not have support for virtual server shutdown. And when you are ready to restart your servers, you need to remove the shutdown message file. Currently, you have to do so manually.
In order to overcome this, you need to grab the ftpshut/ftprestart utilities modified/written by Kent Landfield. His copy of ftpshut.c is a complete replacement for the BETA-13 version and supports shutting down the server for real users and guest/anonymous accounts. It also has support for virtual FTP servers. It creates shutdown message files in all appropriate locations.
It has been submitted for inclusion in the baseline so expect to see it appear in a later version of wu-ftpd.
When you are ready to restart your ftp servers you will need to remove the shutdown message files. If using the existing 'ftpshut' you will need to manually remove all the shutdown message files.If you have gotten a copy of the ftpshut/ftprestart utilities described above then simply type 'ftprestart'.
ftprestart is used when you are ready to re-enable your FTP server. It does the opposite of ftpshut and removes shutdown message files that were created by ftpshut. It will remove the system-wide shutdown message file as well as the shutdown message files in the anonymous ftp areas and any virtual ftp server areas.
- It would be useful to have the "email" directive supported. Then you would be able to specify %E in the banner and welcome message files. Today it is not supported and there is only one email directive allowed.
- The "guestserver" directive is not documented in the manpage. It would useful to be able to use that in a virtual setup.
- shutdown - virtual server
If you're looking for a way to support all directives in the ftpaccess file for your virtual sites, check out Kent Landfield's "A New Way of Supporting Virtual Hosts in WU-FTPD" page. It is currently in final beta before being sent to Stan for possible inclusion in the baselined wu-ftpd software.
There is also another alternative method of setting up virtual ftp servers that supplies support for the full set of directives such as e-mail, upload, guestserver, etc. This entails setting up the virtual server support using tcpwrappers.Instructions (a little loose for an exact step by step, but it's a start):
Read all of these instructions before starting.
- Get the ftpaccess patch from the directory
ftp://ftp.meme.com/pub/software/wu-ftpd-2.4.2/
It's there as a tar file, a gzipped tar file a rpm file, and just a directory with the patch and a README.
NOTE: This patch works on beta 11. While I haven't tried this patch with beta 12 or beta 13, unless there's radical revision to the command line parsing code, very unlikely, or radical revision to the code that opens ftpaccess (and what would change this? Just calls open) it should continue to work.
Please contact me,Karl O. Pinc <kop@meme.com> if you have any problems in later releases and I'll fix it.) Read the README and put the patch in with "patch".
- Recompile and re-install wu-ftpd.
You now have a ftpd that will take an argument to -a, the path to the ftpaccess file.
- Get a copy of tcpwrappers. It can be found at
ftp://ftp.win.tue.nl/pub/security
(Every system providing services to the net should have a copy of this anyhow.) Read the directions. Compile it with full options so the TWIST command will work. Install it. (If you're using Redhat Linux, it comes with tcpwrappers ready to go.)
- Configure your virtual servers: Make /etc/ftpaccess a directory, put different ftpaccess files into it, using file names of your choosing. Remove the virtual directives and anything else needed by the virtual servers from the old /etc/ftpaccess file and move it into /etc/ftpaccess. Each virtual server can have it's own ftpaccess file, or they can share. The different ftpaccess files can contain completely different sets of directives as each configuration file can configure a single virtual server. The ftpaccess file of a virtual server doesn't need to have any configuration directives not used by that virtual server, so it doesn't need virtual commands for any of the other virtual servers and it doesn't need class directives or whatnot used only by the regular ftp server.
Note that there needs to be a line like
virtual 10.10.10.10 root /var/ftp/virtual/ftp-serv
for each virtual ftp server in the ftpaccess file used by the virtual server. This line directs the virtual server to the approprite root directory for anonymous ftp access. If this directive is not present the home directory of the "ftp" user will be used as root for anonymous ftp to the virtual server.
- Use tcpwrappers to give ftpd a different command line for each virtual server, directing each virtual server to the appropriate ftpaccess file:
- Modify /etc/inetd.conf to invoke tcpwrapper. On my system the new line for the ftp port looks like:
ftp stream tcp nowait root /usr/sbin/tcpd /usr/local/sbin/ftpd
- Add a line to /etc/hosts.allow for the real ftp server and for each virtual ftp server. Use the -a option to tell ftpd which ftpaccess file to use for each server. On my system a typical line looks like:
ftpd@204.128.247.214 : ALL : twist exec /usr/local/sbin/ftpd -l -a /etc/ftpaccess/x.meme.com
Note that the IP number is the IP number used by the ftp server, the same as that in the ftpaccess virtual directive.
Note: with an "ftproot" directive to tell the ftp server a path to use as root for anonymous ftp access, the virtual directives become completely unnecessary. This would be handy because it would reduce the spattering of IP numbers about the system (and simplify the ftpd code.)
NOTE: I'd like to put in information about other systems in this FAQ. If you are successfully running virtual FTP servers on a system that is not listed in this document, please send me the instructions and I'll gladly add them along with the appropriate Credits below.
- Virtual ftp server support was initially added by Brian Kramer <bjkramer@pluto.njcc.com>
- Modifications to provide for discrete xferlogs for each server provided by Marc G. Fournier <scrappy@ki.net>.
- "An Alternative Way of Supporting Virtual FTP Servers" supplied by Karl O. Pinc <kop@meme.com> of The Meme Factory, Inc.
- Information on FreeBSD (and general editing/corrections) supplied by Perry.Rovers@IAEhv.NL and Mikhail A. Sokolov.
- Information on AIX supplied by Gilles Ciselet.
- And, as always, many thanks to Stan Barber <sob@academ.com> for supporting wu-ftpd as he has. A massive amount of work has been done by Stan and it shows. Thanks!
- This FAQ was compiled by Kent Landfield <kent@landfield.com>.
- This document describes the virtual FTP server support available in Academ version of wu-ftpd 2.4 Release 2 Beta 10 on. I do not warrant the descriptions and instructions in this document. Use it AT YOUR OWN RISK. This is only meant as a shortcut to having to try everything to see what works. If it causes your computer to blow up, TOUGH!
- Your operating system may not support the virtual server feature. It has been tested on BSD/OS, Solaris 2.X, FreeBSD, SGI and Linux. If you test it and find that it works, please let me know and I will add your operating system's information here so others can benefit from it.