trAvis - MANAGER

Edit File: mod_core.html

<html>
<head>
<title>ProFTPD module mod_core</title>
</head>

<hr>
<center>
<h2>ProFTPD module <code>mod_core</code></h2>
</center>
<hr>

The <code>mod_core</code> module handles most of the core FTP commands.

<h2>Directives</h2>
<ul>
 <li><a href="#AllowFilter">AllowFilter</a>
 <li><a href="#AuthOrder">AuthOrder</a>
 <li><a href="#DebugLevel">DebugLevel</a>
 <li><a href="#DefaultAddress">DefaultAddress</a>
 <li><a href="#DenyFilter">DenyFilter</a>
 <li><a href="#DisplayChdir">DisplayChdir</a>
 <li><a href="#DisplayConnect">DisplayConnect</a>
 <li><a href="#DisplayQuit">DisplayQuit</a>
 <li><a href="#GroupOwner">GroupOwner</a>
 <li><a href="#HideGroup">HideGroup</a>
 <li><a href="#HideNoAccess">HideNoAccess</a>
 <li><a href="#HideUser">HideUser</a>
 <li><a href="#Include">Include</a>
 <li><a href="#MasqueradeAddress">MasqueradeAddress</a>
 <li><a href="#MaxCommandRate">MaxCommandRate</a>
 <li><a href="#MaxConnectionRate">MaxConnectionRate</a>
 <li><a href="#MaxInstances">MaxInstances</a>
 <li><a href="#PassivePorts">PassivePorts</a>
 <li><a href="#PathAllowFilter">PathAllowFilter</a>
 <li><a href="#PathDenyFilter">PathDenyFilter</a>
 <li><a href="#Port">Port</a>
 <li><a href="#ProcessTitles">ProcessTitles</a>
 <li><a href="#Protocols">Protocols</a>
 <li><a href="#ScoreboardFile">ScoreboardFile</a>
 <li><a href="#ScoreboardMutex">ScoreboardMutex</a>
 <li><a href="#ServerIdent">ServerIdent</a>
 <li><a href="#ServerType">ServerType</a>
 <li><a href="#SocketBindTight">SocketBindTight</a>
 <li><a href="#SocketOptions">SocketOptions</a>
 <li><a href="#SyslogFacility">SyslogFacility</a>
 <li><a href="#SyslogLevel">SyslogLevel</a>
 <li><a href="#TCPBacklog">TCPBacklog</a>
 <li><a href="#TimeoutIdle">TimeoutIdle</a>
 <li><a href="#TimeoutLinger">TimeoutLinger</a>
 <li><a href="#Trace">Trace</a>
 <li><a href="#TraceLog">TraceLog</a>
 <li><a href="#TraceOptions">TraceOptions</a>
 <li><a href="#TransferLog">TransferLog</a>
 <li><a href="#Umask">Umask</a>
 <li><a href="#UserOwner">UserOwner</a>
 <li><a href="#VirtualHost">&lt;VirtualHost&gt;</a>
</ul>

<hr>
<h2><a name="AllowFilter">AllowFilter</a></h2>
Syntax: AllowFilter pattern [flags] 
Default: None 
Context: &quot;server config&quot;, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code>, <code>&lt;Anonymous&gt;</code>,
<code>&lt;Directory&gt;</code>, .ftpaccess 
Module: mod_core 
Compatibility: 1.2.0pre7 and later

The <code>AllowFilter</code> allows the configuration of a regular expression
pattern that must be matched for all command arguments sent to
ProFTPD. It is extremely useful in controlling what characters may be sent in
a command to ProFTPD, preventing some possible types of attacks against ProFTPD.

The regular expression pattern is applied against the arguments to the
command sent by the client, so care must be taken when creating a proper regex.
Commands that fail the regex match result in a "Forbidden command" error being
returned to the client. If the pattern contains whitespace, it
must be enclosed in quotes.

The optional flags parameter, if present, modifies how the
givenpattern will be evaludated. The supported flags are:
<ul>
 <li>nocase|NC (no case) 
 This makes the pattern case-insensitive, i.e. there is
 no difference between 'A-Z' and 'a-z' when pattern is matched
 against the path
 </li>
</ul>

The example below allows commands which contain alphanumeric characters and
whitespace:
<pre>
 AllowFilter "^[a-zA-Z0-9 ,]*$"
</pre>

The <a href="../howto/Filters.html">Filters</a> howto covers filtering in
greater detail.

See also: <a href="#DenyFilter"><code>DenyFilter</code></a>, <a href="#PathAllowFilter"><code>PathAllowFilter</code></a>, <a href="#PathDenyFilter"><code>PathDenyFilter</code></a>

<hr>
<h2><a name="AuthOrder">AuthOrder</a></h2>
Syntax: AuthOrder module-name1 ... 
Default: mod_auth_file.c mod_auth_unix.c 
Context: &quot;server config&quot;, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code> 
Module: mod_core 
Compatibility: 1.2.8rc1 and later

The <code>AuthOrder</code> directive configures the names of auth modules, and
the order in which they will be checked when authenticating a client.

At least one module name must be given; there is no maximum number of
modules that can be listed. The listed module names must the full name of the
source file, e.g. "mod_auth_unix.c". To see a full list of module names,
use:
<pre>
 $ proftpd -l
</pre>
Do not use "mod_auth.c", as that module is the authentication front end
module, and is necessary. Also, do not use "mod_auth_pam.c" as the only module,
as that module does not provide, by itself, all of the information needed
by proftpd for authenticating a client.

You can make an auth module be "authoritative" by appending an asterisk (*)
after the module name. Usually this is done for the "mod_auth_pam.c" module,
to ensure that the login fails if the PAM check fails.

Examples
<pre>
 # Use only AuthUserFiles when authenticating, and not the system's /etc/passwd
 AuthOrder mod_auth_file.c

# If the user's information is not in LDAP, they're not a user to use
  # this server.
  AuthOrder mod_ldap.c

# Use SQL tables first, then LDAP, for authentication
  AuthOrder mod_sql.c mod_ldap.c

# Use the normal system /etc/passwd and PAM, but make sure that PAM is
 # authoritative about accepting or rejecting the login
 AuthOrder mod_auth_pam.c* mod_auth_unix.c
</pre>

<hr>
<h2><a name="DebugLevel">DebugLevel</a></h2>
Syntax: DebugLevel level 
Default: DebugLevel 0 
Context: &quot;server config&quot;, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code> 
Module: mod_core 
Compatibility: 1.2.8rc1 and later

The <code>DebugLevel</code> directive configures the debugging level the
server will use when logging. The level parameter must be between 0
and 10. This directive will take precedence over any
<code>-d</code>/<code>--debug</code> command-line debugging option used.

The <a href="../howto/Logging.html#Syslog">Logging</a> howto covers logging in
greater detail.

<hr>
<h2><a name="DefaultAddress">DefaultAddress</a></h2>
Syntax: DefaultAddress ip-address|dns-name [ip-address|dns-name ...] 
Default: None 
Context: &quot;server config&quot; 
Module: mod_core 
Compatibility: 1.2.7rc1 and later

The <code>DefaultAddress</code> directive sets the the address to which the
main server instance (i.e. the server configured by the "server config"
context) will bind. The default behaviour is to select whatever IP address
is reported by the operating system as the primary IP address.

Starting with <code>proftpd-1.3.0rc1</code>, it is possible to use more than
one FQDN or IP address.

Examples
<pre>
 ServerName "Default FTP Server"
 Port 21

# We want the main server instance to listen on a specific IP
  DefaultAddress 192.168.10.30

# Since 1.3.0rc1 it's also possible to use the following:
 DefaultAddress 192.168.10.30 my.domain.tld
</pre>

In <code>proftpd-1.3.5rc1</code>, the <code>DefaultAddress</code> directive
also handles names which indicates the device-name (or
interface-name); the IP address associated with this device/interface
will be used. For example, you can use:
<pre>
 DefaultAddress eth0
</pre>
Using the device/interface name is useful in cases where the same
<code>proftpd.conf</code> file is going to be deployed to multiple different
machines, which will have the same device/interface names but different IP
addresses.

See also: <a href="VirtualHost"><code>&lt;VirtualHost&gt;</code></a>

<hr>
<h2><a name="DenyFilter">DenyFilter</a></h2>
Syntax: DenyFilter pattern [flags] 
Default: None 
Context: &quot;server config&quot;, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code>, <code>&lt;Anonymous&gt;</code>,<code>&lt;Directory&gt;</code>, .ftpaccess 
Module: mod_core 
Compatibility: 1.2.0pre7 and later

The <code>DenyFilter</code> directive, like the <code>AllowFilter</code>
directive, specifies a regular expression pattern which must not
match any of the command arguments. If the pattern does match, a
"Forbidden command" error is returned to the client. This can be especially
useful for forbidding certain command argument combinations from ever reaching
ProFTPD.

Note that the <code>PASV</code> SFTP command cannot be blocked using
this directive.

For example, to reject commands which contain the percent (<code>%</code>)
character, you could use:
<pre>
 DenyFilter "%"
</pre>

The <a href="../howto/Filters.html">Filters</a> howto covers filtering in
greater detail.

See also: <a href="#AllowFilter"><code>AllowFilter</code></a>, <a href="#PathAllowFilter"><code>PathAllowFilter</code></a>, <a href="#PathDenyFilter"><code>PathDenyFilter</code></a>

<hr>
<h2><a name="DisplayChdir">DisplayChdir</a></h2>
Syntax: DisplayChdir filename ["on"|"off"] 
Default: None 
Context: &quot;server config&quot;, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code>, <code>&lt;Anonymous&gt;</code>, <code>&lt;Directory&gt;</code> 
Module: mod_core 
Compatibility: 1.3.1rc1 and later

The <code>DisplayChdir</code> directive configures the name of a text file that
will be displayed to the user, every time they change into a directory. If the
text file should only be displayed once to the client, the first time
they change into the directory (or if <code>proftpd</code> detects that the
<code>DisplayChdir</code> file has been changed since it was last displayed
to the client), then set the optional second parameter to on or
true.

If the filename is relative, it is looked for in the directory that
the user has changed into. Note that for anonymous ftp logins,
filename must reside within the <code>chroot()</code>ed
directory. If filename cannot be found or accessed, no error occurs
and nothing is logged or displayed to the client.

See the <a href="../howto/DisplayFiles.html">Display files</a> howto for
more information on the variables that can be used in a
<code>DisplayChdir</code> file.

See also: <a href="#DisplayConnect"><code>DisplayConnect</code></a>, <a href="#DisplayQuit"><code>DisplayQuit</code></a>

<hr>
<h2><a name="DisplayConnect">DisplayConnect</a></h2>
Syntax: DisplayConnect filename 
Default: None 
Context: &quot;server config&quot;, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code> 
Module: mod_core 
Compatibility: 1.2.0pre2 and later

The <code>DisplayConnect</code> directive configures the filename of a
text file that will be displayed to the user when they initially connect,
before they login. The filename can be either relative or
absolute. In the case of a relative filename, the file is searched for
starting in the home directory of the <code>User</code> as which the server is
running. As this can lead confusion, absolute pathnames are highly
recommended. If filename cannot be found or accessed, no error
occurs and nothing is logged or displayed to the client.

See the <a href="../howto/DisplayFiles.html">Display files</a> howto for
more information on the variables that can be used in a
<code>DisplayConnect</code> file.

See also: <a href="#DisplayChdir"><code>DisplayChdir</code></a>,
<a href="#DisplayQuit"><code>DisplayQuit</code></a>

<hr>
<h2><a name="DisplayQuit">DisplayQuit</a></h2>
Syntax: DisplayQuit filename 
Default: None 
Context: &quot;server config&quot;, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code>, <code>&lt;Anonymous&gt;</code> 
Module: mod_core 
Compatibility: 1.2.0pre8 and later

The <code>DisplayQuit</code> directive configures the filename of a
text file that will be displayed to the user when they explicitly end the
FTP session using the <code>QUIT</code> command. The filename can be
either relative or absolute. In the case of a relative filename, the file is
searched for starting in the home directory of the logged-in user. Note:
if the session is restricted via <code>chroot</code>, either by the
<code>DefaultRoot</code> directive or because its an
<code>&lt;Anonymous&gt;</code> login, then filename must reside
within the <code>chroot()</code> directory. As this can lead confusion,
absolute pathnames are highly recommended. If filename cannot
be found or accessed, no error occurs and nothing is logged or displayed to
the client.

See the <a href="../howto/DisplayFiles.html">Display files</a> howto for
more information on the variables that can be used in a
<code>DisplayQuit</code> file.

See also: <a href="#DisplayChdir"><code>DisplayChdir</code></a>,
<a href="#DisplayConnect"><code>DisplayConnect</code></a>

<hr>
<h2><a name="GroupOwner">GroupOwner</a></h2>
Syntax: GroupOwner group-name|"~" 
Default: None 
Context: <code>&lt;Anonymous&gt;</code>, <code>&lt;Directory&gt;</code>, .ftpaccess 
Module: mod_core 
Compatibility: 0.99.0 and later

The <code>GroupOwner</code> directive configures which group (via the
group-name parameter) will own all newly created directories and files,
within the configuration context that <code>GroupOwner</code> is set. The
group ID of group-name cannot be 0.

Note that <code>GroupOwner</code> cannot be used to override the operating
system/filesystem user/group paradigm. If the current user is not a member of
the specified group, new files and directories cannot be <code>chown()</code>ed
to the <code>GroupOwner</code> group. If this happens, the <code>STOR</code>
and <code>MKD</code>/<code>XMKD</code> FTP commands will succeed normally,
however the new directory entries will be owned by the current user's default
group (and a warning message logged). However, if you also use
the <code>UserOwner</code> directive in the same configuration context, this
restriction is lifted.

Some operating systems (e.g. FreeBSD) will use the GID of the parent
directory where the new file/directory is created, rather than GID of
the logged-in user which creates the new file/directory. To force the GID
of the newly created file to be that of the logged-in user, use:
<pre>
 # The tilde (~) syntax uses the GID of the logged-in user
 GroupOwner ~
</pre>

See also: <a href="#UserOwner"><code>UserOwner</code></a>

<hr>
<h2><a name="HideGroup">HideGroup</a></h2>
Syntax: HideGroup group-name 
Default: None 
Context: <code>&lt;Anonymous&gt;</code>, <code>&lt;Directory&gt;</code> 
Module: mod_core 
Compatibility: 0.99.0 and later

The <code>HideGroup</code> directive configures a <code>&lt;Directory&gt;</code>
or <code>&lt;Anonymous&gt;</code> section to hide all directory entries owned
by the specified group-name. The group-name can also be
<code>~</code> (tilde), which is evaluated as the group-name of
the primary group of the logged-in user. This can be combined with a prefix
<code>!</code> (exclamation point) character, e.g. "!~", to mean
"any group that is not the primary group of the logged-in-user".

Normally, hidden directories and files cannot be seen via <code>LIST</code> or
<code>NLST</code> commands but can be operated on via other FTP commands
(<code>CWD</code>, <code>DELE</code>, <code>RETR</code>, etc). This
behavior can be modified via the <code>IgnoreHidden</code> directive.

Examples:
<pre>
 &lt;Directory path&gt;
 # Hide all files belonging to group 'wheel'
 HideGroup wheel

# Hide all files belonging to the primary group of the logged-in user
    HideGroup ~

# Hide all files that are NOT owned by the primary group of the logged-in
 # user
 HideGroup !~
 &lt;/Directory&gt;
</pre>

See also: <a href="#HideUser"><code>HideUser</code></a>, <a href="#HideNoAccess"><code>HideNoAccess</code></a>, <a href="#IgnoreHidden"><code>IgnoreHidden</code></a>

<hr>
<h2><a name="HideNoAccess">HideNoAccess</a></h2>
Syntax: HideNoAccess on|off 
Default: None 
Context: <code>&lt;Anonymous&gt;</code>, <code>&lt;Directory&gt;</code> 
Module: mod_core 
Compatibility: 0.99.0 and later

The <code>HideNoAccess</code> directive configures a
<code>&lt;Directory&gt;</code> or <code>&lt;Anonymous&gt;</code> section to
hide all directory entries in a directory listing (e.g. via the
<code>LIST</code> or <code>NLST</code> FTP commands) to which the current
logged-in, authenticated user has no access. Normal Unix-style permissions
always apply, so that although a user may not be able to see a directory
entry that has "HideNoAccess on" applied, they will receive a normal
"Permission denied" error message when attempting to blindly manipulate the
file system object. The directory or file can be made completely invisible to
all FTP commands by applying <code>IgnoreHidden</code> in conjunction with
<code>HideNoAccess</code>.

See also: <a href="#HideGroup"><code>HideGroup</code></a>, <a href="#HideUser"><code>HideUser</code></a>, <a href="#IgnoreHidden"><code>IgnoreHidden</code></a>

<hr>
<h2><a name="HideUser">HideUser</a></h2>
Syntax: HideUser user-name 
Default: None 
Context: <code>&lt;Anonymous&gt;</code>, <code>&lt;Directory&gt;</code> 
Module: mod_core 
Compatibility: 0.99.0 and later

The <code>HideUser</code> directive configures a <code>&lt;Directory&gt;</code>
or <code>&lt;Anonymous&gt;</code> section to hide all directory entries owned
by the specified user-name. The user-name can also be
<code>~</code> (tilde), which is evaluated as the user-name of
the logged-in user. This can be combined with a prefix <code>!</code>
(exclamation point) character, e.g. "!~", to mean "any user that is not
the logged-in-user".

Examples:
<pre>
 &lt;Directory path&gt;
 # Hide all files belonging to user 'root'
 HideUser root

# Hide all files belonging to the logged-in user
    HideUser ~

# Hide all files that are NOT owned by the logged-in user
 HideUser !~
 &lt;/Directory&gt;
</pre>

See also: <a href="#HideGroup"><code>HideGroup</code></a>, <a href="#HideNoAccess"><code>HideNoAccess</code></a>, <a href="#IgnoreHidden"><code>IgnoreHidden</code></a>

<hr>
<h2><a name="Include">Include</a></h2>
Syntax: Include path|pattern 
Default: None 
Context: server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code>, <code>&lt;Anonymous&gt;</code>, <code>&lt;Directory&gt;</code> 
Module: mod_core 
Compatibility: 1.2.10rc1 and later

The <code>Include</code> directive allows inclusion of other configuration
files from within the server configuration files.

Shell-style (<code>fnmatch(3)</code>) wildcard characters can be used to
include several files at once, in alphabetical order. (If no matches for
the pattern are found, the <code>Include</code> directive is silently ignored.)
In addition, if <code>Include</code> points to a directory, rather than a file,
then <code>proftpd</code> will read all files in that directory. Note
that including entire directories is not recommended, as it is easy to
accidentally leave temporary files in a directory that can cause
<code>proftpd</code> to fail.

The path must be an absolute path.

Examples:
<pre>
 Include /etc/proftpd/conf/tls.conf
 Include /etc/proftpd/conf/vhosts/*.conf
</pre>

<hr>
<h2><a name="MasqueradeAddress">MasqueradeAddress</a></h2>
Syntax: MasqueradeAddress ip-address|dns-name|device-name 
Default: None 
Context: server config, <code>&lt;VirtualHost&gt;</code> 
Module: mod_core 
Compatibility: 1.2.2 and later

The <code>MasqueradeAddress</code> directive causes the server to display the
network information for the specified IP address or DNS hostname to the client
in the responses to <code>PASV</code> and <code>EPSV</code> FTP commands, on
the assumption that that IP address or DNS host is acting as a NAT gateway or
port forwarder for the server. For example:
<pre>
 MasqueradeAddress nat-gw.mydomain.com 
</pre>

The <code>MasqueradeAddress</code> directive also handles a parameter which
indicates the device-name (or interface-name); the IP address
associated with this device/interface will be used. For example, you can
use:
<pre>
 MasqueradeAddress eth0
</pre>
Using the device/interface name is useful in cases where the same
<code>proftpd.conf</code> file is going to be deployed to multiple different
machines, which will have the same device/interface names but different IP
addresses.

<hr>
<h2><a name="MaxCommandRate">MaxCommandRate</a></h2>
Syntax: MaxCommandRate count [secs] 
Default: None 
Context: server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code> 
Module: mod_core 
Compatibility: 1.3.4rc2 and later

The <code>MaxCommandRate</code> directive is used to configure a maximum
number of commands per time interval, after which <code>proftpd</code> will
start injecting a delay before handling the command. The more over the
configured command/sec rate the client is, the longer the delay. This feature
is used to "throttle" automated and/or malicious clients.

For example:
<pre>
 MaxCommandRate 200
</pre>
sets a maximum command rate of 200 commands per sec. Or:
<pre>
 MaxCommandRate 500 2
</pre>
sets a maximum command rate of 500 commands every 2 seconds.

<hr>
<h2><a name="MaxConnectionRate">MaxConnectionRate</a></h2>
Syntax: MaxConnectionRate count [interval] 
Default: None 
Context: server config 
Module: mod_core 
Compatibility: 1.2.7rc1 and later

The <code>MaxConnectionRate</code> directive is used to configure a maximum
count of connections per time interval (in seconds). If
this connection rate is reached, <code>proftpd</code> will simply close
additional connections, until the connection rate drops below the threshold.
The default interval is 1 second.

For example:
<pre>
 MaxConnectionRate 200
</pre>
sets a maximum connection rate of 200 connections per sec. Or:
<pre>
 MaxConnectionRate 500 2
</pre>
sets a maximum connection rate of 500 connections every 2 seconds.

<hr>
<h2><a name="MaxInstances">MaxInstances</a></h2>
Syntax: MaxInstances count 
Default: None 
Context: server config 
Module: mod_core 
Compatibility: 1.1.6p11 and later

The <code>MaxInstances</code> directive configures the maximum number of child
(session) processes that may be spawned by the <code>proftpd</code> daemon
process when running with "ServerType standalone" configured. The directive
has no effect when <code>proftpd</code> is configured with "ServerType inetd".

Each <code>proftpd</code> child process represents a single client connection,
and thus this directive also controls the maximum number of simultaneous
connections allowed. Additional connections beyond the configured limit are
logged, and silently disconnected. The <code>MaxInstances</code> directive
can be used to prevent undesirable denial-of-service attacks (e.g.
by repeatedly connecting to the FTP control port, a malicious client could try
to cause <code>proftpd</code> to repeatedly fork new processes, creating a
"fork-bomb"). By default, no limit is placed on the number of child
processes that may run at one time; it is highly recommended that a
maximum number, suitable to your sites traffic, be configured.

<hr>
<h2><a name="PassivePorts">PassivePorts</a></h2>
Syntax: PassivePorts min max 
Default: None 
Context: server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code> 
Module: mod_core 
Compatibility: 1.2.0rc2 and later

The <code>PassivePorts</code> directive restricts the range of ports from which
the server will select, when the client sends the <code>PASV</code> or
<code>EPSV</code> commands (i.e. requesting a passive data transfer).
The server will randomly choose a number from within the specified range until
an open port is found. Should no open ports be found within the 
configured range, the server will default to a random kernel-assigned port,
and a message logged.

The port range configured must be in the non-privileged range
(e.g. greater than or equal to 1024); it is STRONGLY RECOMMENDED
that the chosen range be large enough to handle many simultaneous passive
connections (for example, 49152-65534, the IANA-registered ephemeral port
range). The smaller your configured port range is, the greater the
chance that all of those ports will be in use (depending on the traffic to your
FTP server), and thus the greater the chance that a port outside that range
will be configured.

Example:
<pre>
 # Use the IANA registered ephemeral port range
 PassivePorts 49152 65534
</pre>

Note: Many admins wonder why the recommended port range is so large.
The answer is that there is really no value in having a small range. ProFTPD
does NOT automatically listen on these ports. For those people who are
worried about port scanning, having a larger <code>PassivePorts</code> range
will not mean that port scans will show those ports as being open AND that
something is listening there. Conversely, the question to ask yourself as
an administrator is: why do you think you need such a small
<code>PassivePorts</code> range?

<hr>
<h2><a name="PathAllowFilter">PathAllowFilter</a></h2>
Syntax: PathAllowFilter pattern [flags] 
Default: None 
Context: server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code>, <code>&lt;Anonymous&gt;</code>, <code>&lt;Directory&gt;</code>, .ftpaccess 
Module: mod_core 
Compatibility: 1.1.7 and later

The <code>PathAllowFilter</code> directive allows the configuration of a
regular expression pattern that must be matched for all newly
uploaded (stored) files. The regular expression is applied against the entire
pathname specified by the client, so care must be taken when creating a proper
regex. Paths that fail the regex match result in a "Forbidden filename" error
being returned to the client. If the regular expression pattern 
parameter contains whitespace, it must be enclosed in quotes.

For example:
<pre>
 # Only allow a-z 0-9 . - _ in file names
 PathAllowFilter ^[a-z0-9._-]+$

# As above but with upper case characters as well
 PathAllowFilter ^[A-Za-z0-9._-]+$
</pre>

The optional flags parameter, if present, modifies how the given
pattern will be evaludated. The supported flags are:
<ul>
 <li>nocase|NC (no case) 
 This makes the pattern case-insensitive, i.e. there is
 no difference between 'A-Z' and 'a-z' when pattern is matched
 against the path
 </li>
</ul>

The <a href="../howto/Filters.html">Filters</a> howto covers filtering in
greater detail.

See also: <a href="#PathDenyFilter"><code>PathDenyFilter</code></a>

<hr>
<h2><a name="PathDenyFilter">PathDenyFilter</a></h2>
Syntax: PathDenyFilter pattern [flags] 
Default: None 
Context: server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code>, <code>&lt;Anonymous&gt;</code>, <code>&lt;Directory&gt;</code>, .ftpaccess 
Module: mod_core 
Compatibility: 1.1.7 and later

Similar to the <a href="#PathAllowFilter"><code>PathAllowFilter</code></a>
directive, <code>PathDenyFilter</code> specifies a regular expression
pattern which must not match any uploaded pathnames. If the
regex does match, a "Forbidden filename" error is returned to the client.
This can be especially useful for forbidding .ftpaccess or .htaccess files.

For example:
<pre>
 # We don't want .ftpaccess or .htaccess files to be uploaded
 PathDenyFilter "(\\.ftpaccess|\\.htaccess)$"
</pre>

The optional flags parameter, if present, modifies how the given
pattern will be evaludated. The supported flags are:
<ul>
 <li>nocase|NC (no case) 
 This makes the pattern case-insensitive, i.e. there is
 no difference between 'A-Z' and 'a-z' when pattern is matched
 against the path
 </li>
</ul>

The <a href="../howto/Filters.html">Filters</a> howto covers filtering in
greater detail.

See also: <a href="#PathAllowFilter"><code>PathAllowFilter</code></a>

<hr>
<h2><a name="Port">Port</a></h2>
Syntax: Port number 
Default: Port 21 
Context: server config, <code>&lt;VirtualHost&gt;</code> 
Module: mod_core 
Compatibility: 0.99.0 and later

The <code>Port</code> directive configures the TCP port to which
<code>proftpd</code> will listen while running in standalone mode. This
directive has no effect when used on a server running in inetd mode;
see <a href="#ServerType"><code>ServerType</code></a>. The directive can be
used in conjunction with
<a href="#VirtualHost"><code>&lt;VirtualHost&gt;</code></a> in order to run a
virtual server on the same IP address as the master server, but listening on a
different port.

For any server, either <code>&lt;VirtualHost&gt;</code> or "server
config", using a number value of zero (0) will effectively
disable/turn off that server:
<pre>
 &lt;VirtualHost ...&gt;
 # This virtual server is disabled because of this Port setting
 Port 0

...
 &lt;/VirtualHost&gt;
</pre>

<hr>
<h2><a name="ProcessTitles">ProcessTitles</a></h2>
Syntax: ProcessTitles terse|verbose 
Default: ProcessTitles verbose 
Context: server config 
Module: mod_core 
Compatibility: 1.3.4rc2 and later

The <code>ProcessTitles</code> directive is used to tweak how
<code>proftpd</code> modifies the process title for session processes.

By default, <code>proftpd</code> updates the process title to show the current
FTP command and its arguments for every session, e.g.:
<pre>
 # ps aux | grep proftpd
 proftpd 30667 0.0 0.1 7304 1584 ? Ss 02:12 0:00 proftpd: (accepting connections)
 user1 31892 0.2 0.3 8004 3505 ? SL 20:13 0:12 proftpd: user1 - remote.client1.com: RETR file1.doc
 user2 31934 0.0 0.3 8004 3500 ? SL 21:27 0:00 proftpd: user2 - 4.3.2.1: STOR file2.zip
 user3 31891 0.2 0.3 8004 3504 ? SL 20:11 0:09 proftpd: user3 - remote.client2.com: RETR whatever.iso
</pre>
This is the same as having:
<pre>
 ProcessTitles verbose
</pre>
in your proftpd.conf.

To obscure the process titles, you can use:
<pre>
 ProcessTitles terse
</pre>
which results in process titles which look like:
<pre>
 # ps aux | grep proftpd
 proftpd 30667 0.0 0.1 7304 1584 ? Ss 02:12 0:00 proftpd: (accepting connections)
 user1 31892 0.2 0.3 8004 3505 ? SL 20:13 0:12 proftpd: processing connection
 user2 31934 0.0 0.3 8004 3500 ? SL 21:27 0:00 proftpd: processing connection
 user3 31891 0.2 0.3 8004 3504 ? SL 20:11 0:09 proftpd: processing connection
</pre>

<hr>
<h2><a name="Protocols">Protocols</a></h2>
Syntax: Protocols protocol1 ... 
Default: None 
Context: server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code> 
Module: mod_core 
Compatibility: 1.3.4rc1 and later

The <code>Protocols</code> directive is used to enable/disable specific
protocols support by the <code>proftpd</code> and its collection of modules.
This directive can be used, in conjunction with the
<a href="../contrib/mod_ifsession.html"><code>mod_ifsession</code></a> module,
to enable certain features for specific users/groups/classes.

The allowed protocols must be configured as a space-delimited list. For
example:
<pre>
 # Only enable FTPS and SFTP support, but not FTP or SCP
 Protocols ftps sftp
</pre>

The currently known/supported protocols include:
<ul>
 <li><code>ftp</code> 
 <li><code>ftps</code> (from <a href="../contrib/mod_tls.html"><code>mod_tls</code></a>) 
 <li><code>scp</code> (from <a href="../contrib/mod_sftp.html"><code>mod_sftp</code></a>) 
 <li><code>sftp</code> (from <a href="../contrib/mod_sftp.html"><code>mod_sftp</code></a>) 
</ul>

<hr>
<h2><a name="ScoreboardFile">ScoreboardFile</a></h2>
Syntax: ScoreboardFile path|"none" 
Default: ScoreboardFile /usr/local/var/proftpd.scoreboard
Context: server config 
Module: mod_core 
Compatibility: 1.2.7rc1 and later

The <code>ScoreboardFile</code> directive sets the path to the file where the
daemon will store its run-time "scoreboard" session information. This file is
necessary for support features such as
<a href="mod_auth.html#MaxClients"><code>MaxClients</code></a> to work properly,
as well as other utilities (such as <a href="../utils/ftpwho.html">ftpwho</a>,
<a href="../utils/ftptop.html">ftptop</a>, and
<a href="../utils/ftpcount.html">ftpcount</a>). Note that the directory
containing the scoreboard cannot be world-writable.

For performance reasons, it is strongly recommended that the
<code>ScoreboardFile</code> path not be located on a networked
filesystem, but rather be located on a local physical disk.

In order to disable scoreboarding (which can increase performance,
at the cost of functionality), any of the following can be used:
<pre>
 ScoreboardFile /dev/null
 ScoreboardFile none
 ScoreboardFile off
</pre>
Please read the
<a href="../howto/Scoreboard.html#ScoreboardDisabling">Scoreboard</a> howto
before disabling scoreboarding.

<hr>
<h2><a name="ScoreboardMutex">ScoreboardMutex</a></h2>
Syntax: ScoreboardMutex path 
Default: ScoreboardMutex /usr/local/var/proftpd.scoreboard.lck
Context: server config 
Module: mod_core 
Compatibility: 1.3.4rc1 and later

The <code>ScoreboardMutex</code> directive sets the path to a "mutex" file
which is used for scoreboard locking/synchronization; this mutex is used to
increase the daemon's performance under load.

For performance reasons, it is strongly recommended that the
<code>ScoreboardMutex</code> path not be located on a networked
filesystem, but rather be located on a local physical disk. It is best if
the <code>ScoreboardMutex</code> be located in the same directory as the
<a href="#ScoreboardFile"><code>ScoreboardFile</code></a>.

<hr>
<h2><a name="ServerIdent">ServerIdent</a></h2>
Syntax: ServerIdent off|on "identification string" 
Default: ServerIdent on "ProFTPD [version] Server (server name) [hostname]" 
Context: server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code> 
Module: mod_core 
Compatibility: 1.2.0pre2 and later

The <code>ServerIdent</code> directive sets the default message displayed when
a new client connects. Setting this to off displays:
<pre>
 [hostname] FTP server ready.
</pre>
If set to on, the directive can take an optional string argument,
which will be displayed instead of the default text. Sites desiring to give
out minimal information will probably want a setting like:
<pre>
 ServerIdent on "FTP Server ready."
</pre>
which won't even reveal the hostname.

An example of a custom identification string might be:
<pre>
 ServerIdent on "Welcome to ftp.linux.co.uk"
</pre>

<hr>
<h2><a name="ServerType">ServerType</a></h2>
Syntax: ServerType "standalone"|"inetd" 
Default: ServerType standalone 
Context: server config 
Module: mod_core 
Compatibility: 0.99.0 and later

The <code>ServerType</code> directive configures the <code>proftpd</code>
server operating mode. The parameter can either be inetd or
standalone.

A parameter value of inetd configures <code>proftpd</code> to expect
to be run from the <code>inetd</code>/<code>xinetd</code> "super server." New
connections are passed from <code>inetd</code>/<code>xinetd</code> to
<code>proftpd</code> and are processed immediately.

A parameter value of standalone configures <code>proftpd</code> to
start up on its own, and to begin listening to the configured addresses/ports
for incoming connections. New connections result in forked child processes
dedicated to processing all requests from the newly connected client.

<hr>
<h2><a name="SocketBindTight">SocketBindTight</a></h2>
Syntax: SocketBindTight on|off 
Default: off 
Context: server config 
Module: mod_core 
Compatibility: 0.99.0pl6 and later

The <code>SocketBindTight</code> directive controls how <code>proftpd</code>
creates and binds its initial TCP listening sockets in "ServerType standalone"
mode (see <a href="#ServerType"><code>ServerType</code></a>). This directive
has no effect upon servers running with "ServerType inetd", because
the TCP listening sockets in that mode are not needed or created by
<code>proftpd</code>.

When <code>SocketBindTight</code> is set to off (the default), a
single TCP listening socket is created for each port that the server must
listen on, regardless of the number of IP addresses being used by
<code>&lt;VirtualHost&gt;</code> configurations. This has the benefit of
requiring a relatively small number of file descriptors (one for each socket)
for the master daemon process, even if a large number of virtual servers are
configured. Each of these listening sockets is bound to the "wildcard"
address, meaning that on all IP addresses on that port (e.g. "*:21").

When <code>SocketBindTight</code> is set to on, a TCP listening socket
is created and bound to a specific IP address for the main "server
config" server and all configured virtual servers. This allows for situations
where an administrator may wish to have a particular port be used by both
<code>proftpd</code> (on one IP address) and another daemon (on a different IP
address). The drawback is that considerably more file descriptors will be
required if a large number of virtual servers must be supported.

Here's an example. Two servers have been configured (one "server config" and
one <code>&lt;VirtualHost&gt;</code>), with the IP addresses 10.0.0.1 and
10.0.0.2, respectively. The 10.0.0.1 server runs on port 21, while 10.0.0.2
runs on port 2001.

If we use:
<pre>
 SocketBindTight off
</pre>
then <code>proftpd</code> creates two sockets, both bound to all
available addresses; one socket listens on port 21 (i.e. "*:21"), the
other on port 2001 (i.e. "*.2001"). Since each socket is bound to all
available addresses, no other daemon or process will be allowed to bind to
ports 21 or 2001.

On the other hand, if we use:
<pre>
 SocketBindTight on
</pre>
then <code>proftpd</code> again creates two sockets. However one is bound to
10.0.0.1, port 21 (i.e. "10.0.0.1:21") and the other is bound to
10.0.0.2, port 2001 (i.e. "10.0.0.2:2001"). Thus these sockets are
"tightly" bound to the IP addresses. This means that port 21 can be
reused on any address other than 10.0.0.1, and similarly for port 2001
and 10.0.0.2.

One side effect of setting <code>SocketBindTight</code> to on is that
connections to non-bound addresses will result in a "connection refused"
message rather than the more common:
<pre>
 500 Sorry, no server available to handle request on a.b.c.d.
</pre>
due to the fact that no TCP listening socket has been bound to the particular
address/port pair. This may or may not be aesthetically desirable, depending
on your circumstances.

<hr>
<h2><a name="SocketOptions">SocketOptions</a></h2>
Syntax: SocketOptions [maxseg byte-count] [rcvbuf byte-count] [sndbuf byte-count] [keepalive "on"|"off"|spec] 
Default: None 
Context: server config, <code>&lt;VirtualHost&gt;</code> 
Module: mod_core 
Compatibility: 1.2.9rc1 and later

The <code>SocketOptions</code> directive is used to tune various socket-level
options. The rcvbuf and sndbuf parameters are used for
setting the TCP send/receive window sizes. The maxseg parameter is
used for setting a MSS (Maximum Segment Size) via <code>setsockopt(2)</code>'s
<code>TCP_MAXSEG</code> option. If the MSS is larger than the network
interface's MTU, it is ignored and has no effect.

Examples:
<pre>
 # Use buffer sizes of 32KB for both reading and writing
 SocketOptions rcvbuf 32768 sndbuf 32768
</pre>

In <code>proftpd-1.3.5rc1</code>, the <code>SocketOptions</code> directive
gained support for the keepalive parameter. By default,
<code>proftpd</code> enables TCP keepalives on all of its connections,
both control and data. To disable use of TCP keepalives, use:
<pre>
 SocketOptions keepalive off
</pre>
while to have TCP keepalives explicitly enabled in the config, you would use:
<pre>
 SocketOptions keepalive on
</pre>

The keepalive parameter also handles an argument in the form of
a "keepalive-spec", which is a colon-separated string of three numeric values:
idle-secs, probe-count, and interval-secs. On most TCP
stacks, the default TCP keepalive behavior uses 2 hours as the time (per
recommendation in RFC 1122), with 9 probes at 75 seconds between each probe.
Using the keepalive parameter, this would be configured as:
<pre>
 SocketOption keepalive 7200:9:75
</pre>
The first number (idle-secs) indicates the number of seconds the TCP
connection must be idle before the first TCP keepalive probe is sent. Once
the idle-secs time has passed, the TCP stack will send a number of
"probes", trying to elicit a response (<code>ACK</code>, <code>RST</code>,
etc) from the remote peer; the number of probes sent is configured by
the second number (probe-count). The probes will be sent out at
intervals governed by the third number (interval-secs), which configures
the number of seconds between each keepalive probe.

Note that not all platforms support configuring the idle, count, and
interval values of the TCP keepalive behavior in their TCP stack. On such
platforms, if the keepalive spec format is used, e.g.:
<pre>
 SocketOptions keepalive 7500:9:75
</pre>
and <code>proftpd</code> knows that it cannot alter the TCP keepalive values,
then <code>proftpd</code> will assume that the keepalive configuration
is equivalent to:
<pre>
 SocketOptions keepalive on
</pre>

<hr>
<h2><a name="SyslogFacility">SyslogFacility</a></h2>
Syntax: SyslogFacility facility 
Default: SyslogFacility daemon 
Context: server config 
Module: mod_core 
Compatibility: 1.1.6 and later

By default, ProFTPD logs its activity via the Unix syslog mechanism, which
allows for several different general classifications of logging messages,
known as "facilities." Normally, all authentication related messages are
logged with the <code>AUTHPRIV</code> (or <code>AUTH</code>) facility
(since these messages are intended to be secure, and never seen by unwanted
eyes), while normal operational messages are logged with the
<code>DAEMON</code> facility. The <code>SyslogFacility</code> directive
allows all logging messages to be directed to a different facility than
the default.

When this directive is used, all logging is done with the specified
facility, both authentication (secure) and otherwise. The
facility argument must be one of the following:
<ul>
 <li><code>AUTH</code> (or <code>AUTHPRIV</code>)
 <li><code>CRON</code>
 <li><code>DAEMON</code>
 <li><code>FTP</code>
 <li><code>KERN</code>
 <li><code>LPR</code>
 <li><code>MAIL</code>
 <li><code>NEWS</code>
 <li><code>USER</code>
 <li><code>UUCP</code>
 <li><code>LOCAL0</code>
 <li><code>LOCAL1</code>
 <li><code>LOCAL2</code>
 <li><code>LOCAL3</code>
 <li><code>LOCAL4</code>
 <li><code>LOCAL5</code>
 <li><code>LOCAL6</code>
 <li><code>LOCAL7</code>
</ul>
For more information on syslog facilities, see the <code>syslog.conf</code>
man page.

The <a href="../howto/Logging.html#Syslog">Logging</a> howto covers logging in
greater detail.

See also: <a href="#SyslogLevel"><code>SyslogLevel</code></a>,
<a href="mod_log.html#SystemLog"><code>SystemLog</code></a>

<hr>
<h2><a name="SyslogLevel">SyslogLevel</a></h2>
Syntax: SyslogLevel level 
Default: SyslogLevel debug 
Context: server config 
Module: mod_core 
Compatibility: 1.2.0rc2 and later

The <code>SyslogLevel</code> directive adjusts the verbosity of the messages
recorded via the default Unix syslog logging. The following levels
are available, in order of decreasing significance:

<table border=1>
 <tr>
 <td>Level</td>
 <td>Description</td>
 </tr>

<tr>
 <td><code>emerg</code></td>
 <td>Emergencies (e.g. the system is unusable)</td>
 </tr>

<tr>
 <td><code>alert</code></td>
 <td>Action must be taken immediately</td>
 </tr>

<tr>
 <td><code>crit</code></td>
 <td>Critical conditions</td>
 </tr>

<tr>
 <td><code>error</code></td>
 <td>Error conditions</td>
 </tr>

<tr>
 <td><code>warn</code></td>
 <td>Warning conditions</td>
 </tr>

<tr>
 <td><code>notice</code></td>
 <td>Normal but significant conditions</td>
 </tr>

<tr>
 <td><code>info</code></td>
 <td>Informational</td>
 </tr>

<tr>
 <td><code>debug</code></td>
 <td>Debug-level messages</td>
 </tr>
</table>

When a particular level is specified, messages from all other levels
of higher significance will be reported as well. For example, when:
<pre>
 SyslogLevel info
</pre>
is configured, then messages with log levels of <code>notice</code> and
<code>warn</code> will also be logged. Using a level of at least
<code>crit</code> is recommended.

The <a href="../howto/Logging.html#Syslog">Logging</a> howto covers logging in
greater detail.

See also: <a href="#SyslogFacility"><code>SyslogFacility</code></a>,
<a href="mod_log.html#SystemLog"><code>SystemLog</code></a>

<hr>
<h2><a name="TCPBacklog">TCPBacklog</a></h2>
Syntax: TCPBacklog backlog-size 
Default: 5 
Context: server config 
Module: mod_core 
Compatibility: 0.99.0 and later

The <code>TCPBacklog</code> directive controls the TCP connection queue
size for listening sockets; this directive only applies to <code>proftpd</code>
when it is configured with "<code>ServerType standalone</code>". It has
no effect if "<code>ServerType inetd</code>" is configured.

When a TCP connection is established by the TCP/IP stack within the kernel,
there is a short period of time between the actual establishment of the
TCP connection and when that connection is accepted for use by the listening
daemon via the <code>accept(2)</code> system call. The duration of this period
of time can vary quite a bit, and can depend upon several factors (e.g.
hardware, system load, etc). Any TCP connection which hasn't been
accepted by the listening daemon is placed in a "backlog" or queue of pending
connections. The <code>TCPBacklog</code> directive controls how the size
of this queue of pending connections.

If this queue of pending connections becomes full, new TCP connections
cannot be estaslished. Under heavy load, this can result in occasional
(or even frequent) errors seen by clients, such as "Connection refused",
even though the daemon is clearly running.

The larger the backlog-size, the more TCP connections can be
established to the daemon. This also means more kernel memory and other kernel
resources.

The issue is complicated further by the fact that different operating
systems handle the backlog-size value differently. The pending
connection queue is a critical kernel-level structure, and is sensitive
to <a href="http://en.wikipedia.org/wiki/Syn_flood">TCP syn floods</a>.
Each operating system, then, has different ways of handling incoming and
pending connections, to attempt to guard against such attacks. For Linux
systems, read the <code>tcp(7)</code> man page and specifically about
<code>tcp_abort_on_overflow</code>, </code>tcp_max_syn_backlog</code>,
and <code>tcp_syncookies</code>. On FreeBSD, read the
<code>syncookies(4)</code> man page. And read
<a href="http://www.sean.de/Solaris/soltune.html#backlog">here</a> for
additional tuning considerations on Solaris.

<hr>
<h2><a name="TimeoutIdle">TimeoutIdle</a></h2>
Syntax: TimeoutIdle seconds 
Default: 600 seconds 
Context: server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code>, <code>&lt;Anonymous&gt;</code> 
Module: mod_core 
Compatibility: 0.99.0 and later

The <code>TimeoutIdle</code> directive configures the maximum number of
seconds that <code>proftpd</code> will allow clients to stay connected
without receiving any data on either the control or data connection. If data
are received on either connection, the idle timer is reset. Setting
<code>TimeoutIdle</code> to zero disables the idle timer completely, meaning
that clients can stay connected forever, without sending data. Note:
this is generally a very bad idea, as a "hung" TCP connection which is
never properly disconnected (e.g. the remote network may have become
disconnected from the Internet, etc) will cause a session process to
never exit, until manually killed. This session process will thus linger, using
up one of the <a href="#MaxInstances"><code>MaxInstances</code></a> as well as
any of the other configured limits. The maximum allowed seconds value
is 65535 (108 minutes).

See also: <a href="mod_auth.html#TimeoutLogin"><code>TimeoutLogin</code></a>,
<a href="mod_xfer.html#TimeoutNoTransfer"><code>TimeoutNoTransfer</code></a>,
<a href="mod_xfer.html#TimeoutStalled"><code>TimeoutStalled</code></a>.

<hr>
<h2><a name="TimeoutLinger">TimeoutLinger</a></h2>
Syntax: TimeoutLinger seconds 
Default: 30 
Context: server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code> 
Module: mod_core 
Compatibility: 1.2.10rc2 and later

The <code>TimeoutLinger</code> directive configures the maximum number of
seconds that <code>proftpd</code> will wait (or "linger") when closing a data
connection (i.e. for uploads, downloads, and directory listings). Once
the data connection is closed, <code>proftpd</code> will send a response
message ("226 Transfer complete") on the control connection indicating the
closure. This delay is necessary for properly handling some FTP clients.

If the client aborts a transfer and there is a long delay, this lingering close
is the most likely culprit. So if you encounter this delay, set
<code>TimeoutLinger</code> to a low number to remove the delay. The maximum
allowed seconds is 65535 (108 minutes).

For the curious, here are the full details: some FTP clients will close their
end of a data connection as soon as they are done sending their data; other
FTP clients will wait until the server closes its end of the data connection,
and some will close their side of the data connection only after they
receive the "226 Transfer complete" message on the control connection. In
order to ensure that all of the data has been transferred on a data connection,
<code>proftpd</code> will "linger" for a certain amount of time (governed
by the <code>TimeoutLinger</code> directive) before sending that
"226 Transfer complete" response, thus giving all client behaviors a chance
to do the right thing. However, this means that some clients will see a
this <code>TimeoutLinger</code> delay unnecessarily. The <code>proftpd</code>
daemon can't detect which type of behavior the client will use, so it is
up to the site admin to configure <code>proftpd</code> to work best with
their FTP clients.

<hr>
<h2><a name="Trace">Trace</a></h2>
Syntax: Trace channel1:level1 ... 
Default: None 
Context: server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code> 
Module: mod_core 
Compatibility: 1.3.1rc1 and later

The <code>Trace</code> directive is used to configure which trace channels
are logged to the <a href="#TraceLog"><code>TraceLog</code></a> file, and
which log levels for messages in that trace channel.

For example, to get the default trace channels logged:
<pre>
 Trace DEFAULT:10
</pre>

To disable logging of a particular trace channel entirely, use a log level
of zero, e.g.:
<pre>
 # Log all of the default trace channels except for 'lock' and
 # 'scoreboard'
 Trace DEFAULT:10 lock:0 scoreboard:0
</pre>

To see only a certain range of log levels in a given trace channel, you
can specify the log level range like this:
<pre>
 # Log only messages at levels 7-10 for the default channels
 TraceLog DEFAULT:7-10
</pre>

See the <a href="../howto/Tracing.html">Tracing</a> howto for more information.

<hr>
<h2><a name="TraceLog">TraceLog</a></h2>
Syntax: TraceLog path 
Default: None 
Context: server config 
Module: mod_core 
Compatibility: 1.3.1rc1 and later

The <code>TraceLog</code> directive is used to specify a log file for trace
logging messages. The path parameter given must be the full path to
the file to use for logging.

Note that this path must not be to a world-writable directory and,
unless <code>AllowLogSymlinks</code> is explicitly set to on
(generally a bad idea), the path must not be a symbolic link.

See the <a href="../howto/Tracing.html">Tracing</a> howto for more information.

<hr>
<h2><a name="TraceOptions">TraceOptions</a></h2>
Syntax: TraceOptions opt1 ... optN 
Default: None 
Context: &quot;server config&quot;, &lt;VirtualHost&gt;, &lt;Global&gt; 
Module: mod_core 
Compatibility: 1.3.4rc2 and later

The <code>TraceOptions</code> directive can be used to change the format
of the <a href="#TraceLog"><code>TraceLog</code></a> messages, e.g.
adding/remove certain fields of data.

The options supported by the <code>TraceOptions</code> directive are:
<ul>
 <li>ConnIPs
 <li>TimestampMillis
</ul>
These options are all disabled by default.

To enable an option, preface the option name with a '+' (plus) character;
to disable the option, use a '-' (minus) character prefix. For example:
<pre>
 # Log timestamps inncluding millisecs, but do not include the connection
 # IP address/port information
 TraceOptions +TimestampMillis -ConnIPs
</pre>

<hr>
<h2><a name="TransferLog">TransferLog</a></h2>
Syntax: TransferLog path|"none" 
Default: None 
Context: &quot;server config&quot;, &lt;VirtualHost&gt;, &lt;Global&gt;, &lt;Anonymous&gt; 
Module: mod_core 
Compatibility: 1.1.4 and later

The <code>TransferLog</code> directive configures the full path to the
"wu-ftpd style" file transfer log; see the <code>xferlog(5)</code> man page
for a description of this log file format. Separate log files can be created
for each <code>&lt;Anonymous&gt;</code> and/or <code>&lt;VirtualHost&gt;</code>.
Additionally, the special keyword "none" (available in proftpd-1.1.7 and later)
can be used, which disables wu-ftpd style transfer logging for the context in
which the directive is used.

See also: <a href="mod_log.html#ExtendedLog"><code>ExtendedLog</code></a>,
<a href="mod_log.html#LogFormat"><code>LogFormat</code></a>

<hr>
<h2><a name="Umask">Umask</a></h2>
Syntax: Umask file-umask [dir-umask] 
Default: None 
Context: &quot;server config&quot;, &lt;VirtualHost&gt;, &lt;Global&gt;, &lt;Anonymous&gt;, .ftpaccess 
Module: mod_core 
Compatibility: 0.99.0 and later

The <code>Umask</code> directive sets the mask applied to newly created file
and directory permissions. Any parameters supplied must be an octal number,
in the format <code>0xxx</code>.

An optional second dir-umask parameter can specify a different
<code>Umask</code> to be used when creating directories, rather than files.
If this second parameter is not used, directories are created using the
file-umask value from the first parameter. For more information on
umasks, consult your operating system documentation/man pages.

Note: ProFTPD will not create files that have the executable bit
enabled; this is a security-driven design decision. The permissions of an
uploaded file can be changed by issuing a <code>SITE CHMOD</code> command,
e.g.:
<pre>
 SITE CHMOD 0755 /path/to/uploaded/file
</pre>

The <code>Umask</code> <a href="../howto/Umask.html">howto</a> also talks about
umasks in greater detail.

<hr>
<h2><a name="UserOwner">UserOwner</a></h2>
Syntax: UserOwner user-name 
Default: None 
Context: &lt;Anonymous&gt;, &lt;Directory&gt; 
Module: mod_core 
Compatibility: 1.2pre11 and later

The <code>UserOwner</code> directive is used to specify the user-name
which will own all created files and directories within the
<code>&lt;Anonymous&gt;</code> or <code>&lt;Directory&gt;</code> section
contain the <code>UserOwner</code> directive; the default behavior is that
all created files/directories will be owned by the logged-in user, of course.

When the <code>UserOwner</code> directive is used, the
<code>GroupOwner</code> directive is not restricted to groups to which
the logged-in user belongs.

See also: <a href="#GroupOwner"><code>GroupOwner</code></a>

<hr>
<h2><a name="VirtualHost">&lt;VirtualHost&gt;</a></h2>
Syntax: &lt;VirtualHost ip-address|dns-name [ip-address|dns-name ...]&gt; 
Default: None 
Context: &quot;server config&quot; 
Module: mod_core 
Compatibility: 0.99.0 and later

The <code>&lt;VirtualHost&gt;</code> configuration section is used to create
an independent set of configuration directives that apply to a particular
hostname or IP address. It is often used in conjunction with system level
IP aliasing or dummy network interfaces in order to establish one or more
virtual servers which all run on the same physical machine. The
section is terminated with a <code>&lt;/VirtualHost&gt;</code> directive.

By using the <a href="#Port"><code>Port</code></a> directive inside a
<code>&lt;VirtualHost&gt;</code> section, it is possible to create a virtual
server which uses the same IP address as the master server, but
which listens on a different TCP port (Note, however, that this
approach is incompatible with a
<a href="#ServerType"><code>ServerType</code></a> of "inetd").

When <code>proftpd</code> starts up, virtual server connections are handled in
one of two ways, depending on the
<a href="#ServerType"><code>ServerType</code></a> setting:
<ul>
 <li>inetd
 
 The daemon examines the destination address and port of the incoming
 connection being handed off from <code>inetd/xinetd</code>. If the
 connection matches one of the configured <code>&lt;VirtualHost&gt;</code>
 sections, the connection is handled by that matching configuration. If no
 <code>&lt;VirtualHost&gt;</code> section matches, and the main server does
 not match, the client is informed that no server is available to handle
 their requests, and the client is disconnected.
 </li>

<li>standalone
 
 After parsing the configuration file, the daemon begins listening for
 connections on all configured ports, spawning child processes as necessary
 to handle connections for either the main server or any
 <code>&lt;VirtualHost&gt;</code> sections.

Because of the method that the daemon uses to listen for connections when
 in standalone mode, it is possible to support an exceedingly large number
 of virtual servers, potentially exceeding the number of per-process file
 descriptors. This is due to the fact that a single file descriptor is used
 to listen to each configured port, regardless of the number of addresses
 being monitored. Note that it may be necessary to increase the
 <a href="#TCPBacklog"><code>TCPBackLog</code></a> value on heavily loaded
 servers in order to avoid kernel-rejected client connections; clients
 will receive a "Connection refused" error when this condition happens.
 </li>
</ul>

Starting with <code>proftpd-1.3.0rc1</code>, it is possible to use more than
one DNS name or IP address. And starting with <code>proftpd-1.3.5rc1</code>,
a device/interface name can also be used.

Examples:
<pre>
 &lt;VirtualHost host1.domain.com host2.domain.com&gt;
 ...
 &lt;/VirtualHost&gt;

# Establish a virtual server for the eth1 interface
  &lt;VirtualHost eth1&gt;
    ...
  &lt;/VirtualHost&gt;

</pre>
The virtual server <a href="../howto/Vhost.html">howto</a> also talks about
virtual servers in greater detail.

See also: <a href="#DefaultAddress"><code>DefaultAddress</code></a>

<hr>
<h2><a name="Installation">Installation</a></h2>
The <code>mod_core</code> module is always installed.

<a name="FAQ">
<hr>
Frequently Asked Questions

<a name="ListenOnOneAddressOnly">
Question: How do I configure <code>proftpd</code> to
only listen to connections on one address, e.g. 127.0.0.1? If I use
the following in my <code>proftpd.conf</code>:
<pre>
 DefaultAddress localhost
</pre>
I am still able to connect to <code>proftpd</code> from another machine. 
Answer: The solution is to use the
<a href="#SocketBindTight"><code>SocketBindTight</code></a>, like this:
<pre>
 DefaultAddress localhost
 SocketBindTight on
</pre>
The <code>SocketBindTight</code> directive tells <code>proftpd</code> to
listen only on that 'localhost' IP address, rather than on all
addresses.

<hr>

Author: $Author: castaglia $ 
Last Updated: $Date: 2014-01-30 16:50:10 $

<hr>

<hr>

</body>
</html>