Next Previous Contents

6. Security

6.1 User, Group and Chroot

Unless compiled with --enable-run-as-root you must specify a non root user and group for frox to run as. It is strongly recommended that you do this rather than recompiling.

You must specify WorkingDir for frox in the config file. By default it will also chroot to this directory. If you do not wish to run chrooted you must explicitly set DontChroot to "yes" in the config file.

6.2 Access control lists

Access to frox is controlled by the access control lists in the config file. These take the format

ACTION can be one of Deny or Allow. CLIENT and SERVER are either a domain name, a *, an ip address, or an address/netmask in either x.x.x.x/y or x.x.x.x/y.y.y.y form. PORTS is optional. If present it should contain one or more port numbers or ranges of port numbers, separated by ",". There should be no whitespace within the PORTS string. If no ports are specified then ports are not taken into account in matching that rule.USER is also optional. If present then note that it should be ftp to match any anonymous connections.

Acls are checked after the client has connected to frox, but before frox connects to the server. If non-transparent proxying is enabled then the client will enter the username before the acl is checked. The acls are checked in the order they appear in the config file until one matches. If no acls match the connection is denied.

6.3 Command Control Program

Frox has optional support for a ftp-proxy like command control program (ccp). Just to confuse things there are two different ways that this can work. The default is still the old version based on ftp-proxy, while the new version is a bit more like the squid redirector interface.

To use either method you should compile with --enable-ccp, and set CCProgram to the program you wish use. This must be within the chroot jail with any libraries and/or shells it needs to run. To use the new version you should also explicitly set UseOldCCP to no in the config file.

The Old Version

The ccp will then be called for every command that the client sends. It will not be called for any commands that frox decides to send itself (eg. as part of determining whether a file is suitable for caching). It can make use of the following environment variables:

          FROX_CLIENT, FROX_SERVER: Ip addresses of client and server.
          FROX_SERVERNAME:          Server's domain name if known.
          FROX_SESSION:             Unique string for this session.
          FROX_COMMAND:             FTP command just given.
          FROX_PARAMATER:           Argument to that command.
With a new connection the ccp will be called with the special FROX_COMMAND of +NEW. The server variables may subsequently change if a user name is given which contains a different server to contact.

If the ccp exits with a value of 0 then the command is dealt with as normal. If it exits with 1 then the command is discarded. If it exits with 2 then the session is closed. If the ccp writes a line to stderr then it will be sent to the client over the control connection. If it writes a line to stdout it will be logged by frox. If the ccp returns a value other than 0 it is its responsibility to write a well formed ftp message to the client which tells it what is happening (eg. from a shell script by echo -ne "533 Permission denied\r\n" >&2) . Failure to do this will result in the client and proxy getting out of sync.

The New Version

One copy of the ccp will be executed each time a client connects. It should read commands and messages from stdin and write its replies back to stdout. Each call is a '\n' terminated string which starts with a single char, followed optionally by a space and a string.

If the initial char is "I" then it is followed by "client_ip server_ip server_name", although if the server_name is not known it will be replaced by an "X". If the char is a "C" then it is followed by a command from the client, and if it is a "S" it is followed by a message from the server.

The ccp should reply with a similar string. "C" should be followed by a message to go the client, while S is followed by a command for the server. In response to an "I" a "R" can be sent where the argument is the IP address of a server to contact in place of the currently selected one. A single "X" tells frox to continue as before, while a "Q" tells frox to drop the connection. Finally the string after an "L" will be logged by frox. It should also be followed by another line giving an action to take.

Written like that is is pretty confusing, so there are two example ccp scripts in the doc/ directory. One is a simple bash script to disallow downloading of files greater than a certain size. The other is a more complicated C program which attempts to redirect users to mirrors of ftp sites. I am sure there are other applications.

6.4 TLS/SSL Support

There is very experimental (currently only tested with vsftpd) support for having frox use encryption when connecting to the ftp server. You need to give --enable-ssl to ./configure, and define UseSSL yes in the config file. By default data connections will also be encrypted, but you can turn this off by setting DataSSL no. Note you will need to create /dev/urandom and /dev/random at least in the chroot jail, and possibly some other stuff, for the openssl libraries to work. If you are having difficulties try defining DontChroot yes temporarily to see if it fixes things.

Note SSL support currently only covers the connection between frox and the ftp server. Frox does not support clients connecting to it with SSL at the moment.

It is suggested to have a config file subsection which turns off SSL for anonymous connections. There is little point in having the overhead of encryption for this, and ftp servers may deny an anonymous connection once SSL has been negotiated (this is the default configuration of vsftpd). At this stage frox is not able to undo the ssl negotiation.

This is not yet rfc compliant. It should be at some point...

Next Previous Contents