Richard

Reputation: 2815

FTP not working via PHP (ProFTPD) - Operation not permitted

I am trying to upload a file via PHP to an FTP server running ProFTPD. This worked like a charm before. This is the code:

$this->con = ftp_ssl_connect($CFG['BACKUP_FTP_HOST'], $port);
ftp_login($this->con, $CFG['BACKUP_FTP_USER'], $CFG['BACKUP_FTP_PASSWORD']);
ftp_pasv($this->con, true); // Returns true
ftp_put($this->con, "/path/test.txt", __DIR__ . "/test.txt", FTP_ASCII); // Returns false; local file and remote directory exist (FTP_BINARY does not work either)

There are several funny PHP warnings:

Warning: ftp_put(): Unable to build data connection: Operation not permitted

If I try to switch to passive mode via lftp, it does not work either:

lftp [email protected]:/> quote PASV
501 PASV: Operation not permitted

The return of FEAT is the following:

211-Features:                
SSCN
SITE COPY
LANG en-US.UTF-8*;en-US
SIZE
PROT
CCC
SITE MKDIR
PBSZ
AUTH TLS
REST STREAM
UTF8
EPRT
SITE SYMLINK
EPSV
SITE UTIME
MDTM
SITE RMDIR
211 End

I think there is a problem with the FTP server, but other servers work with the configuration. Also, I can upload files with FileZilla. With PHP, active mode is not working either.

The content of my proftpd.conf:

# Includes DSO modules
Include /etc/proftpd/modules.conf

# If set on you can experience a longer connection delay in many cases.
<IfModule mod_ident.c>
IdentLookups                    off
</IfModule>

ServerIdent                     off
ServerName                      "FTP Server"
ServerType                      standalone
DeferWelcome                    off

MultilineRFC2228                on
DefaultServer                   on
ShowSymlinks                    on

TimeoutNoTransfer               600
TimeoutStalled                  600
TimeoutIdle                     1200

DisplayLogin                    welcome.msg
DisplayChdir                    .message true
ListOptions                     "-al"

DenyFilter                      \*.*/

# Use this to jail all users in their homes
DefaultRoot                     ~

# Allow continuation of uploads/downloads
AllowRetrieveRestart            On
AllowStoreRestart               On

# Users require a valid shell listed in /etc/shells to login.
# Use this directive to release that constrain.
RequireValidShell               Off

# Port 21 is the standard FTP port.
Port                            21

# Workaround for nasty problem with FileZilla:
<IfModule mod_facts.c>
  FactsAdvertise off
</IfModule>

# Unlimited number of concurrent connections
MaxClients                      none
MaxInstances                    none

# Unlimited number of concurrent connections per IP/user allowed
MaxClientsPerHost               none
MaxClientsPerUser               none
PassivePorts 60000 65535
<IfModule mod_tls.c>
  TLSEngine On

  # Support TLSv1 (no more SSLv3 due to POODLE attack)
  TLSProtocol TLSv1

  # Safe ciphers:
  TLSCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
  # Are clients required to use FTP over TLS when talking to this server?
  TLSRequired on
  # Server's certificate
  TLSRSACertificateFile /etc/ssl/certs/proftpd.crt
  TLSRSACertificateKeyFile /etc/ssl/private/proftpd.key
  TLSCertificateChainFile /etc/ssl/certs/proftpd-ca.crt
  TLSDHParamFile /etc/proftpd/dhparams.pem

  # Authenticate clients that want to use FTP over TLS?
  TLSVerifyClient off

</IfModule>

# Virtual FTP users file
AuthUserFile /etc/proftpd/passwd

# Set the user and group that the server normally runs at.
User                            proftpd
Group                           nogroup

# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask                           022  022
# Normally, we want files to be overwriteable.
AllowOverwrite                  on
TransferLog /var/log/proftpd/xferlog
SystemLog   /var/log/proftpd/proftpd.log
<IfModule mod_quotatab.c>
QuotaEngine off
</IfModule>

<IfModule mod_ratio.c>
Ratios off
</IfModule>

# Delay engine reduces impact of the so-called Timing Attack described in
# http://security.lss.hr/index.php?page=details&ID=LSS-2004-10-02
# It is on by default.
<IfModule mod_delay.c>
DelayEngine on
</IfModule>
<IfModule mod_ctrls.c>
ControlsEngine        off
ControlsMaxClients    2
ControlsLog           /var/log/proftpd/controls.log
ControlsInterval      5
ControlsSocket        /var/run/proftpd/proftpd.sock
</IfModule>
<IfModule mod_ctrls_admin.c>
AdminControlsEngine off
</IfModule>

# include additional configuration files
Include /etc/proftpd/conf.d/*.conf
# <EOF>-----------------------------------------------------------------------

Upvotes: 0

Views: 2900

Answers (1)

Castaglia

Reputation: 3089

You might configure a TLSLog file, and see what additional information is logged there. I suspect (but the TLSLog might confirm...or not) that mod_tls is requiring that your data transfer connection reuse the same TLS session as used on the control connection, and that your FTPS client is not doing this. This requirement can be relaxed by using the following in your mod_tls configuration:

TLSOptions NoSessionReuseRequired

For more information on this option, see the "NoSessionReuseRequired" description under TLSOptions.

Hope this helps!

Upvotes: 1
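
A small checker for the two settings the answer points to (whether a TLSLog is configured and whether TLSOptions relaxes session reuse), added here as an example; it is not code from the post or from ProFTPD. The function names are hypothetical, the sample is constructed from the question's config, and it assumes all TLS* directives share one scope and does not follow Include files.

```python
# Constructed sample: the TLS-related part of the question's proftpd.conf, shortened.
SAMPLE_CONF = """\
PassivePorts 60000 65535
<IfModule mod_tls.c>
  TLSEngine On
  TLSProtocol TLSv1
  TLSRequired on
  TLSVerifyClient off
</IfModule>
"""

def tls_directives(conf_text):
    """Collect {directive: [args, ...]} for every TLS* directive, ignoring block wrappers."""
    found = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":  # skip blanks, comments and <IfModule>-style tags
            continue
        name, *rest = line.split(None, 1)
        if name.lower().startswith("tls"):
            found.setdefault(name.lower(), []).append(rest[0] if rest else "")
    return found

def review_session_reuse(conf_text):
    """Summarise the settings that decide whether session reuse is enforced and logged."""
    d = tls_directives(conf_text)
    # Simplification (assumption): options from every TLSOptions line are merged.
    options = {o.lower() for args in d.get("tlsoptions", []) for o in args.split()}
    return {
        "tls_engine_on": [a.lower() for a in d.get("tlsengine", [])][-1:] == ["on"],
        "tls_log": (d.get("tlslog") or [None])[-1],
        "session_reuse_required": "nosessionreuserequired" not in options,
    }

def findings(conf_text):
    """Turn the summary into review notes for whoever maintains the server."""
    r = review_session_reuse(conf_text)
    notes = []
    if r["tls_engine_on"] and r["tls_log"] is None:
        notes.append("no TLSLog configured: add one to see why mod_tls rejects a data connection")
    if not r["session_reuse_required"]:
        notes.append("NoSessionReuseRequired set: data connections need not reuse "
                     "the control connection's TLS session")
    return notes

if __name__ == "__main__":
    for note in findings(SAMPLE_CONF):
        print(note)
```

Run it against the live config before and after applying the answer's change, so the relaxed session-reuse requirement is a recorded decision rather than a forgotten workaround.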
