Configuring vsftpd with nginx on ubuntu

Question

I have vsftpd installed on Ubuntu 12.04LTS along with nginx, php, and sql on an Amazon ec2 instance. The web server is good to go, but I'm having trouble connecting to the FTP server. I'm not quite sure how to set the privileges or what configuration options I might be missing.

By default, the location of the web root is at /usr/share/nginx/www and it is owned by root:root. The web server runs as user www-data in the group www-data.

I've opened port 21 and set the passive ports in the ec2 backend and ufw firewall.

In vsftpd.conf, I have:

...
anonymous_enable=NO
local_enable=YES
local_umask=0027
chroot_local_user=YES
pasv_enable=YES
pas_max_port=12100
pasv_min_port=12000
port_enable=YES
...

Now, I'm unsure how to create the FTP user that when I login, displays my web directory with write access. I've tried it a few different ways, but I keep running into errors (either no connection, no write access, or very slow timeouts.)

score 0 · Answer 1 · answered Jun 19 '12 at 03:22

You might do the following to achieve what you described...

Please replace arby with whatever the FTP username you prefer.

sudo useradd -d /usr/share/nginx/www -G www-data arby

sudo chown -R arby:www-data /usr/share/nginx/www

sudo chmod -R g+w /usr/share/nginx/www

If you have already created an FTP username named arby, then please do the following instead of the first command...

sudo usermod -d /usr/share/nginx/www -a -G www-data arby

score 0 · Answer 2 · answered Jun 20 '12 at 11:39

Please be sure to use:

pasv_address=YOUR_PUBLIC_IP

In the vsftpd configuration, where YOUR_PUBLIC_IP is the Public IP of your EC2 instance since otherwise you won't be able to login to vsftpd.

The rest can be used from the 1'st answer, or you can alternatively use php-fpm working with an user of your choice. For instance assuming you want to use user webuser, you'll need to take the next steps(all steps should be done as the root user): 1) Create the user and change the privileges:

useradd -d /usr/share/nginx/www webuser
chown webuser.webuser -R /usr/share/nginx/www

2) Don't forget to add a password for this user by typing:

passwd webuser

3) Configure your php-fpm install by making /etc/php-fpm.conf have the following:

include=/etc/php-fpm.d/*.conf
[global]
pid = /var/run/php-fpm/php-fpm.pid
error_log = /var/log/php-fpm/error.log
daemonize = yes

And also create a /etc/php-fpm.d/webuser.conf with the next contents:

[webuser]

listen = /var/run/webuser.sock
listen.owner = nginx
listen.group = nginx
listen.mode = 0600
user = webuser
group = webuser
pm = dynamic
pm.max_children = 50
pm.start_servers = 5
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 10240
env[HOSTNAME] = $HOSTNAME
env[PATH] = /bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp
php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f hostmaster@yourservername
php_flag[display_errors] = off
php_admin_value[error_log] = /usr/share/nginx/logs/php-errors.log
php_admin_flag[log_errors] = on
php_admin_value[memory_limit] = 512M
php_admin_value[session.save_path] = /tmp/
php_admin_value[date.timezone] = "UTC"

4) Add a vhost config to your nginx configuration like:

server {
          listen *:80;
          server_name  yourservername.com www.yourservername.com;
          client_max_body_size 24M;
          root /usr/share/nginx/www;
          location / {
           index index.php index.html;
          }
          access_log     /usr/share/nginx/logs/access.log;
          error_log      /usr/share/nginx/logs/error.log;
          error_page 404 /;
          location ~ /\.ht
          {
           deny all;
          }
          location ~ \.php$ {
           index index.php index.html;
           fastcgi_pass    unix:/var/run/webuser.sock;
           fastcgi_index  index.php;
           fastcgi_pass_header 'Set-Cookie';
           fastcgi_param  SCRIPT_FILENAME /usr/share/nginx/www$fastcgi_script_name;
           fastcgi_intercept_errors on;
           fastcgi_param  QUERY_STRING     $uri;
           include        fastcgi_params;
           break;
          }
        }

5) Restart your php-fpm service and restart your nginx service.

That should make it working.

Note: Make sure to create the /usr/share/nginx/logs directory.

score 0 · Accepted Answer · answered Jun 20 '12 at 21:47

First, be sure to open ports 35000:36000 on the firewall to permit PASV FTP.

Then for your /etc/vsftpd.conf

listen=YES
anonymous_enable=NO
local_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
hide_ids=YES
use_localtime=YES
nopriv_user=ftp
chroot_local_user=YES
secure_chroot_dir=/var/run/vsftpd
pam_service_name=vsftpd
guest_enable=YES
guest_username=ftp
user_config_dir=/etc/vsftpd_user_conf
ftpd_banner=My FTP Server
virtual_use_local_privs=YES
anon_upload_enable=NO
async_abor_enable=YES
pasv_min_port=35000
pasv_max_port=36000
pasv_enable=YES
port_enable=YES
write_enable=NO

Then to create a user, run,

/bin/htpasswd /etc/ftpd.passwd myusername

Then create the accompanying file in /etc/vsftpd_user_conf/myusername

guest_username=www-data
local_root=/usr/share/nginx/www
write_enable=yes

The user connects as the guest_username stated, so it allows you to have multiple FTP users with different access, but all the while, preserving important file-level owner permissions.

That will give you a nice simple, chrooted, secure, isolated and manageable FTP configuration.

You're welcome.

Configuring vsftpd with nginx on ubuntu

3 Answers3