Configuring ProFTPD for the Canon 5D Mark IV

This Web page gives a commented configuration file that is usable to let you use ProFTPD as a server that can automatically accept pictures from a Canon 5D Mark IV, assuming you've done all the setup given on the main page. The rest of this page is a sample configuration file; comments are given after various sections. If you select the sample configuration from here on down, copy it, and paste it into your own configuration, the commments should disappear and you should have a working config file! (How cool is that?)

# This is a ProFTPD configuration file usable for serving a Canon 5D
# Mark IV.

ServerName		"ProFTPD"
ServerType		standalone
DefaultServer		on

# Port 21 is the standard FTP port.
Port			21

# FireWall PortRange for PASV
PassivePorts		40000 40999

If you have a network administrator who believes in harsh firewalling, you may need to change the passive port range.


# Set DebugLevel to values between 0 and 9
# default is 0
DebugLevel		0

# SystemLog -- Redirect syslogging to a file
SystemLog		/var/log/proftpd/proftpd.log

It's a good idea to log the daemon's activity so you can monitor misbehavior and debug problems. If you installed ProFTPD from your distro, it should have set up that log file and also created a logrotate configuration to keep the file from growing too large. If you didn't, or it didn't, you should configure rotation. You might also need to change the location of the log.

# Don't use IPv6 support by default; the 5D4 doesn't support it anyway.
UseIPv6			off

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask			022

Some people might prefer 077, especially if the server is a shared machine.

# To prevent DoS attacks, set the maximum number of child processes
# to 5.  If you need to allow more than 5 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd).
MaxInstances		5

Unless you have multiple 5D4's, this number could probably be set to 1. This is basically the maximum number of cameras that are allowed to upload at the same time.

# Set the user and group under which the server will run.
User			ftp
Group			ftp

If you did a distro install, the distro should have created this user. Note that the ftp user is different from the user you created earlier for your camera to use (canon5d4 in my examples).

# Some logging formats
LogFormat default	"%h %l %u %t \"%r\" %s %b"
LogFormat auth		"%v [%P] %h %t \"%r\" %s"
LogFormat write		"%h %l %u %t \"%r\" %s %b"
# FIFO log format for automating upload repsonses
LogFormat fifo          "%r"

# ------------------------------
# Global Settings
# ------------------------------


  # ------------------------------
  # Login
  # ------------------------------

	ServerIdent		on "FTP server ready"
	DeferWelcome		on

	
	  IdentLookups		off
	
	UseFtpUsers		off
	RequireValidShell	off

	TimeoutLogin		60
	MaxLoginAttempts	3
	#MaxClientsPerHost	none
	#MaxClientsPerUser	1 "Only one connection at a time."

  # ------------------------------
  # Authentication
  # ------------------------------

	### PAM Authentication
	# AuthPAM: default: on
	AuthPAM			on

	# changed AuthPAMConfig file
	AuthPAMConfig		proftpd
	### PAM Authentication

	#AuthUserFile		/etc/proftpd/auth/passwd
	#AuthGroupFile		/etc/group

	### order of auth modules
	#AuthOrder		mod_auth_unix.c mod_auth_file.c
	AuthOrder		mod_auth_unix.c mod_auth_pam.c

Most of the above settings were installed by my distro, including the commented-out lines. You can change them to your taste if you know what you're doing.

  # ------------------------------
  # Post-Login
  # ------------------------------

	DisplayLogin		welcome.msg
	DisplayChdir		.message
	AllowOverride		off

	TimeoutIdle		7200
	TimeoutNoTransfer	 900
	TimeoutStalled		 300
	TimeoutSession		7200

The above timeouts are given in seconds; 7200 is two hours. I chose quite long timeouts because I didn't want the ftp server to give up on the camera in the middle of a picture transfer.

  # ------------------------------
  # Session
  # ------------------------------

	# To cause every FTP user to be "jailed" (chrooted) into their home
	# directory, uncomment this line.
	DefaultRoot		~ web,!users

	DenyFilter              \*.*/
	ListOptions             "-A +R" strict
	UseGlobbing             off

	ShowSymlinks            on
	TimesGMT                on

  # ------------------------------
  # Up- & Download
  # ------------------------------

	# having to delete before uploading is a pain ;)
	AllowOverwrite		on
	AllowRetrieveRestart	on
	HiddenStores		on
	DeleteAbortedStores	on
	#AllowStoreRestart	off	# is contrary to "DeleteAbortedStores"

  # ------------------------------
  # Logging
  # ------------------------------

	WtmpLog			off
	TransferLog		/var/log/proftpd/xferlog

	# Record all logins
	ExtendedLog		/var/log/proftpd/auth.log AUTH auth

	# Logging file/dir access
	ExtendedLog		/var/log/proftpd/access.log WRITE,READ write

	# Paranoia logging level....
	#ExtendedLog		/var/log/proftpd/paranoid.log ALL default

	# SQLLogFile
	#SQLLogFile		/var/log/proftpd/SQL.log

        # Log uploads to a pipe
        #ExtendedLog             /etc/proftpd/fifo WRITE fifo

The lines immediately above control logging. If you uncomment the very last one, you can make your server do something automatically every time an image is uploaded. On each upload, ProFTPD will write the name of the new file to /etc/proftpd/fifo, which you must have first created with mkfifo. It must be owned and writable by the ftp user, and readable by everyone. You can the write a program that reads the file names and does whatever you want; I won't cover that here. (The program has to be running before ProFTPD starts; I also won't cover how to arrange that.)

# Bar use of SITE CHMOD by default

  DenyAll


#####
# Include other confs, e.g. tls.conf
#Include			/etc/proftpd/conf.d/*.conf

#####

# ------------------------------
# Anonymous Settings
# ------------------------------

My distribution had a lot of stuff under "Anonymous Settings" in case you want to run anonymous ftp. I deleted all that stuff because anonymous ftp isn't really compatible with what we're doing here. In truth, anonymous ftp is pretty obsolete nowadays; ordinary Web sites are a better solution to the problem it tried to address.

# ------------------------------
# TLS Settings
# ------------------------------

In my distribution, the following material (to the end of the file) is kept in /etc/proftpd/conf.d/tls.conf and included with "Include /etc/proftpd/conf.d/*.conf". I have moved it here for convenience, but if your setup includes a conf.d it would probably be cleaner to put it in the tls.conf file.


    # If mod_tls was built as a shared/DSO module, load it
    LoadModule mod_tls.c



    TLSEngine                  on

    TLSProtocol                TLSv1 TLSv1.1 TLSv1.2

    # Are clients required to use FTP over TLS when talking to this server?
    TLSRequired                on

    # Server's RSA certificate
    TLSRSACertificateFile      /etc/proftpd/ssl/proftpd.pem
    TLSRSACertificateKeyFile   /etc/proftpd/ssl/proftpd.key

The above lines need to point to wherever you created your openssl certificate.


    # CA (or CA chain) to verify client certs 
    TLSCACertificateFile        /etc/proftpd/ssl/proftpd.pem

    # CA (or CA chain) to verify certification path of server cert
    TLSCertificateChainFile     /etc/proftpd/ssl/proftpd.pem

Again, the above lines need to point to where you made your certificate.


    # Authenticate clients that want to use FTP over TLS?
    TLSVerifyClient            off

    # Allow SSL/TLS renegotiations when the client requests them, but
    # do not force the renegotations.  Some clients do not support
    # SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
    # clients will close the data connection, or there will be a timeout
    # on an idle data connection.
    TLSRenegotiate none

    # Should Server request a Clients Certificate and send valid CA list ?
    TLSOptions                 NoCertRequest NoSessionReuseRequired

    TLSCipherSuite      ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS

    # Debugging
    #TraceLog /var/log/proftpd/trace.log
    #Trace DEFAULT:10 tls:10 signal:0

If you have trouble connecting, you can uncomment the above two lines to turn on some logging that might help.