Forge Home


Puppet module to manage ProFTPD


1,318 latest version

4.7 quality score

We run a couple of automated
scans to help you access a
module's quality. Each module is
given a score based on how well
the author has formatted their
code and documentation and
modules are also checked for
malware using VirusTotal.

Please note, the information below
is for guidance only and neither of
these methods should be considered
an endorsement by Puppet.

Version information

  • 2.3.0 (latest)
  • 2.2.0
released Aug 7th 2023
This version is compatible with:
  • Puppet Enterprise 2023.7.x, 2023.6.x, 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x
  • Puppet >= 7.0.0 < 9.0.0
  • , , , , FreeBSD

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'markt-proftpd', '2.3.0'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add markt-proftpd
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install markt-proftpd --version 2.3.0

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.



markt/proftpd — version 2.3.0 Aug 7th 2023


Build Status Puppet Forge Puppet Forge - downloads

Table of Contents

  1. Overview
  2. Usage
  3. Reference
  4. Limitations
  5. Development
  6. Contributors


A Puppet module for ProFTPD, hiera-friendly, highly configurable and well-tested.


Beginning with proftpd

This example will install packages, setup a minimal configuration and activate the service for you:

class { 'proftpd': }

Loading additional modules is easy too:

class { 'proftpd':
  load_modules => {
    ban => {},
    tls => {},
    sql => {},

It is simple to add new options or overwrite the defaults in the configuration root or any (sub) section:

class { 'proftpd':
  options => {
    'ROOT'  => {
      'ServerName'   => 'FTP server',
      'MaxInstances' => '10',
    'IfModule mod_vroot.c' => {
      'VRootEngine' => 'on',

NOTE: You don't need to take care for section brackets or closing tags. The module will add this automatically.

Enabling anonymous login and customizing it's default options works the same way:

class { 'proftpd':
  anonymous_enable => true,
  options          => {
    'Anonymous ~ftp'        => {
      'Directory uploads/*' => {
        'Limit STOR'        => {
          'AllowAll'        => true,
          'DenyAll'         => false,

You may opt to disable the default configuration and do everything from scratch:

class { 'proftpd':
  default_config => false,
  options => {...}

(Here the options hash must contain all options required to run ProFTPD.)

Using Hiera

You're encouraged to define your configuration using Hiera, especially if you plan to disable the default configuration:

proftpd::default_config: false
# load modules in a specific order if necessary
    order: 1
    order: 2
    order: 3
    order: 4
    order: 5
  ban: {}
  tls: {}

    ServerType: 'standalone'
    DefaultServer: 'on'
    ScoreboardFile: '/var/run/proftpd.scoreboard'
    DelayTable: '/var/run/proftpd.delay'
    ControlsSocket: '/var/run/proftpd.socket'
    User: 'www'
    Group: 'www'
    Umask: '006'
    UseReverseDNS: 'off'
    DefaultRoot: '~ !'
    DefaultChdir: '/var/ftp'
    ServerName: '%{facts.networking.fqdn}'
    Port: '21'
    PassivePorts: '49152 65534'
    TransferLog: 'NONE'
      - 'default "%h %l %u %t \"%r\" %s %b"'
      - 'auth "%t %v [%P] %h \"%r\" %s"'
      - 'access "%h %l %u %t \"%r\" %s %b"'
      - '/var/log/proftpd/access.log INFO,DIRS,MISC,READ,WRITE access'
      - '/var/log/proftpd/auth.log AUTH auth'
    MaxClients: '20 "Connection limit reached (%m)."'
    MaxInstances: '20'
    MaxClientsPerHost: '15 "Connection limit reached (%m)."'
    MaxClientsPerUser: '10 "Connection limit reached (%m)."'
    TLSEngine: 'on'
    TLSProtocol: 'SSLv23'
    TLSRequired: 'off'
    TLSOptions: 'NoCertRequest'
    TLSVerifyClient: 'off'
    TLSRSACertificateFile: '/etc/ssl/%{facts.networking.fqdn}.crt'
    TLSRSACertificateKeyFile: '/etc/ssl/%{facts.networking.fqdn}.key'
    TLSLog: '/var/log/proftpd/tls.log'
    RequireValidShell: 'off'
    UseFtpUsers: 'on'
    AllowRetrieveRestart: 'on'
    AllowStoreRestart: 'on'
    AllowOverwrite: 'yes'
    AccessGrantMsg: '"Login OK"'
    IdentLookups: 'off'
    ServerIdent: 'on "FTP Service"'
    AllowForeignAddress: 'on'
    DirFakeUser: 'on www'
    DirFakeGroup: 'on www'
    PathDenyFilter: '"(\.ftpaccess)$"'
    ListOptions: '"-a"'
    MaxLoginAttempts: '2'
    AuthUserFile: '/etc/proftpd/proftpd.passwd'
    AuthGroupFile: '/etc/proftpd/'
    TimeoutLogin: '1800'
    TimeoutIdle: '1800'
    TimeoutStalled: '1800'
    TimeoutNoTransfer: '1800'
  'Directory /':
    AllowOverwrite: 'on'
    ServerName: '"FTP Server 1"'
    PassivePorts: '60000 65534'
  'IfModule mod_rewrite.c':
    RewriteEngine: 'on'
    RewriteLog: '/var/log/proftpd/rewrite.log'
      - |
        replace int:replaceall
            RewriteCondition        %m ^(STOR)$
            RewriteRule             ^(.*)$  "${replace:/$1/ /_}"
      - |
        replace int:replaceall
            RewriteCondition        %m ^(STOR)$
            RewriteRule             ^(.*)$  "${replace:/$1/\?/_}"
      - |
        replace int:replaceall
            RewriteCondition        %m ^(STOR)$
            RewriteRule             ^(.*)$  "${replace:/$1/Ü/UE}"
  'Directory /mnt/exchange/user1/*':
      - |-
        '%f "^[[:cntrl:] ]+"
            RewriteRule "^[[:cntrl:] ]+([^[:cntrl:]]+)" $1'
      - |-
        '%f "[[:cntrl:] ]+$"
            RewriteRule "([^[:cntrl:]]+)[[:cntrl:] ]+$" $1'
      - |-
        '%f "[[:cntrl:]]"
            RewriteRule "([^[:cntrl:]]+)[[:cntrl:]]*([^[:cntrl:]]*)[[:cntrl:]]*([^[:cntrl:]]*)" $1$2$3'  



You may want to use the $options parameter to overwrite default configuration options or build a ProFTPD configuration from scratch. There are few things you need to know:

  • sections: ProFTPD's configuration uses a number of <sections>. You create a new section by specifying a hash, the module's erb template will do the rest for you. This works for special cases like <IfDefine X> too.
  • ROOT: To add items to the root of the ProFTPD configuration, use this namespace.
  • false: Setting a value to 'false' will remove the item from the configuration.
  • multiple values: If you want to specify multiple values for the same configuration item (i.e. LogFormat or ExtendedLog), you need to specify these values as an array.

Classes and Parameters

Classes and parameters are documented in


OS Compatibility

This module was tested on FreeBSD, CentOS and Debian. Please open a new issue if your operating system is not supported yet, and provide information about problems or missing features.

Template Issues

The proftpd.conf.erb template... sucks. It suffers from code repetition. Furthermore it is limited to only four nested configuration sections (which should still be enough, even for rather complex configurations). If you come up with a better idea please let me know.


Please use the github issues functionality to report any bugs or requests for new features. Feel free to fork and submit pull requests for potential contributions.


This module is heavily inspired by and in part based on the following modules:

See the LICENSE file for further information.