Discussion:
[Proftpd-user] How to renew SSL certs without interrupting transfers
MI
2016-08-24 09:53:01 UTC
After SSL certificates have been renewed, I understand I need to restart proftpd to
make it use the new certificates.

However, I don't want to interrupt ongoing transfers. Particularly because most of
our transfers are of very big files (50 - 150 GB), and users may not have configured
their client to be able to resume transfers, and most of our users wouldn't know what
this is about.

Is there a way to make proftpd reload its certificate files without interrupting
transfers?

If not, what would be the best way to check from a script if a transfer is in
progress, to be able to wait until it's done before restarting?
Tomasz Chmielewski
2016-08-24 10:30:04 UTC
Post by MI
After SSL certificates have been renewed, I understand I need to restart proftpd to
make it use the new certificates.
However, I don't want to interrupt ongoing transfers. Particularly because most of
our transfers are of very big files (50 - 150 GB), and users may not have configured
their client to be able to resume transfers, and most of our users wouldn't know what
this is about.
Is there a way to make proftpd reload its certificate files without interrupting
transfers?
If not, what would be the best way to check from a script if a transfer is in
progress, to be able to wait until it's done before restarting?

netstat -tpna | grep ESTABLISHED | grep proftpd

Would output established connections to proftpd.


Tomasz Chmielewski
https://lxadm.com
Christopher Murley
2016-08-24 12:48:50 UTC
The proftpd scoreboard stores all this info. You can use the helper
programs ftptop, ftpwho to see who's logged in and what transfers are
taking place.
--
Regards,

-Chris

______________________________
Christopher D. Murley
Director of Network Operations
TownNews.Com - 800.293.9576
MI
2016-08-24 13:35:18 UTC
ftptop can indeed show me what I want (with the -i option). But unlike top, it
doesn't seem to have an option to just print out and exit. So it is not well suited
to be part of a script which reloads/restarts services when a certificate has been
updated.

Are there other ways to extract info from the binary scoreboard file?

MI
Christopher Murley
2016-08-24 13:50:47 UTC
You may have luck with ftpcount or ftpshut to stop all new connections for
FTP.
--
Regards,

-Chris

______________________________
Christopher D. Murley
Director of Network Operations
TownNews.Com - 800.293.9576
MI
2016-08-24 18:05:43 UTC
The simple netstat approach didn't work in the end, because on my system (Debian
Jessie), it doesn't show "proftpd" during an upload. Instead, it shows pid/filename:

# netstat -tpn
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address       Foreign Address      State       PID/Program name
...
tcp        0      0 85.195.x.y:65231    96.239.59.96:58652   ESTABLISHED 57856/some_filename
tcp6       0      0 85.195.x.y:21       96.239.59.96:58647   ESTABLISHED 57856/some_filename

Strange. But never mind, I settled on ftpcount instead.
Kartik Vashishta
2016-08-24 18:10:34 UTC
lsof
MI
2016-08-25 09:40:56 UTC
That was a terse answer, but indeed, it seems to be my best bet so far. I still
cannot distinguish between an idle connection and a real transfer, but that's not a
big deal.

Anyway, this seems to be quick and reliable:

lsof -nPb -i tcp | grep '^proftpd.*ESTABLISHED'


Thanks,

MI

-------- Original Message --------
lsof
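
Added example (not part of the original thread): a drain-then-restart wrapper built on the lsof check above, with a deadline so a busy server cannot postpone the certificate reload indefinitely. The restart command, poll interval, deadline and the sample lsof lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: wait for proftpd connections to drain before restarting.
# RESTART_CMD, POLL_SECS and MAX_WAIT_SECS are assumptions; set them locally.
RESTART_CMD=${RESTART_CMD:-"service proftpd restart"}
POLL_SECS=${POLL_SECS:-60}
MAX_WAIT_SECS=${MAX_WAIT_SECS:-86400}

# Count ESTABLISHED proftpd TCP connections in lsof output read from stdin.
# Control and data connections both count; idle logins are not told apart.
count_established() {
    awk '$1 == "proftpd" && /\(ESTABLISHED\)/ { n++ } END { print n + 0 }'
}

# Live count, using the lsof invocation from the thread.
live_count() {
    lsof -nPb -i tcp 2>/dev/null | count_established
}

# Poll until no connection remains (return 0) or the deadline passes (return 1).
wait_for_idle() {
    waited=0
    while [ "$(live_count)" -gt 0 ]; do
        if [ "$waited" -ge "$MAX_WAIT_SECS" ]; then return 1; fi
        sleep "$POLL_SECS"
        waited=$((waited + POLL_SECS))
    done
    return 0
}

# Constructed sample of lsof output (documentation addresses), for offline checks.
sample_lsof() { cat <<'EOF'
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
proftpd  1201 root    0u  IPv6  11111      0t0  TCP *:21 (LISTEN)
proftpd 57856 ftp     0u  IPv6  22222      0t0  TCP 192.0.2.10:21->198.51.100.7:58647 (ESTABLISHED)
proftpd 57856 ftp     9u  IPv4  33333      0t0  TCP 192.0.2.10:65231->198.51.100.7:58652 (ESTABLISHED)
sshd     2301 root    3u  IPv4  44444      0t0  TCP 192.0.2.10:22->198.51.100.9:40112 (ESTABLISHED)
EOF
}

if [ "${1:-}" = "--run" ]; then
    if wait_for_idle; then
        $RESTART_CMD
    else
        echo "proftpd still busy after ${MAX_WAIT_SECS}s; certificate not reloaded" >&2
        exit 1
    fi
fi
```

Called with --run from a certificate renewal hook, it restarts only once the count reaches zero; a non-zero exit means the old certificate is still being served and needs attention.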
MI
2016-08-24 13:28:12 UTC
Thanks for the "netstat ... | grep ..." tip. I somehow had overlooked this simple
solution. (I used "ftpcount | perl ...", to get the number of users, which is
certainly overkill)

I was hoping to see actual file transfers, so that I could ignore connections which
are idle and restart anyway as long as there is no transfer. But maybe that's not
worth the trouble.

MI


