FTP 无法通过 PHP (ProFTPD) 工作 - 不允许操作答案

【问题标题】：FTP not working via PHP (ProFTPD) - Operation not permittedFTP 无法通过 PHP (ProFTPD) 工作 - 不允许操作
【发布时间】：2016-07-13 11:52:30
【问题描述】：

我尝试通过 PHP 将文件上传到运行 ProFTPD 的 FTP 服务器。这以前就像一个魅力。这是代码：

$this->con = ftp_ssl_connect($CFG['BACKUP_FTP_HOST'], $port);
ftp_login($this->con, $CFG['BACKUP_FTP_USER'], $CFG['BACKUP_FTP_PASSWORD']);
ftp_pasv($this->con, true); // Returns true
ftp_put($this->con, "/path/test.txt", __DIR__ . "/test.txt", FTP_ASCII); // Returns false, local file and remote directory exists (FTP_BINARY does not work also)

有几个搞笑的 PHP 警告：

Warning: ftp_put(): Unable to build data connection: Operation not permitted

如果我尝试通过lftp更改被动模式，它也不起作用：

lftp ftp@test.de:/> quote PASV
501 PASV: Operation not permitted

FEAT的返回如下：

211-Features:                
SSCN
SITE COPY
LANG en-US.UTF-8*;en-US
SIZE
PROT
CCC
SITE MKDIR
PBSZ
AUTH TLS
REST STREAM
UTF8
EPRT
SITE SYMLINK
EPSV
SITE UTIME
MDTM
SITE RMDIR
211 End

我认为 FTP 服务器有问题，但其他服务器可以使用该配置。另外，我可以使用 FileZilla 上传文件。使用 PHP，主动模式也不起作用。

我的proftpd.conf的内容：

# Includes DSO modules
Include /etc/proftpd/modules.conf

# If set on you can experience a longer connection delay in many cases.
<IfModule mod_ident.c>
IdentLookups                    off
</IfModule>

ServerIdent                     off
ServerName                      "FTP Server"
ServerType                      standalone
DeferWelcome                    off

MultilineRFC2228                on
DefaultServer                   on
ShowSymlinks                    on

TimeoutNoTransfer               600
TimeoutStalled                  600
TimeoutIdle                     1200

DisplayLogin                    welcome.msg
DisplayChdir                    .message true
ListOptions                     "-al"

DenyFilter                      \*.*/

# Use this to jail all users in their homes
DefaultRoot                     ~

# Allow continuation of uploads/downloads
AllowRetrieveRestart            On
AllowStoreRestart               On

# Users require a valid shell listed in /etc/shells to login.
# Use this directive to release that constrain.
RequireValidShell               Off

# Port 21 is the standard FTP port.
Port                            21

# Workaround for nasty problem with FileZilla:
<IfModule mod_facts.c>
  FactsAdvertise off
</IfModule>

# Unlimited number of concurrent connections
MaxClients                      none
MaxInstances                    none

# Unlimited number of concurrent connections per IP/user allowed
MaxClientsPerHost               none
MaxClientsPerUser               none
PassivePorts 60000 65535
<IfModule mod_tls.c>
  TLSEngine On

  # Support TLSv1 (no more SSLv3 due to POODLE attack)
  TLSProtocol TLSv1

  # Safe ciphers:
  TLSCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
  # Are clients required to use FTP over TLS when talking to this server?
TLSRequired on
  # Server's certificate
  TLSRSACertificateFile /etc/ssl/certs/proftpd.crt
  TLSRSACertificateKeyFile /etc/ssl/private/proftpd.key
  TLSCertificateChainFile /etc/ssl/certs/proftpd-ca.crt
  TLSDHParamFile /etc/proftpd/dhparams.pem

  # Authenticate clients that want to use FTP over TLS?
  TLSVerifyClient off

</IfModule>

# Virtual FTP users file
AuthUserFile /etc/proftpd/passwd

# Set the user and group that the server normally runs at.
User                            proftpd
Group                           nogroup

# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask                           022  022
# Normally, we want files to be overwriteable.
AllowOverwrite                  on
TransferLog /var/log/proftpd/xferlog
SystemLog   /var/log/proftpd/proftpd.log
<IfModule mod_quotatab.c>
QuotaEngine off
</IfModule>

<IfModule mod_ratio.c>
Ratios off
</IfModule>

# Delay engine reduces impact of the so-called Timing Attack described in
# http://security.lss.hr/index.php?page=details&ID=LSS-2004-10-02
# It is on by default.
<IfModule mod_delay.c>
DelayEngine on
</IfModule>
<IfModule mod_ctrls.c>
ControlsEngine        off
ControlsMaxClients    2
ControlsLog           /var/log/proftpd/controls.log
ControlsInterval      5
ControlsSocket        /var/run/proftpd/proftpd.sock
</IfModule>
<IfModule mod_ctrls_admin.c>
AdminControlsEngine off
</IfModule>

# include additional configuration files
Include /etc/proftpd/conf.d/*.conf
# <EOF>-----------------------------------------------------------------------

【问题讨论】：

呃，这个远程目录路径是否正确/.../test.txt？
我已删除完整路径。
但它是 100% 正确的，如果您复制路径并将其粘贴到 FileZilla 中，您会进入目录？
是的。目录是正确的。
看起来是目录的权限问题。如果运行 unix 服务器，请尝试 chmod 775 'directory' -R ，并 chown 目录

标签： php ftp proftpd

【解决方案1】：

您可以配置一个TLSLog 文件，并查看其中记录了哪些附加信息。我怀疑（但TLSLog 可能会确认...或不确认）mod_tls 要求您的数据传输连接重用与控制连接上使用的相同的 TLS 会话，并且您的 FTPS客户没有这样做。可以通过在 mod_tls 配置中使用以下内容来放宽此要求：

TLSOptions NoSessionReuseRequired

有关此选项的详细信息，请参阅TLSOptions 下的“NoSessionReuseRequired”描述。

希望这会有所帮助！

【讨论】：