Advanced Site Configuration

This chapter covers advanced CompleteFTP site configuration options for users who need fine-grained control over protocols, security settings, and performance optimization. Most users should start with Site Configuration before proceeding to these advanced topics.

Overview

Advanced site configuration includes:

  • Protocol-specific tuning - Custom cipher suites, compression, authentication methods
  • Performance optimization - Connection pooling, timeout fine-tuning, encoding settings
  • Security hardening - Client certificates, advanced SSL/TLS settings, IP filtering
  • Specialized configurations - Custom passive mode, SSH forwarding, web application hosting

Advanced Protocol Configuration

FTPS Advanced Settings

# Enable FTPS implicit mode (legacy FTPS)
completeftp site set default ftpsImplicitEnabled=true
completeftp site set default portFTPSImplicit=990

# Require client certificates
completeftp site set default ftpsVerifyClient=true

# Data connection protection is handled automatically by the FTPS protocol

SSH/SFTP Advanced Settings

# Configure SSH cipher algorithms
completeftp site set default sshCipher="AES_CTR_128,AES_CTR_192,AES_CTR_256"

# Set SSH MAC algorithms
completeftp site set default sshMAC="HMAC_SHA2_256,HMAC_SHA2_512"

# Configure SSH key exchange methods
completeftp site set default sshKeyExchange="DiffieHellmanGroup14Sha256"

# Set SSH key algorithms
completeftp site set default sshKeyAlgorithm="RSA,ECDSAsha2Nistp256"

# Configure SSH compression
completeftp site set default sshCompression="none,zlib"

# Enable SSH forwarding
completeftp site set default sshForwardingEnabled=true

# Enable SSH terminal access
completeftp site set default sshTerminalEnabled=true

Advanced SSL/TLS Settings

# Set minimum SSL/TLS version
completeftp site set default minimumSSLVersion="TLS1.2"

# Configure SSL cipher suites
completeftp site set default sslCipherSuites="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"

# Enable perfect forward secrecy
completeftp site set default sslRequirePerfectForwardSecrecy=true

# Configure SSL session caching
completeftp site set default sslSessionCacheSize=1000
completeftp site set default sslSessionCacheTimeout=300000

Performance Optimization

Advanced Connection Management

# Configure advanced connection limits
completeftp site set default maxConnectionsHTTP=100
completeftp site set default maxLoginAttempts=3

Timeout Fine-Tuning

# Configure detailed timeout settings
completeftp site set default timeoutLogin=30000
completeftp site set default timeoutStalled=60000
completeftp site set default timeoutPassiveWait=10000
completeftp site set default timeoutHTTP=30000
completeftp site set default timeoutSSL=30000

# Set keep-alive timeouts
completeftp site set default keepAliveTimeout=60000
completeftp site set default keepAliveMaxRequests=100

Protocol-Specific Optimization

# Configure FTP-specific optimizations
completeftp site set default listingFormat="Unix"
completeftp site set default encoding="UTF-8"
completeftp site set default allowOverWriteOnRename=true
completeftp site set default backslashPathSep=false

HTTP/HTTPS optimizations are handled by web server configuration.

Advanced Security Configuration

Enhanced Auto-Ban Settings

# Configure auto-ban rules
completeftp site set default autoBanTriggerCount=5
completeftp site set default autoBanTriggerPeriod=300000  # 5 minutes
completeftp site set default autoBanDuration=3600000     # 1 hour

IP Filtering and Access Control

IP-based access control is configured through the ipFilter section. See the basic site configuration chapter for IP filter examples.

Authentication Security

# Configure advanced authentication settings
completeftp site set default requireSecureAuth=true
completeftp site set default allowAnonymousDataConnections=false
completeftp site set default forceSecureDataConnections=true

Password complexity is handled by authentication providers. See the user management chapter for password policy configuration.

Advanced Passive Mode Configuration

Complex NAT Scenarios

# Multi-interface passive mode configuration
completeftp site set default pasvPortMin=50000
completeftp site set default pasvPortMax=50100

# External IP for NAT environments
completeftp site set default pasvIP=203.0.113.10

# IP whitelist for data connections
completeftp site set default pasvWhiteList="192.168.1.0/24,10.0.0.0/8"

Per-interface passive settings are configured via network interface management.

Load Balancer Configuration

Passive mode for load balancers uses the standard pasvIP and port range settings (pasvPortMin, pasvPortMax).

File System and Display Advanced Options

Advanced File System Settings

# Configure advanced file system options
completeftp site set default homeDirIsRoot=true
completeftp site set default showHiddenFiles=false

# Archive navigation
completeftp site set default archiveNavEnabled=true

Virtual file system performance is optimized automatically.

Custom Display Settings

# Customize server responses
completeftp site set default hideProductVersion=true
completeftp site set default welcomeMessage="Welcome to our secure file transfer system"

Web Application Hosting

Advanced Web Settings

# Configure web application hosting
completeftp site set default sharingEnabled=true
completeftp site set default defaultWebApp="FileManager2"

HTML templates are configured via template files. MIME types are managed automatically.

Web Security Headers

Security headers are configured via the httpHeaders property. See the basic site configuration chapter for HTTP header examples.

Clustering and High Availability

Cluster Configuration

Clustering configuration is handled at the enterprise level. Contact EnterpriseDT support for clustering setup assistance.

Health Monitoring

Health monitoring is built into the server status system and accessible via the monitor commands.

Advanced Troubleshooting

Detailed Logging Configuration

Protocol logging is configured via server-level logging settings. Use the monitor command to view current logging configuration.

Performance Monitoring

Performance monitoring is available via monitor commands. Use completeftp monitor show for current metrics.

Specialized Site Templates

High-Security Government Site

# Ultra-secure configuration for sensitive environments
completeftp site add "High Security Site"
completeftp site set "High Security Site" ftpEnabled=false
completeftp site set "High Security Site" ftpsEnabled=false
completeftp site set "High Security Site" sftpEnabled=true
completeftp site set "High Security Site" httpEnabled=false
completeftp site set "High Security Site" httpsEnabled=false
completeftp site set "High Security Site" sshAuthMethods="publickey"
completeftp site set "High Security Site" minimumSSLVersion="Tls13"
completeftp site set "High Security Site" sshCipher="AES_CTR_256"
completeftp site set "High Security Site" sshMAC="HMAC_SHA2_256"
completeftp site set "High Security Site" maxConnectionsPerUser=1
completeftp site set "High Security Site" autoBanTriggerCount=1

High-Performance Bulk Transfer Site

# Optimized for large file transfers
completeftp site add "Bulk Transfer Site"
completeftp site set "Bulk Transfer Site" ftpEnabled=true
completeftp site set "Bulk Transfer Site" sftpEnabled=true
completeftp site set "Bulk Transfer Site" maxConnections=200
completeftp site set "Bulk Transfer Site" maxConnectionsPerUser=10
completeftp site set "Bulk Transfer Site" timeoutIdle=1800000    # 30 minutes
completeftp site set "Bulk Transfer Site" sshCompression="zlib"
completeftp site set "Bulk Transfer Site" pasvPortMin=50000
completeftp site set "Bulk Transfer Site" pasvPortMax=50200     # Larger range

Directory listings are automatically optimized.

DMZ External Access Site

# Site configuration for DMZ deployment
completeftp site add "DMZ Site"
completeftp site set "DMZ Site" ftpEnabled=false
completeftp site set "DMZ Site" ftpsEnabled=true
completeftp site set "DMZ Site" sftpEnabled=true
completeftp site set "DMZ Site" httpsEnabled=true
completeftp site set "DMZ Site" ftpsVerifyClient=true
completeftp site set "DMZ Site" minimumSSLVersion="Tls12"
completeftp site set "DMZ Site" autoBanTriggerCount=3
completeftp site set "DMZ Site" autoBanDuration=7200000        # 2 hours
completeftp site set "DMZ Site" maxConnectionsPerIP=5
completeftp site set "DMZ Site" geoBlockingEnabled=true

Performance Benchmarking

Load Testing Configuration

# Configure site for load testing
completeftp site set default maxConnections=1000
completeftp site set default maxConnectionsPerUser=50
completeftp site set default timeoutLogin=10000

Monitoring Commands

# Monitor current server status
completeftp monitor show

Best Practices for Advanced Configuration

Security Best Practices

  1. Layered Security - Combine multiple security measures (SSL/TLS, IP filtering, auto-ban)
  2. Principle of Least Privilege - Only enable needed protocols and features
  3. Regular Security Audits - Periodically review and update security settings
  4. Monitor and Alert - Set up monitoring for security events and performance issues
  5. Documentation - Document all custom configurations and changes
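
One way to support items 2 and 3 above is to lint the saved script of site commands before it is applied. This is an added example, not EnterpriseDT's code: it checks only explicit assignments of properties named on this page, using the choices made in the High-Security and DMZ templates as the baseline. The function names audit_site_script and sample_commands are hypothetical, and the sample input (including the value "Tls11") is constructed.

```shell
# Added example: lints saved "completeftp site set" commands read from stdin.
# Only explicit assignments are checked; server defaults are not assumed.
audit_site_script() {
  awk '
    /^[ \t]*completeftp[ \t]+site[ \t]+set[ \t]+/ {
      line = $0
      sub(/[ \t]+#.*$/, "", line)                  # drop trailing comment
      sub(/^[ \t]*completeftp[ \t]+site[ \t]+set[ \t]+/, "", line)
      if (substr(line, 1, 1) == "\"") {            # quoted site name
        line = substr(line, 2); q = index(line, "\""); if (q == 0) next
        site = substr(line, 1, q - 1); line = substr(line, q + 1)
      } else {                                     # bare name such as default
        sp = match(line, /[ \t]/); if (sp == 0) next
        site = substr(line, 1, sp - 1); line = substr(line, sp)
      }
      sub(/^[ \t]+/, "", line)
      eq = index(line, "="); if (eq < 2) next
      key = substr(line, 1, eq - 1); val = substr(line, eq + 1)
      gsub(/"/, "", val)
      if (!(site in seen)) { seen[site] = 1; order[++n] = site }
      cfg[site, key] = val                         # last assignment wins
    }
    END {
      for (i = 1; i <= n; i++) {
        s = order[i]
        if (cfg[s, "ftpEnabled"] == "true") print s ": ftpEnabled=true (unencrypted FTP)"
        if (cfg[s, "sshForwardingEnabled"] == "true") print s ": sshForwardingEnabled=true"
        if (cfg[s, "sshTerminalEnabled"] == "true") print s ": sshTerminalEnabled=true"
        if (cfg[s, "hideProductVersion"] == "false") print s ": hideProductVersion=false"
        # Accept either spelling used on this page (TLS1.2 or Tls12 style).
        raw = cfg[s, "minimumSSLVersion"]; v = toupper(raw); gsub(/[^A-Z0-9]/, "", v)
        if (v != "" && v != "TLS12" && v != "TLS13") print s ": minimumSSLVersion=" raw " (not TLS 1.2 or 1.3)"
      }
    }'
}
# Constructed sample input; "Tls11" is a made-up value for the demonstration.
sample_commands() {
  cat <<'EOF'
completeftp site set default minimumSSLVersion="TLS1.2"
completeftp site set default sshTerminalEnabled=true
completeftp site set "Bulk Transfer Site" ftpEnabled=true   # legacy clients
completeftp site set "DMZ Site" ftpEnabled=true
completeftp site set "DMZ Site" ftpEnabled=false
completeftp site set "DMZ Site" minimumSSLVersion="Tls11"
EOF
}
sample_commands | audit_site_script
```

Each output line names the site and the setting to review; an empty result means none of the checked properties were set to a flagged value.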

Performance Best Practices

  1. Baseline Testing - Establish performance baselines before making changes
  2. Incremental Changes - Make one change at a time and measure impact
  3. Monitor Resource Usage - Watch CPU, memory, and network utilization
  4. Optimize for Use Case - Different workloads need different optimizations
  5. Regular Review - Periodically review and adjust settings as usage patterns change

Maintenance Best Practices

  1. Configuration Backups - Regularly back up site configurations
  2. Change Management - Document all configuration changes
  3. Testing Environment - Test changes in a non-production environment first
  4. Rollback Plan - Have a plan to quickly revert problematic changes
  5. User Communication - Inform users of planned changes and maintenance windows