Advanced Site Configuration
This chapter covers advanced CompleteFTP site configuration options for users who need fine-grained control over protocols, security settings, and performance optimization. Most users should start with Site Configuration before proceeding to these advanced topics.
Overview
Advanced site configuration includes:
- Protocol-specific tuning - Custom cipher suites, compression, authentication methods
- Performance optimization - Connection pooling, timeout fine-tuning, encoding settings
- Security hardening - Client certificates, advanced SSL/TLS settings, IP filtering
- Specialized configurations - Custom passive mode, SSH forwarding, web application hosting
Advanced Protocol Configuration
FTPS Advanced Settings
# Enable FTPS implicit mode (legacy FTPS on port 990)
# Use this only when clients require implicit FTPS; explicit FTPS (port 21) is preferred
completeftp site set default ftpsImplicitEnabled=true
completeftp site set default portFTPSImplicit=990
# Require client certificates for mutual TLS authentication
# Clients must present a valid certificate to connect via FTPS
completeftp site set default ftpsVerifyClient=true
SSH/SFTP Advanced Settings
Choose algorithms based on your security requirements and client compatibility:
# SSH cipher algorithms — AES-GCM provides authenticated encryption (preferred),
# AES-CTR is widely compatible. Remove older/weaker ciphers for hardened setups.
completeftp site set default sshCipher="AES_GCM_256,AES_GCM_128,AES_CTR_256,AES_CTR_192,AES_CTR_128"
# SSH MAC algorithms — SHA-2 ETM (encrypt-then-MAC) variants are most secure.
# SHA-1 MACs are included by default for compatibility but can be removed.
completeftp site set default sshMAC="HMAC_SHA2_256_ETM,HMAC_SHA2_512_ETM,HMAC_SHA2_256,HMAC_SHA2_512"
# SSH key exchange — ECDH and DH Group 14+ with SHA-256/512 are recommended.
# Group 1 (1024-bit) is considered weak and should be removed for security.
completeftp site set default sshKeyExchange="ECDHsha2Nistp256,ECDHsha2Nistp384,DiffieHellmanGroup14Sha256,DiffieHellmanGroup16Sha512"
# SSH key algorithms — Ed25519 and ECDSA are modern and fast.
# RSA with SHA-2 is widely compatible. DSA is deprecated and should be removed.
completeftp site set default sshKeyAlgorithm="Ed25519,ECDSAsha2Nistp256,ECDSAsha2Nistp384,RSA_sha2_256,RSA_sha2_512"
# SSH compression — enable zlib to reduce bandwidth for large transfers.
# Disable if CPU is a bottleneck or for security-sensitive environments.
completeftp site set default sshCompression="None,Zlib"
# SSH forwarding — allows tunneling TCP connections through the SSH channel.
# Only enable if users need port forwarding; disabled by default for security.
completeftp site set default sshForwardingEnabled=true
# SSH terminal — allows interactive shell access via SSH.
# Only enable if users need shell access; disabled by default for security.
completeftp site set default sshTerminalEnabled=true
Advanced SSL/TLS Settings
# Minimum SSL/TLS version — TLS 1.2 is the recommended minimum for most environments.
# Use TLS 1.3 only if all clients support it (provides better performance and security).
# Valid values: Ssl3, Tls1, Tls11, Tls12, Tls13
completeftp site set default minimumSSLVersion=Tls12
# SSL cipher suites — ECDHE suites provide perfect forward secrecy (PFS).
# GCM mode is preferred over CBC for performance and security.
# TLS 1.3 suites (TLS_AES_*) are automatically used for TLS 1.3 connections.
completeftp site set default sslCipherSuites="ECDHE_RSA_AES_256_GCM_SHA384,ECDHE_RSA_AES_128_GCM_SHA256,DHE_RSA_AES_256_GCM_SHA384,DHE_RSA_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_CHACHA20_POLY1305_SHA256"
Performance Optimization
Advanced Connection Management
# Configure advanced connection limits
completeftp site set default maxConnectionsHTTP=100
completeftp site set default maxLoginAttempts=3
Timeout Fine-Tuning
All timeout values are in milliseconds. Choose values based on your network conditions and user behavior:
| Setting | Default | Description | Guidance |
|---|---|---|---|
timeoutIdle |
300000 (5 min) | Disconnect idle connections | Lower (60-120s) for public servers to free resources; higher (10-30 min) for internal users on slow links |
timeoutLogin |
60000 (1 min) | Time allowed to complete login | 30-60s is typical; lower for public servers to limit brute-force window |
timeoutStalled |
60000 (1 min) | Disconnect stalled transfers | Increase for very slow or satellite links; 60s is reasonable for most |
timeoutPassiveWait |
60000 (1 min) | Time to wait for passive data connection | Increase if FTP clients are slow to open data connections through firewalls |
timeoutHTTP |
1800000 (30 min) | HTTP/HTTPS session timeout | Higher default for web File Manager sessions; lower for API-only use |
# Tighten timeouts for a public-facing server
completeftp site set default timeoutLogin=30000 # 30 seconds
completeftp site set default timeoutIdle=120000 # 2 minutes
completeftp site set default timeoutStalled=60000 # 1 minute
completeftp site set default timeoutPassiveWait=30000 # 30 seconds
# Relax timeouts for internal users on slow links
completeftp site set default timeoutIdle=600000 # 10 minutes
completeftp site set default timeoutHTTP=3600000 # 1 hour
Protocol-Specific Optimization
# Configure FTP-specific optimizations
completeftp site set default listingFormat="Unix"
completeftp site set default encoding="UTF-8"
completeftp site set default allowOverWriteOnRename=true
completeftp site set default backslashPathSep=false
HTTP/HTTPS optimizations are handled by web server configuration.
Advanced Security Configuration
Enhanced Auto-Ban Settings
# Configure auto-ban rules
completeftp site set default autoBanTriggerCount=5
completeftp site set default autoBanTriggerPeriod=300000 # 5 minutes
completeftp site set default autoBanDuration=3600000 # 1 hour
IP Filtering and Access Control
IP-based access control is configured through IP filter rules. For comprehensive coverage of IP filtering including allow/deny rules, precedence, per-user restrictions, and auto-ban bypass, see IP Filtering.
Authentication Security
# Configure SSH authentication methods
# Options: Password, PublicKey, PublicKeyAndPassword (requires both)
completeftp site set default sshAuthMethods="PublicKey,PublicKeyAndPassword"
# Limit login attempts before disconnect (helps prevent brute-force)
completeftp site set default maxLoginAttempts=3
# Disable anonymous access
completeftp site set default anonymousEnabled=false
Password complexity is handled by password policies. See User Management for password policy configuration. For external authentication (LDAP, SAML, database), see Authentication Methods.
Advanced Passive Mode Configuration
Complex NAT Scenarios
# Multi-interface passive mode configuration
completeftp site set default pasvPortMin=50000
completeftp site set default pasvPortMax=50100
# External IP for NAT environments
completeftp site set default pasvIP=203.0.113.10
# IP whitelist for data connections
completeftp site set default pasvWhiteList="192.168.1.0/24,10.0.0.0/8"
Per-interface passive settings are configured via network interface management.
Load Balancer Configuration
Passive mode for load balancers uses the standard pasvIP and port range settings (pasvPortMin, pasvPortMax).
File System and Display Advanced Options
Advanced File System Settings
# Configure advanced file system options
completeftp site set default homeDirIsRoot=true
completeftp site set default showHiddenFiles=false
# Archive navigation
completeftp site set default archiveNavEnabled=true
Virtual file system performance is optimized automatically.
Custom Display Settings
# Customize server responses
completeftp site set default hideProductVersion=true
completeftp site set default welcomeMessage="Welcome to our secure file transfer system"
Web Application Hosting
For comprehensive web application management including adding custom apps, URL mappings, HTTP headers, and MIME types, see Web Applications.
# Quick reference — key site-level web settings
completeftp site set default sharingEnabled=true
completeftp site set default defaultWebApp="FileManager2"
completeftp site set default jssEnabled=true
completeftp site set default httpBasicAuth=false
Clustering and High Availability
Cluster Configuration
For full clustering setup including adding/removing servers, security, and troubleshooting, see Clustering.
Health Monitoring
Health monitoring is built into the server status system and accessible via the monitor commands.
Advanced Troubleshooting
Detailed Logging Configuration
For comprehensive logging configuration including log levels, auditing, and event recording, see Monitoring and Logging.
Performance Monitoring
For monitoring settings and log management, see Monitoring and Logging.
Specialized Site Templates
High-Security Government Site
# Ultra-secure configuration for sensitive environments
completeftp site add "High Security Site"
completeftp site set "High Security Site" ftpEnabled=false
completeftp site set "High Security Site" ftpsEnabled=false
completeftp site set "High Security Site" sftpEnabled=true
completeftp site set "High Security Site" httpEnabled=false
completeftp site set "High Security Site" httpsEnabled=false
completeftp site set "High Security Site" sshAuthMethods="PublicKey"
completeftp site set "High Security Site" minimumSSLVersion="Tls13"
completeftp site set "High Security Site" sshCipher="AES_CTR_256"
completeftp site set "High Security Site" sshMAC="HMAC_SHA2_256"
completeftp site set "High Security Site" maxConnectionsPerUser=1
completeftp site set "High Security Site" autoBanTriggerCount=1
High-Performance Bulk Transfer Site
# Optimized for large file transfers
completeftp site add "Bulk Transfer Site"
completeftp site set "Bulk Transfer Site" ftpEnabled=true
completeftp site set "Bulk Transfer Site" sftpEnabled=true
completeftp site set "Bulk Transfer Site" maxConnections=200
completeftp site set "Bulk Transfer Site" maxConnectionsPerUser=10
completeftp site set "Bulk Transfer Site" timeoutIdle=1800000 # 30 minutes
completeftp site set "Bulk Transfer Site" sshCompression="Zlib"
completeftp site set "Bulk Transfer Site" pasvPortMin=50000
completeftp site set "Bulk Transfer Site" pasvPortMax=50200 # Larger range
Directory listings are automatically optimized.
DMZ External Access Site
# Site configuration for DMZ deployment
completeftp site add "DMZ Site"
completeftp site set "DMZ Site" ftpEnabled=false
completeftp site set "DMZ Site" ftpsEnabled=true
completeftp site set "DMZ Site" sftpEnabled=true
completeftp site set "DMZ Site" httpsEnabled=true
completeftp site set "DMZ Site" ftpsVerifyClient=true
completeftp site set "DMZ Site" minimumSSLVersion="Tls12"
completeftp site set "DMZ Site" autoBanTriggerCount=3
completeftp site set "DMZ Site" autoBanDuration=7200000 # 2 hours
completeftp site set "DMZ Site" maxConnectionsPerUser=5
Performance Benchmarking
Load Testing Configuration
# Configure site for load testing
completeftp site set default maxConnections=1000
completeftp site set default maxConnectionsPerUser=50
completeftp site set default timeoutLogin=10000
Monitoring Commands
# Monitor current server status
completeftp monitor show
Best Practices for Advanced Configuration
Security Best Practices
- Layered Security - Combine multiple security measures (SSL/TLS, IP filtering, auto-ban)
- Principle of Least Privilege - Only enable needed protocols and features
- Regular Security Audits - Periodically review and update security settings
- Monitor and Alert - Set up monitoring for security events and performance issues
- Documentation - Document all custom configurations and changes
Performance Best Practices
- Baseline Testing - Establish performance baselines before making changes
- Incremental Changes - Make one change at a time and measure impact
- Monitor Resource Usage - Watch CPU, memory, and network utilization
- Optimize for Use Case - Different workloads need different optimizations
- Regular Review - Periodically review and adjust settings as usage patterns change
Maintenance Best Practices
- Configuration Backups - Regularly backup site configurations
- Change Management - Document all configuration changes
- Testing Environment - Test changes in non-production environment first
- Rollback Plan - Have a plan to quickly revert problematic changes
- User Communication - Inform users of planned changes and maintenance windows