Advanced Site Configuration

This chapter covers advanced CompleteFTP site configuration options for users who need fine-grained control over protocols, security settings, and performance optimization. Most users should start with Site Configuration before proceeding to these advanced topics.

Overview

Advanced site configuration includes:

  • Protocol-specific tuning - Custom cipher suites, compression, authentication methods
  • Performance optimization - Connection pooling, timeout fine-tuning, encoding settings
  • Security hardening - Client certificates, advanced SSL/TLS settings, IP filtering
  • Specialized configurations - Custom passive mode, SSH forwarding, web application hosting

Advanced Protocol Configuration

FTPS Advanced Settings

# Enable FTPS implicit mode (legacy FTPS on port 990)
# Use this only when clients require implicit FTPS; explicit FTPS (port 21) is preferred
completeftp site set default ftpsImplicitEnabled=true
completeftp site set default portFTPSImplicit=990

# Require client certificates for mutual TLS authentication
# Clients must present a valid certificate to connect via FTPS
completeftp site set default ftpsVerifyClient=true

SSH/SFTP Advanced Settings

Choose algorithms based on your security requirements and client compatibility:

# SSH cipher algorithms — AES-GCM provides authenticated encryption (preferred),
# AES-CTR is widely compatible. Remove older/weaker ciphers for hardened setups.
completeftp site set default sshCipher="AES_GCM_256,AES_GCM_128,AES_CTR_256,AES_CTR_192,AES_CTR_128"

# SSH MAC algorithms — SHA-2 ETM (encrypt-then-MAC) variants are most secure.
# SHA-1 MACs are included by default for compatibility but can be removed.
completeftp site set default sshMAC="HMAC_SHA2_256_ETM,HMAC_SHA2_512_ETM,HMAC_SHA2_256,HMAC_SHA2_512"

# SSH key exchange — ECDH and DH Group 14+ with SHA-256/512 are recommended.
# Group 1 (1024-bit) is considered weak and should be removed for security.
completeftp site set default sshKeyExchange="ECDHsha2Nistp256,ECDHsha2Nistp384,DiffieHellmanGroup14Sha256,DiffieHellmanGroup16Sha512"

# SSH key algorithms — Ed25519 and ECDSA are modern and fast.
# RSA with SHA-2 is widely compatible. DSA is deprecated and should be removed.
completeftp site set default sshKeyAlgorithm="Ed25519,ECDSAsha2Nistp256,ECDSAsha2Nistp384,RSA_sha2_256,RSA_sha2_512"

# SSH compression — enable zlib to reduce bandwidth for large transfers.
# Disable if CPU is a bottleneck or for security-sensitive environments.
completeftp site set default sshCompression="None,Zlib"

# SSH forwarding — allows tunneling TCP connections through the SSH channel.
# Only enable if users need port forwarding; disabled by default for security.
completeftp site set default sshForwardingEnabled=true

# SSH terminal — allows interactive shell access via SSH.
# Only enable if users need shell access; disabled by default for security.
completeftp site set default sshTerminalEnabled=true

Advanced SSL/TLS Settings

# Minimum SSL/TLS version — TLS 1.2 is the recommended minimum for most environments.
# Use TLS 1.3 only if all clients support it (provides better performance and security).
# Valid values: Ssl3, Tls1, Tls11, Tls12, Tls13
completeftp site set default minimumSSLVersion=Tls12

# SSL cipher suites — ECDHE suites provide perfect forward secrecy (PFS).
# GCM mode is preferred over CBC for performance and security.
# TLS 1.3 suites (TLS_AES_*) are automatically used for TLS 1.3 connections.
completeftp site set default sslCipherSuites="ECDHE_RSA_AES_256_GCM_SHA384,ECDHE_RSA_AES_128_GCM_SHA256,DHE_RSA_AES_256_GCM_SHA384,DHE_RSA_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_CHACHA20_POLY1305_SHA256"

Performance Optimization

Advanced Connection Management

# Configure advanced connection limits
completeftp site set default maxConnectionsHTTP=100
completeftp site set default maxLoginAttempts=3

Timeout Fine-Tuning

All timeout values are in milliseconds. Choose values based on your network conditions and user behavior:

Setting Default Description Guidance
timeoutIdle 300000 (5 min) Disconnect idle connections Lower (60-120s) for public servers to free resources; higher (10-30 min) for internal users on slow links
timeoutLogin 60000 (1 min) Time allowed to complete login 30-60s is typical; lower for public servers to limit brute-force window
timeoutStalled 60000 (1 min) Disconnect stalled transfers Increase for very slow or satellite links; 60s is reasonable for most
timeoutPassiveWait 60000 (1 min) Time to wait for passive data connection Increase if FTP clients are slow to open data connections through firewalls
timeoutHTTP 1800000 (30 min) HTTP/HTTPS session timeout Higher default for web File Manager sessions; lower for API-only use
# Tighten timeouts for a public-facing server
completeftp site set default timeoutLogin=30000      # 30 seconds
completeftp site set default timeoutIdle=120000       # 2 minutes
completeftp site set default timeoutStalled=60000     # 1 minute
completeftp site set default timeoutPassiveWait=30000 # 30 seconds

# Relax timeouts for internal users on slow links
completeftp site set default timeoutIdle=600000       # 10 minutes
completeftp site set default timeoutHTTP=3600000      # 1 hour

Protocol-Specific Optimization

# Configure FTP-specific optimizations
completeftp site set default listingFormat="Unix"
completeftp site set default encoding="UTF-8"
completeftp site set default allowOverWriteOnRename=true
completeftp site set default backslashPathSep=false

HTTP/HTTPS optimizations are handled by web server configuration.

Advanced Security Configuration

Enhanced Auto-Ban Settings

# Configure auto-ban rules
completeftp site set default autoBanTriggerCount=5
completeftp site set default autoBanTriggerPeriod=300000  # 5 minutes
completeftp site set default autoBanDuration=3600000     # 1 hour

IP Filtering and Access Control

IP-based access control is configured through IP filter rules. For comprehensive coverage of IP filtering including allow/deny rules, precedence, per-user restrictions, and auto-ban bypass, see IP Filtering.

Authentication Security

# Configure SSH authentication methods
# Options: Password, PublicKey, PublicKeyAndPassword (requires both)
completeftp site set default sshAuthMethods="PublicKey,PublicKeyAndPassword"

# Limit login attempts before disconnect (helps prevent brute-force)
completeftp site set default maxLoginAttempts=3

# Disable anonymous access
completeftp site set default anonymousEnabled=false

Password complexity is handled by password policies. See User Management for password policy configuration. For external authentication (LDAP, SAML, database), see Authentication Methods.

Advanced Passive Mode Configuration

Complex NAT Scenarios

# Multi-interface passive mode configuration
completeftp site set default pasvPortMin=50000
completeftp site set default pasvPortMax=50100

# External IP for NAT environments
completeftp site set default pasvIP=203.0.113.10

# IP whitelist for data connections
completeftp site set default pasvWhiteList="192.168.1.0/24,10.0.0.0/8"

Per-interface passive settings are configured via network interface management.

Load Balancer Configuration

Passive mode for load balancers uses the standard pasvIP and port range settings (pasvPortMin, pasvPortMax).

File System and Display Advanced Options

Advanced File System Settings

# Configure advanced file system options
completeftp site set default homeDirIsRoot=true
completeftp site set default showHiddenFiles=false

# Archive navigation
completeftp site set default archiveNavEnabled=true

Virtual file system performance is optimized automatically.

Custom Display Settings

# Customize server responses
completeftp site set default hideProductVersion=true
completeftp site set default welcomeMessage="Welcome to our secure file transfer system"

Web Application Hosting

For comprehensive web application management including adding custom apps, URL mappings, HTTP headers, and MIME types, see Web Applications.

# Quick reference — key site-level web settings
completeftp site set default sharingEnabled=true
completeftp site set default defaultWebApp="FileManager2"
completeftp site set default jssEnabled=true
completeftp site set default httpBasicAuth=false

Clustering and High Availability

Cluster Configuration

For full clustering setup including adding/removing servers, security, and troubleshooting, see Clustering.

Health Monitoring

Health monitoring is built into the server status system and accessible via the monitor commands.

Advanced Troubleshooting

Detailed Logging Configuration

For comprehensive logging configuration including log levels, auditing, and event recording, see Monitoring and Logging.

Performance Monitoring

For monitoring settings and log management, see Monitoring and Logging.

Specialized Site Templates

High-Security Government Site

# Ultra-secure configuration for sensitive environments
completeftp site add "High Security Site"
completeftp site set "High Security Site" ftpEnabled=false
completeftp site set "High Security Site" ftpsEnabled=false
completeftp site set "High Security Site" sftpEnabled=true
completeftp site set "High Security Site" httpEnabled=false
completeftp site set "High Security Site" httpsEnabled=false
completeftp site set "High Security Site" sshAuthMethods="PublicKey"
completeftp site set "High Security Site" minimumSSLVersion="Tls13"
completeftp site set "High Security Site" sshCipher="AES_CTR_256"
completeftp site set "High Security Site" sshMAC="HMAC_SHA2_256"
completeftp site set "High Security Site" maxConnectionsPerUser=1
completeftp site set "High Security Site" autoBanTriggerCount=1

High-Performance Bulk Transfer Site

# Optimized for large file transfers
completeftp site add "Bulk Transfer Site"
completeftp site set "Bulk Transfer Site" ftpEnabled=true
completeftp site set "Bulk Transfer Site" sftpEnabled=true
completeftp site set "Bulk Transfer Site" maxConnections=200
completeftp site set "Bulk Transfer Site" maxConnectionsPerUser=10
completeftp site set "Bulk Transfer Site" timeoutIdle=1800000    # 30 minutes
completeftp site set "Bulk Transfer Site" sshCompression="Zlib"
completeftp site set "Bulk Transfer Site" pasvPortMin=50000
completeftp site set "Bulk Transfer Site" pasvPortMax=50200     # Larger range
Directory listings are automatically optimized.

DMZ External Access Site

# Site configuration for DMZ deployment
completeftp site add "DMZ Site"
completeftp site set "DMZ Site" ftpEnabled=false
completeftp site set "DMZ Site" ftpsEnabled=true
completeftp site set "DMZ Site" sftpEnabled=true
completeftp site set "DMZ Site" httpsEnabled=true
completeftp site set "DMZ Site" ftpsVerifyClient=true
completeftp site set "DMZ Site" minimumSSLVersion="Tls12"
completeftp site set "DMZ Site" autoBanTriggerCount=3
completeftp site set "DMZ Site" autoBanDuration=7200000        # 2 hours
completeftp site set "DMZ Site" maxConnectionsPerUser=5

Performance Benchmarking

Load Testing Configuration

# Configure site for load testing
completeftp site set default maxConnections=1000
completeftp site set default maxConnectionsPerUser=50
completeftp site set default timeoutLogin=10000

Monitoring Commands

# Monitor current server status
completeftp monitor show

Best Practices for Advanced Configuration

Security Best Practices

  1. Layered Security - Combine multiple security measures (SSL/TLS, IP filtering, auto-ban)
  2. Principle of Least Privilege - Only enable needed protocols and features
  3. Regular Security Audits - Periodically review and update security settings
  4. Monitor and Alert - Set up monitoring for security events and performance issues
  5. Documentation - Document all custom configurations and changes

Performance Best Practices

  1. Baseline Testing - Establish performance baselines before making changes
  2. Incremental Changes - Make one change at a time and measure impact
  3. Monitor Resource Usage - Watch CPU, memory, and network utilization
  4. Optimize for Use Case - Different workloads need different optimizations
  5. Regular Review - Periodically review and adjust settings as usage patterns change

Maintenance Best Practices

  1. Configuration Backups - Regularly backup site configurations
  2. Change Management - Document all configuration changes
  3. Testing Environment - Test changes in non-production environment first
  4. Rollback Plan - Have a plan to quickly revert problematic changes
  5. User Communication - Inform users of planned changes and maintenance windows